firewall ??
jludwig
wralphie at comcast.net
Fri Jul 2 20:16:21 UTC 2004
On Fri, 2004-07-02 at 15:41, Jason Costomiris wrote:
snip
> # These flush any existing rules
> iptables -F
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
> iptables -F -t mangle
> iptables -F -t nat
> iptables -X
>
> # These set an initial drop everything policy
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -P FORWARD DROP
>
> # For connections already deemed OK
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Setup stuff you're allowing to talk directly to the firewall
> # eg - ssh to firewall from 10.1.1.0/24:
> iptables -A INPUT -p tcp -m state --state NEW -s 10.1.1.0/24 --dport 22 -j ACCEPT
>
> # Setup stuff you're allowing to talk outbound from the firewall
> # eg - ssh to anywhere
> iptables -A OUTPUT -p tcp -m state --state NEW -d 0/0 --dport 22 -j ACCEPT
>
> # Setup stuff you're forwarding outbound
> # eg - internal net == 192.168.1.0/24, allow everything out
> iptables -A FORWARD -p all -m state --state NEW -s 192.168.1.0/24 -j ACCEPT
>
> # Setup stuff you're forwarding to a particular server
> # eg - https to 192.168.1.50
> iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.1.50 --dport 443 -j ACCEPT
snip
I like how you set up your firewall. If I might suggest one thing, what I do
is add rules such as:

# chain assumed to be FORWARD (missing in the original); replace "internal" with your LAN, e.g. 192.168.1.0/24
iptables -I FORWARD -s internal -d 0/0 -m state --state NEW -j LOG \
    --log-level WARN --log-prefix "First out from "
Then in syslog.conf add something like

# Log general networking info
*.notice	/var/log/networking
*.warn		/var/log/firewall
# Log cron stuff
--
jludwig <wralphie at comcast.net>
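An added example, not from the thread: a small Python reader for the kernel LOG lines that a rule like the one above writes to /var/log/firewall, tallying new outbound flows per internal host so the "First out from" log actually gets looked at. The log lines below are constructed in the kernel's LOG format; the file path and prefix follow the post.

```python
import re
from collections import Counter

# Constructed sample of what the LOG target writes via syslog. The last line
# carries no "First out from " prefix (a different rule) and must be ignored.
SAMPLE_LOG = """\
Jul  2 20:16:21 fw kernel: First out from IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1001 DF PROTO=TCP SPT=40123 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  2 20:16:25 fw kernel: First out from IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1002 DF PROTO=TCP SPT=40124 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jul  2 20:17:02 fw kernel: First out from IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1003 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jul  2 20:17:10 fw kernel: First out from IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.9 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=1004 DF PROTO=UDP SPT=5353 DPT=53 LEN=32
Jul  2 20:17:11 fw kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.168.1.1 PROTO=TCP SPT=443 DPT=40123
"""

PREFIX = "First out from "           # --log-prefix from the rule in the post
TOKEN = re.compile(r"([A-Z]+)=(\S*)")  # KEY=VALUE fields; bare flags (DF, SYN) are skipped


def parse_line(line):
    """Return the KEY=VALUE fields of one LOG line, or None if it is not ours."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    fields = dict(TOKEN.findall(line[idx + len(PREFIX):]))
    if "SRC" not in fields or "DST" not in fields or "PROTO" not in fields:
        return None  # truncated line, do not count it
    return fields


def summarize(text):
    """Count new outbound flows as (SRC, DST, PROTO, DPT); ICMP has no port, so '-'."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        key = (fields["SRC"], fields["DST"], fields["PROTO"], fields.get("DPT", "-"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    # On the firewall itself: summarize(open("/var/log/firewall").read())
    for (src, dst, proto, dport), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:15} -> {dst:15} {proto:4} dport={dport:5} new={n}")
```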