New User - Part 2
Rodolfo J. Paiz
rpaiz at simpaticus.com
Thu Jun 17 22:51:19 UTC 2004
At 16:43 6/17/2004, Carnal Ortega wrote:
>Do you happen to have any good workable iptable scripts for newbies to
>build off of?
My experience was that it is better to use a good tool, and learn how to
use that tool well. It takes a lot less time and produces better, more
repeatable results with fewer errors than it does to code rules by hand.
Even from a good script.
Using Shorewall and the "Quick-Start Guides" on the author's site, I had my
first box up and running in 15 minutes. I can now get a decent firewall up
and running in about 45 seconds, with no notes and no previous scripts. Too
easy. :-)
There are certainly other tools... this one is just *my* absolute favorite.
Power, simplicity, documentation, support, all together. As an example,
Shorewall puts all files into /etc/shorewall. And let's say I have a normal
two-interface firewall where eth0 is the outside interface and eth1 is the
inside. I would download and install the latest stable Shorewall RPM, then:
1. zones: Make sure there is a "net" zone and a "loc" zone. Already done in the default file. No "fw" zone needs to be defined, since the firewall zone always exists.
2. interfaces: "net eth0" and "loc eth1".
3. policy: "loc net ACCEPT" and "loc fw ACCEPT" (the others "loc net DROP" and "all all REJECT" are already in the default file).
4. masq: "eth0 eth1" (interface #1 masquerades traffic for interface #2... well documented).
5. "rm startup_disabled"
6. rules: "AllowSSH net fw" and "AllowNTP net fw" so that I can SSH into the box and get NTP service from it too.
7. "service shorewall start"
Maybe I made a mistake or two here, but for illustration purposes in about
45 seconds I've just set up masquerading and firewalling. Allow SSH and NTP
in from the Internet to the firewall, drop any other traffic, and allow
anything from the local network to the Internet. Raw iptables rules? Don't
really remember them anymore, as I don't really need to. <grin>
Cheers,
--
Rodolfo J. Paiz
rpaiz at simpaticus.com
http://www.simpaticus.com
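To make the abstraction concrete, here is an added example (written for this page, not Shorewall's generated ruleset and not part of the post) of roughly what those seven steps amount to in raw iptables terms: masquerade the LAN behind eth0, let the LAN reach the firewall and the Internet, expose only SSH and NTP on the outside, and drop or reject the rest. It assumes eth0 faces the Internet and eth1 the LAN as in the post; `--dry-run` prints the rules without touching the kernel.

```shell
#!/bin/sh
# Added illustration, not Shorewall's own output: an approximation of the
# post's setup (policy loc->net ACCEPT, loc->fw ACCEPT, net->all DROP,
# all->all REJECT; rules AllowSSH/AllowNTP net->fw; masq eth0 eth1).
# Assumed as in the post: eth0 is the "net" side, eth1 the "loc" side.
WAN=eth0
LAN=eth1

# Emit the rule set, one iptables argument list per line, in load order.
firewall_rules() {
    cat <<EOF
-t nat -F
-F
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A FORWARD -i $LAN -o $WAN -j ACCEPT
-A INPUT -i $WAN -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN -p udp --dport 123 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j REJECT
-t nat -A POSTROUTING -o $WAN -j MASQUERADE
EOF
}

# Load the rules into the kernel (needs root and the iptables binary).
apply_rules() {
    firewall_rules | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended here
        iptables $rule
    done
}

# Number of rules that accept traffic arriving on the outside interface;
# a quick sanity check that only SSH and NTP are exposed to the Internet.
count_wan_accepts() {
    firewall_rules | grep -c -- "-i $WAN .* -j ACCEPT"
}

case "${1:-}" in
    --dry-run) firewall_rules ;;
    --apply)   apply_rules ;;
esac
```

Run it with `--dry-run` first and compare the printed lines against what `shorewall` actually loads; the two will differ in detail (Shorewall builds named chains per zone pair and adds logging), but the accept surface should match.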