New User - Part 2

Rodolfo J. Paiz rpaiz at
Thu Jun 17 22:51:19 UTC 2004

At 16:43 6/17/2004, Carnal Ortega wrote:
>Do you happen to have any good workable iptable scripts for newbies to 
>build off of?

My experience was that it is better to use a good tool, and learn how to 
use that tool well. It takes a lot less time and produces better, more 
repeatable results with fewer errors than it does to code rules by hand. 
Even from a good script.

Using Shorewall and the "Quick-Start Guides" on the author's site, I had my 
first box up and running in 15 minutes. I can now get a decent firewall up 
and running in about 45 seconds, with no notes and no previous scripts. Too 
easy. :-)

There are certainly other tools... this one is just *my* absolute favorite. 
Power, simplicity, documentation, support, all together. As an example, 
Shorewall puts all files into /etc/shorewall. And let's say I have a normal 
two-interface firewall where eth0 is the outside interface and eth1 is the 
inside. I would download and install the latest stable Shorewall RPM, then:

         1. zones: Make sure there is a "net" zone and a "loc" zone.
            Already done in the default file. No "fw" zone needs to be
            defined, since the firewall zone always exists.

         2. interfaces: "net   eth0" and "loc   eth1".

         3. policy: "loc net ACCEPT" and "loc fw ACCEPT" (the others "loc
            net DROP" and "all all REJECT" are already in the default file).

         4. masq: "eth0   eth1" (interface #1 masquerades traffic for
            interface #2... well documented).

         5. "rm startup_disabled"

         6. rules: "AllowSSH   net   fw" and "AllowNTP   net   fw" so that
            I can SSH into the box and get NTP service from it too.

         7. "service shorewall start"

Maybe I made a mistake or two here, but for illustration purposes in about 
45 seconds I've just set up masquerading and firewalling. Allow SSH and NTP 
in from the Internet to the firewall, drop any other traffic, and allow 
anything from the local network to the Internet. Raw iptables rules? Don't 
really remember them anymore, as I don't really need to. <grin>


Rodolfo J. Paiz
rpaiz at
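
Added example, not part of the original message and not Shorewall's own code: a small Python model of how Shorewall resolves a new connection (rules file first, then the first matching line of the policy file), run over the policy and rules lines exactly as quoted in steps 3 and 6. The order of the policy lines and the protocol/port behind `AllowSSH` and `AllowNTP` are assumptions; a real stock file may differ.

```python
# Policy lines as quoted in step 3 of the message, in the order mentioned
# (the order inside a real policy file is an assumption here).
POLICY = """\
loc  net  ACCEPT
loc  fw   ACCEPT
loc  net  DROP
all  all  REJECT
"""
# Rules from step 6. What each Allow* action permits is an assumption
# made for this model: SSH = tcp/22, NTP = udp/123.
RULES = """\
AllowSSH  net  fw
AllowNTP  net  fw
"""
ACTIONS = {"AllowSSH": ("tcp", 22), "AllowNTP": ("udp", 123)}


def parse(text):
    """Split a column-style config file into rows, dropping comments and blanks."""
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    return [r for r in rows if r]


def covers(pattern, zone):
    """A zone column matches the zone itself or the keyword 'all'."""
    return pattern in ("all", zone)


def verdict(src, dst, proto, port, policy=POLICY, rules=RULES):
    """Rules are consulted first; otherwise the first matching policy line wins."""
    for action, r_src, r_dst in parse(rules):
        hit = covers(r_src, src) and covers(r_dst, dst)
        if hit and ACTIONS.get(action) == (proto, port):
            return "ACCEPT"
    for p_src, p_dst, target, *_ in parse(policy):
        if covers(p_src, src) and covers(p_dst, dst):
            return target
    return None  # no policy line covers this zone pair


def shadowed(policy=POLICY):
    """Policy lines that can never apply because an earlier line already matches."""
    rows, dead = parse(policy), []
    for i, (src, dst, *_) in enumerate(rows):
        if any(covers(e[0], src) and covers(e[1], dst) for e in rows[:i]):
            dead.append(" ".join(rows[i]))
    return dead
```

Calling `verdict("net", "fw", "tcp", 22)` shows the SSH rule taking precedence over the catch-all policy, and `shadowed()` lists any policy line that first-match ordering makes unreachable, which is worth checking before relying on a DROP or REJECT line.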
