[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: New User - Part 2



At 16:43 6/17/2004, Carnal Ortega wrote:
Do you happen to have any good workable iptable scripts for newbies to build off of?

My experience was that it is better to use a good tool, and learn how to use that tool well. It takes a lot less time and produces better, more repeatable results with fewer errors than it does to code rules by hand. Even from a good script.

Using Shorewall and the "Quick-Start Guides" on the author's site, I had my first box up and running in 15 minutes. I can now get a decent firewall up and running in about 45 seconds, with no notes and no previous scripts. Too easy. :-)

There are certainly other tools... this one is just *my* absolute favorite. Power, simplicity, documentation, support, all together. As an example, Shorewall puts all files into /etc/shorewall. And let's say I have a normal two-interface firewall where eth0 is the outside interface and eth1 is the inside. I would download and install the latest stable Shorewall RPM, then:

1. zones: Make sure there is a "net" zone and a "loc" zone. Already done in the default file. No "fw" zone needs to be defined, since the firewall zone always exists.

        2. interfaces: "net   eth0" and "loc   eth1".

3. policy: "loc net ACCEPT" and "loc fw ACCEPT" (the others "loc net DROP" and "all all REJECT" are already in the default file).

4. masq: "eth0 eth1" (interface #1 masquerades traffic for interface #2... well documented).

        5. "rm startup_disabled"

6. rules: "AllowSSH net fw" and "AllowNTP net fw" so that I can SSH into the box and get NTP service from it too.

        7. "service shorewall start"

Maybe I made a mistake or two here, but for illustration purposes in about 45 seconds I've just set up masquerading and firewalling. Allow SSH and NTP in from the Internet to the firewall, drop any other traffic, and allow anything from the local network to the Internet. Raw iptables rules? Don't really remember them anymore, as I don't really need to. <grin>

Cheers,


--
Rodolfo J. Paiz
rpaiz simpaticus com
http://www.simpaticus.com




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]