[TriLUG] anyone out there good with iptables?........
Chris Bullock
cgbullock at gmail.com
Tue Aug 10 14:44:05 EDT 2004
http://easyfwgen.morizot.net/gen/
--cgb
On Tue, 10 Aug 2004 14:22:36 -0400, Brian Henning
<brian at strutmasters.com> wrote:
> *to the Meow Mix tune*
> webmin webmin webmin webmin webmin webmin webmin webmin...
>
> Not at all required, but I've found that webmin's iptables ("Linux Firewall"
> applet under Networking) interface is very clean and intuitive.
>
> One basic rule of thumb is on your input chain, the last rule should always
> be an across-the-board drop:
> iptables -A INPUT_CHAIN_NAME -j DROP
>
> Then all you have to do is put your specific allows in front of that rule.
>
> If you choose to use Webmin, I recommend against also using any boot-time
> scripts.. the two may not get along nicely. Instead of scripting, rely on
> iptables' ability to save its current configuration. The only use for a
> script in the webmin case would be for safekeeping in case iptables' saved
> configuration somehow gets trashed.
>
> Hope this is helpful...
> Cheers,
> ~Brian
>
>
>
> ----- Original Message -----
> From: "dsandif" <dsandif at email.unc.edu>
> To: <trilug at trilug.org>
> Sent: Tuesday, August 10, 2004 2:11 PM
> Subject: [TriLUG] anyone out there good with iptables?........
>
> > Hi folks,
> >
> > I am slowly but steadily pushing my way through this file server setup.
> > Next phase: Iptables! I am no linux guru here and in the past two weeks,
> > I have been searching the net and purchased books in an effort to better
> > understand linux firewalling. Well the right side of my brain just threw
> > in the towel and my left side is fighting for dear life in an attempt to
> > absorb this stuff. So if ANY of you out there feels confident enough
> > about iptables to fill me in, here's what I'm trying to do:
> >
> > 1). I want to set up this file server so that only local LAN traffic
> > (anyone on this local LAN of the 154.3.77.x network) can see or access the
> > server.
> >
> > 2). I want the users to use SSH only to get into the server to their
> > home directories and be able to see their files in a Windows file &
> > folder format. No other inbound traffic should be allowed.
> >
> > 3). I want to take this file server off the main network\internet and
> > restrict it to the local LAN (this may be more of a network properties
> > configuration issue and not an iptables issue, not sure) save for update
> > & upgrade purposes.
> >
> > 4). No telnet, no ftp, and I'm guessing I will need to use Samba to
> > satisfy client access needs. I did an nmap scan of my system to see what
> > was open port-wise and got this ( currently the server is unplugged from
> > the network):
> >
> >
> > Linux Mamasan 2.4.21-15.0.3.EL #1 Tue Jun 29 18:17:52 EDT 2004 i686 i686
> > i386 GNU/Linux
> >
> > [root at Mamasan root]# nmap -sS -O Mamasan
> >
> > Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> > Interesting ports on Mamasan (127.0.0.1):
> > (The 1596 ports scanned but not shown below are in state: closed)
> > Port State Service
> > 22/tcp open ssh
> > 139/tcp open netbios-ssn
> > 445/tcp open microsoft-ds
> > 631/tcp open ipp
> > 6000/tcp open X11
> > Remote operating system guess: Linux Kernel 2.4.0 - 2.5.20
> > Uptime 4.285 days (since Thu Aug 5 09:56:11 2004)
> >
> > Nmap run completed -- 1 IP address (1 host up) scanned in 6 seconds
> >
> > This is my current iptables configuration:
> >
> > [root at Mamasan root]# iptables -L
> > Chain INPUT (policy ACCEPT)
> > target prot opt source destination
> > RH-Firewall-1-INPUT all -- anywhere anywhere
> >
> > Chain FORWARD (policy ACCEPT)
> > target prot opt source destination
> > RH-Firewall-1-INPUT all -- anywhere anywhere
> >
> > Chain OUTPUT (policy ACCEPT)
> > target prot opt source destination
> >
> > Chain RH-Firewall-1-INPUT (2 references)
> > target prot opt source destination
> > ACCEPT all -- anywhere anywhere
> > ACCEPT all -- anywhere anywhere
> > ACCEPT icmp -- anywhere anywhere icmp any
> > ACCEPT ipv6-crypt -- anywhere anywhere
> > ACCEPT ipv6-auth -- anywhere anywhere
> > ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> > ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> > REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
> >
> > I have looked at several web sites like this one below, but I'm not sure
> > I want to entrust the security of my machines to such scripts. I could
> > use some input on this. Thxs.
> >
> > D-
> >
> > http://deepquest.code511.com/iptables/
> >
> > --
> > TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> > TriLUG Organizational FAQ : http://trilug.org/faq/
> > TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> > TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
> >
>
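As an added example, not part of this thread and not taken from any of the scripts linked above: a small shell script that builds the ruleset the original post asks for, following Brian's pattern of specific allows first and an across-the-board drop as the last INPUT rule. The 154.3.77.x network comes from the post; the LAN interface name (eth0), the Samba port set, and the use of a LOG rule ahead of the final drop are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): LAN-only ruleset for a file server
# that should accept SSH and Samba from 154.3.77.0/24 and nothing else.
# Assumptions: LAN interface is eth0; Samba uses UDP 137/138 and TCP 139/445.
# Run as "sh fw.sh apply" (as root) to load the rules; run with IPT=echo to
# print the commands instead of executing them.
set -eu

LAN_NET="${LAN_NET:-154.3.77.0/24}"   # network stated in the original post
LAN_IF="${LAN_IF:-eth0}"              # assumption: interface facing the LAN
IPT="${IPT:-iptables}"                # set IPT=echo for a dry run

apply_rules() {
    # Start from a clean slate so the saved configuration is exactly this.
    $IPT -F
    $IPT -X
    # Default policies: deny inbound and forwarded traffic; allow outbound
    # (outbound is what package updates need, and replies come back via the
    # ESTABLISHED rule below).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback must stay open; local services such as CUPS and X11 use it.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host initiated (e.g. fetching updates).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: a LAN source address arriving on any other interface
    # is dropped before any of the allow rules can match it.
    $IPT -A INPUT ! -i "$LAN_IF" -s "$LAN_NET" -j DROP
    # SSH, new connections, from the LAN only.
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    # Samba from the LAN only: NetBIOS name/datagram (UDP), session and
    # CIFS (TCP).
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp \
        -m multiport --dports 137,138 -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp \
        -m multiport --dports 139,445 -j ACCEPT
    # Record what is being refused (rate-limited so the log cannot be
    # flooded), then the unconditional drop as the last rule. The explicit
    # drop duplicates the DROP policy on purpose: it keeps the chain safe
    # even if someone later resets the policy to ACCEPT.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
    $IPT -A INPUT -j DROP
}

# Only touch the live firewall when explicitly asked to.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

After loading, `iptables -L -v -n` shows the chain, and `service iptables save` (on the Red Hat style system in the post) writes it out so it survives a reboot without a separate boot-time script, which is the approach Brian recommends.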