SCIENTIFIC-LINUX-USERS Archives

April 2011

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Nicolas Kovacs <[log in to unmask]>
Date: Wed, 20 Apr 2011 21:47:52 +0200
Content-Type: text/plain

On 20/04/2011 02:26, Tom H wrote:
> On Tue, Apr 19, 2011 at 12:53 PM, Robert E. Blair <[log in to unmask]> wrote:
>>
>> There is a sourceforge project called firestarter which has a rather
>> nice script that does lots of iptables config and provides a gui monitor
>> of firewall activity.
>
> You could also try APF:
> http://www.rfxn.com/projects/advanced-policy-firewall/
> (I've never used it so this isn't an experienced-based recommendation
> but I've installed it on a test box to check out its rules and they
> looked good.)
>
> Shorewall's also an option that you could consider. It's another blind
> recommendation though; I've never even seen its default rules...

Thanks very much for the numerous answers. I read through a pile of
documentation and figured out that the simplest solution was a
hand-crafted iptables script written from scratch. Here goes:

--8<-------------------------------
#!/bin/sh
## /root/bin/firewall-start
IPT="/sbin/iptables"
WAN_IFACE="eth0"
LAN_IFACE="eth1"

# Flush all rules and delete user-defined chains in every table
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

# Default policies: drop unsolicited inbound, allow forwarding and outbound
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

# Loopback, a few ICMP types, and replies to connections this host started
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Services offered to the LAN side only: SSH and DHCP
$IPT -A INPUT -p tcp -i $LAN_IFACE --dport 22 -j ACCEPT
$IPT -A INPUT -p udp -i $LAN_IFACE --dport 67 -j ACCEPT

# Log, then reject, everything else that reaches the end of INPUT
$IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
$IPT -A INPUT -j REJECT

# Masquerade the LAN behind the WAN interface
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE

# Persist the ruleset to /etc/sysconfig/iptables and reload it if the service is running
/sbin/service iptables save
/sbin/service iptables condrestart
--8<-------------------------------

Works like a charm so far. Logging (near the end of the script) tells me 
whenever I'm locking myself out of something.

Cheers from South France,

Niki
-- 
Microlinux - 100% Linux and free software IT solutions
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : [log in to unmask]
Tel. : 04 66 63 10 32

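An added example, not part of Niki's post, that works over the lines the script's LOG rule writes to /var/log/messages: it parses the kernel LOG fields and keeps rejects arriving on the LAN interface apart from unsolicited WAN traffic, since the LAN-side ones are the "locked myself out" cases the logging is there to catch. The sample log lines, host name and addresses are constructed; the prefix and interface names are those of the script.

```python
import re
from collections import Counter

PREFIX = "+++ IPv4 packet rejected +++"   # the script's --log-prefix, trailing space dropped
LAN_IFACE = "eth1"                        # same interface names as the script (WAN is eth0)
FLAG_RE = re.compile(r"\b(DF|SYN|ACK|FIN|RST|PSH|URG)\b")

# Constructed sample of /var/log/messages: four kernel LOG lines produced by the
# script's INPUT chain plus one unrelated sshd line. Host name and addresses are made up.
SAMPLE_LOG = """\
Apr 20 21:50:12 gw kernel: +++ IPv4 packet rejected +++ IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 20 21:50:15 gw kernel: +++ IPv4 packet rejected +++ IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 20 21:51:03 gw kernel: +++ IPv4 packet rejected +++ IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 20 21:51:09 gw kernel: +++ IPv4 packet rejected +++ IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=5353 DPT=53 LEN=58
Apr 20 21:51:20 gw sshd[1234]: Accepted publickey for niki from 192.168.1.20 port 51001 ssh2
"""

def parse_reject(line):
    """KEY=VALUE fields of one LOG line as a dict, plus a 'flags' set for bare
    tokens such as DF and SYN; None if the line was not written by the LOG rule."""
    if PREFIX not in line:
        return None
    body = line.split(PREFIX, 1)[1]
    fields = dict(re.findall(r"(\w+)=(\S*)", body))
    fields["flags"] = set(FLAG_RE.findall(body))
    return fields

def summarize(log_text):
    """Count rejects by (inbound interface, protocol, destination port) and list
    the LAN-side ones separately: a reject arriving on LAN_IFACE means a host
    behind the firewall asked for a service the script never opened."""
    by_target = Counter()
    lan_side = []
    for line in log_text.splitlines():
        f = parse_reject(line)
        if f is None:
            continue
        by_target[(f.get("IN", ""), f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
        if f.get("IN") == LAN_IFACE:
            lan_side.append((f.get("SRC"), f.get("PROTO"), f.get("DPT")))
    return by_target, lan_side

if __name__ == "__main__":
    counts, lan = summarize(SAMPLE_LOG)
    for (iface, proto, dport), n in counts.most_common():
        print(f"{n:4d}  IN={iface} {proto} DPT={dport}")
    for src, proto, dport in lan:
        print(f"LAN host {src} blocked on {proto}/{dport}: open it or ignore it")
```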