Tachyon (n00b)
Joined: 02 Oct 2002 Posts: 16
Posted: Fri Mar 07, 2003 5:27 am Post subject: firewalls
I am looking for some information/opinions on configuring the firewall on my Gentoo box. I know there are a few programs to configure ipchains and iptables; I am wondering what the difference between the two is, and about the different programs for configuring them... basically, are they worth it for the help, or is it better for me to do it manually?
All I run on my system is SSH on a custom port; other than that, closing incoming connections wouldn't be a problem.
Thanks in advance for the advice,
Andrew
jufoa (Apprentice)
Joined: 10 Dec 2002 Posts: 213 Location: Rovaniemi, Finland
Posted: Fri Mar 07, 2003 5:32 am Post subject:
Well, you don't need to use ipchains because iptables replaced it in newer kernels. Basically it's good to learn how to use iptables manually and build your own firewall scripts, but if you are not interested in learning, try shorewall or some other program.
elzbal (Guru)
Joined: 31 Aug 2002 Posts: 364 Location: Seattle, WA, USA
Posted: Fri Mar 07, 2003 6:07 am Post subject:
You seem to have very simple needs. I'm sure that any iptables tutorial would be able to help you out, so try doing a google search for something like 'iptables tutorial' or 'iptables howto'.
Sorry I can't help with specifics... I use OpenBSD.
rajl (Apprentice)
Joined: 25 Sep 2002 Posts: 287
Posted: Fri Mar 07, 2003 6:14 am Post subject:
As was mentioned, iptables is an upgraded version of ipchains, introduced in the 2.4.x series kernel.
All you really need for your computer is to make a shell script, put it in /etc/init.d and then add it to the boot run-level with rc-update. My script looks like this:
Code:
/sbin/iptables -F
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
What the lines do is as follows:
1) flush any pre-existing rule sets
2) set the default policy of the INPUT chain (i.e. incoming connections) to drop. This effectively creates a "stealth" firewall. Note that this drops ALL packets coming into your machine.
3) set the default policy of the FORWARD chain to drop. Since I don't do any NAT, this chain is worthless, and so I drop ALL packets that might reach it, just in case.
4) open up the INPUT chain to allow packets that are related to, or part of, already established connections. This is necessary so that when your web browser requests a web page, the packets containing the page can be received by your computer.
5) open up the INPUT chain to accept all connection attempts from the internet to port 22 (ssh server port). This allows remote access via the ssh server.
There are more advanced options available. For example, I haven't implemented any logging or port scan detection features here. For a much more thorough review of iptables, check out the tutorial in the Gentoo documentation for security, and google for Rusty's Remarkably Unreliable guide (Rusty wrote iptables).
Good luck!
_________________
-Rajl
-----------------------------------------------------------
It's easy to be brave once you consider the alternatives.
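As an added example (not rajl's script or anything from the thread), the same default-DROP policy generated as a reviewable script: it adds a loopback ACCEPT (with policy DROP and only eth0 rules, lo traffic is dropped too), takes the SSH port as a parameter since the original poster runs SSH on a custom port, and adds the LOG rule the post says it leaves out. The iptables path /sbin/iptables and the interface name eth0 are assumptions; fw_rules prints the rules rather than applying them, so they can be checked without root.

```shell
#!/bin/sh
# Added example, not rajl's posted script. Assumptions: iptables at
# /sbin/iptables, public interface eth0. fw_rules only prints the rules;
# fw_apply pipes them through sh (needs root).

IPT=/sbin/iptables
IFACE=eth0

fw_rules() {
    ssh_port="${1:-22}"   # custom SSH port, defaults to 22
    cat <<EOF
$IPT -F
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $IFACE -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $IFACE -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
EOF
}

fw_apply() {
    fw_rules "$1" | sh
}

# Self-check without touching the kernel: the chosen SSH port appears in
# exactly one rule and every emitted line invokes the iptables binary.
fw_check() {
    rules=$(fw_rules "$1")
    [ "$(printf '%s\n' "$rules" | grep -c "dport $1 ")" -eq 1 ] && \
    [ "$(printf '%s\n' "$rules" | grep -vc "^$IPT ")" -eq 0 ]
}
```

Run `fw_rules 2222` to review the rule set for a custom port before calling `fw_apply 2222` as root; the LOG rule sits last, so anything it logs is exactly what the INPUT policy then drops.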
Tachyon (n00b)
Joined: 02 Oct 2002 Posts: 16
Posted: Fri Mar 07, 2003 7:20 am Post subject:
Cool, thanks for the places to look,
and yes, I can see that actually learning how it works might be more valuable than just having someone else do all the work for me.
Andrew
harsha (n00b)
Joined: 19 Jul 2002 Posts: 37 Location: Philadelphia, PA
Posted: Sun Mar 09, 2003 7:45 am Post subject:
Mr. Daniel Robbins wrote a beautiful tutorial on firewall config using iptables...find it in the Docs section...
-Harsha