Greetings, I am not sure about Shorewall-based iptables, but there are a few items that any firewall must have to control the flow of traffic in or out. (There is an excellent article in the Linux Journal, May 03 and June 03, that goes into more depth about setting up a firewall using Firewall Builder, a great tool.)
The steps needed to set up a firewall policy can be broken down into a three-step process: 1) create objects, 2) create the rule base, 3) compile the rule base into a policy and install it. (Assuming that you have Netfilter/iptables installed.)

Objects - You will need to define all your objects for your internal and external networks. Objects represent hosts, networks, address ranges, TCP/IP services, and your firewall. An object is usually defined by an IP address and subnet mask, or just an IP address. Define an object for your loopback device too, i.e. 127.0.0.1, mask 255.0.0.0.

Now that you have your objects defined, you can create your rule base and/or policies. Here are a few questions to ask when creating rules for your rule base:

Source - Where is this request coming from? Inside or outside your network. This is very important to know and should be based on who wants access to your firewall or network.
Destination - Where or what is this request trying to get to?
Service - What service is this request trying to utilize: SMTP, POP, www, ssh?
Action - What will be the outcome, based on the above information, and what should the firewall do with the request: accept, reject, deny?

A Policy Example: (Note: it is assumed you have your objects already defined.)

  Number  Source        Destination    Service  Action  Notes
  1       Internal_LAN  Your_Firewall  Any      Accept  Allow internal access to your firewall
  2       Any           Your_Firewall  ssh      Accept  Allow outside ssh access to your firewall
  3       Internal_LAN  Any            www      Accept  Allow internal access out
  4       Any           Any            Any      Deny    Clean up rule

* Note: sometimes you may have rules that conflict with each other or overlap; you may have to put rule 2 before rule 1.

After you have your rule base, you can compile and install it on your firewall. If your policy does not allow something, normally it will not be allowed; you have to turn services on for them to work. I hope this helps.
Regards,
Joe Maroney

-----Original Message-----
From: Tinus Nijmeijers [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 3:05 AM
To: [email protected]
Subject: iptables q:

I have this great shorewall-based iptables setup that I have screwed up, and reading it I have to admit that I have no idea really where to begin. (Started reading the iptables-tutorial but I'm also in a hurry here.)

Could someone divulge how I do this:

firewall
eth0: internet
eth1: internal net

- allow anything from the internal net to the firewall
- allow port 22 from the outside to the firewall
- masquerade ONLY port 80 from internal to internet.

everything else should be closed.

thanks.
tinus
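As an added example (not from either poster, and not Shorewall's own output), here is the four-rule base above translated into raw iptables commands for the eth0/eth1 layout Tinus describes. It prints the commands rather than running them so the rule order can be reviewed first; the interface names and the 192.168.1.0/24 internal subnet are assumptions passed in as arguments.

```shell
# Added example: emit the iptables commands implementing Joe's rule base
# (rules 1-3 plus the "clean up" default deny) for Tinus's eth0/eth1 setup.
# Arguments are assumptions: $1 external interface, $2 internal interface,
# $3 internal subnet (192.168.1.0/24 below is a constructed value).
gen_rules() {
    ext="$1"
    int="$2"
    lan="$3"

    # Flush old rules and start from rule 4 ("clean up"): default deny for
    # anything reaching the firewall or trying to pass through it.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    # Loopback object (127.0.0.1/255.0.0.0): the firewall must talk to itself.
    echo "iptables -A INPUT -i lo -j ACCEPT"

    # Replies to connections already accepted below; without these the
    # default-deny policy would also drop the answers to permitted traffic.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Rule 1: Internal_LAN -> Your_Firewall, any service, accept.
    echo "iptables -A INPUT -i $int -s $lan -j ACCEPT"

    # Rule 2: Any -> Your_Firewall, ssh, accept (new connections from eth0).
    echo "iptables -A INPUT -i $ext -p tcp --dport 22 -m state --state NEW -j ACCEPT"

    # Rule 3: Internal_LAN -> Any, www, accept. Forwarding and masquerading
    # are both restricted to TCP port 80, so nothing else leaves via NAT.
    echo "iptables -A FORWARD -i $int -o $ext -s $lan -p tcp --dport 80 -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $ext -s $lan -p tcp --dport 80 -j MASQUERADE"

    # Routing between eth1 and eth0 is off by default in the kernel.
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Print the policy for review; pipe the output into sh as root to apply it.
gen_rules eth0 eth1 192.168.1.0/24
```

Because rule 2 matches on the external interface and rule 1 on the internal one, the overlap Joe warns about does not arise here; the order only matters relative to the state-tracking rules, which must come first.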

