What I was really looking for was the debian way of doing things, which I managed to locate in the "Securing Debian Manual" [1]. According to this, the iptables initd script should be used. However, the author/package-maintainer disapproves this method:
(from /etc/default/iptables:)
".. #Q: You concocted this init.d setup, but you do not like it? # A: I was pretty much hounded into providing it. I do not like it. # Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/ # scripts use /etc/ppp/ip-*.d/ script. Create your own custom # init.d script -- no need to even name it iptables. Use ferm, # ipmasq, ipmenu, guarddog, firestarter, or one of the many other # firewall configuration tools available. Do not use the init.d # script. .."
The whole thing is a little comfusing (to novice guys like I). There is a manual referring to the use of the script, while the very author of the script discourages the use of it. It seems as a matter of personal taste, but I think he could at least have explained his reasons.
Anyway, I decided to follow the procedures in the manual.
~kmag
[1] http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-setup (section 5.14.3.1 Doing it the Debian way)
On 04/03/04 17:14, Costas Magkos wrote:
Hi all,
Can someone give me some best-practices for setting up iptables on a Debian system? I'm looking for things like where should the rules be placed, what startup script to use [1], good configuration tools [2] and so on. URLs are appreciated, I dont mind reading :-)
I'm currently setting up iptables on a single-server enviroment (no routing), but since I will be using iptables a lot, general concepts are also welcome.
--
[1] When looking around how to set up iptables, I found in /etc/default/iptables some discouraging words (apparently from the author) about the usage of the iptables init.d script, which can be summarized to this: "Do not use it". Why not? And if not, is there any other way?
[2] I tried firestarter, seems nice. However, it produces a large ruleset with tones of redundant rules and /proc optimizations (for instance, the anti-spoof filtering is activated by default). It involves too much editing, which I have no problem doing it if someone tells me it's worth it.
Thanks in advance,
~kmag
Costas Magkos Internet Systematics Lab Athens, Greece
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]