First post, folks, so I'm unsure if we top-post or not round here, but everyone else seems to, so I'll join in! :)

It took me weeks of searching and asking questions of a knowledgeable friend before I even got close to understanding iptables. Although it's Red Hat-based, I wrote up most of what I have learnt and stuck it on my website (running behind almost that exact script) if you're interested. It's basic I guess, but 'may' be a good starting place: http://www.nryonline.co.uk/documents/html/iptablesFirewall.htm

Hope it helps,

Regards,

nry


Bret, I will address your question, but first: before delving into constructing your own iptables rules, I suggest you seriously look at what some of the firewall tools can do for you, unless you really understand what you're doing. I suggest you look at Shorewall and Bastille for IP filtering firewalls. (Bastille has some great scripts for platform hardening, but I prefer Shorewall's firewall configuration.) Zorp is an application-layer firewall that has gotten some attention lately, but I haven't evaluated it myself -- I expect it might be good as a personal firewall to complement my site firewall, especially for catching unauthorized outbound traffic such as might originate from a 'sploit, trojan or spyware.

Assuming you already have your tables, policies and chain rulesets
defined and assigned targets, you can use the iptables-save and
iptables-restore commands (and/or their respective ip6tables
counterparts) to save and restore the configuration.  Once you've
manually saved the iptables configuration, the /etc/init.d/iptables
script can be used to restore a saved configuration at boot time. Better
yet (as recommended in the bit of documentation you quoted), you can
bind an initialization script to the device startup.  For example, I use
the "up" and "down" parameters on the iface statement in my network
interface definition for my ppp connection (in the file
/etc/network/interfaces):

auto ppp0
iface ppp0 inet ppp
      up /etc/init.d/firewall start
      down /etc/init.d/firewall stop


Hope this helps. ...Murray



On Tue, 2003-08-26 at 21:12, Bret Comstock Waldow wrote:
> I can find all the sites and advice I want about how to form iptables
> rules, but I can't find any decent discussion of how to enable the damn
> things.
>
> I get the idea that an iptables firewall is set up by actually running a
> bunch of "iptables -options" lines, presumably from a script.
>
> But where do I put the script(s)?
>
> There's a mechanism set up in /etc/default/iptables. I quote from the
> file:
>
> # A: I was pretty much hounded into providing it. I do not like it.
> # Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
> # scripts use /etc/ppp/ip-*.d/ script. Create your own custom
> # init.d script -- no need to even name it iptables. Use ferm,
> # ipmasq, ipmenu, guarddog, firestarter, or one of the many other
> # firewall configuration tools available. Do not use the init.d
> # script.
> ...
> # Q: How do I get started?
> # A: (Did I mention "do not use it" already? Oh well.)
>
> For crissake! Can anyone point me at some sensible discussion of how
> the hell to go about putting firewall rules in place? I've got a
> laptop, usually on a cable modem, but sometimes using dial-up.
>
> I know generally about the /etc/init.d/rcX.d runlevel mechanism. Now I
> need a sensible discussion of when and HOW to run what sorts of
> iptables-rules-containing scripts so I can figure out how to protect my
> system. Please don't just tell me about "runlevels" - I know they exist
> already.
>
> The Debian Security manual is useless. It only gives examples of a few
> iptables rules, says that's not enough, and speaks not at all (that I've
> found yet) about how to implement the damn things.
>
> Someone somewhere speaks to the issue of the actual plumbing to implement
> iptables. Can anyone point me?
>
> thanks much in advance,
> Bret
>
> --
> bwaldow at alum dot mit dot edu
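As an added example (not Murray's own script, and not the stock Debian /etc/init.d/iptables the quoted file warns against), here is the shape of a /etc/init.d/firewall script of the kind the "up" and "down" lines above would call. It ties together the two mechanisms the reply describes: a built-in ruleset applied with plain iptables commands, and iptables-save/iptables-restore to persist and reload it. The ruleset, the rules file path (/var/lib/firewall/rules.v4) and the interface name (ppp0) are assumptions for illustration; the command names are held in variables so the script can be adapted, or exercised with stub functions, without touching the live kernel tables.

```shell
#!/bin/sh
# /etc/init.d/firewall  (path and ruleset are assumptions; added example)
# Usage: firewall {start|stop|restart|save}
#   start   - load the saved ruleset with iptables-restore if one exists,
#             otherwise apply the built-in rules below
#   stop    - flush every chain and set ACCEPT policies (host is then OPEN)
#   save    - snapshot the running tables with iptables-save

# Commands and paths are variables so the script can be tested with stubs
# and adapted to a different layout without editing the functions.
IPTABLES=${IPTABLES:-iptables}
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}
RULES_FILE=${RULES_FILE:-/var/lib/firewall/rules.v4}
WAN_IF=${WAN_IF:-ppp0}          # assumed external interface

# Built-in ruleset for a single host: drop inbound by default, allow
# loopback, replies to our own connections and new SSH; log (rate-limited)
# what the DROP policy is about to discard; outbound is unrestricted.
apply_builtin_rules() {
    "$IPTABLES" -F
    "$IPTABLES" -X
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT ACCEPT
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A INPUT -i "$WAN_IF" -m state --state INVALID -j DROP
    "$IPTABLES" -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    "$IPTABLES" -A INPUT -m limit --limit 5/min -j LOG \
        --log-prefix "fw-drop: " --log-level 4
    # anything not matched above falls through to the INPUT DROP policy
}

firewall_start() {
    if [ -s "$RULES_FILE" ]; then
        # iptables-restore replaces the whole table in one step
        "$IPTABLES_RESTORE" < "$RULES_FILE"
    else
        apply_builtin_rules
    fi
}

firewall_stop() {
    # Flush and open up: after this every packet is accepted.
    "$IPTABLES" -F
    "$IPTABLES" -X
    "$IPTABLES" -P INPUT ACCEPT
    "$IPTABLES" -P FORWARD ACCEPT
    "$IPTABLES" -P OUTPUT ACCEPT
}

firewall_save() {
    dir=$(dirname "$RULES_FILE")
    [ -d "$dir" ] || mkdir -p "$dir"
    # write to a temp file and rename, so a failed save cannot leave a
    # truncated ruleset for the next boot; rules are root-only readable
    "$IPTABLES_SAVE" > "$RULES_FILE.tmp" && mv "$RULES_FILE.tmp" "$RULES_FILE"
    chmod 600 "$RULES_FILE"
}

case "${1:-}" in
    start)   firewall_start ;;
    stop)    firewall_stop ;;
    restart) firewall_stop; firewall_start ;;
    save)    firewall_save ;;
    "")      ;;   # no action: only define the functions (file was sourced)
    *)       echo "Usage: $0 {start|stop|restart|save}" >&2; exit 1 ;;
esac
```

Run `firewall save` once the rules are as you want them; every later `start` (from the iface "up" line or from an rcS.d link) then goes through iptables-restore, which loads the table in one step instead of replaying rules one at a time. Two caveats: `stop` leaves the host wide open, which is exactly what the "down" line above does on ifdown; and because ifupdown runs "up" only after the interface is configured, a `pre-up` line is the tighter hook for an interface where that brief window matters (iptables rules naming an interface can be loaded before it exists).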


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]









