On Tue, Aug 2, 2011 at 2:37 PM, Camaleón <noela...@gmail.com> wrote:
> On Mon, 01 Aug 2011 21:56:08 +0100, Paul Stuffins wrote:
>
> > I am trying to set iptables up, but am getting into a right mess editing
> > the rules direct in the init script.
> >
> > What are people's recommendations of a front end, either one that I can
> > run via an Apache VirtualHost, obviously on a secured and locked down
> > VirtualHost so that only I can access it, or via SSH.
>
> There is a good set of firewall/iptables front-ends at debian wiki:
>
> http://wiki.debian.org/Firewalls
>
> Greetings,
>
> --
> Camaleón
>
> Archive: http://lists.debian.org/pan.2011.08.02.13.37...@gmail.com

Hi Guys,

I have decided to go with Shorewall as it seems that it is fairly simple to implement. While that may be the case, I just want to check my setup before I enable it and lock myself out of the server.

My setup really only needs to allow access from the internet to the server on ports 80 and 443 for Apache, 60000 for SSH and 3306 for MySQL, along with access from the server to the Debian repos and 3306. I have a couple of database servers that I manage from one central location, hence needing access to and from the server on 3306.

After following the walkthrough on http://wiki.debian.org/HowTo/shorewall, my /etc/shorewall/policy is:

    net    all    DROP
    fw     all    ACCEPT
    all    all    REJECT
    ACCEPT net    fw                     tcp    80,443,3306,60000
    ACCEPT fw     net                    tcp    3306
    ACCEPT fw     net:128.101.240.212    tcp    80

My /etc/shorewall/zones is:

    fw     firewall
    net    ipv4

My /etc/shorewall/interfaces is:

    net    venet0:0    detect    dhcp,routefilter,tcpflags

(I run on an OpenVZ VPS, hence venet0:0 for my interface.)

and I have turned on IP_FORWARDING in /etc/shorewall/shorewall.conf.

When I run "shorewall check" I get the following output:

    shorewall check
    Checking...
    Processing /etc/shorewall/shorewall.conf...
       ERROR: FORWARD_CLEAR_MARK=Yes requires MARK Target in your kernel and iptables

What do I need to ask my provider to enable on the host node?

Many thanks for your help

--Paul
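The error above is Shorewall saying that the netfilter MARK target is not usable from inside the container. Before asking the provider, it is worth confirming that from the container itself. The script below is an added example for this thread (it is not from the post, from Shorewall, or from OpenVZ); it assumes the container exposes /proc/net/ip_tables_targets (the kernel's list of registered targets, one name per line) and has an iptables binary, and the two sample target lists it starts with are constructed here purely to show both outcomes.

```shell
#!/bin/sh
# Added example (not from the thread): is the netfilter MARK target available here?
# Shorewall's FORWARD_CLEAR_MARK=Yes needs it. On an OpenVZ VPS the host node decides
# which netfilter modules a container may use, so this is what to verify first.

# has_mark_target FILE
# FILE has the layout of /proc/net/ip_tables_targets: one registered target per line.
# Returns 0 (true) when MARK is listed, 1 otherwise.
has_mark_target() {
    grep -qx 'MARK' "$1"
}

# probe_mark_rule
# Live check: insert a MARK rule at the top of mangle/OUTPUT, then remove it again.
# Returns 0 if iptables accepted the rule, 1 if the target is missing, iptables is
# absent, or we lack the privilege to change rules.
probe_mark_rule() {
    command -v iptables >/dev/null 2>&1 || return 1
    if iptables -t mangle -I OUTPUT 1 -j MARK --set-mark 1 2>/dev/null; then
        iptables -t mangle -D OUTPUT 1
        return 0
    fi
    return 1
}

# report FILE: print a one-line verdict for a target-list file.
report() {
    if has_mark_target "$1"; then
        echo "MARK target listed in $1"
    else
        echo "MARK target NOT listed in $1 (ask the host to allow ipt_MARK/xt_MARK)"
    fi
}

# Constructed sample lists (not taken from any real system) showing both outcomes.
sample_with=$(mktemp)
sample_without=$(mktemp)
printf 'REJECT\nLOG\nMARK\nMASQUERADE\n' > "$sample_with"
printf 'REJECT\nLOG\nMASQUERADE\n' > "$sample_without"
report "$sample_with"
report "$sample_without"
rm -f "$sample_with" "$sample_without"

# On the real container: read the kernel's list, then confirm with a live rule.
[ -r /proc/net/ip_tables_targets ] && report /proc/net/ip_tables_targets
if probe_mark_rule; then
    echo "iptables can add a MARK rule: FORWARD_CLEAR_MARK=Yes will work"
else
    echo "iptables cannot add a MARK rule: set FORWARD_CLEAR_MARK=No, or have the host enable the module"
fi
```

Run it as root inside the VPS. Shorewall's own view of the same thing is `shorewall show capabilities`, which lists "Mark Target" among the features it detected. If MARK is missing, the two options are the ones the error message itself implies: set FORWARD_CLEAR_MARK=No in /etc/shorewall/shorewall.conf, or ask the provider to add the MARK module (ipt_MARK / xt_MARK, depending on the host kernel) to the container's permitted iptables module list, which on OpenVZ is the IPTABLES= setting of the container's configuration on the host node.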