On 04/20/2011 02:47 PM, Nicolas Kovacs wrote:
On 20/04/2011 02:26, Tom H wrote:
On Tue, Apr 19, 2011 at 12:53 PM, Robert E. Blair <r...@anl.gov> wrote:
There is a sourceforge project called firestarter which has a rather
nice script that does lots of iptables config and provides a gui monitor
of firewall activity.
You could also try APF:
http://www.rfxn.com/projects/advanced-policy-firewall/
(I've never used it so this isn't an experienced-based recommendation
but I've installed it on a test box to check out its rules and they
looked good.)

Shorewall's also an option that you could consider. It's another blind
recommendation though; I've never even seen its default rules...
Thanks very much for the numerous answers. I read through a pile of
documentation, and figured out the most simple solution was a
handcrafted iptables script from scratch. Here goes:

--8<-------------------------------
#!/bin/sh
##/root/bin/firewall-start
IPT="/sbin/iptables"
WAN_IFACE="eth0"
LAN_IFACE="eth1"
# Flush all rules and delete user-defined chains in every table
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
# Default policies: drop incoming, allow forwarded and outgoing
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# Loopback and a few ICMP types
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
# Replies to connections this host opened
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH and DHCP server, LAN side only
$IPT -A INPUT -p tcp -i $LAN_IFACE --dport 22 -j ACCEPT
$IPT -A INPUT -p udp -i $LAN_IFACE --dport 67 -j ACCEPT
# Log and reject everything else
$IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
$IPT -A INPUT -j REJECT
# NAT for LAN hosts going out through the WAN interface
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
# Persist the rules and reload them through the iptables init script
/sbin/service iptables save
/sbin/service iptables condrestart
--8<-------------------------------

Works like a charm so far. Logging (near the end of the script) tells me
whenever I'm locking myself out of something.

Cheers from South France,

Niki
Please add the following line BEFORE the RELATED,ESTABLISHED line

$IPT -A INPUT -m state --state INVALID -j DROP

This will drop any packet whose flags make no sense or whose size is not as advertised.

If you are not intending to do any routing, I'd remove the "$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE" line as well as "$IPT -P FORWARD ACCEPT" and instead insert some drops.

Adding to the list of firewall management, I'm strangely attached to UFW.... mostly because I can pre-load application rules into it and it makes limiting connection rates easier[1]. A current(ish) rpm is hiding out at http://www.openmamba.org/distribution/distromatic.html?tag=devel-ercolinux&pkg=ufw.source

Pat

[1] http://www.snowman.net/projects/ipt_recent/ (you can seriously slow brute-force logins with this)
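As an added example (not Niki's script and not from anyone in the thread), here is his INPUT chain with Pat's two suggestions applied (INVALID dropped before conntrack is trusted; FORWARD default DROP with explicit LAN-to-WAN rules instead of ACCEPT) plus the ipt_recent rate limit from Pat's footnote on the LAN-side SSH port. LAN_NET is an assumed range; without IPT set, the rules are only printed so the ordering can be checked as a non-root user.

```shell
#!/bin/sh
# Added example: Niki's rule set reworked along Pat's advice. Dry run by
# default; run with IPT=/sbin/iptables to actually load the rules.
IPT="${IPT:-echo iptables}"
WAN_IFACE="${WAN_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed LAN range, not from the thread

firewall_rules() {
    $IPT -F; $IPT -t nat -F; $IPT -t mangle -F
    $IPT -X; $IPT -t nat -X; $IPT -t mangle -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP               # was ACCEPT: forward only what is listed below
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Pat's addition: bad flags / bad sizes are dropped before the conntrack accept
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    # SSH from the LAN, limited with ipt_recent: the 5th new connection from one
    # source within 60 s is logged and dropped; slower clients reach the ACCEPT
    $IPT -A INPUT -p tcp -i $LAN_IFACE --dport 22 -m state --state NEW \
        -m recent --name ssh --set
    $IPT -A INPUT -p tcp -i $LAN_IFACE --dport 22 -m state --state NEW \
        -m recent --name ssh --update --seconds 60 --hitcount 5 \
        -j LOG --log-prefix "+++ ssh rate limit +++ "
    $IPT -A INPUT -p tcp -i $LAN_IFACE --dport 22 -m state --state NEW \
        -m recent --name ssh --rcheck --seconds 60 --hitcount 5 -j DROP
    $IPT -A INPUT -p tcp -i $LAN_IFACE --dport 22 -j ACCEPT
    $IPT -A INPUT -p udp -i $LAN_IFACE --dport 67 -j ACCEPT
    $IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
    $IPT -A INPUT -j REJECT
    # Routing: LAN hosts out to the WAN and their replies back, nothing else
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET -j ACCEPT
    $IPT -A FORWARD -i $WAN_IFACE -o $LAN_IFACE -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -j LOG --log-prefix "+++ forward rejected +++ "
    $IPT -t nat -A POSTROUTING -o $WAN_IFACE -s $LAN_NET -j MASQUERADE
}

# Returns 0 when, in the emitted INPUT rules, INVALID is dropped before
# RELATED,ESTABLISHED is accepted (the point of Pat's "BEFORE").
check_rule_order() {
    out=$(firewall_rules)
    inv=$(printf '%s\n' "$out" | grep -n 'INPUT -m state --state INVALID' | cut -d: -f1)
    est=$(printf '%s\n' "$out" | grep -n 'INPUT -m state --state RELATED' | cut -d: -f1)
    [ -n "$inv" ] && [ -n "$est" ] && [ "$inv" -lt "$est" ]
}

firewall_rules
```

The `service iptables save` / `condrestart` lines from Niki's script are left out here; add them back after `firewall_rules` once the printed rule list looks right.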
