Re: setting up iptables

2004-03-09 Thread Glen Mehn

Costas Magkos wrote:

Thank you all for the links and hints.

What I was really looking for was the Debian way of doing things, which 
I managed to locate in the "Securing Debian Manual" [1]. According to 
this, the iptables init.d script should be used. However, the 
author/package-maintainer disapproves of this method:


(from /etc/default/iptables:)

"..
#Q: You concocted this init.d setup, but you do not like it?
# A: I was pretty much hounded into providing it. I do not like it.
#Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
#scripts use /etc/ppp/ip-*.d/ script. Create your own custom
#init.d script -- no need to even name it iptables.  Use ferm,
#ipmasq, ipmenu, guarddog, firestarter, or one of the many other
#firewall configuration tools available. Do not use the init.d
#script.
.."

The whole thing is a little confusing (to novice guys like me). There is 
a manual referring to the use of the script, while the very author of 
the script discourages the use of it. It seems a matter of personal 
taste, but I think he could at least have explained his reasons.


Anyway, I decided to follow the procedures in the manual.



seriously, use shorewall (or something similar). They're all just 
interfaces to iptables, and after ipfw, ipchains, iptables, etc, my 
head's ready to explode with syntax.


there are also nice, updated versions of shorewall for debian at 
shorewall.net, at backports.org, and at apt-get.org...


the author of the script puts it there for compatibility with the debian 
software guidelines, but he recommends other tools in any case.


(I'm sure the others are there, too)

-g
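One way to take the package maintainer's advice quoted above literally (use /etc/network/*.d/ scripts rather than the init.d script), as an added example that is not code from the thread, from the iptables package or from the Securing Debian Manual: an ifupdown hook for /etc/network/if-pre-up.d/ that validates a ruleset saved with iptables-save and loads it before an interface comes up. The ruleset path /etc/iptables.up.rules, the sample ruleset, and the reliance on the IFACE and MODE variables ifupdown exports to its hooks are assumptions made here; the hook file name must contain no dot, or run-parts skips it.

```sh
#!/bin/sh
# Added example: ifupdown hook for /etc/network/if-pre-up.d/ that loads a saved
# iptables ruleset before an interface comes up. Not code from the thread or
# from the Securing Debian Manual. Install it without a dot in the file name,
# or run-parts will silently skip it.
# Assumptions: rules were saved with "iptables-save > /etc/iptables.up.rules";
# ifupdown exports IFACE and MODE to hooks; a failing pre-up hook aborts ifup.

RULES=${RULES:-/etc/iptables.up.rules}

# write_sample_ruleset FILE: constructed iptables-save dump for a single server
# with no routing (default-deny inbound, allow loopback, replies and ssh).
write_sample_ruleset() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
    chmod 600 "$1"
}

# validate_ruleset FILE: 0 if FILE is a complete iptables-save dump that is
# safe to load at boot, 1 (with a reason on stderr) otherwise.
validate_ruleset() {
    f=$1
    [ -f "$f" ] || { echo "ruleset $f: missing or not a regular file" >&2; return 1; }
    # A boot-time ruleset writable by group/other lets any local user rewrite
    # the firewall; refuse it rather than load it.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        *[2367][0-7]|*[2367])
            echo "ruleset $f: mode $mode is group/world writable" >&2; return 1 ;;
    esac
    # Every "*table" block must be closed by a COMMIT line, and a filter table
    # must be present; otherwise the dump is truncated or not a ruleset at all.
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    if [ "$tables" -eq 0 ] || [ "$tables" -ne "$commits" ]; then
        echo "ruleset $f: $tables table(s) but $commits COMMIT line(s)" >&2; return 1
    fi
    grep -q '^\*filter$' "$f" || { echo "ruleset $f: no filter table" >&2; return 1; }
    return 0
}

# restore_ruleset FILE: validates, then loads FILE with iptables-restore, which
# applies each table as a unit (a bad line leaves the kernel's current rules
# in place). Needs root; not run during the self-test below.
restore_ruleset() {
    validate_ruleset "$1" || return 1
    iptables-restore < "$1"
}

if [ -n "${IFACE:-}" ]; then
    # Called by ifupdown: load the rules before each real interface comes up
    # (reloading the same file is idempotent). A non-zero exit makes ifup
    # fail, so a broken or tampered ruleset leaves the box with no interface
    # rather than with no firewall.
    [ "$IFACE" = lo ] && exit 0
    [ "${MODE:-start}" = start ] || exit 0
    restore_ruleset "$RULES" || { echo "$IFACE: firewall not loaded, refusing to bring it up" >&2; exit 1; }
else
    # Run by hand: self-test validation on a constructed sample ruleset.
    tmp=$(mktemp -d)
    write_sample_ruleset "$tmp/rules"
    validate_ruleset "$tmp/rules" && echo "sample ruleset passes validation"
    rm -rf "$tmp"
fi
```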




Re: setting up iptables

2004-03-08 Thread Costas Magkos

Thank you all for the links and hints.

What I was really looking for was the Debian way of doing things, which 
I managed to locate in the "Securing Debian Manual" [1]. According to 
this, the iptables init.d script should be used. However, the 
author/package-maintainer disapproves of this method:


(from /etc/default/iptables:)

"..
#Q: You concocted this init.d setup, but you do not like it?
# A: I was pretty much hounded into providing it. I do not like it.
#Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
#scripts use /etc/ppp/ip-*.d/ script. Create your own custom
#init.d script -- no need to even name it iptables.  Use ferm,
#ipmasq, ipmenu, guarddog, firestarter, or one of the many other
#firewall configuration tools available. Do not use the init.d
#script.
.."

The whole thing is a little confusing (to novice guys like me). There is 
a manual referring to the use of the script, while the very author of 
the script discourages the use of it. It seems a matter of personal 
taste, but I think he could at least have explained his reasons.


Anyway, I decided to follow the procedures in the manual.

~kmag



[1] 
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-setup 
(section 5.14.3.1 Doing it the Debian way)


On 04/03/04 17:14, Costas Magkos wrote:


Hi all,

Can someone give me some best-practices for setting up iptables on a 
Debian system? I'm looking for things like where should the rules be 
placed, what startup script to use [1], good configuration tools [2] 
and so on. URLs are appreciated, I don't mind reading :-)


I'm currently setting up iptables on a single-server environment (no 
routing), but since I will be using iptables a lot, general concepts 
are also welcome.


--

[1] When looking around how to set up iptables, I found in 
/etc/default/iptables some discouraging words (apparently from the 
author) about the usage of the iptables init.d script, which can be 
summarized to this: "Do not use it". Why not? And if not, is there any 
other way?


[2] I tried firestarter, seems nice. However, it produces a large 
ruleset with tons of redundant rules and /proc optimizations (for 
instance, the anti-spoof filtering is activated by default). It 
involves too much editing, which I have no problem doing if someone 
tells me it's worth it.


Thanks in advance,

~kmag

Costas Magkos
Internet Systematics Lab
Athens, Greece








Re: setting up iptables

2004-03-05 Thread s. keeling
Incoming from Klaus Maxam:
> From: s. keeling / Thu, 4 Mar 2004 09:56:01 -0700
> > Incoming from Costas Magkos:
> > > 
> > > Can someone give me some best-practices for setting up iptables on a
> > 
> > Good question.  I'm using ppp and I have a script in /etc/ppp/ip-up.d
> > that should be run by /etc/ppp/ip-up:
> > 
> > # This script is run by the pppd after the link is established.
> > # It uses run-parts to run scripts in /etc/ppp/ip-up.d, so to add
> > 
> > I've yet to see ip-up execute it.  I haven't yet figured out why.  The
>  
> You've read the manpage?

Sigh.  No.  I didn't realize there was one.

> directory directory.  Filenames   should consist entirely of upper
> and lower case letters, digits, underscores, and hyphens.  Sub-

That could be the problem, thanks.  mv blah.sh blah

Much appreciated.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -




Re: setting up iptables

2004-03-05 Thread Klaus Maxam
Hi,
From: s. keeling / Thu, 4 Mar 2004 09:56:01 -0700
> Incoming from Costas Magkos:
> > 
> > Can someone give me some best-practices for setting up iptables on a
> > Debian system? I'm looking for things like where should the rules be
> > placed, what startup script to use [1], good configuration tools [2]
> > and 
> 
> Good question.  I'm using ppp and I have a script in /etc/ppp/ip-up.d
> that should be run by /etc/ppp/ip-up:
> 
> # This script is run by the pppd after the link is established.
> # It uses run-parts to run scripts in /etc/ppp/ip-up.d, so to add routes,
> # set IP address, run the mailq etc. you should create script(s) there.
> 
> I've yet to see ip-up execute it.  I haven't yet figured out why.  The
> script runs fine at the command line.
>
 
You've read the manpage?
DESCRIPTION
   run-parts runs a number of scripts or programs found in a single
   directory directory.  Filenames should consist entirely of upper and
   lower case letters, digits, underscores, and hyphens.  Subdirectories
   of directory and files with other names will be silently ignored.

HTH
 Klaus
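As an added example (not code from the thread), a small POSIX sh script that applies the run-parts filename rule Klaus quotes to a hook directory, so a hook that will never fire, such as the blah.sh that gets renamed to blah above, is caught before the link comes up. It assumes a plain run-parts invocation without --lsbsysinit or --regex, so the rule is exactly the one in the man page excerpt, and it also flags non-executable files and subdirectories, which run-parts skips as well.

```sh
#!/bin/sh
# Added example, not from the thread: lists the entries in a hook directory
# (such as /etc/ppp/ip-up.d or /etc/network/if-pre-up.d) that run-parts would
# silently ignore. Assumption: plain run-parts with no --lsbsysinit/--regex,
# so a name may only contain letters, digits, underscores and hyphens.

# run_parts_eligible NAME: returns 0 if run-parts would run a file called NAME,
# 1 if the name alone makes run-parts skip it silently.
run_parts_eligible() {
    case "$1" in
        '')                 return 1 ;;   # empty name
        *[!A-Za-z0-9_-]*)   return 1 ;;   # a dot, space or other character
        *)                  return 0 ;;
    esac
}

# list_skipped_hooks DIR: prints one line per entry in DIR that run-parts
# would ignore, with the reason, so a firewall hook that never fires is found.
list_skipped_hooks() {
    dir=$1
    for path in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$path" ] || continue                     # unmatched glob pattern
        name=${path##*/}
        if [ -d "$path" ]; then
            printf '%s\tsubdirectory\n' "$name"
        elif ! run_parts_eligible "$name"; then
            printf '%s\tname contains characters outside [A-Za-z0-9_-]\n' "$name"
        elif [ ! -x "$path" ]; then
            printf '%s\tnot executable\n' "$name"
        fi
    done
}

# count_skipped_hooks DIR: number of entries in DIR that run-parts would ignore.
count_skipped_hooks() {
    list_skipped_hooks "$1" | wc -l | tr -d ' '
}

# Demo on a constructed directory standing in for /etc/ppp/ip-up.d.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho firewall\n' > "$demo_dir/firewall.sh"   # skipped: dot
printf '#!/bin/sh\necho firewall\n' > "$demo_dir/firewall"      # runs
printf '#!/bin/sh\necho routes\n'   > "$demo_dir/00-routes"     # runs
printf '#!/bin/sh\n'                > "$demo_dir/10_nomode"     # skipped: no +x
chmod +x "$demo_dir/firewall.sh" "$demo_dir/firewall" "$demo_dir/00-routes"
mkdir "$demo_dir/old"                                           # skipped: dir
echo "Hooks in $demo_dir that run-parts would ignore:"
list_skipped_hooks "$demo_dir"
rm -rf "$demo_dir"
```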




RE: setting up iptables

2004-03-05 Thread Novotny, Tomas
Hi

try this: http://www.shorewall.net/ - lots of documentation, including some samples 
for 1, 2, 3 interfaces and of course Debian packages.

Tomas Novotny
Internet systems manager 
Bratislava, Slovakia






Re: setting up iptables

2004-03-04 Thread Lars Ellenberg
/ 2004-03-04 19:17:10 +0100
\ Marcus Frings:
> > If you like editing config files more than clicking some colorful frontend,
> > you may want to have a look at SuSEfirewall2 by Marc Heuse.

> > I like it. Much brainwork went in it. I'd love to see something
> > similar (based on it?) in Debian.
> 
> Have a look at `firehol'. Available in sid but it can also be used for
> woody. Upstream source is 

YES! Nice one. Thank you for the pointer.
I'm not so sure whether I like the default "ACCEPT" during activation.
But this was only a first glance at this amazing script.

Lars Ellenberg




RE: setting up iptables

2004-03-04 Thread Christian Storch
Have a look at http://www.netfilter.org/ - there you could find all about
it.
If you want a nice html configuration, start a firewall script from above
and import it by 'webmin-firewall'.

Christian





Re: setting up iptables

2004-03-04 Thread Marcus Frings
* Lars Ellenberg <[EMAIL PROTECTED]> wrote:

> If you like editing config files more than clicking some colorful frontend,
> you may want to have a look at SuSEfirewall2 by Marc Heuse.
> [Note the "2". And, btw, current version of it is 3.1 :)]

> This is "only" a bash script wrapper for iptables
> with a well commented configuration file.
> It should work with little effort on Debian, too.

> I like it. Much brainwork went in it. I'd love to see something
> similar (based on it?) in Debian.

Have a look at `firehol'. Available in sid but it can also be used for
woody. Upstream source is 

Regards,
Marcus
-- 
"Put out the light, put it out. But once your light is put out,
never shall I find the Promethean spark again."



Re: setting up iptables

2004-03-04 Thread thing

This might help you,

http://www.thing.dyndns.org/debian/iptables.htm

regards

Thing









Re: setting up iptables

2004-03-04 Thread Lars Ellenberg
/ 2004-03-04 17:14:50 +0200
\ Costas Magkos:
> Hi all,
> 
> Can someone give me some best-practices for setting up iptables on a 
> Debian system? I'm looking for things like where should the rules be 
> placed, what startup script to use [1], good configuration tools [2] and 
> so on. URLs are appreciated, I don't mind reading :-)
> 
> I'm currently setting up iptables on a single-server environment (no 
> routing), but since I will be using iptables a lot, general concepts are 
> also welcome.

If you like editing config files more than clicking some colorful frontend,
you may want to have a look at SuSEfirewall2 by Marc Heuse.
[Note the "2". And, btw, current version of it is 3.1 :)]

This is "only" a bash script wrapper for iptables
with a well commented configuration file.
It should work with little effort on Debian, too.

I like it. Much brainwork went in it. I'd love to see something
similar (based on it?) in Debian.

AFAIK, the most recent version
can be found here, and on the suse mirrors of course:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/noarch/SuSEfirewall2.rpm
(I don't know of any tgz, sorry,
 but there is rpm2cpio * | cpio --extract --make-dir )

Lars Ellenberg




Re: setting up iptables

2004-03-04 Thread s. keeling
Incoming from Costas Magkos:
> 
> Can someone give me some best-practices for setting up iptables on a 
> Debian system? I'm looking for things like where should the rules be 
> placed, what startup script to use [1], good configuration tools [2] and 

Good question.  I'm using ppp and I have a script in /etc/ppp/ip-up.d
that should be run by /etc/ppp/ip-up:

# This script is run by the pppd after the link is established.
# It uses run-parts to run scripts in /etc/ppp/ip-up.d, so to add routes,
# set IP address, run the mailq etc. you should create script(s) there.

I've yet to see ip-up execute it.  I haven't yet figured out why.  The
script runs fine at the command line.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -




Re: setting up iptables

2004-03-04 Thread Andreas Demant

Hi Costas,
I'm using iptables together with the given script /etc/init.d/iptables 
(for Debian Woody): First setting up the iptable and then saving it with 
'/etc/init.d/iptables save active'.


When iptables is started during booting (see in /etc/rc???) then this 
table will be reloaded.


Yours
Andreas Demant



RE: setting up iptables

2004-03-04 Thread ida4327

Hi Costas Magkos

I can recommend the webmin module called "Turtle Firewall", it is a very good 
tool for setting up IPTables.

http://www.turtlefirewall.com/

Kim




Re: setting up iptables

2004-03-04 Thread Lars Ellenberg
/ 2004-03-04 17:14:50 +0200
\ Costas Magkos:
> Hi all,
> 
> Can someone give me some best-practices for setting up iptables on a 
> Debian system? I'm looking for things like where should the rules be 
> placed, what startup script to use [1], good configuration tools [2] and 
> so on. URLs are appreciated, I dont mind reading :-)
> 
> I'm currently setting up iptables on a single-server enviroment (no 
> routing), but since I will be using iptables a lot, general concepts are 
> also welcome.

If you like editing config files more than clicking some colorful frontend,
you may want to have a look at SuSEfirewall2 by Marc Heuse.
[Note the "2". And, btw, current version of it is 3.1 :)]

This is "only" a bash script wrapper for iptables
with a well commented configuration file.
It should work with little effort on Debian, too.

I like it. Much brainwork went in it. I'd love to see something
similar (based on it?) in Debian.

AFAIK, the most recent version
can be found here, and on the suse mirrors of course:
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/noarch/SuSEfirewall2.rpm
(I don't know of any tgz, sorry,
 but there is rpm2cpio * | cpio --extract --make-dir )

Lars Ellenberg


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: setting up iptables

2004-03-04 Thread s. keeling
Incoming from Costas Magkos:
> 
> Can someone give me some best-practices for setting up iptables on a 
> Debian system? I'm looking for things like where should the rules be 
> placed, what startup script to use [1], good configuration tools [2] and 

Good question.  I'm using ppp and I have a script in /etc/ppp/ip-up.d
that should be run by /etc/ppp/ip-up:

# This script is run by the pppd after the link is established.
# It uses run-parts to run scripts in /etc/ppp/ip-up.d, so to add routes,
# set IP address, run the mailq etc. you should create script(s) there.

I've yet to see ip-up execute it.  I haven't yet figured out why.  The
script runs fine at the command line.


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)   http://www.spots.ab.ca/~keeling 
- -


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: setting up iptables

2004-03-04 Thread Andreas Demant
Hi Costas,
I'm using iptables together with the given script /etc/init.d/iptables 
(for Debian Woody): first set up the tables, then save them with 
'/etc/init.d/iptables save active'.

When iptables is started during booting (see /etc/rc???) this 
table will be reloaded.

Yours
Andreas Demant
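Whichever of the three routes from this thread is used (the init script's `save active`, a hook under /etc/network or /etc/ppp, or a hand-written init.d script), the ruleset itself ends up in iptables-save(8) format, and it is easier to review and to keep in version control as text than as a sequence of `iptables -A` commands. As an added example, not from the thread or from the Debian package, the script below generates such a ruleset for the single-server, no-routing case the original question describes and sanity-checks it before anything is loaded. It assumes sshd on tcp/22 is the only service to expose and that administration comes from 192.0.2.0/24 (a documentation range standing in for your management network).

```shell
#!/bin/sh
# Added example: builds an iptables-restore(8) ruleset for a single server
# (no forwarding) as text, so it can be inspected before being loaded.
# Assumptions (not from the thread): sshd on tcp/22 is the only service that
# must stay reachable, and management comes from 192.0.2.0/24.

ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
SSH_PORT="${SSH_PORT:-22}"

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is trusted
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related ICMP / ftp-data
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# a "new" TCP packet that is not a SYN is a stray or a scan: drop it
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# admin access to sshd only from the management network
-A INPUT -p tcp -s ${ADMIN_NET} --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
# keep rate-limited ping for diagnostics
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# log (rate-limited) just before the default DROP policy applies
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Sanity check on the generated text: INPUT and FORWARD default to DROP, and
# no rule accepts NEW TCP connections without a source restriction.
check_ruleset() {
    rules=$(gen_ruleset)
    echo "$rules" | grep -q '^:INPUT DROP' || return 1
    echo "$rules" | grep -q '^:FORWARD DROP' || return 1
    echo "$rules" | grep '^-A INPUT .*--state NEW -j ACCEPT' | grep -qv -- '-s ' && return 1
    return 0
}
```

Load it with `gen_ruleset > /etc/firewall.rules && iptables-restore < /etc/firewall.rules`; the Woody init script's `save active` then stores the live tables via iptables-save (under /var/lib/iptables/, as far as I recall; check the script before relying on it). Two practitioner caveats: when loading a default-DROP ruleset over ssh, start a timed rollback first, e.g. `(sleep 300 && iptables -P INPUT ACCEPT && iptables -F INPUT) &`, and kill it only once the new session works; and the /proc tweaks that frontends such as firestarter emit (rp_filter and friends) are sysctl settings, not rules, so they belong in /etc/sysctl.conf rather than in the saved ruleset.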


RE: setting up iptables

2004-03-04 Thread ida4327

Hi Costas Magkos

I can recommend the webmin module called "Turtle Firewall", it is a very good tool for 
setting up IPTables.

http://www.turtlefirewall.com/

Kim

>Hi all,

>Can someone give me some best-practices for setting up iptables on a
>Debian system? I'm looking for things like where should the rules be
>placed, what startup script to use [1], good configuration tools [2] and
>so on. URLs are appreciated, I dont mind reading :-)

>I'm currently setting up iptables on a single-server environment (no
>routing), but since I will be using iptables a lot, general concepts are
>also welcome.

>--

>[1] When looking around how to set up iptables, I found in
>/etc/default/iptables some discouraging words (apparently from the
>author) about the usage of the iptables init.d script, which can be
>summarized to this: "Do not use it". Why not? And if not, is there any
>other way?

>[2] I tried firestarter, seems nice. However, it produces a large
>ruleset with tons of redundant rules and /proc optimizations (for
>instance, the anti-spoof filtering is activated by default). It involves
>too much editing, which I have no problem doing if someone tells me
>it's worth it.

>Thanks in advance,

>~kmag

>Costas Magkos
>Internet Systematics Lab
>Athens, Greece





Re: Setting up iptables with 2.4.0test11

2000-11-23 Thread tim
-- Original Message --
From: Pollywog <[EMAIL PROTECTED]>
Reply-to: Pollywog <[EMAIL PROTECTED]>
Date: Thu, 23 Nov 2000 03:51:21 + (UTC)

>
>On Wed, 22 Nov 100 22:11:33 -0500, tim said:
>
>>  
>>  Can someone provide a step by step procedure for configuring
>>  IP masquerading with iptables with a 2.4.0 kernel.
>>  
>>  thanks a lot to anyone taking time to reply.
>
>These are my Netfilter and related options for my kernel:
>
># Networking options
>
>CONFIG_NETFILTER=y
>CONFIG_NETFILTER_DEBUG=y
>
>
>#   IP: Netfilter Configuration
>#
>CONFIG_IP_NF_CONNTRACK=m
>CONFIG_IP_NF_FTP=m
>CONFIG_IP_NF_IPTABLES=m
># CONFIG_IP_NF_MATCH_LIMIT is not set
>CONFIG_IP_NF_MATCH_MAC=m
>CONFIG_IP_NF_MATCH_MARK=m
>CONFIG_IP_NF_MATCH_MULTIPORT=m
># CONFIG_IP_NF_MATCH_TOS is not set
>CONFIG_IP_NF_MATCH_STATE=m
># CONFIG_IP_NF_MATCH_UNCLEAN is not set
># CONFIG_IP_NF_MATCH_OWNER is not set
>CONFIG_IP_NF_FILTER=m
>CONFIG_IP_NF_TARGET_REJECT=m
># CONFIG_IP_NF_TARGET_MIRROR is not set
>CONFIG_IP_NF_NAT=m
>CONFIG_IP_NF_NAT_NEEDED=y
>CONFIG_IP_NF_TARGET_MASQUERADE=m
># CONFIG_IP_NF_TARGET_REDIRECT is not set
># CONFIG_IP_NF_MANGLE is not set
>CONFIG_IP_NF_TARGET_LOG=m
># CONFIG_IP_NF_COMPAT_IPCHAINS is not set
># CONFIG_IP_NF_COMPAT_IPFWADM is not set
># CONFIG_IPV6 is not set
># CONFIG_KHTTPD is not set
># CONFIG_ATM is not set
>
>When you have compiled the kernel with similar options and installed the
>latest Netfilter package, go to
>
>www.linuxhelp.net  and check out the iptables script there in the
>Tutorials section.
>Edit that script to your needs and you are in business.
>
>--
>Andrew


thanks for the compile options

Where is the Tutorials section? I can't find the iptables script.

-Tim.







Re: Setting up iptables with 2.4.0test11

2000-11-23 Thread Florian Friesdorf
On Wed, Nov 22, 2000 at 10:11:33PM -0500, tim wrote:
> I am trying to setup iptables so that I can MASQUERADE my other boxes with 
> private IPs. 
> I have a DSL connection with a fixed IP.
> 
> Ran iptables-1.1.2's make patch-o-matic
> Recompiled the kernel 2.4.0test11 netfilter enabled.
> "I am not sure if I enabled the correct netfilter options"
> 
> Then I have tried 
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> which returns
> iptables: No chain/target/match by that name
> 
> Can someone provide a step by step procedure for configuring
> IP masquerading with iptables with a 2.4.0 kernel.

There is an excellent Howto available at

http://netfilter.kernelnotes.org/unreliable-guides/

-ff

-- 
 Florian Friesdorf <[EMAIL PROTECTED]>
OpenPGP key available on public key servers

--> Save the future of Open Source <--
-> Online-Petition against Software Patents <-
--> http://petition.eurolinux.org <---






Re: Setting up iptables with 2.4.0test11

2000-11-22 Thread Pollywog

On Wed, 22 Nov 100 22:11:33 -0500, tim said:

>  
>  Can someone provide a step by step procedure for configuring
>  IP masquerading with iptables with a 2.4.0 kernel.
>  
>  thanks a lot to anyone taking time to reply.

These are my Netfilter and related options for my kernel:

# Networking options

CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y


#   IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_MATCH_LIMIT is not set
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=m
# CONFIG_IP_NF_MATCH_TOS is not set
CONFIG_IP_NF_MATCH_STATE=m
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_TARGET_MIRROR is not set
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
# CONFIG_IP_NF_TARGET_REDIRECT is not set
# CONFIG_IP_NF_MANGLE is not set
CONFIG_IP_NF_TARGET_LOG=m
# CONFIG_IP_NF_COMPAT_IPCHAINS is not set
# CONFIG_IP_NF_COMPAT_IPFWADM is not set
# CONFIG_IPV6 is not set
# CONFIG_KHTTPD is not set
# CONFIG_ATM is not set

When you have compiled the kernel with similar options and installed the
latest Netfilter package, go to

www.linuxhelp.net  and check out the iptables script there in the
Tutorials section.
Edit that script to your needs and you are in business.

--
Andrew
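The error in the original question, "iptables: No chain/target/match by that name" for `-j MASQUERADE`, is what iptables reports when the target (or the nat table) is not present in the running kernel: either the option was never compiled in, or it was compiled as a module (=m, as in the configuration above) and that module has not been loaded. The following is an added example, my code rather than anything from the thread, that reads the Netfilter options out of a kernel .config and says which of the two it is. The .config fragment is constructed from the options posted above, and the 2.4-era module names it maps them to (ip_conntrack, ip_tables, iptable_nat, ipt_MASQUERADE) are an assumption to verify against /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/.

```shell
#!/bin/sh
# Added example: reads the Netfilter options from a kernel .config and reports
# what is still needed before `iptables -t nat -A POSTROUTING -o eth0
# -j MASQUERADE` can succeed. The .config text in sample_config is constructed
# from the options posted in the thread; the module names are the 2.4-era
# names and are an assumption here.

# Value of one CONFIG_ option: y, m, or n (unset / "is not set").
kconf() {
    # $1 = option name, $2 = .config file
    v=$(sed -n "s/^$1=\([ym]\)\$/\1/p" "$2")
    [ -n "$v" ] && echo "$v" || echo n
}

# Print the next step for MASQUERADE given a .config file:
#   "rebuild: ..."  -> kernel lacks the option, exit 1
#   "modprobe ..."  -> modules to load, exit 0
#   "builtin: ..."  -> everything compiled in, exit 0
masq_readiness() {
    cfg=$1
    [ "$(kconf CONFIG_NETFILTER "$cfg")" = y ] || { echo "rebuild: CONFIG_NETFILTER is off"; return 1; }
    missing=""
    mods=""
    for pair in CONFIG_IP_NF_CONNTRACK:ip_conntrack CONFIG_IP_NF_IPTABLES:ip_tables \
                CONFIG_IP_NF_NAT:iptable_nat CONFIG_IP_NF_TARGET_MASQUERADE:ipt_MASQUERADE; do
        opt=${pair%%:*}
        mod=${pair#*:}
        case $(kconf "$opt" "$cfg") in
            y) ;;
            m) mods="$mods $mod" ;;
            n) missing="$missing $opt" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "rebuild: enable$missing"
        return 1
    elif [ -n "$mods" ]; then
        echo "modprobe$mods"
        return 0
    else
        echo "builtin: nothing to load"
        return 0
    fi
}

# Constructed .config fragment, taken from the options posted above.
sample_config() {
    cat <<'EOF'
CONFIG_NETFILTER=y
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
# CONFIG_IP_NF_TARGET_REDIRECT is not set
EOF
}
```

Run it as `masq_readiness /usr/src/linux/.config`; for the configuration posted above it prints a modprobe line to execute as root. Loading the modules only makes the target available: masquerading still needs forwarding switched on with `echo 1 > /proc/sys/net/ipv4/ip_forward`, and a FORWARD chain that accepts the private-side traffic, before the POSTROUTING rule does anything useful.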


