On Aug 1, 2011, at 2:56 PM, Paul Stuffins wrote:

> I am trying to set iptables up, but am getting into a right mess editing the
> rules direct in the init script.
>
> What are people's recommendations of a front end, either one that I can run
> via an Apache VirtualHost, obviously on a secured and locked down VirtualHost
> so that only I can access it, or via SSH.
What I did was a lot of work up front, but a lot less out back... I wrote a huge shell script that creates the whole thing. INPUT:

> root@server:/etc/ipfilterfiles# pfil status INPUT
>
> Running on host: server.slsware.dmz
>
> --- FILTER table---
>
> Chain INPUT (policy DROP 0 packets, 0 bytes)
> num   pkts bytes target     prot opt in     out     source               destination
> 1    35662 9574K ACCEPT     all  --  lo     *       127.0.0.1            0.0.0.0/0
> 2      112  9916 ACCEPT     all  --  lo     *       192.168.2.218        0.0.0.0/0
> 3      135  6216 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID reject-with icmp-port-unreachable
> 4    9458K  502M IDS_BLK    all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 5    9458K  502M TMP_BLK    all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 6    9407K  500M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
> 7        0     0 ACCEPT     all  -f  *      *       0.0.0.0/0            0.0.0.0/0
> 8        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:!0x17/0x02
> 9       87  7308 ACCEPT     all  --  tun+   *       0.0.0.0/0            192.168.0.204
> 10   50590 2850K NUISANCES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 11   50590 2850K SPOOFQ     all  --  *      *       0.0.0.0/0            0.0.0.0/0
> 12   12874  834K UDPIN      udp  --  *      *       0.0.0.0/0            0.0.0.0/0
> 13   30513 1813K TCPIN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
> 14    7203  202K ICMP_CHK   icmp --  *      *       0.0.0.0/0            0.0.0.0/0
> 15       0     0 IGMP_CHK   2    --  *      *       0.0.0.0/0            0.0.0.0/0
> 16       7   360 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
> 17       0     0            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* Loaded Sun Jun 19 07:07:21 MDT 2011 */

for example, does a little filtering to get rid of IDS and MS noise and spoofs and stuff, then splits on TCP/UDP/ICMP/etc. to locally created chains. In these chains, the packets are processed by port number -- traffic to port 24 has another chain full of spammers I've seen in the last month or so, and so forth. The main program has some utilities in it to modify the chains. ssh is a good tool for getting to it.

You only have to do it once...
-- 
Glenn English

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/af88ca6a-8678-45df-a374-03a9e041c...@slsware.com
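The approach Glenn describes above (one script that builds the whole ruleset, with INPUT split into per-protocol chains that are then processed by port) can be done without touching the init script by hand. The following is an added example and is not Glenn's script or anything from the thread: it generates a complete ruleset in iptables-restore format, using the chain names from his listing (TCPIN, UDPIN, ICMP_CHK), and includes a sanity check that refuses a file with a jump to an undeclared chain, since iptables-restore would reject the whole file in that case. The rule for rule 8 in the listing (tcp flags:!0x17/0x02) is written as `! --syn`, which is the same match. ADMIN_NET, TCP_PORTS and UDP_PORTS are assumed values chosen for illustration; the generator itself needs no privileges, only loading the result with iptables-restore does.

```shell
#!/bin/sh
# Added example, not Glenn English's script: generate a complete iptables
# ruleset in iptables-restore format, with INPUT split into per-protocol
# chains (TCPIN, UDPIN, ICMP_CHK) that are then filtered by port.
# The management network and port lists below are assumed values.

ADMIN_NET="${ADMIN_NET:-192.168.0.0/24}"   # assumed: network allowed to reach SSH
TCP_PORTS="${TCP_PORTS:-80 443}"           # assumed: TCP services open to everyone
UDP_PORTS="${UDP_PORTS:-1194}"             # assumed: OpenVPN listener

# Emit one ACCEPT rule per port for the given chain and protocol.
port_rules() {
    chain=$1; proto=$2; shift 2
    for port in "$@"; do
        printf '%s\n' "-A $chain -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Print the whole ruleset. Order matters: loopback, INVALID, ESTABLISHED and
# the non-SYN drop come before the protocol split, and the final REJECT catches
# anything the per-protocol chains returned without a decision.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCPIN - [0:0]
:UDPIN - [0:0]
:ICMP_CHK - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate INVALID -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp ! --syn -j DROP
-A INPUT -p udp -j UDPIN
-A INPUT -p tcp -j TCPIN
-A INPUT -p icmp -j ICMP_CHK
-A INPUT -j REJECT --reject-with icmp-port-unreachable
EOF
    # SSH only from the management network, then the public TCP/UDP services.
    printf '%s\n' "-A TCPIN -p tcp -s $ADMIN_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    port_rules TCPIN tcp $TCP_PORTS   # unquoted on purpose: split the list into words
    port_rules UDPIN udp $UDP_PORTS
    # Rate-limited echo requests; excess echo is dropped, other ICMP types
    # return to INPUT and hit its final REJECT.
    printf '%s\n' "-A ICMP_CHK -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT"
    printf '%s\n' "-A ICMP_CHK -p icmp --icmp-type echo-request -j DROP"
    printf 'COMMIT\n'
}

# Sanity check before loading: every -j target must be a built-in target or a
# chain declared with a ':' line, otherwise iptables-restore rejects the file
# as a whole and the old rules stay in place.
check_ruleset() {
    awk '
        /^:/  { chains[substr($1, 2)] = 1 }
        /^-A/ { for (i = 1; i <= NF; i++) if ($i == "-j") targets[$(i + 1)] = 1 }
        END {
            n = split("ACCEPT DROP REJECT RETURN", builtin, " ")
            for (i = 1; i <= n; i++) chains[builtin[i]] = 1
            for (t in targets) if (!(t in chains)) { print "undefined chain: " t; bad = 1 }
            exit bad
        }'
}

# Usage: sh fw.sh check            (validate the generated file)
#        sh fw.sh print > rules.v4 (then, as root: iptables-restore < rules.v4)
case "${1:-}" in
    print) gen_rules ;;
    check) gen_rules | check_ruleset ;;
esac
```

Keeping the policy as a generated file rather than a list of `iptables` invocations in an init script means the whole thing loads atomically (iptables-restore applies all or nothing), it can be reviewed with `diff` before loading, and the check step catches a renamed chain before it can lock you out of the box.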