
RE: internet firewall

Thanks for a fast reply.

>-----Original Message-----
>From: florin@cluj.iiruc.ro [mailto:florin@cluj.iiruc.ro]
>Sent: 18. juni 2001 10:46
>To: Anders Gjære
>Subject: Re: internet firewall
>On Mon, 18 Jun 2001, Anders Gjære wrote:
>> I have a Debian box with a 2.4.5 kernel and iptables.
>> How should I set up the rules for iptables?
>> All IPs behind the firewall are valid internet addresses, and should be
>> reachable through the firewall.
>Well, I think that you have to configure your routing table properly
>and then filter (incoming and/or outgoing) the traffic which is going
>to be forwarded by your box. Whether you want to use a default policy of
>DENY (REJECT) or ACCEPT is another matter and is a question of personal taste.
>Your rules have to be built thinking of what services on what boxes should
>be available and to whom.

It should be default accept,
and behind the firewall there should be one shell server (irc) and some
web servers, and our office.

The only thing I need is a possibility to block IPs if we are the victim of
a DoS attack.

Is this a good way to block an IP/IP range?

iptables -A INPUT -s $IP_TO_BLOCK -j REJECT 

(or just use $1 instead of $IP_TO_BLOCK)

The only thing I need to know is how I route from eth0 to eth1
without masquerading.

>> it should also run zebra/bgp.
>For that (after looking in /etc/services) you have to permit traffic
>on port number 179 (tcp and udp). And also you should not block
>connections to BGP peers from your box. Anyway, in the zebra docs you have to
>find what ports they are using (or just run zebra and see which ports
>it uses).

>> Could anyone help me?
>> It should by default allow everything, with the possibility to block
>> specified IPs.
>I think you should turn off every service that you don't need on
>your firewall (I suggest keeping only ssh for remote connection and
>administration).

>> For now there are just 2 interfaces, but later it will be upgraded to four
>> 100 Mbit and one 1 Gbps.
>> What hardware should be sufficient?
>> Thanks,
>> Anders Gjære
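Since the whole exchange is about one concrete setup, here is an added example (not from either poster, and not Debian or zebra code) of a small script that does what the message asks for: turn on forwarding between the two interfaces without any NAT, keep the default ACCEPT policies, and keep a single BLOCK chain that both INPUT and FORWARD jump to, so one rule drops a source both for the firewall host and for the servers behind it. A rule in INPUT alone, like the one quoted above, only protects the firewall itself; packets to the web and shell servers pass through FORWARD, not INPUT. For the DoS case it uses DROP rather than REJECT, because REJECT makes the box answer every flood packet with an ICMP error. The interface roles (eth0 upstream, eth1 LAN), the sysctl call and the chain name BLOCK are assumptions; DRY_RUN=1, the default, prints the commands instead of running them. With default ACCEPT, BGP needs no extra rule; if the policies are ever tightened, TCP port 179 has to stay open in both directions (BGP runs over TCP only).

```shell
#!/bin/sh
# Added example (not from the thread): forwarding firewall with default ACCEPT
# and an IP blocklist shared by INPUT and FORWARD. Assumed: eth0 upstream,
# eth1 LAN with public addresses (so no masquerading), chain name BLOCK.
# DRY_RUN=1 (default) prints the commands instead of executing them.
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}

# Run a command, or print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept a dotted-quad IPv4 address with an optional /prefix; reject anything
# else so a typo or a stray argument never reaches iptables.
valid_ip_or_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32        # no "/" given: single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -f; set -- $addr; set +f             # split on dots, no globbing
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# One-time setup: enable routing between the interfaces (no NAT, the LAN
# addresses are globally routable), keep everything open by default, and
# hook an empty BLOCK chain in front of both INPUT and FORWARD.
setup_base() {
    run sysctl -w net.ipv4.ip_forward=1
    run "$IPT" -P INPUT ACCEPT
    run "$IPT" -P FORWARD ACCEPT
    run "$IPT" -P OUTPUT ACCEPT
    run "$IPT" -N BLOCK
    run "$IPT" -I INPUT 1 -j BLOCK
    run "$IPT" -I FORWARD 1 -j BLOCK
}

# Silently drop everything from one host or range. DROP rather than REJECT:
# under a flood, REJECT makes the box send an ICMP error for every packet.
block_ip() {
    valid_ip_or_cidr "$1" || { echo "block_ip: bad address '$1'" >&2; return 1; }
    run "$IPT" -A BLOCK -s "$1" -j DROP
}

# Remove a block added by block_ip (same rule spec, -D instead of -A).
unblock_ip() {
    valid_ip_or_cidr "$1" || { echo "unblock_ip: bad address '$1'" >&2; return 1; }
    run "$IPT" -D BLOCK -s "$1" -j DROP
}

case "${1:-}" in
    setup)   setup_base ;;
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
    *)       echo "usage: $0 setup | block ADDR[/PREFIX] | unblock ADDR[/PREFIX]" >&2 ;;
esac
```

Run `sh fw.sh setup` once at boot (with DRY_RUN=0 as root), then `sh fw.sh block 192.0.2.7` or `block 198.51.100.0/24` during an attack and `unblock` afterwards; because the policies stay ACCEPT, nothing else in the message (zebra, the web and shell servers, the office) needs a rule, and a blocked source is cut off from the firewall and from every host behind it at once.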

