
RE: internet firewall



Thanks for the fast reply.

>-----Original Message-----
>From: florin@cluj.iiruc.ro [mailto:florin@cluj.iiruc.ro]
>Sent: 18. juni 2001 10:46
>To: Anders Gjære
>Subject: Re: internet firewall
>
>
>On Mon, 18 Jun 2001, Anders Gjære wrote:
>
>Hi,
>
>> I have a Debian box with 2.4.5 kernel and iptables.
>>
>> How should I set up the rules for iptables?
>> All IPs behind the firewall are valid internet addresses, and should be
>> reached through the firewall..
>>
>Well, I think that you have to configure your routing table properly and
>then to filter (incoming and/or outgoing) the traffic which is going to
>be forwarded by your box. And whether you want to use a default policy of
>DENY (REJECT) or ACCEPT is another matter and is at your personal taste.
>Your rules have to be built thinking of what services on what boxes should
>be available and to whom.
>



It should be default accept,
and behind the firewall there should be one shell server (irc) and some
web servers, and our office.

The only thing I need is a possibility to block IPs if we are the victim of
a DoS attack.

Is this a good way to block an IP/IP range?


#!/bin/sh
# shell variable assignment: no leading $ and no spaces around the =
IP_TO_BLOCK=194.29.102.1
# reject every packet from that address that is destined for this box
iptables -A INPUT -s $IP_TO_BLOCK -j REJECT


(or just use $1 instead of $IP_TO_BLOCK)

The only thing I need to know is how I route from eth0 to eth1
without masquerading.



 
>> It should also run zebra/bgp.
>>
>For that (after looking in /etc/services) you have to permit connections
>on port number 179 (tcp and udp). And also you should not block outgoing
>connections to bgp peers from your box. Anyway, in the zebra docs you have to
>find what ports they are using (or just run zebra and see which ports
>it uses).

>> Could anyone help me?
>>
>> It should default allow everything, with the possibility to block
>> specified IPs.
>>
>I think you should turn off every service that you don't need on
>your firewall (I suggest to keep only ssh for remote connection and
>administration).

>> For now there are just 2 interfaces, but later upgraded to 4 100mbit and
>> 1 1gbps.
>>
>> What hardware should be sufficient?
>>
>>
>> thanks
>> anders gjære
>>
>>
>Regards,
>
>Florin

thanks
anders
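As an added example (not part of the thread, and not Anders' or Florin's code), here is a small POSIX sh helper covering the two things asked above: blocking an address or range, and forwarding between the two interfaces without masquerading. Assumptions not in the original mail: eth0 is the outside interface, eth1 the inside one, blocks live in a dedicated chain called BLOCKLIST so they can be listed and removed cleanly, and commands are only printed (dry run) unless APPLY=1 is set, since iptables needs root. It uses DROP rather than the REJECT from the snippet above, because under a flood REJECT makes the box answer every packet with an ICMP error or TCP RST, which costs bandwidth and CPU on exactly the machine being flooded.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed layout: eth0 outside,
# eth1 inside, a dedicated BLOCKLIST chain. Dry run unless APPLY=1.

OUTSIDE_IF=${OUTSIDE_IF:-eth0}
INSIDE_IF=${INSIDE_IF:-eth1}
CHAIN=BLOCKLIST

# run: print the command; execute it only when APPLY=1 (needs root)
run() {
    echo "$*"
    [ "${APPLY:-0}" = "1" ] && "$@"
    return 0
}

# valid_cidr: accept a.b.c.d or a.b.c.d/len with octets 0-255 and len 0-32.
# Returns 0 if valid, 1 otherwise, so a typo never becomes a firewall rule.
valid_cidr() {
    addr=${1%/*}
    len=${1#*/}
    [ "$len" = "$1" ] && len=32            # no "/len" given: a single host
    case "$len" in *[!0-9]*|'') return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case "$addr" in .*|*.|*..*) return 1 ;; esac   # leading/trailing/double dot
    oldifs=$IFS
    set -f; IFS=.; set -- $addr; IFS=$oldifs; set +f  # split on dots, no globbing
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in *[!0-9]*|'') return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# block_ip / unblock_ip: the chain is consulted from both INPUT and FORWARD,
# so the block covers traffic to the firewall itself and traffic routed through it.
block_ip() {
    valid_cidr "$1" || { echo "block_ip: invalid address '$1'" >&2; return 1; }
    run iptables -I "$CHAIN" -s "$1" -j DROP
}
unblock_ip() {
    valid_cidr "$1" || { echo "unblock_ip: invalid address '$1'" >&2; return 1; }
    run iptables -D "$CHAIN" -s "$1" -j DROP
}

# setup_router: forwarding eth0 <-> eth1 without masquerading. Forwarding is a
# kernel switch; with no rules in the nat table nothing is rewritten, so the
# public addresses behind the box are reached unchanged. Policy stays ACCEPT.
setup_router() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -N "$CHAIN"
    run iptables -I INPUT -j "$CHAIN"      # blocklist is checked first ...
    run iptables -I FORWARD -j "$CHAIN"    # ... for local and forwarded traffic
    run iptables -P FORWARD ACCEPT
    run iptables -A FORWARD -i "$OUTSIDE_IF" -o "$INSIDE_IF" -j ACCEPT
    run iptables -A FORWARD -i "$INSIDE_IF" -o "$OUTSIDE_IF" -j ACCEPT
}

# usage: fw.sh setup | block 194.29.102.0/24 | unblock 194.29.102.0/24
case "${1:-}" in
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
    setup)   setup_router ;;
esac
```

Run it once with `setup` (APPLY=1 as root) and then `block`/`unblock` as needed; without APPLY=1 it only prints what it would do, which is a convenient way to review the rules before committing them. Inserting into the BLOCKLIST chain with `-I` keeps a fresh block ahead of any accept rule, and `iptables -L BLOCKLIST -n` shows exactly which addresses are currently blocked.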
