
Searching for an appropriate iptables script



I'm replacing my current ipchains-based firewall, which serves a small
internal LAN of 3 machines, with one that runs iptables/netfilter.

Since I offer no services (yet), the goal is to make this IP address
invisible to port scans and other grotesques from the internet, while
interfering as little as possible with a variety of protocols that the
internal machines need (ICQ/AIM/MSN/Yahoo, IRC, FTP, HTTP, POP3 etc).

So, I created a new Woody installation on a 486/66 DX2 with 24MB of RAM
and 1GB of hard drive space, separated into various partitions to avoid
overflowing logs and such.  Then I applied the objectives outlined in
Securing Debian [http://debian.org/doc/manuals/securing-debian-how-to/].
Next I compiled a custom kernel that has all the appropriate modules
hard-coded, to avoid the additional security risk of loadable modules.

Now I'm ready to actually create the ruleset (or chains, whatever they
are called) for the firewall.  I understand the basic concepts behind
iptables/netfilter, but frankly, there are so many variables that I've
decided to start out with a pre-made firewall script, as I did with
ipchains.

I would like some input as to which script(s) the reader considers the
most secure vs ease of use.  The one I'm leaning towards is Monmotha's
[http://monmotha.mplug.org/firewall/firewall/2.3/rc.firewall-2.3.8-pre4].
It seems to satisfy my desire for all-out security paranoia, while still
being simple to configure.

Another candidate was NARC
[http://www.knowplace.org/netfilter/narc.html]
but its complexity is discouraging.  However, if it were to offer better
security than Monmotha's script, I might be willing to take another
look.

I also experimented with FWBuilder [http://www.fwbuilder.org] which is
available directly as a .deb package.  While it looks very capable, I'd
essentially have to design the firewall from scratch.  Since I might
miss something, I've ruled this out.

Thanks in advance,

Jeff Bonner
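For readers comparing the scripts named above, here is a minimal stateful iptables ruleset that implements the policy the post asks for (default-deny inbound, stateful accept, masquerading for the LAN). It is an added illustration, not Monmotha's, NARC's or any other script mentioned; the interface names and the LAN subnet are assumptions.

```shell
#!/bin/sh
# Added example: a minimal stateful iptables ruleset for a two-interface
# Debian gateway. Not the script asked about in the post; interface names
# and the LAN subnet below are assumptions, override them via environment.
EXT_IF="${EXT_IF:-eth0}"              # internet-facing interface (assumed)
INT_IF="${INT_IF:-eth1}"              # LAN-facing interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # internal LAN subnet (assumed)

# emit_rules prints the iptables commands one per line instead of running
# them, so the ruleset can be reviewed before it is applied.
emit_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INT_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $EXT_IF -m limit --limit 5/min -j LOG --log-prefix FW-DROP:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
EOF
}

# apply_rules enables forwarding and runs each emitted command as root.
# The DROP policies mean unsolicited packets arriving on $EXT_IF are
# discarded without any RST or ICMP reply, which is what keeps the address
# quiet to scanners; the rate-limited LOG rule records them first. Active
# FTP from the LAN additionally needs the ip_conntrack_ftp/ip_nat_ftp
# helpers (built into the kernel or loaded) so RELATED data connections match.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    emit_rules | while read -r cmd; do
        eval "$cmd"
    done
}
```

Run `emit_rules` first to review the generated commands, then `apply_rules` as root once the interface names and subnet match the gateway.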
