Re: Searching for an appropriate iptables script
I have found an incredibly simple system, that some day should be put into
a Debian package. It's called "agt" and can be found at
It installs the configuration files in /boot/fw and they are very well
commented as to the format required. Read them, they are not long and have
a lot of useful information in them. (you can change the location of these
files in the Makefile and defs.h)
Makefile:CONF_PATH = /boot/fw or wherever you want it.
defs.h:#define AGT_DIR "/boot/fw" make this the same as above.
If you want something that is downloaded, built, configured and running in
10 minutes with no prior knowledge of it...
Some day this package might be put into a Debian package. It's just a
simple no-frills firewall system for machines on cable/dsl/etc... that makes
NAT configuration simple.
Hope this helps,
At 03:16 AM 02/07/2002 -0500, Jeff Bonner wrote:
I'm replacing my current ipchains-based firewall, which serves a small
internal LAN of 3 machines, with one that runs iptables/netfilter.
Since I offer no services (yet), the goal is to make this IP address
invisible to port scans and other grotesques from the internet, while
interfering as little as possible with a variety of protocols that the
internal machines need (ICQ/AIM/MSN/Yahoo, IRC, FTP, HTTP, POP3 etc).
So, I created a new Woody installation on a 486/66 DX2 with 24MB of RAM
and 1GB of hard drive space, separated into various partitions to avoid
overflowing logs and such. Then I applied the objectives outlined in
Securing Debian [http://debian.org/doc/manuals/securing-debian-how-to/].
Next I compiled a custom kernel that has all the appropriate modules
hard-coded, to avoid the additional security risk of loadable modules.
Now I'm ready to actually create the ruleset (or chains, whatever they
are called) for the firewall. I understand the basic concepts behind
iptables/netfilter, but frankly, there are so many variables that I've
decided to start out with a pre-made firewall script, as I did with
I would like some input as to which script(s) the reader considers the
most secure vs ease of use. The one I'm leaning towards is Monmotha's
It seems to satisfy my desire for all-out security paranoia, while still
being simple to configure.
Another candidate was NARC
but its complexity is discouraging. However, if it were to offer better
security than Monmotha's script, I might be willing to take another
I also experimented with FWBuilder [http://www.fwbuilder.org] which is
available directly as a .deb package. While it looks very capable, I'd
essentially have to design the firewall from scratch. Since I might
miss something, I've ruled this out.
Thanks in advance,
Network Security Admin
National White Collar Crime Center
Internet Fraud Complaint Center
Phone (304)363-4312 Ext 2011
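A minimal stateful NAT firewall script of the kind the original post asks for (default-deny, connection tracking, masquerading for a small LAN, silent DROP so the address answers nothing to scans), written here as an added example; it is not code from agt, Monmotha's script, NARC or FWBuilder. The interface names eth0/eth1 and the 192.168.1.0/24 LAN are assumed placeholders, and `-m state` is the 2.4-era match the thread's kernels used. Without APPLY=1 it prints the rules instead of loading them, so they can be reviewed first.

```shell
#!/bin/sh
# Minimal stateful NAT firewall for a small LAN behind a cable/DSL link.
# Assumed placeholders: WAN side eth0, LAN side eth1, LAN network 192.168.1.0/24.
# Set APPLY=1 to load the rules (needs root); otherwise they are only printed.
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# ipt: run iptables for real, or echo the command line in review mode.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

firewall_rules() {
    # Flush everything and start from default-deny: nothing enters or is
    # forwarded unless a rule below allows it. Outbound from the box is open.
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    # Loopback, plus replies to connections the firewall or LAN started.
    # RELATED covers FTP data channels once ip_conntrack_ftp is loaded.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Trust the LAN side, forward LAN->WAN, and masquerade behind the WAN address.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # Anti-spoofing: packets from the Internet claiming a LAN source are dropped.
    ipt -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
    # Everything else unsolicited from the WAN: rate-limited log, then silent DROP
    # (not REJECT), so port scans get no answer at all.
    ipt -A INPUT -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    ipt -A INPUT -i "$WAN" -j DROP
    # Routing between interfaces only when the rules are actually applied.
    if [ "${APPLY:-0}" = 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

firewall_rules
```

With a kernel built without loadable modules, as in the original post, ip_conntrack_ftp and the state/limit/LOG/MASQUERADE targets must be compiled in for the RELATED and logging rules to work.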