
RE: iptables q:


I am not sure about Shorewall-based iptables, but there are a few items
that any firewall must have to control the flow of traffic in or out.
(There is an excellent article in the Linux Journal, May 03 and June 03,
that goes into more depth about setting up a firewall using Firewall
Builder, a great tool.)

The steps needed to set up a firewall policy can be broken down into a
three-step process: 1) Create objects, 2) Create rule base, 3) Compile rule
base into policy and install. (Assuming that you have Netfilter/iptables

Objects - You will need to define all your objects for your internal and
external networks. Objects represent hosts, networks, address ranges,
TCP/IP services, your firewall. An object is usually defined by an IP
address and subnet mask or IP address. Define an object for your
loopback device too, i.e., mask

Now that you have your objects defined, you can create your rule base
and/or policies. Here are a few questions when creating rules for your
rule base:

Source - where is this request coming from, inside or outside your
network? This is very important to know and should be based on who wants
access to your firewall or network.

Destination - where or what is this request trying to get to?

Service - what service is this request trying to utilize: SMTP, POP,
www, ssh.

Action - what will be the outcome, based on the above information, and
what should the firewall do with the request: accept, reject, deny?

A Policy Example: (Note it is assumed you have your objects already

Number  Source        Destination    Service  Action  Notes
1       Internal_LAN  Your_Firewall  Any      Accept  Allow internal access to your firewall
2       Any           Your_Firewall  ssh      Accept  Allow outside ssh access to your firewall
3       Internal_LAN  Any            www      Accept  Allow internal access out
4       Any           Any            Any      Deny    Clean up rule

* Note: sometimes you may have rules that conflict with each other or
overlap; you may have to put rule 2 before rule 1.

After you have your rule base, you can compile and install it on your
firewall. If your policy does not allow something, it will normally not be
allowed; you have to turn services on for them to work.

I hope this helps.


Joe Maroney

-----Original Message-----
From: Tinus Nijmeijers [mailto:tinus@deephosting.com] 
Sent: Monday, August 25, 2003 3:05 AM
To: debian-firewall@lists.debian.org
Subject: iptables q:

I have this great shorewall-based iptables setup that I have screwed up,
and reading it I have to admit that I have no idea really where to
(Started reading the iptables-tutorial but I'm also in a hurry here.)

Could someone divulge how I do this:

eth0: internet
eth1: internal net

-allow anything from the internal net to the firewall
-allow port 22 from the outside to the firewall
-masquerade ONLY port 80 from internal to internet.

everything else should be closed.
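One way to express both the four-rule policy table in the reply above and the original request (eth0 internet, eth1 internal, anything from the LAN to the firewall, ssh from outside, masquerade only port 80, everything else closed) as plain iptables commands. This is an added example, not code from either message or from Shorewall. The interface names come from the request; the 192.168.1.0/24 LAN subnet, the ESTABLISHED,RELATED rules that let return traffic through, and the ACCEPT default for the firewall's own outbound traffic are assumptions made here so the policy actually works. The script prints the rules by default and only executes them (as root) when invoked with "apply", so the rule base can be reviewed and checked before it touches the running firewall.

```shell
#!/bin/sh
# Added example: the thread's four-rule policy as iptables commands.
# eth0/eth1 are from the original request; the LAN subnet is an assumption.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed internal subnet

# Emit the policy, one iptables invocation per line. Printing instead of
# executing lets you review (or diff) the rule base before installing it.
policy_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -p tcp --dport 80 -j MASQUERADE
EOF
}
# Rules 1-3 of the table are the three ACCEPT lines with -i/-s matches;
# rule 4 (the clean-up deny) is the DROP default policy on INPUT and FORWARD.

# Number of iptables invocations in the generated policy.
rule_count() {
    policy_rules | grep -c '^iptables'
}

# Sanity checks worth running before loading: the defaults deny, and every
# NAT rule is restricted to TCP port 80 (the "masquerade ONLY port 80"
# requirement). Returns 0 when all checks hold.
check_policy() {
    rules=$(policy_rules)
    echo "$rules" | grep -q '^iptables -P INPUT DROP$' || return 1
    echo "$rules" | grep -q '^iptables -P FORWARD DROP$' || return 1
    masq_all=$(echo "$rules" | grep -c -- '-j MASQUERADE')
    masq_80=$(echo "$rules" | grep -- '-j MASQUERADE' | grep -c -- '-p tcp --dport 80')
    [ "$masq_all" -gt 0 ] && [ "$masq_all" -eq "$masq_80" ] || return 1
    return 0
}

# Execute each generated rule; needs root and a kernel with Netfilter.
apply_policy() {
    check_policy || { echo "policy check failed, not applying" >&2; return 1; }
    policy_rules | while read -r line; do
        $line || return 1
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_policy
else
    policy_rules
fi
```

Run it with no arguments to print the rule base, and as root with `apply` to install it; the order matters, since the state rules and the LAN rule must precede the DROP defaults taking effect on new connections.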


