
Re: How to work with my iptables script



On 25 Aug 2004, Jacob Friis Larsen wrote:
> Sorry, I'm a novice :)

Don't be sorry - I was too, once.  You are happy to admit it and to
learn, which is a great start.

>> You could increase security by limiting traffic to exclude forged or
>> invalid packets, and limit outbound traffic appropriately.
>
> How do I do that?

OK.  To protect against forged packets, put in rules that prevent
packets that claim to be from your network (or machine) but that have
come in from the Internet.

So, '-i ppp0 -s <my ip>' should be dropped, or whatever.

Likewise, things like 10.0.0.0/8 and 192.168.0.0/16 should be dropped as
they are not "routable" IP ranges - they are for private use only.

>> Logging would probably also be useful.
>
> How do I do that?

The 'LOG' or 'ULOG' targets.  'LOG' is easier to use initially, and the
iptables manual page covers it.

It writes messages about packets that match that rule to your kernel
message log, which feeds into syslog.

>> You may find that using a higher level tool, of which there are a wide
>> range in Debian, would make it easier to achieve this goal.
>
> Do you mean ipfwadmin?

I was thinking of things like firehol (which I use), shorewall or
fwbuilder that let you work at a higher level than raw iptables rules.

iptables calls are pretty much the "assembly language" of firewalling
under Linux.  You can do everything, but it takes lots of work.

Using something like 'firehol' you get most of the hard stuff done "for
free" -- by the software, or in one line, rather than hand-writing
complex rules.

Also, you can review the output at the low level and learn how these
best practice tools actually build their rules.

Regards,
        Daniel
-- 
As in Rome there is, apart from the Romans, a population of statues, so apart
from this real world there is a world of illusion, almost more potent, in
which most men live.
        -- Goethe
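The two things Daniel describes, anti-spoofing rules for packets arriving from the Internet with a source address they cannot legitimately have, and the LOG target for seeing what was dropped, as one added shell example. This is not code from the mail or from any of the tools it names; it prints the iptables commands instead of running them, so it can be reviewed without root and piped to sh afterwards. The interface name ppp0 follows the mail; the public address 203.0.113.5 (RFC 5737 documentation range) is constructed for the example, and the list of private ranges goes beyond the mail by also covering 172.16.0.0/12 and loopback. Logging is rate-limited with the limit match so a burst of spoofed packets cannot flood the kernel log.

```shell
#!/bin/sh
# Added example (not from the original mail): generate the anti-spoofing and
# logging rules described in the reply. Prints the iptables commands rather
# than executing them, so it runs unprivileged; review, then pipe to sh.
#
# Assumed/constructed values: Internet-facing interface ppp0, own public
# address 203.0.113.5 (RFC 5737 documentation range).

# Source ranges that must never arrive on the Internet interface:
# 10/8, 172.16/12, 192.168/16 are RFC 1918 private space; 127/8 is loopback.
BOGON_SOURCES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# gen_antispoof_rules <wan_if> <my_ip>
# Emits a SPOOF_DROP chain that logs (rate-limited) and then drops, a rule
# for packets forged with our own address, and one rule per private range,
# on both INPUT (for this host) and FORWARD (in case the box also routes).
gen_antispoof_rules() {
    wan_if="$1"
    my_ip="$2"
    cat <<EOF
iptables -N SPOOF_DROP
iptables -A SPOOF_DROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "SPOOF: " --log-level 4
iptables -A SPOOF_DROP -j DROP
iptables -A INPUT -i $wan_if -s $my_ip -j SPOOF_DROP
iptables -A FORWARD -i $wan_if -s $my_ip -j SPOOF_DROP
EOF
    for net in $BOGON_SOURCES; do
        echo "iptables -A INPUT -i $wan_if -s $net -j SPOOF_DROP"
        echo "iptables -A FORWARD -i $wan_if -s $net -j SPOOF_DROP"
    done
}

# count_rules <wan_if> <my_ip>: number of iptables commands generated,
# handy for a quick sanity check before loading them.
count_rules() {
    gen_antispoof_rules "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: print the rule set for review.
gen_antispoof_rules ppp0 203.0.113.5
```

The LOG lines land in the kernel log (dmesg, and syslog via klogd) with the "SPOOF: " prefix, which makes them easy to grep for; the limit match caps them at five entries a minute after an initial burst of ten, so the log stays readable during a flood.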


