
Re: sarge firewall



On Tuesday, 08.02.2005 at 20:25 -0000, Kitsonik Design wrote:

> Hi gang,
> 
> I have just installed the latest version of 'Sarge'; the install went very 
> smoothly, which I am pleased about. Basically this is how I want my setup to 
> be.
> 
> Internet <-> cable modem <-> debian (web/email/ftp server) <-> hub <-> Windows
> 
> 1). Run a small web/email/ftp server from the debian box
> 2). Access the Internet from my windows box.
> 
> I've been looking for a simple firewall/NAT ruleset, so far this is what I 
> have found. (192.168.10.45 is the ip on eth0, 192.168.20.1 is the ip on 
> eth1)
> 
> iptables -F
> iptables -N FIREWALL
> iptables -F FIREWALL
> iptables -A INPUT -j FIREWALL
> iptables -A FORWARD -j FIREWALL
> iptables -A FIREWALL -p tcp -m tcp --dport 25 --syn -j ACCEPT
> iptables -A FIREWALL -p tcp -m tcp -s 192.168.20.1/24 --dport 22 --syn -j ACCEPT
> iptables -A FIREWALL -i lo -j ACCEPT
> iptables -A FIREWALL -p udp -m udp --sport 53 -j ACCEPT
> iptables -A FIREWALL -p tcp -m tcp --sport 53 -j ACCEPT
> iptables -A FIREWALL -p udp -m udp --dport 123 -j ACCEPT
> iptables -A FIREWALL -p udp -m udp --sport 6277 -j ACCEPT
> iptables -A FIREWALL -p udp -m udp --sport 24441 -j ACCEPT
> iptables -A FIREWALL -p tcp -m tcp --syn -j REJECT
> iptables -A FIREWALL -p udp -m udp -j REJECT
> iptables-save > /etc/firewall-rules
> iptables-restore < /etc/firewall-rules
> 
> Can anyone tell me, if using the above ruleset, I can access the net using 
> my windows computer via the debian box? If not, what rules do I need to add.

I will make an assumption, which you have not actually stated: the
firewall will reside on the Debian box, the same machine on which you are
running web, email and FTP.

The rest of what you include is confusing.

1. It appears your Debian box has two interfaces, eth0 and eth1.  Which
is which? i.e. Which is the interface to the cable modem, and which is
the interface to the local network?

2. Why are you using a FIREWALL table above, and sending *both* INPUT and
FORWARD rules to it?  You need to treat INPUT and FORWARD traffic
differently.

3. What is the '--syn' parameter for?  This will allow an initial
connection but not any subsequent traffic.

4. Why are you allowing *source* UDP port 53?

5. What is the default policy for the INPUT, OUTPUT and FORWARD
rulesets?

6. You have no NAT rules listed.  You will need some!

I recommend reading the IP Tables HOWTO guides, which include some
examples, at http://www.netfilter.org/

Dave.

-- 
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
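A ruleset that addresses the points Dave raises (separate INPUT and FORWARD handling, explicit default policies, connection tracking instead of --syn-only matching, no --sport 53 hole, and a NAT rule), added here as an example and not part of the thread. It assumes eth0 faces the cable modem and eth1 the hub (the thread does not say which is which), keeps the server ports the original poster listed, uses the sarge-era `-m state` match, and with DRY_RUN=1 only prints the rules so it can be reviewed without root.

```shell
#!/bin/sh
# Assumed topology (not stated in the thread): eth0 faces the cable modem, eth1 the LAN hub.
WAN=eth0
LAN=eth1
LAN_NET=192.168.20.0/24

# With DRY_RUN=1 the rules are printed instead of applied, so the script can be
# reviewed or tested on a machine without root access or netfilter.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_rules() {
    # Default-deny on INPUT and FORWARD, then open only what is needed.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -t nat -F

    # INPUT: traffic for the Debian box itself.
    ipt -A INPUT -i lo -j ACCEPT
    # Connection tracking replaces the --syn-only rules: replies and follow-up
    # packets of accepted connections are allowed without listing them.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT   # web
    ipt -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT   # mail
    ipt -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT   # ftp
    # SSH only from the LAN, and only when it arrives on the LAN interface.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # FORWARD: the Windows box may open connections outward; only replies come back.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NAT: rewrite the LAN source address to the cable-modem-side address on the way out.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Routing between the interfaces is off by default; enable it only when really applying.
    [ "${DRY_RUN:-0}" = "1" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# FTP data connections are only recognised as RELATED when the ip_conntrack_ftp
# helper module is loaded (modprobe ip_conntrack_ftp on a sarge-era kernel).
case "${1:-}" in
    apply) DRY_RUN=0 ;;
    *)     DRY_RUN=1 ;;   # default is to print the rules, not apply them
esac
apply_rules
```

Run it with no arguments to review the generated rules, and with `apply` as root to load them.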
