Re: setting up iptables

To: Debian Security <debian-security@lists.debian.org>
Subject: Re: setting up iptables
From: Costas Magkos <kmag@lab.epmhs.gr>
Date: Mon, 08 Mar 2004 18:00:48 +0200
Message-id: <[🔎] 404C98B0.3090501@lab.epmhs.gr>
In-reply-to: <[🔎] 404747EA.3030107@lab.epmhs.gr>
References: <[🔎] 404747EA.3030107@lab.epmhs.gr>

Thank you all for the links and hints.

What I was really looking for was the debian way of doing things, whichI managed to locate in the "Securing Debian Manual" [1]. According tothis, the iptables initd script should be used. However, theauthor/package-maintainer disapproves this method:


(from /etc/default/iptables:)

"..
#Q: You concocted this init.d setup, but you do not like it?
# A: I was pretty much hounded into providing it. I do not like it.
#    Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
#    scripts use /etc/ppp/ip-*.d/ script. Create your own custom
#    init.d script -- no need to even name it iptables.  Use ferm,
#    ipmasq, ipmenu, guarddog, firestarter, or one of the many other
#    firewall configuration tools available. Do not use the init.d
#    script.
.."

The whole thing is a little comfusing (to novice guys like I). There isa manual referring to the use of the script, while the very author ofthe script discourages the use of it. It seems as a matter of personaltaste, but I think he could at least have explained his reasons.


Anyway, I decided to follow the procedures in the manual.

~kmag

[1]http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-setup(section 5.14.3.1 Doing it the Debian way)


On 04/03/04 17:14, Costas Magkos wrote:

Hi all,
Can someone give me some best-practices for setting up iptables on aDebian system? I'm looking for things like where should the rules beplaced, what startup script to use [1], good configuration tools [2]and so on. URLs are appreciated, I dont mind reading :-)
I'm currently setting up iptables on a single-server enviroment (norouting), but since I will be using iptables a lot, general conceptsare also welcome.
--
[1] When looking around how to set up iptables, I found in/etc/default/iptables some discouraging words (apparently from theauthor) about the usage of the iptables init.d script, which can besummarized to this: "Do not use it". Why not? And if not, is there anyother way?
[2] I tried firestarter, seems nice. However, it produces a largeruleset with tones of redundant rules and /proc optimizations (forinstance, the anti-spoof filtering is activated by default). Itinvolves too much editing, which I have no problem doing it if someonetells me it's worth it.
Thanks in advance,

~kmag

Costas Magkos
Internet Systematics Lab
Athens, Greece

Reply to:

Follow-Ups:
- Re: setting up iptables
  - From: Glen Mehn <glen@burningman.com>

References:
- setting up iptables
  - From: Costas Magkos <kmag@lab.epmhs.gr>

Prev by Date: Re: Disk Encryption on bf2.4
Next by Date: Re: I have a big problem
Previous by thread: RE: setting up iptables
Next by thread: Re: setting up iptables
Index(es):
- Date
- Thread