Re: setting up iptables
Thank you all for the links and hints.
What I was really looking for was the debian way of doing things, which
I managed to locate in the "Securing Debian Manual" [1]. According to
this, the iptables initd script should be used. However, the
author/package-maintainer disapproves this method:
(from /etc/default/iptables:)
"..
#Q: You concocted this init.d setup, but you do not like it?
# A: I was pretty much hounded into providing it. I do not like it.
# Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
# scripts use /etc/ppp/ip-*.d/ script. Create your own custom
# init.d script -- no need to even name it iptables. Use ferm,
# ipmasq, ipmenu, guarddog, firestarter, or one of the many other
# firewall configuration tools available. Do not use the init.d
# script.
.."
The whole thing is a little comfusing (to novice guys like I). There is
a manual referring to the use of the script, while the very author of
the script discourages the use of it. It seems as a matter of personal
taste, but I think he could at least have explained his reasons.
Anyway, I decided to follow the procedures in the manual.
~kmag
[1]
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s-firewall-setup
(section 5.14.3.1 Doing it the Debian way)
On 04/03/04 17:14, Costas Magkos wrote:
Hi all,
Can someone give me some best-practices for setting up iptables on a
Debian system? I'm looking for things like where should the rules be
placed, what startup script to use [1], good configuration tools [2]
and so on. URLs are appreciated, I dont mind reading :-)
I'm currently setting up iptables on a single-server enviroment (no
routing), but since I will be using iptables a lot, general concepts
are also welcome.
--
[1] When looking around how to set up iptables, I found in
/etc/default/iptables some discouraging words (apparently from the
author) about the usage of the iptables init.d script, which can be
summarized to this: "Do not use it". Why not? And if not, is there any
other way?
[2] I tried firestarter, seems nice. However, it produces a large
ruleset with tones of redundant rules and /proc optimizations (for
instance, the anti-spoof filtering is activated by default). It
involves too much editing, which I have no problem doing it if someone
tells me it's worth it.
Thanks in advance,
~kmag
Costas Magkos
Internet Systematics Lab
Athens, Greece
Reply to: