Re: setting up iptables

[Glen Mehn <glen@burningman.com>]

Costas Magkos wrote:
> Thank you all for the links and hints.
>
> What I was really looking for was the debian way of doing things, which 
> I managed to locate in the "Securing Debian Manual" [1]. According to 
> this, the iptables initd script should be used. However, the 
> author/package-maintainer disapproves this method:
>
> (from /etc/default/iptables:)
>
> "..
> #Q: You concocted this init.d setup, but you do not like it?
> # A: I was pretty much hounded into providing it. I do not like it.
> #    Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
> #    scripts use /etc/ppp/ip-*.d/ script. Create your own custom
> #    init.d script -- no need to even name it iptables.  Use ferm,
> #    ipmasq, ipmenu, guarddog, firestarter, or one of the many other
> #    firewall configuration tools available. Do not use the init.d
> #    script.
> .."
>
> The whole thing is a little comfusing (to novice guys like I). There is 
> a manual referring to the use of the script, while the very author of 
> the script discourages the use of it. It seems as a matter of personal 
> taste, but I think he could at least have explained his reasons.
>
> Anyway, I decided to follow the procedures in the manual.

seriously, use shorewall (or something similar). They're all just 
interfacest to iptables, and after ipfw, ipchains, iptables, etc, my 
head's ready to explode with syntax.

there's also nice, updated versions of shorewall for debian at 
shorewall.net, at backports.org, and at apt-get.org...

the author of the script puts it there for compatibility with the debian 
software guidelines, but he recommends other tools in any case.

(I'm sure the others are there, too)

-g