
Re: some reality about iptables, please



On 26 Aug 2003, Bret Comstock Waldow wrote:

> I can find all the sites and advice I want about how to form iptables
> rules, but I can't find any decent discussion of how to enable the damn
> things.
>
> I get the idea that an iptables firewall is set up by actually running a
> bunch of "iptables -options" lines, presumably from a script.

Correct.

> But where do I put the script(s)?

Depends. For network cards use the pre-up and post-down directives in
/etc/network/interfaces. I seem to recall that for ppp you would do
this through the /etc/ppp/ip-up and /etc/ppp/ip-down scripts. I think
man pppd will help you out in that case. Sorry, I haven't used ppp ever
before...

> For crissake!  Can anyone point me at some sensible discussion of how
> the hell to go about putting firewall rules in place?  I've got a
> laptop, usually on a cable modem, but sometimes using dial-up.

Well, this is only for "plain" NICs (e.g. ethx) and does not explain NAT,
but maybe this is of some help to you:

http://huizen.dto.tudelft.nl/devries/security/iptables_example.html

> I know generally about the /etc/init.d/rcX.d runlevel mechanism.  Now I
> need a sensible discussion of when and HOW to run what sorts of
> iptables-rules-containing scripts so I can figure out how to protect my
> system.  Please don't just tell me about "runlevels" - I know they exist
> already.

Hmm, I am a proponent of not burdening the system unnecessarily. So,
most of the time I advise against initializing the firewall from
run-level x. I would suggest doing this where/when it is most
appropriate (to me that is }:-), which to me is just before the
interface is activated.

> Someone somewhere speaks to issue of the actual plumbing to implement
> iptables.  Can anyone point me?

<plug class="shameless-but-well-meant">read the page on the above
URL</plug> I wrote it in the hope it would be clear enough for people in
just the situation you're finding yourself in right now. If you think it
is missing something I'll try to improve it.

HTH

P.S. I just checked it and found that zless
/usr/share/doc/iptables/README.Debian.gz will give you some useful
examples.

Grx HdV
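An added example (not from HdV's page or the original thread) of the "hook it into the interface" approach described above: a small script called from pre-up/post-down in /etc/network/interfaces. The interface name eth0, the script path /etc/network/firewall.sh and the rule set itself are assumptions; the rule commands are generated as text first so they can be inspected without root before being run.

```shell
#!/bin/sh
# Hypothetical /etc/network/interfaces stanza that calls this script:
#   iface eth0 inet dhcp
#       pre-up    /etc/network/firewall.sh up
#       post-down /etc/network/firewall.sh down
IPTABLES="${IPTABLES:-iptables}"
IFACE="${IFACE:-eth0}"
DRY_RUN="${DRY_RUN:-0}"

# Rules for bringing the firewall up, one command per line. Policies are
# set to DROP *before* flushing so no open window exists between the
# flush and the first ACCEPT rule. Inbound on $IFACE: only replies to
# connections we started; everything else is logged (rate-limited) and dropped.
firewall_up_rules() {
    cat <<EOF
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $IFACE -m limit --limit 5/min -j LOG --log-prefix fw-drop:
$IPTABLES -A INPUT -i $IFACE -j DROP
EOF
}

# Rules for post-down: flush and return the chains to an open policy.
firewall_down_rules() {
    cat <<EOF
$IPTABLES -F
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
EOF
}

# Run (or, with DRY_RUN=1, only print) each command of the named rule set.
apply_rules() {
    "$1" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$cmd"; else $cmd; fi
    done
}

case "${1:-}" in
    up)   apply_rules firewall_up_rules ;;
    down) apply_rules firewall_down_rules ;;
esac
```

Check the generated rules first with `DRY_RUN=1 /etc/network/firewall.sh up`; only the real run needs root.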
