
Re: some reality about iptables, please



Bret, I will address your question, but first: before delving into
constructing your own iptables rules, I suggest you seriously look at
what some of the firewall tools can do for you unless you really
understand what you're doing. I suggest you look at Shorewall and
Bastille for IP filtering firewalls. (Bastille has some great scripts
for platform hardening but I prefer shorewall's firewall
configuration.) Zorp is an application-layer firewall that has gotten
some attention lately but I haven't evaluated it myself -- I expect it
might be good as a personal firewall to complement my site firewall,
especially for catching unauthorized outbound traffic as might originate
from a sploit, trojan or spyware.

Assuming you already have your tables, policies and chain rulesets
defined and assigned targets, you can use the iptables-save and
iptables-restore commands (and/or their respective ip6tables
counterparts) to save and restore the configuration.  Once you've
manually saved the iptables configuration, the /etc/init.d/iptables
script can be used to restore a saved configuration at boot time. Better
yet (as recommended in the bit of documentation you quoted), you can
bind an initialization script to the device startup.  For example, I use
the "up" and "down" parameters on the iface statement in my network
interface definition for my ppp connection (in the file
/etc/network/interfaces):

auto ppp0
iface ppp0 inet ppp
      up /etc/init.d/firewall start
      down /etc/init.d/firewall stop


Hope this helps.  ...Murray


On Tue, 2003-08-26 at 21:12, Bret Comstock Waldow wrote:
> I can find all the sites and advice I want about how to form iptables
> rules, but I can't find any decent discussion of how to enable the damn
> things.
> 
> I get the idea that an iptables firewall is set up by actually running a
> bunch of "iptables -options" lines, presumably from a script.
> 
> But where do I put the script(s)?
> 
> There's a mechanism set up in /etc/default/iptables.  I quote from the
> file:
> 
> # A: I was pretty much hounded into providing it. I do not like it.
> #    Don't use it. Use /etc/network/interfaces, use /etc/network/*.d/
> #    scripts use /etc/ppp/ip-*.d/ script. Create your own custom
> #    init.d script -- no need to even name it iptables.  Use ferm,
> #    ipmasq, ipmenu, guarddog, firestarter, or one of the many other
> #    firewall configuration tools available. Do not use the init.d
> #    script.
> ...
> # Q: How do I get started?
> # A: (Did I mention "do not use it" already? Oh well.)
> 
> For crissake!  Can anyone point me at some sensible discussion of how
> the hell to go about putting firewall rules in place?  I've got a
> laptop, usually on a cable modem, but sometimes using dial-up.
> 
> I know generally about the /etc/init.d/rcX.d runlevel mechanism.  Now I
> need a sensible discussion of when and HOW to run what sorts of
> iptables-rules-containing scripts so I can figure out how to protect my
> system.  Please don't just tell me about "runlevels" - I know they exist
> already.
> 
> The Debian Security manual is useless.  It only give examples of a few
> iptables rules, says that's not enough, and speaks not at all (that I've
> found yet) about how to implement the damn things.
> 
> Someone somewhere speaks to issue of the actual plumbing to implement
> iptables.  Can anyone point me?
> 
> thanks much in advance,
> Bret
> 
> -- 
> bwaldow at alum dot mit dot edu
> 
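As an added illustration of the plumbing Murray describes (not a script from this thread, and not Debian's own /etc/init.d/iptables), here is the shape an /etc/init.d/firewall script can take so that the "up" and "down" lines in /etc/network/interfaces have something to call. The interface name ppp0 comes from Murray's example; the rules file path /etc/iptables.rules, the chain policies and the individual rules are assumptions chosen for a single laptop that originates connections but serves nothing. The ruleset is written in the format iptables-save emits and iptables-restore reads, which is what lets the whole table be loaded atomically instead of as a run of separate iptables invocations.

```shell
#!/bin/sh
# /etc/init.d/firewall -- hypothetical start/stop script for the
# "up /etc/init.d/firewall start" / "down ... stop" hooks in
# /etc/network/interfaces. Paths and interface are assumptions, overridable
# from the environment.
IFACE="${IFACE:-ppp0}"
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"

# Emit a complete filter table in iptables-save format for the given external
# interface: drop by default on INPUT/FORWARD, allow loopback, allow replies
# to connections this host opened, allow ping, and log whatever falls through
# so dropped traffic shows up in the kernel log rather than vanishing.
build_ruleset() {
    ext_if="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ${ext_if} -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i ${ext_if} -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i ${ext_if} -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# Write the ruleset to disk and load it in one shot with iptables-restore.
# A syntax error makes iptables-restore fail before touching the live table,
# so a typo cannot leave the host half-filtered.
firewall_start() {
    build_ruleset "$IFACE" > "$RULES_FILE"
    iptables-restore < "$RULES_FILE"
}

# Flush rules and user chains and fall back to ACCEPT. Called on "down", when
# the external interface is gone anyway, so nothing arrives on it.
firewall_stop() {
    iptables -F
    iptables -X
    for chain in INPUT FORWARD OUTPUT; do
        iptables -P "$chain" ACCEPT
    done
}

# Murray's first suggestion: snapshot the live tables so a later
# iptables-restore (at boot or on "start") reloads exactly what was running.
firewall_save() {
    iptables-save > "$RULES_FILE"
}

case "${1:-}" in
    start) firewall_start ;;
    stop)  firewall_stop ;;
    save)  firewall_save ;;
    show)  build_ruleset "$IFACE" ;;
    *)     echo "usage: $0 {start|stop|save|show}" >&2 ;;
esac
```

The script must be executable and run as root for start/stop/save; `show` needs neither and is a convenient way to eyeball the generated table before the interface comes up. The same pattern works for ip6tables by swapping the binaries and the `*filter` contents.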
