
Re: Firewall Setup

On Tue, Aug 2, 2011 at 2:37 PM, Camaleón <noelamac@gmail.com> wrote:
On Mon, 01 Aug 2011 21:56:08 +0100, Paul Stuffins wrote:

> I am trying to set iptables up, but am getting into a right mess editing
> the rules direct in the init script.
> What are peoples recommendations of a front end, either one that I can
> run via an Apache VirtualHost, obviously on a secured and locked down
> VirtualHost so that only I can access it, or via SSH.

There is a good set of firewall/iptables front-ends at debian wiki:





Hi Guys,

I have decided to go with Shorewall as it seems that it is fairly simple to implement.

While that may be the case, I just want to check my setup before I enable it and lock myself out of the server.

My setup really only needs to allow access from the internet to the server on ports 80 and 443 for Apache, 60000 for ssh and 3306 for MySQL, along with access from the server to the Debian repos and to 3306. I have a couple of database servers that I manage from one central location, hence needing access to and from the server on 3306.

After following the walk through on http://wiki.debian.org/HowTo/shorewall, my /etc/shorewall/policy is:
    net all DROP
    fw all ACCEPT
    all all REJECT

    ACCEPT net fw tcp 80,443,3306,60000
    ACCEPT fw net tcp 3306
    ACCEPT fw net: tcp 80

My /etc/shorewall/zones is:
    fw firewall
    net ipv4

My /etc/shorewall/interfaces is:
    net venet0:0 detect dhcp,routefilter,tcpflags
(I run on an OpenVZ VPS, hence venet0:0 for my interface.)

and I have turned on IP_FORWARDING in /etc/shorewall/shorewall.conf

When I run "shorewall check" I get the following output:
    shorewall check
    Processing /etc/shorewall/shorewall.conf...
        ERROR: FOREWARD_CLEAR_MARK=Yes requires MARK Target in your kernel and iptables

What do I need to ask my provider to enable on the host node?

Many thanks for your help
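An added example, not from the original post or from Shorewall itself: a small Python linter that splits rules lines into Shorewall's whitespace-separated columns and shows why a stray space inside a port list matters before the firewall is enabled on a remote box. The sample rule lines are constructed from the post above; the column names and the checks are this example's assumptions, not Shorewall's own parser.

```python
import re

# Leading columns of /etc/shorewall/rules, whitespace-delimited (assumed subset).
COLUMNS = ["ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT"]
PROTOS = {"tcp", "udp", "icmp", "all", "-"}

# Constructed sample: the three rules from the post plus a corrected copy of the first.
SAMPLE_RULES = """\
ACCEPT net fw tcp 80,443, 3306,60000
ACCEPT fw net tcp 3306
ACCEPT fw net: tcp 80
ACCEPT net fw tcp 80,443,3306,60000
"""

def parse_rule(line):
    """Split one rules line into columns; missing trailing columns become '-'."""
    fields = line.split()
    return dict(zip(COLUMNS, fields + ["-"] * (len(COLUMNS) - len(fields))))

def check_ports(spec):
    """Return a problem description for a comma-separated port list, or None."""
    if spec == "-":
        return None
    for item in spec.split(","):
        if item == "":
            return "empty entry in port list (stray space or comma?)"
        for part in item.split(":"):  # allow ranges such as 6000:6010
            numeric = part.isdigit() and 1 <= int(part) <= 65535
            if not numeric and not re.fullmatch(r"[a-z][a-z0-9-]*", part):
                return f"bad port {part!r}"
    return None

def lint_rules(text):
    """Return (line_no, message) tuples for every suspicious rule line."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#")[0].strip()
        if not line:
            continue
        rule = parse_rule(line)
        for col in ("SOURCE", "DEST"):
            if rule[col].endswith(":"):
                problems.append((n, f"{col} zone {rule[col]!r} has an empty address qualifier"))
        if rule["PROTO"] not in PROTOS:
            problems.append((n, f"unknown PROTO {rule['PROTO']!r}"))
        for col in ("DPORT", "SPORT"):
            msg = check_ports(rule[col])
            if msg:
                problems.append((n, f"{col}: {msg}"))
        if rule["SPORT"] != "-":  # a space in the DEST PORT list shifts ports into this column
            problems.append((n, f"SOURCE PORT set to {rule['SPORT']!r}; did a space split the DEST PORT list?"))
    return problems

if __name__ == "__main__":
    for n, msg in lint_rules(SAMPLE_RULES):
        print(f"line {n}: {msg}")
```

Running it reports the split port list on line 1 and the empty "net:" qualifier on line 3, while the corrected rule on line 4 passes cleanly.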
