Re: Firewall Setup
On Tue, Aug 2, 2011 at 2:37 PM, Camaleón <email@example.com>
There is a good set of firewall/iptables front-ends at debian wiki:
On Mon, 01 Aug 2011 21:56:08 +0100, Paul Stuffins wrote:
> I am trying to set iptables up, but am getting into a right mess editing
> the rules direct in the init script.
> What are peoples recommendations of a front end, either one that I can
> run via an Apache VirtualHost, obviously on a secured and locked down
> VirtualHost so that only I can access it, or via SSH.
Archive: [🔎] firstname.lastname@example.org" target="_blank">http://lists.debian.org/[🔎] email@example.com
I have decided to go with Shorewall as it seems that it is fairly simple to implement.
While that may be the case, I just want to check my setup before I enable it and lock myself out of the server.
My setup really only needs to allow access, from the internet to the server, on ports 80 and 443, for Apache, 60000, for ssh and 3306, for MySQL along with access from the server to the Debian repos and 3306, I have a couple database servers that I manage from one central location hence needing access to and from the server on 3306.
After following the walk through on http://wiki.debian.org/HowTo/shorewall, my /etc/shorewall/policy is:
net all DROP
fw all ACCEPT
all all REJECT
ACCEPT net fw tcp 80,443, 3306,60000
ACCEPT fw net tcp 3306
ACCEPT fw net:126.96.36.199 tcp 80
My /etc/shorewall/zones is:
My /etc/shorewall/interfaces is:
net venet0:0 detect dhcp,routefilter,tcpflags ( I run on an OpenVZ VPS hence venet0:0 for my interface. )
and I have turned on IP_FORWARDING in /etc/shorewall/shorewall.conf
When I run "shorewall check" I get the following output:
ERROR: FOREWARD_CLEAR_MARK=Yes requires MARK Target in your kernel and iptables
What do I need to ask my provider to enable on the host node?
Many thanks for your help