Re: Firewall Setup

To: debian-user@lists.debian.org
Subject: Re: Firewall Setup
From: Paul Stuffins <paul.stuffins@orqoo.com>
Date: Tue, 2 Aug 2011 15:20:27 +0100
Message-id: <[🔎] CAEe=7LgMogK9cJA4rAf36809GHVWYHTgUYHBG3FUg9nTFRvamQ@mail.gmail.com>
In-reply-to: <[🔎] pan.2011.08.02.13.37.35@gmail.com>
References: <[🔎] CAEe=7Li3a_EsWc=btFtRd8OGGFfbU96iWmujPpq2xjrA9oFnRA@mail.gmail.com> <[🔎] pan.2011.08.02.13.37.35@gmail.com>

On Tue, Aug 2, 2011 at 2:37 PM, Camaleón <noelamac@gmail.com> wrote:

On Mon, 01 Aug 2011 21:56:08 +0100, Paul Stuffins wrote:

> I am trying to set iptables up, but am getting into a right mess editing
> the rules direct in the init script.
>
> What are peoples recommendations of a front end, either one that I can
> run via an Apache VirtualHost, obviously on a secured and locked down
> VirtualHost so that only I can access it, or via SSH.

There is a good set of firewall/iptables front-ends at debian wiki:

http://wiki.debian.org/Firewalls

Greetings,

--
Camaleón

--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: [🔎] pan.2011.08.02.13.37.35@gmail.com" target="_blank">http://lists.debian.org/[🔎] pan.2011.08.02.13.37.35@gmail.com

Hi Guys,

I have decided to go with Shorewall as it seems that it is fairly simple to implement.

While that may be the case, I just want to check my setup before I enable it and lock myself out of the server.

My setup really only needs to allow access, from the internet to the server, on ports 80 and 443, for Apache, 60000, for ssh and 3306, for MySQL along with access from the server to the Debian repos and 3306, I have a couple database servers that I manage from one central location hence needing access to and from the server on 3306.

After following the walk through on http://wiki.debian.org/HowTo/shorewall, my /etc/shorewall/policy is:
    net all DROP
    fw all ACCEPT
    all all REJECT

    ACCEPT net fw tcp 80,443, 3306,60000
    ACCEPT fw net tcp 3306
    ACCEPT fw net:128.101.240.212 tcp 80

My /etc/shorewall/zones is:
    fw firewall
    net ipv4

My /etc/shorewall/interfaces is:
    net venet0:0 detect dhcp,routefilter,tcpflags ( I run on an OpenVZ VPS hence venet0:0 for my interface. )

and I have turned on IP_FORWARDING in /etc/shorewall/shorewall.conf

When I run "shorewall check" I get the following output:
    shorewall check
    Checking...
    Processing /etc/shorewall/shorewall.conf...
        ERROR: FOREWARD_CLEAR_MARK=Yes requires MARK Target in your kernel and iptables

What do I need to ask my provider to enable on the host node?

Many thanks for your help
--Paul

Reply to:

Follow-Ups:
- Re: Firewall Setup
  - From: Bob Proulx <bob@proulx.com>

References:
- Firewall Setup
  - From: Paul Stuffins <paul.stuffins@orqoo.com>
- Re: Firewall Setup
  - From: Camaleón <noelamac@gmail.com>

Prev by Date: Re: [Fwd: Re: gdm3 - cant find X confige file]
Next by Date: Re: GDM3's prejudiced against a picture of me
Previous by thread: Re: Firewall Setup
Next by thread: Re: Firewall Setup
Index(es):
- Date
- Thread