thanks for a fast reply.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: 18 June 2001 10:46
> To: Anders Gjøre
> Subject: Re: internet firewall
>
>
> On Mon, 18 Jun 2001, [iso-8859-1] Anders Gjøre wrote:
>
> Hi,
>
> > i have a debian box with 2.4.5 kernel and iptables.
> >
> > how should I set up the rules for iptables?
> > all ip's behind the firewall are valid internet addresses, and should be
> > reached through the firewall..
> >
> Well, I think that you have to configure properly your routing table and
> then to filter ( incoming and/or outgoing ) the traffic which is going to
> be forwarded by your box. And if you want to use a default policy of
> DENY(REJECT) or ACCEPT is another matter and is at your personal taste.
> Your rules have to be built thinking of what services on what boxes should
> be available and to whom.
>

it should be default accept, and behind the firewall there should be one
shell-server (irc) and some web-servers, and our office. the only thing i
need is a possibility to block ip's if we are victim of a DoS attack.

is this a good way to block an ip/ip-range?

    #!/bin/sh
    # address (or range) to block; an assignment has no leading $
    IP_TO_BLOCK=194.29.102.1
    iptables -A INPUT -s $IP_TO_BLOCK -j REJECT

(or just use $1 instead of $IP_TO_BLOCK)

the only thing i need to know, is how do i route from eth0 to eth1,
without masquerading.

> > it should also run zebra/bgp.
> >
> For that ( after looking in /etc/services ) you have to permit connections
> on port number 179 ( tcp and udp ). And also you should not block outgoing
> connections to bgp peers from your box. Anyway in zebra docs you have to
> find what ports are they using ( or just run zebra and see which ports
> that uses ).
> > could anyone help me?
> >
> > it should default allow everything, with the possibility to block
> > specified ip's
> >
> I think you should turn off every service that you don't need on
> your firewall ( I suggest to keep only ssh for remote connection and
> administration ).
> > for now there is just 2 interfaces, but later upgraded to 4 100mbit and
> > 1 1gbps.
> >
> > what hardware should be sufficient?
> >
> >
> > thanks
> > anders gjøre
> >
> >
> Regards,
>
> Florin

thanks
anders
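The two things asked for in this thread, routing between eth0 and eth1 without masquerading and a way to block a source address or range during a DoS, put together as one script. This is an added illustration, not code from the original mail or from Florin's reply. It assumes a Linux box with iptables, a default-ACCEPT policy as Anders wants, and that hosts behind the firewall have public addresses, so no NAT is involved; the sample addresses are constructed, and setting IPTABLES="echo iptables" prints the commands instead of running them. It differs from the snippet in the mail in two ways: it validates the address before it reaches iptables, and it blocks on FORWARD as well as INPUT, because a block on INPUT alone protects only the firewall itself, not the servers behind it.

```shell
#!/bin/sh
# Added example, not from the original mail: default-ACCEPT forwarding
# between two interfaces without NAT, plus a helper that blocks a source
# IP or CIDR range on both INPUT (traffic to the firewall) and FORWARD
# (traffic to the hosts behind it). Interface names and sample addresses
# are assumptions made for illustration.

IPTABLES=${IPTABLES:-iptables}   # IPTABLES="echo iptables" for a dry run

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with /0-32.
# Rejecting anything else keeps shell metacharacters out of the rule.
valid_ip_or_cidr() {
  case "$1" in
    */*) addr=${1%/*}; prefix=${1#*/} ;;
    *)   addr=$1;      prefix=32 ;;
  esac
  printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  printf '%s\n' "$prefix" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $addr                     # split the four octets into $1..$4
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the iptables commands that block one source on both chains, so
# the rules can be reviewed before block_source applies them.
block_rules() {
  valid_ip_or_cidr "$1" || { echo "invalid address or range: $1" >&2; return 1; }
  for chain in INPUT FORWARD; do
    # -I puts the rule at the top so it wins over any earlier ACCEPT;
    # DROP rather than REJECT so the box sends nothing back under a flood.
    printf 'iptables -I %s -s %s -j DROP\n' "$chain" "$1"
  done
}

# Apply (or remove) the block through $IPTABLES.
block_source() {
  valid_ip_or_cidr "$1" || { echo "invalid address or range: $1" >&2; return 1; }
  for chain in INPUT FORWARD; do
    $IPTABLES -I "$chain" -s "$1" -j DROP
  done
}
unblock_source() {
  valid_ip_or_cidr "$1" || { echo "invalid address or range: $1" >&2; return 1; }
  for chain in INPUT FORWARD; do
    $IPTABLES -D "$chain" -s "$1" -j DROP
  done
}

# Routing eth0 <-> eth1 without MASQUERADE: once ip_forward is on and the
# filter policies are ACCEPT, the kernel forwards packets between the
# interfaces by its routing table; no nat-table rule is needed because the
# machines behind the firewall already have routable addresses.
setup_forwarding() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P FORWARD ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -F INPUT
  $IPTABLES -F FORWARD
}

case "${1:-}" in
  setup)   setup_forwarding ;;
  block)   block_source   "${2:-}" ;;
  unblock) unblock_source "${2:-}" ;;
  show)    block_rules    "${2:-}" ;;
  *)       ;;   # no argument: only define the functions (e.g. when sourced)
esac
```

Usage: `sh fw.sh setup` once, then `sh fw.sh block 194.29.102.0/24` during an attack and `sh fw.sh unblock 194.29.102.0/24` afterwards; `sh fw.sh show 194.29.102.1` prints the two rules without touching the kernel. With the policies left at ACCEPT, the zebra/bgpd session on tcp/179 that Florin mentions needs no extra rule; it only matters to keep the peer's address out of any block you add.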

