On Mon, 24 Dec 2001 11:18:07 -0500 (EST) Scott <[EMAIL PROTECTED]> studiously spake these words to ponder:
> On Mon, 24 Dec 2001, Mark Weaver wrote:
>
> > If you want to get bastille-firewall running, in Mandrake Control Center there is
> > a firewall config utility that gets the process started. It's called Tiny Firewall.
> > Run this wizard and it will configure and start Bastille-firewall running. I'd then
> > suggest getting to know the ins and outs of iptables and manually tweak the chains
> > and ruleset to suit your machine's unique needs.
> >
> > If you need any further assistance just give a holler.
>
> Mark:
>
> I am hollering :) So, say I want to 'tweak' my settings after I have run
> the Tiny Firewall script, where do I head to? I know there is a
> /etc/Bastille/conf file I have been playing with, but is there an iptables
> script file somewhere else? I want to open port 8000 internally for my
> icecast stream and make a few other tweaks. How about documentation? The
> bastille site does not have much.
>
> Thanks,
>
> -Scott

Scott,

The ports that get opened and closed, whatever the case/need may be, are set primarily in the bastille-firewall.cfg file. It's within config block #3 that this happens, on these lines:

    TCP_PUBLIC_SERVICES="22 20 21 25 80 443 53 109 110 119 143 3306"          MINIMAL/SAFEST
    UDP_PUBLIC_SERVICES="53"                                                  MINIMAL/SAFEST
    TCP_INTERNAL_SERVICES="22 20 21 25 80 443 53 109 110 119 143 3306 8000"   MINIMAL/SAFEST
    UDP_INTERNAL_SERVICES=""

Above is an excerpt from a file I keep handy here on my machine for demonstration purposes; however, it should be understood that this file was taken from a completely functional and running installation of bastille-firewall. TCP_PUBLIC_SERVICES is the point at which anything comes in from the internet, or the $OUTERNET as I have a liking to define it when using a script to load rules into the firewall. If you wish to use Icecast on your LAN, but not have it accessible to folks on the $OUTERNET, then you would "not" place the port # in the TCP_PUBLIC_SERVICES line, but rather in TCP_INTERNAL_SERVICES.
I should point out, though, that "if" everything is not just the way it should be in your configuration, this method doesn't always work. You may have to do this bit of routing using tables and chains (iptables and chains - rulesets) to grab the incoming traffic at the INPUT table of iptables and forward the packets to a chain (or chains) controlling that traffic. This is a method that I prefer since it allows more control over the traffic, but it requires the administrator to know what he's doing. That's where that tutorial I sent along comes in handy. In case anyone reading hasn't seen this yet, here is one of the URLs where the world's best getting-started iptables tutorial can be found:

http://www.boingworld.com/workshops/linux/iptables-tutorial/iptables-tutorial/iptables-tutorial.html

In a nutshell, the packets destined for port 8000 on your machine will either come in from the $OUTERNET, or if coming to the firewall from your LAN will hit the wall on INT_IN (INTERFACE_IN). If they're coming in on $OUTERNET then a rule to handle that might look something like this:

    iptables -A INPUT -p tcp -s 0/0 --dport 8000 -j DROP

This rule is saying that anything with an equivalent IP address of 0/0, which means any and all, is summarily dropped and not allowed through the firewall. This presents somewhat of a problem, though, if you're running a network with only one ethernet. You could also do it like this: you can change the sense of the -s (source, --source) IP number by using an (!) before the -s xxx.xxx.xxx.xxx, which basically is saying: if IP address not = subnet 192.168.0.0/24 then DROP all incoming packets. Subnet 192.168.0.0 includes all numbers between 192.168.0.1 - 192.168.0.255.

    iptables -A INPUT -p tcp --source ! 192.168.0.0/24 --dport 8000 -j DROP

You will of course want to check and make certain that my syntax and usage is correct. I've tested it on my system here and it works just fine.

This is the method that I favor for closing out the $OUTERNET to services that I don't want anyone to access except those on my immediate subnet/mask.

-- 
daRcmaTTeR
---------------------------------------------------------------------
If at first you don't succeed do what your wife told you to do the first time!
Registered Linux User 182496
Mandrake 8.1
---------------------------------------------------------------------
2:05pm up 8 days, 5:54, 1 user, load average: 0.05, 0.08, 0.08
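The public-versus-internal split described in the message above (TCP_PUBLIC_SERVICES reachable from anywhere, TCP_INTERNAL_SERVICES only from the LAN, guarded by a "not from my subnet, then DROP" rule), as an added shell example that is not part of the original thread and not bastille-firewall's own code. The LAN_NET value, the service lists, the rule order and the log prefix are assumed; the negation is written in the `! -s` form accepted by current iptables rather than the older `-s !` placement used in the message. The script prints the rules instead of applying them, so the resulting policy can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example: derive iptables INPUT rules from bastille-style service lists.
# Assumed values (hypothetical, mirroring bastille-firewall.cfg variable names):
LAN_NET="192.168.0.0/24"          # assumed LAN subnet
TCP_PUBLIC_SERVICES="22 80 443"   # reachable from anywhere (LAN and $OUTERNET)
TCP_INTERNAL_SERVICES="8000 3306" # reachable only from LAN_NET (e.g. icecast on 8000)

# gen_rules NET PUBLIC INTERNAL
# Prints the iptables commands rather than running them, so the policy can be
# reviewed (or diffed against `iptables -S INPUT`) before it is loaded.
gen_rules() {
    net="$1"; public="$2"; internal="$3"
    # Allow replies to connections this host started.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Public services: accept from any source.
    for p in $public; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # Internal-only services: accept from the LAN, log and drop everything else.
    # The "! -s net ... -j DROP" line is the idea from the message; the LOG line
    # in front of it gives the administrator a record of blocked outside attempts.
    for p in $internal; do
        echo "iptables -A INPUT -p tcp -s $net --dport $p -j ACCEPT"
        echo "iptables -A INPUT -p tcp ! -s $net --dport $p -j LOG --log-prefix \"FW-INTERNAL-ONLY: \""
        echo "iptables -A INPUT -p tcp ! -s $net --dport $p -j DROP"
    done
    # Default deny for any other new inbound TCP connection.
    echo "iptables -A INPUT -p tcp --syn -j DROP"
}

# port_access PORT -> "any", "lan" or "none"
# Answers "who may reach this port under the current lists?", a quick check
# to run before generating rules (e.g. confirm 8000 is LAN-only, not public).
port_access() {
    port="$1"
    for p in $TCP_PUBLIC_SERVICES; do
        if [ "$p" = "$port" ]; then echo any; return 0; fi
    done
    for p in $TCP_INTERNAL_SERVICES; do
        if [ "$p" = "$port" ]; then echo lan; return 0; fi
    done
    echo none
}

# Print the rules for the assumed configuration. To apply them for real (as root):
#   gen_rules "$LAN_NET" "$TCP_PUBLIC_SERVICES" "$TCP_INTERNAL_SERVICES" | sh
gen_rules "$LAN_NET" "$TCP_PUBLIC_SERVICES" "$TCP_INTERNAL_SERVICES"
```

A port listed in both variables is treated as public, since the public ACCEPT rule is appended first and iptables stops at the first match; keeping the internal-only ports out of TCP_PUBLIC_SERVICES is what makes the LAN restriction take effect.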
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
