On Thu, 27 Oct 2005, James wrote: > Question 1: > I'm planning on using nmap and nessus to test from the outside(internet) > inward). On the inside I plan on using snort, an monitoring the various > log files. Any further suggestions on testing?
Plain ole telnet works for testing protocols too ;-) > /etc/init.d/firewall is the default file where where you put your rules you > have written or grabbed elsewhere and modified to meet your specific needs. Not sure where this script came from - it doesn't come with iptables. > /var/lib/iptables/rules-save is the file that will save out from kernel memory > the actual rulesets being used. This file is also reloaded as necessary. Avoid > direct modifications to this. > > Is this explanation correct? Did I miss something or get something confused. > I could not really find any documentation on this, so much was inference > from various linux sites, some very old, and a few gentoo specific sites. Not much to it. Make your rules and use "/etc/init.d/iptables save" to save 'em. When you restart iptables it will automatically load them from /var/lib/iptables/rules-save if it finds that file. > Assuming this is correct, I have seen many command line options and > differing recommendations on how to modify the rules and when to save > them out and to what file. Any details one can provide, that are gentoo > specific, are most welcome. None of these are Gentoo specific (there aren't any Gentoo specifics in iptables AFAIK). Some notes: I wrote all the rules out "by hand" and tested them. Any tweaks I did directly on the command line. Bear in mind that the order of the rules is pretty important (I use the --line-numbers option so you know what line numbers to insert/delete after when changing the ordering of rules, i.e. iptables -L -n --line-numbers). Obviously you'll be doing this from the console directly. I broke rules down into various groups that I separated out into chains. So the first chain (called SCRUB) gets rid of obvious bogus packets (like packets from 192.168.x.x etc etc). Another chain is called BANNED (for obvious reasons). And so on. When working with chains its easier to make the chain and rules first and then "activate" them by adding a rule to the INPUT chain to send all packets through it, e.g. iptables -A INPUT -j SCRUB Dont forget to set default policies for your chains. Often its better to start with a completely locked down machine and add rules for those ports you want to open. Make use of of the state module if you can (it understands FTP, IRC and a few other protocols) which makes it trivial to write state tracking rules. If you iptables extensions are built as modules (not recommended - if one fails to load you might compromise security) then make sure they are loaded - some rules do NOT load the corresponding modules automatically so beware. If you need any help, post on this list. -- -- gentoo-user@gentoo.org mailing list