Re: [SCIENTIFIC-LINUX-USERS] RHEL/SL and iptables

2011-04-21 Thread Patrick Riehecky

On 04/20/2011 02:47 PM, Nicolas Kovacs wrote:

On 20/04/2011 02:26, Tom H wrote:

On Tue, Apr 19, 2011 at 12:53 PM, Robert E. Blair r...@anl.gov wrote:

There is a sourceforge project called firestarter which has a rather
nice script that does lots of iptables config and provides a gui monitor
of firewall activity.

You could also try APF:
http://www.rfxn.com/projects/advanced-policy-firewall/
(I've never used it so this isn't an experienced-based recommendation
but I've installed it on a test box to check out its rules and they
looked good.)

Shorewall's also an option that you could consider. It's another blind
recommendation though; I've never even seen its default rules...

Thanks very much for the numerous answers. I read through a pile of
documentation, and figured out the most simple solution was a
handcrafted iptables script from scratch. Here goes:

--8<---
#!/bin/sh
##/root/bin/firewall-start
IPT=/sbin/iptables
WAN_IFACE=eth0
LAN_IFACE=eth1
# Flush all rules and delete user-defined chains in every table.
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
# Default policies: deny inbound, allow forwarded and outbound traffic.
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# Loopback, basic ICMP, and replies to connections we opened ourselves.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Services offered on the LAN side only: SSH and DHCP.
$IPT -A INPUT -p tcp -i $LAN_IFACE --dport 22 -j ACCEPT
$IPT -A INPUT -p udp -i $LAN_IFACE --dport 67 -j ACCEPT
# Log, then reject, everything else (the prefix must be quoted).
$IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
$IPT -A INPUT -j REJECT
# NAT for the hosts behind the LAN interface.
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
# Persist the ruleset to /etc/sysconfig/iptables and reload it.
/sbin/service iptables save
/sbin/service iptables condrestart
--8<---

Works like a charm so far. Logging (near the end of the script) tells me
whenever I'm locking myself out of something.

Cheers from South France,

Niki

Please add the following line BEFORE the RELATED,ESTABLISHED line

$IPT -A INPUT -m state --state INVALID -j DROP

This will drop any packet whose flags make no sense or whose size is not 
as advertised.


If you are not intending to do any routing, I'd remove the $IPT -t nat 
-A POSTROUTING -o $WAN_IFACE -j MASQUERADE line as well as $IPT -P 
FORWARD ACCEPT and instead insert some drops.


Adding to the list of firewall management, I'm strangely attached to 
UFW mostly because I can pre-load application rules into it and it 
makes limiting connection rates easier[1].  A current(ish) rpm is hiding 
out at 
http://www.openmamba.org/distribution/distromatic.html?tag=devel-ercolinux&pkg=ufw.source


Pat

[1] http://www.snowman.net/projects/ipt_recent/ - you can seriously slow
brute-force logins with this.
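Putting Pat's two suggestions together with the ipt_recent throttle from footnote [1], as an added example that is not Niki's script: the INPUT rules above, rebuilt for a host that does no routing. Interface names are assumed; IPT defaults to /sbin/iptables and can be set to "echo" to print the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not Niki's script: his INPUT rules with Patrick's two
# changes (INVALID dropped first, no forwarding/NAT) plus the recent-match
# throttle from footnote [1]. Interface names are assumed; set IPT=echo
# to dry-run and print the rules instead of loading them.
IPT=${IPT:-/sbin/iptables}
LAN_IFACE=${LAN_IFACE:-eth1}

firewall_rules() {
    # Empty all three tables before rebuilding.
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
    # Not a router: refuse forwarded traffic instead of ACCEPT + MASQUERADE.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # INVALID is dropped first, as Patrick suggests, before the
    # RELATED,ESTABLISHED accept or any service rule can match.
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    for type in echo-request time-exceeded destination-unreachable; do
        $IPT -A INPUT -p icmp --icmp-type "$type" -j ACCEPT
    done
    # SSH from the LAN, throttled: a source that has opened 5 or more new
    # connections within 60 s is dropped, and --update keeps extending the
    # window while it keeps trying. Tune hitcount/seconds to taste.
    $IPT -A INPUT -i "$LAN_IFACE" -p tcp --dport 22 -m state --state NEW \
        -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP
    $IPT -A INPUT -i "$LAN_IFACE" -p tcp --dport 22 -m state --state NEW \
        -m recent --name ssh --set -j ACCEPT
    $IPT -A INPUT -i "$LAN_IFACE" -p udp --dport 67 -j ACCEPT
    # Log before rejecting so lock-outs are visible in the kernel log.
    $IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
    $IPT -A INPUT -j REJECT
}

# Load the rules only when run as "firewall-start apply", so the file can
# be sourced or dry-run without touching the live firewall.
if [ "${1:-}" = "apply" ]; then
    firewall_rules
    /sbin/service iptables save
fi
```

Run it once with IPT=echo and read the output top to bottom; the order of the INVALID, RELATED,ESTABLISHED and LOG/REJECT lines is what the thread is about.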


Re: RHEL/SL and iptables

2011-04-20 Thread Nicolas Kovacs

On 20/04/2011 02:26, Tom H wrote:

On Tue, Apr 19, 2011 at 12:53 PM, Robert E. Blair r...@anl.gov wrote:


There is a sourceforge project called firestarter which has a rather
nice script that does lots of iptables config and provides a gui monitor
of firewall activity.


You could also try APF:
http://www.rfxn.com/projects/advanced-policy-firewall/
(I've never used it so this isn't an experienced-based recommendation
but I've installed it on a test box to check out its rules and they
looked good.)

Shorewall's also an option that you could consider. It's another blind
recommendation though; I've never even seen its default rules...


Thanks very much for the numerous answers. I read through a pile of 
documentation, and figured out the most simple solution was a 
handcrafted iptables script from scratch. Here goes:


--8<---
#!/bin/sh
##/root/bin/firewall-start
IPT=/sbin/iptables
WAN_IFACE=eth0
LAN_IFACE=eth1
# Flush all rules and delete user-defined chains in every table.
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
# Default policies: deny inbound, allow forwarded and outbound traffic.
$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
# Loopback, basic ICMP, and replies to connections we opened ourselves.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Services offered on the LAN side only: SSH and DHCP.
$IPT -A INPUT -p tcp -i $LAN_IFACE --dport 22 -j ACCEPT
$IPT -A INPUT -p udp -i $LAN_IFACE --dport 67 -j ACCEPT
# Log, then reject, everything else (the prefix must be quoted).
$IPT -A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
$IPT -A INPUT -j REJECT
# NAT for the hosts behind the LAN interface.
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
# Persist the ruleset to /etc/sysconfig/iptables and reload it.
/sbin/service iptables save
/sbin/service iptables condrestart
--8<---

Works like a charm so far. Logging (near the end of the script) tells me 
whenever I'm locking myself out of something.


Cheers from South France,

Niki
--
Microlinux - Solutions informatiques 100% Linux et logiciels libres
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32


Re: RHEL/SL and iptables

2011-04-19 Thread Robert E. Blair

There is a sourceforge project called firestarter which has a rather
nice script that does lots of iptables config and provides a gui monitor
of firewall activity.

On 04/16/2011 03:39 PM, Phil Perry wrote:
 On 16/04/11 20:34, Vaclav Mocek wrote:
 On 04/16/2011 08:13 PM, Nicolas Kovacs wrote:
 Hi,

 Until recently, I've only been using the
 system-config-securitylevel-tui utility, because it's easy to use
 while covering all my needs.

 Now I have to switch to a manual iptables configuration, because 1)
 the system-config-securitylevel-tui utility has been dumbed down,
 and 2) some of the things I want to do need a more fine-grained control.

 What's the most orthodox (e. g. clean) solution to configure
 iptables manually (in a script, somewhere) with SL ?

 Cheers,

 Niki Kovacs
 A custom script. A very nice how-to for RH and Fedora can be found here:

 http://fedoraunity.org/Members/kanarip/iptables-howto

 
 Yes, definitely easiest to control iptables with a short/simple script
 IMHO.
 
 Also take a look at the CentOS Wiki iptables howto page which shows in
 detail how to implement such a script:
 
 http://wiki.centos.org/HowTos/Network/IPTables
 
 Once you've created your script, making changes to your firewall is as
 simple as making a quick edit to the script in your favourite text
 editor and (re)running the script.

-- 
Robert E. Blair, Room C221, Building 360
Argonne National Laboratory (High Energy Physics Division)
9700 South Cass Avenue, Argonne, IL 60439, USA
Phone: (630)-252-7545  FAX: (630)-252-5047
GnuPG Public Key: http://www.hep.anl.gov/reb/key.asc


Re: RHEL/SL and iptables

2011-04-19 Thread Tom H
On Tue, Apr 19, 2011 at 12:53 PM, Robert E. Blair r...@anl.gov wrote:

 There is a sourceforge project called firestarter which has a rather
 nice script that does lots of iptables config and provides a gui monitor
 of firewall activity.

You could also try APF:
http://www.rfxn.com/projects/advanced-policy-firewall/
(I've never used it so this isn't an experienced-based recommendation
but I've installed it on a test box to check out its rules and they
looked good.)

Shorewall's also an option that you could consider. It's another blind
recommendation though; I've never even seen its default rules...


RHEL/SL and iptables

2011-04-16 Thread Nicolas Kovacs

Hi,

Until recently, I've only been using the system-config-securitylevel-tui 
utility, because it's easy to use while covering all my needs.


Now I have to switch to a manual iptables configuration, because 1) the 
system-config-securitylevel-tui utility has been dumbed down, and 2) 
some of the things I want to do need a more fine-grained control.


What's the most orthodox (e. g. clean) solution to configure iptables 
manually (in a script, somewhere) with SL ?


Cheers,

Niki Kovacs
--
Microlinux - Solutions informatiques 100% Linux et logiciels libres
7, place de l'église - 30730 Montpezat
Web  : http://www.microlinux.fr
Mail : i...@microlinux.fr
Tél. : 04 66 63 10 32


Re: RHEL/SL and iptables

2011-04-16 Thread Stephan Wiesand
On Apr 16, 2011, at 21:13 , Nicolas Kovacs wrote:

 Until recently, I've only been using the system-config-securitylevel-tui 
 utility, because it's easy to use while covering all my needs.
 
 Now I have to switch to a manual iptables configuration, because 1) the 
 system-config-securitylevel-tui utility has been dumbed down, and 2) some 
 of the things I want to do need a more fine-grained control.
 
 What's the most orthodox (e. g. clean) solution to configure iptables 
 manually (in a script, somewhere) with SL ?

Probably: creating an initial configuration with 
system-config-securitylevel[-tui] or at install time, then editing 
/etc/sysconfig/iptables. The format is that of iptables-save.


Stephan

-- 
Stephan Wiesand
DESY -DV-
Platanenallee 6
15738 Zeuthen, Germany
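What Stephan's approach looks like in practice, as an added illustration rather than text from the thread: the filter table of Niki's script as it is written to /etc/sysconfig/iptables by "service iptables save", i.e. in iptables-save format. Each chain is declared with its policy and packet/byte counters, each rule is one line without the iptables command name, and the table ends with COMMIT; interface names are the ones from the script, and the nat table is left out here.

```text
# /etc/sysconfig/iptables  (constructed example; filter table only)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -j LOG --log-prefix "+++ IPv4 packet rejected +++ "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
```

Edit a rule in this file and run "service iptables restart" to load the new ruleset; iptables-save normalises symbolic ICMP types and ports to the numeric and explicit-match forms shown, so expect the saved file to differ in spelling from the script that produced it.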


Re: RHEL/SL and iptables

2011-04-16 Thread Vaclav Mocek

On 04/16/2011 08:13 PM, Nicolas Kovacs wrote:

Hi,

Until recently, I've only been using the 
system-config-securitylevel-tui utility, because it's easy to use 
while covering all my needs.


Now I have to switch to a manual iptables configuration, because 1) 
the system-config-securitylevel-tui utility has been dumbed down, 
and 2) some of the things I want to do need a more fine-grained control.


What's the most orthodox (e. g. clean) solution to configure 
iptables manually (in a script, somewhere) with SL ?


Cheers,

Niki Kovacs

A custom script. A very nice how-to for RH and Fedora can be found here:

http://fedoraunity.org/Members/kanarip/iptables-howto

or here:

http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

Vaclav M.


Re: RHEL/SL and iptables

2011-04-16 Thread Phil Perry

On 16/04/11 20:34, Vaclav Mocek wrote:

On 04/16/2011 08:13 PM, Nicolas Kovacs wrote:

Hi,

Until recently, I've only been using the
system-config-securitylevel-tui utility, because it's easy to use
while covering all my needs.

Now I have to switch to a manual iptables configuration, because 1)
the system-config-securitylevel-tui utility has been dumbed down,
and 2) some of the things I want to do need a more fine-grained control.

What's the most orthodox (e. g. clean) solution to configure
iptables manually (in a script, somewhere) with SL ?

Cheers,

Niki Kovacs

A custom script. A very nice how-to for RH and Fedora can be found here:

http://fedoraunity.org/Members/kanarip/iptables-howto



Yes, definitely easiest to control iptables with a short/simple script IMHO.

Also take a look at the CentOS Wiki iptables howto page which shows in 
detail how to implement such a script:


http://wiki.centos.org/HowTos/Network/IPTables

Once you've created your script, making changes to your firewall is as 
simple as making a quick edit to the script in your favourite text 
editor and (re)running the script.