[Courses] [Security] Firewalls: Ipchains syntax and implementation

Raven, corporate courtesan raven at oneeyedcrow.net
Fri Mar 29 22:36:41 EST 2002


Heya --

	Okay, I think we've covered a good bit of theory about what a
firewall should and shouldn't allow now.  Time to get to building them.
We'll start with ipchains, since that's simpler than iptables, and move
on up.

	There is an excellent how-to that explains the rules of ipchains
firewalling at:

http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html

I could go over the syntax (and will if anyone wants me to), but feel
like I'd be reinventing the wheel since I think Rusty's done such a
good, clear job of it already.

http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO-4.html

is particularly helpful, and explains the basics of syntax.  Please ask
if anything is unclear or confusing.

	So let's try to apply all this knowledge.  You are a security
consultant hired by the admin of example.com's network.  You have the
(we'll pretend that it's routable) IP block 10.1.1.0/24.  Most of your
network is comprised of Windows workstation boxes.  You also have some
Linux workstation boxes, an FTP server running under Solaris at
10.1.1.7, a Web server running under Linux at 10.1.1.14, and a file
server for the Windows machines at 10.1.1.21.  Your mail server is
hosted on the same machine as your Web server (10.1.1.14).  DNS is
handled by a FreeBSD server at 10.1.1.5.

	Your Windows users want to be able to "access the Internet".
Your Linux users want to be able to ssh into their workstations from
home so that they can work remotely.  The company is worried about the
security of its network, and wants you to firewall it off from the
Internet without disrupting business.  You decide to use ipchains under
Linux.

	What sort of a setup would you recommend?  What further
questions would you have for your employers?  And what firewall
ruleset(s) would you propose?  We will assume for the purposes of this
discussion that the Linux boxes you're using are already built, that
firewalling and IP masquerading support are already built into the
kernel, and that the Linux boxes have been stripped of unnecessary
services and locked down.  Post your ideas and rules to the list, and
we'll discuss them and work out the best setup we can come up with
for example.com.
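One candidate answer to the exercise, added here as a worked example and not the course author's own ruleset. It assumes a Linux firewall routing between eth0 (Internet side) and eth1 (the 10.1.1.0/24 side), that the Linux workstations needing ssh are the two hypothetical hosts in LINUX_WS, and that the web server speaks plain HTTP on port 80. The host addresses come from the exercise; everything else is an assumption. The script only prints the ipchains commands so the ruleset can be reviewed on any machine; `--apply` feeds them to a shell on the real firewall.

```shell
#!/bin/sh
# Candidate ipchains ruleset for the example.com exercise (added example,
# not the course author's answer). Interface names, the Linux workstation
# addresses and the choice of ports are assumptions; the server addresses
# are the ones given in the exercise.

EXT_IF="${EXT_IF:-eth0}"      # assumption: interface facing the Internet
INT_IF="${INT_IF:-eth1}"      # assumption: interface facing the LAN
LAN=10.1.1.0/24
DNS=10.1.1.5                  # FreeBSD DNS server
FTP=10.1.1.7                  # Solaris FTP server
WEB=10.1.1.14                 # Linux web + mail server
SMB=10.1.1.21                 # Windows file server: never reachable from outside
LINUX_WS="${LINUX_WS:-10.1.1.50 10.1.1.51}"   # hypothetical Linux workstations

# Print one ipchains command instead of running it, so the ruleset can be
# reviewed (and tested) without being root on the firewall.
rule() { echo "ipchains $*"; }

gen_rules() {
    # Clean slate and default-deny on the chains that see outside traffic.
    rule -F
    rule -P input DENY
    rule -P forward DENY
    rule -P output ACCEPT

    rule -A input -i lo -j ACCEPT

    # Anti-spoofing: a 10.1.1.x source is only legitimate on the inside
    # interface; log anything else so it shows up in syslog.
    rule -A input -i "$EXT_IF" -s "$LAN" -j DENY -l
    rule -A input -i "$INT_IF" ! -s "$LAN" -j DENY -l

    # Public services: open only the named port on the named host.
    rule -A input -i "$EXT_IF" -p tcp -d "$WEB" 80 -j ACCEPT
    rule -A input -i "$EXT_IF" -p tcp -d "$WEB" 25 -j ACCEPT
    rule -A input -i "$EXT_IF" -p udp -d "$DNS" 53 -j ACCEPT
    rule -A input -i "$EXT_IF" -p tcp -d "$DNS" 53 -j ACCEPT
    # FTP control channel only. The data channel (port 20 outbound for
    # active mode, or a high-port range on the server for passive mode)
    # needs its own rules once we know how the FTP server is configured,
    # which is one of the questions to ask the employer.
    rule -A input -i "$EXT_IF" -p tcp -d "$FTP" 21 -j ACCEPT

    # ssh from home to the Linux workstations, per host rather than to the
    # whole /24, so the Windows boxes never get an open port 22.
    for ws in $LINUX_WS; do
        rule -A input -i "$EXT_IF" -p tcp -d "$ws" 22 -j ACCEPT
    done

    # Default-deny already drops SMB probes at the file server; denying
    # them explicitly with -l makes them visible in the logs.
    rule -A input -i "$EXT_IF" -p tcp -d "$SMB" 137:139 -j DENY -l
    rule -A input -i "$EXT_IF" -p udp -d "$SMB" 137:139 -j DENY -l

    # ipchains is stateless, so replies to connections the LAN opened must
    # be admitted explicitly. "! -y" matches TCP packets without SYN alone,
    # i.e. anything except a new connection attempt, to unprivileged ports.
    # UDP DNS answers are matched by their source port 53. For ICMP the
    # "source port" is the type: 0 echo-reply, 3 destination-unreachable
    # (needed for path MTU discovery), 11 time-exceeded; inbound echo-request
    # falls through to the DENY policy.
    rule -A input -i "$EXT_IF" -p tcp ! -y -d "$LAN" 1024:65535 -j ACCEPT
    rule -A input -i "$EXT_IF" -p udp -s 0/0 53 -d "$LAN" 1024:65535 -j ACCEPT
    for t in 0 3 11; do
        rule -A input -i "$EXT_IF" -p icmp -s 0/0 "$t" -d "$LAN" -j ACCEPT
    done

    # Traffic originating on the inside is allowed out.
    rule -A input -i "$INT_IF" -s "$LAN" -j ACCEPT

    # Forwarding between the two sides. In the forward chain -i names the
    # outgoing interface. The exercise pretends 10.1.1.0/24 is routable, so
    # plain ACCEPT suffices; with a private block the first rule would be
    # -j MASQ instead.
    rule -A forward -i "$EXT_IF" -s "$LAN" -j ACCEPT
    rule -A forward -i "$INT_IF" -d "$LAN" -j ACCEPT
}

# Apply for real (root on the firewall); stop at the first failing command.
apply_rules() { gen_rules | sh -e; }

case "${1:-}" in
    --apply) apply_rules ;;
    *)       gen_rules ;;
esac
```

The stateless "! -y" rule is the weak spot of any ipchains design: it lets in any non-SYN TCP segment addressed to a high port, which is exactly what iptables' connection tracking later fixed. It is also why the servers get only their one service port each and why nothing at all is accepted for 10.1.1.21.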

Cheers,
Raven

"That should be: "If cryptography is outlawed, only bhgynjf jvyy unir
 pelcgb!" Or maybe, for maximum effect, "...only pvumbxt xjmm ibwf
 dszqup!""
 -- Kai, on 'better' cryptography

MD5 (outlaws) = 4c86ccf216da19edcc4b80e3824b67ab
 -- my response
