[techtalk] Fwd: Question re: Firewalls

Nils Philippsen nils at wombat.dialup.fht-esslingen.de
Sun May 13 20:43:56 EST 2001


On Mon, 14 May 2001, Mary Gardiner wrote:

> On Sun, May 13, 2001 at 03:15:46AM -0500, Kriselda Jarnsaxa wrote:
> > Basic general protection to and from the Internet.  I'm running Linux on an
> > individual computer that, technically, is linked to two other computers in
> > the house (the Windows side is networked fine, the Linux side isn't yet
> > speaking to the other two computers), but I'm not worried about security
> > there, since it's just me and my hubby.  I just don't want to leave it
> > totally open to marauding strangers, eh?  :)
> >
> > Kriselda
>
> So basic first step is port closing (as always) and second step is firewalling
> rules ie ipchains/tables.
>
> Hopefully info provided is all you need to get started. I'm sure there's
> plenty of ipchains expertise on this list.

I would seriously recommend using iptables/netfilter firewalling to anyone
thinking about setting up a firewall. It's very much easier to grasp than
ipchains firewalling and at the same time much more powerful (stateful
firewalling, source and destination NAT(*), ability to filter on input
and output interfaces, limited logging). Of course you'd have to bite into
the apple (ehm penguin) of using a kernel 2.4.x.

(*): AKA "masquerading" and "port redirection" -- the latter one is needed
for transparent proxying if the proxy's not on the firewall itself.

Basically, my setup is something along these lines (intentionally using
pseudo code and not real iptables commands (left as an exercise to the
reader)):

"filter" table
==============

"OUTPUT" chain
--------------
- "ACCEPT" policy (packets originating from the firewall are not to be
  filtered)

"FORWARD" chain
---------------
- "DROP" policy
1. accept anything coming in through eth0 (pointing to my internal
   network)
2. accept any packet with the state 'ESTABLISHED' or 'RELATED'

"INPUT" chain
-------------
- "DROP" policy
1. accept anything coming in through interface eth0
2. accept anything coming in through interface lo (loopback, VERY
   important)
3. accept anything contacting our TCP port 22 (secure shell)
4. accept any packet with the state 'ESTABLISHED' or 'RELATED'
5. reject(*) any packet contacting our TCP or UDP ports 113 (ident/auth)
   -- some servers out there are nosy and we don't want them to wait on a
   timeout before they serve us
6. Log any packet that came this far (before dropping it)

"nat" table
===========

POSTROUTING chain
-----------------
1. masquerade anything leaving through interfaces ippp+ (matches
   interfaces beginning with "ippp")
2. masquerade anything leaving through interfaces ppp+ (matches
   interfaces beginning with "ppp")

Nils
-- 
 Nils Philippsen / Berliner Straße 39 / D-71229 Leonberg // +49.7152.209647
nils at wombat.dialup.fht-esslingen.de / nils at redhat.de / nils at fht-esslingen.de
   The use of COBOL cripples the mind; its teaching should, therefore, be
   regarded as a criminal offence.                  -- Edsger W. Dijkstra
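The pseudo-code ruleset above written out as real iptables commands, as an added example (this is not Nils' own script). It assumes eth0 is the internal LAN interface, ippp+ and ppp+ are the dial-up uplinks, sshd listens on TCP 22 on the firewall, and that setting IPT=echo gives a dry run that prints the commands instead of loading them.

```shell
#!/bin/sh
# Added example: the post's pseudo-code ruleset as iptables commands.
# Assumptions: eth0 = internal LAN, ippp+/ppp+ = dial-up uplinks, TCP 22 = sshd.
# IPT=echo turns the whole thing into a dry run (prints instead of loads).
IPT=${IPT:-iptables}

flush_all() {
    $IPT -F; $IPT -X
    $IPT -t nat -F; $IPT -t nat -X
}

filter_rules() {
    # "filter" table: policies first, so nothing slips through while loading
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP
    $IPT -P INPUT DROP

    # FORWARD: LAN may go out; replies and related traffic (e.g. FTP data) return
    $IPT -A FORWARD -i eth0 -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # INPUT: traffic addressed to the firewall host itself
    $IPT -A INPUT -i eth0 -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ident/auth: reject (not drop) so remote servers do not wait for a timeout
    $IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -p udp --dport 113 -j REJECT
    # rate-limited log of whatever reaches the end; the DROP policy discards it
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
}

nat_rules() {
    # "nat" table, POSTROUTING: masquerade traffic leaving via the uplinks
    $IPT -t nat -A POSTROUTING -o ippp+ -j MASQUERADE
    $IPT -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
}

apply_rules() {
    flush_all
    filter_rules
    nat_rules
}

# Run with the single argument "apply" to load the rules for real.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

On current kernels `-m conntrack --ctstate ESTABLISHED,RELATED` is the preferred spelling of the state match; the semantics are the same.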