
Re: Linux firewall distro for Windows People



Bleh.  I'm running RH7.2 on my Linux router (and, yes, there are Windoze
b0xes behind it).
Two NICs, a hard drive, and that's about all that's required.

I wrote a script to do all the IPTables configuring for me because Steve's
firewalling script wouldn't work for meh.
'Tis attached.
----- Original Message -----
From: "Flood Randy Capt AFCA/TCAA" <Randy.Flood@scott.af.mil>
To: <silug-discuss@silug.org>
Sent: Monday, June 03, 2002 8:14 AM
Subject: Linux firewall distro for Windows People


>
> By the way, if you have any friends who are primarily Windows people (why
> would they be your friends?), but want to set up a Linux firewall, I'd
> recommend:
> Coyote Linux ( http://www.dalantech.com/coyote.shtml ).  They have a
> Windows Disk Creator program that allows you to generate a Linux boot floppy
> with all the appropriate firewall configuration stuff using a wizard-like
> interface.  See pictures here: http://www.dalantech.com/coyote-win.shtml
>
> Of course, we know *you* would never do this.  You would just type all the
> binary for the floppy into dd, or edit the floppy directly using edline or
> something.  But, you might have a friend who is less proficient at Linux
> that this will enable to easily use a Linux-based firewall.
>
> Randy
>
> -----Original Message-----
> From: Nate Reindl [mailto:reindlnr@apci.net]
> Sent: Saturday, June 01, 2002 10:00 AM
> To: silug-discuss@silug.org
> Subject: Re: Firewall distro
>
>
> Quoting Mike808 <mike808@users.sourceforge.net>:
>
> > Any pointers/recommendations on a Firewall distro?
> >
> > SuSE?
> >
> > Trustix?
> >
> > SmoothWall?
> >
> > WhiteGlove?
> >
> > IPCop?
> >
> > LRP?
> >
> > fwfloppy?
>
> Go with Gentoo if you're enterprising enough.  I've found it rather decent
> for a desktop distro and a server distro, so firewalling with it ought to be
> rather trivial.  Also, that 1.3G disk ought to fit real well into things.
>
> URL:  http://gentoo.org/
>
> --
> Nate Reindl  <<  Help me out, damnit.  I need employment.
>  '---> email:  go bug reindlnr at apci dot net, will yah?
> ==
> GAT d-- s a--- C++ UL+++>++++ P++++ L+++>++++ E+++ W+++ N++ o+ K---- w--- O-
> M-- V-- PS+++ PE+++ Y PGP+ t+@ 5++ X R* tv-- b++ DI+ D+++ G+++>++++ e* h! r% z?
> ~~
> "New, what do you own?  The world?  How do you own disorder?" --SOAD "Toxicity"
>
> -
> To unsubscribe, send email to majordomo@silug.org with
> "unsubscribe silug-discuss" in the body.
>
#!/bin/sh

# ------------------------------------
# IP-Tables Configure Script.
# Written for RH7.2 by Eric Peterson.
# Modify as you want.
# ------------------------------------

# Turn on IP Forwarding and DOS Protection (TCP SYN cookies),
# provided that you compiled kernel support.
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Clearing IP-Tables rules..."

# Flush all rules and delete user-defined chains in the filter and nat tables.
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain

echo "Setting up base IP-Tables..."
# Masquerade traffic leaving on eth0 (the outside interface) and
# forward anything arriving from eth1 (the inside interface).
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

echo "Setting up firewalling rules..."

# Allow loopback access.
# THIS MUST COME BEFORE ANYTHING DENYING PORT ACCESS.
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT

# Set up port-blocking: drop packets to local services that should not be
# exposed on the router (NFS 2049, X11 6000-6009, X font server 7100,
# lpd 515, portmapper 111).
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP

# Generate Port Forwarding Rules
# I would put iptables commands here if I knew how to port-forward using it.
# Anyone?

echo "Finished."
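As an added example (not Eric's script and not from anyone in the thread), the port-forwarding piece the script leaves open: a POSIX sh helper that prints the DNAT and FORWARD rules needed to publish one service on a LAN host, and refuses any target outside the LAN. It assumes the script's eth0 (outside) / eth1 (inside) roles; the LAN subnet and host addresses are constructed values.

```shell
#!/bin/sh
# Added example, not part of the thread: generate port-forwarding rules
# for the router in Eric's script (WAN on eth0, LAN on eth1, MASQUERADE
# already present in nat/POSTROUTING).  LAN_NET and the internal host
# addresses used below are constructed values, not from the message.
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24

# Dotted-quad IPv4 address -> 32-bit integer, for the subnet check below.
ip_to_int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# in_lan HOST: succeeds only if HOST is a valid address inside LAN_NET.
# Refusing other targets keeps a typo from DNATing public traffic back
# out to the Internet through the router.
in_lan() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    net=${LAN_NET%/*}; bits=${LAN_NET#*/}
    mask=$(( (0xFFFFFFFF >> (32 - bits)) << (32 - bits) ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# port_forward PROTO EXT_PORT INT_HOST INT_PORT
# Prints the two rules one forward needs: DNAT in nat/PREROUTING rewrites
# the destination of packets arriving on the WAN side, and a FORWARD rule
# admits only that host/port, so the hole is as narrow as the published
# service.  Replies are handled by the script's existing MASQUERADE rule.
port_forward() {
    proto=$1; ext_port=$2; int_host=$3; int_port=$4
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    for p in "$ext_port" "$int_port"; do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
    done
    in_lan "$int_host" || { echo "$int_host is not inside $LAN_NET" >&2; return 1; }
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$proto" "$ext_port" "$int_host" "$int_port"
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -j ACCEPT\n' \
        "$WAN_IF" "$LAN_IF" "$proto" "$int_host" "$int_port"
}

# Print the rules for a web server on a LAN host; pipe the output into
# "sh" as root to apply them.
port_forward tcp 80 192.168.1.10 80
```

Hosts on the LAN side still reach the service by its internal address; this does not add the hairpin (LAN-to-WAN-address) case.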
