Re: Linuxd firewall distro for Windows People

[Mike808 <mike808@users.sourceforge.net>]

"Singularity[TF]" wrote:
> I wrote a script to do all the IPTables configuring for me because Steve's
> firewalling script wouldn't work for me. ['Twas] attached. [Not now].

Woohoo! I'm writing this from behind my new firewall.

I'm using a stock RH 7.3, and I used your script as a guide.
I setup the following in /etc/sysctl.conf:

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) for
# more details.

# Controls IP packet forwarding
# *** mak - 06/03/02 - enabled
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

# Controls SYN flood DoS (Denial of Service) attack protection
# *** mak - 06/03/02 - added, enabled
net.ipv4.tcp_syncookies = 1

That took care of sending the stuff to /proc/sys/net/ipv4.
I'm going to take a stab here and guess that /etc/sysctl.conf is a RH thing.
The startup rc's just call /sbin/sysctl which readst that file and sets
whatever you like. Nice. No arcane schlepping through /proc.

The rest of the tables, I typed in as you've got them in the script.

But, in RH 7.3, I can type 'service iptables list' and it will list
out the current configuration after I've done what your script does.

BTW, you might want comment what ports you're dropping...
 # 2049 = NFS
 # 6000:6009 = X11
 # 7100 = X Font Server
 # 515 = lpr remote network printer
 # 111 = RPC Portmapper

Even cooler in RH, is 'service iptables save' which will *SAVE* your current
configuration into /etc/sysconfig/iptables, whereupon it will be loaded
and implemented on the next 'service iptables start'. Nifty, eh?

Here's what your configuration looks like after I did a save.
I have a third NIC for the WiFi WAP. That's next to get going.

[root@fw sysconfig]# more /etc/sysconfig/iptables
# Generated by iptables-save v1.2.5 on Mon Jun  3 00:24:59 2002
*nat
:PREROUTING ACCEPT [3:704]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jun  3 00:24:59 2002
# Generated by iptables-save v1.2.5 on Mon Jun  3 00:24:59 2002
*filter
:INPUT ACCEPT [354:43195]
:FORWARD ACCEPT [2:132]
:OUTPUT ACCEPT [352:28956]
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -p tcp -m tcp --dport 2049 -j DROP
[0:0] -A INPUT -p udp -m udp --dport 2049 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 6000:6009 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 7100 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 515 -j DROP
[0:0] -A INPUT -p udp -m udp --dport 515 -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 111 -j DROP
[0:0] -A INPUT -p udp -m udp --dport 111 -j DROP
[0:0] -A FORWARD -i eth1 -j ACCEPT
[0:0] -A FORWARD -i eth2 -j ACCEPT
[0:0] -A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Mon Jun  3 00:24:59 2002

And thanks to the Cert BootCamp this weekend, I promptly put 'apt-get'
on it and I'm pretty much good to go.

Building the drive in another machine was one of the BigClues(tm).
Those removable IDE cages from Steve are schweeet.
Don't leave home without 'em.

Next is to add the WiFi and Squid and replace bind and friends with
djbdns. I might put Qmail on it, but maybe not. It doesn't have
sendmail, telnet, and many of the commonly exploited services.
Which, from my standpoint, makes them a complete non-problem.
It ain't even on the box!

Since IE is now a "non-removeable" portion of the Winbloze OS,
you're pretty much stuck with catching MSTDs forever.

Mike808/
-- 
() Join the ASCII ribbon campaign against HTML email and Microsoft-specific
/\ attachments. If I wanted to read HTML, I would have visited your website!
Support open standards.

-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.