Renai,

> Can someone give me some advice on how to set up some simple rules as well as
> having them refreshed when I restart?
I'd be happy to send you my iptables script if you like. But it's really best to craft one yourself so you'll really understand what you are doing along the way. That way when something breaks, you'll have an understanding of how to fix it. Here's how I did it:

* Set up four chains:

  in_yes -- new connections we allow from the outside. This includes things like a mail server, web server, and any local traffic I want to allow.

  in_out -- connections we allow to contact our machine once we've initiated a connection. For example, if I hit a web site, I need to let the web server send me the information I request. With iptables connection tracking, this is easy (-m state --state ESTABLISHED,RELATED).

  logger -- By the time we've reached this chain, the packet shouldn't be allowed in, so we should be logging it so we can keep track of what people are trying to do.

  in_no -- Drop everything that gets here (except port 113 requests, which you should reject so mail servers don't hang while waiting for a response).

* Connect these chains, in this order, to the INPUT chain:

    iptables -A INPUT --source 0.0.0.0/0 -j in_yes
    iptables -A INPUT --source 0.0.0.0/0 -j in_out
    iptables -A INPUT --source 0.0.0.0/0 -j logger
    iptables -A INPUT --source 0.0.0.0/0 -j in_no

* Open a new window, 'tail -f /var/log/syslog' and start doing what you normally do.

* When you see iptables complaining about something, either add a rule to allow that connection / protocol / etc., or decide that it's a hacking attempt and consider yourself lucky that you've blocked him or her.

Expect to break things. A lot! And then expect to be very surprised at how many scans and hack attempts you discover...

As far as getting it to run automatically when you restart, you might look at the ipchains script that appeared recently in woody / sid. Personally, I put all my rules into a shell script and then have an init.d script call this file when I boot. That way it goes into effect on boot, but it's easy for me to tweak it when I discover I want a new rule or want to block something special. The first thing my shell script does is to flush the chains so I'm always starting fresh.

Chris

-- 
Christopher S. Swingley                 930 Koyukuk Drive
System / Network Manager                University of Alaska Fairbanks
IARC -- Frontier Program                Fairbanks, AK 99775
phone: 907-474-2689                     fax: 907-474-2643
email: [EMAIL PROTECTED]                GNUPG and PGP2 keys at my web site
web: http://www.frontier.iarc.uaf.edu/~cswingle
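The four-chain layout Chris describes, written out as a complete shell script. This is an added example, not Chris's own script from the post: the trusted LAN range, the list of open TCP ports and the log rate limit are constructed values, and the script prints the rules by default so they can be read before being applied as root (pass `apply` to run them, for instance from an init.d script at boot).

```shell
#!/bin/sh
# Added example (not from the original post): an iptables script laid out the
# way Chris describes. Four user chains are hooked into INPUT in a fixed order,
# and every run starts by flushing the old rules.
# Values marked "constructed" are assumptions for illustration.

IPT=${IPT:-iptables}                       # iptables binary (overridable)
LAN=${LAN:-192.168.1.0/24}                 # constructed: local network we trust
TCP_SERVICES=${TCP_SERVICES:-"22 25 80"}   # constructed: ssh, smtp, http

# Emit the rule set as shell commands on stdout. Generating first and applying
# second lets you review (or diff) the rules before they go live.
build_rules() {
    # Start fresh: flush every chain, then delete the (now empty) user chains.
    echo "$IPT -F"
    echo "$IPT -X"
    for chain in in_yes in_out logger in_no; do
        echo "$IPT -N $chain"
    done

    # in_yes: new connections we accept from outside, plus local traffic.
    echo "$IPT -A in_yes -i lo -j ACCEPT"
    echo "$IPT -A in_yes -s $LAN -j ACCEPT"
    for port in $TCP_SERVICES; do
        echo "$IPT -A in_yes -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done

    # in_out: replies to connections this machine initiated (connection tracking).
    echo "$IPT -A in_out -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # logger: nothing above matched, so record the packet before it is dropped.
    # The limit match keeps a port scan from flooding syslog (constructed rate).
    echo "$IPT -A logger -m limit --limit 5/minute -j LOG --log-prefix \"iptables: \""

    # in_no: reject ident so remote mail servers don't hang, drop everything else.
    echo "$IPT -A in_no -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
    echo "$IPT -A in_no -j DROP"

    # Attach the chains to INPUT in this order. A user chain that does not
    # match a packet returns it to INPUT, where the next chain gets a look.
    for chain in in_yes in_out logger in_no; do
        echo "$IPT -A INPUT -j $chain"
    done
}

# Report the chain names in the order they are attached to INPUT, space
# separated, so the ordering can be checked without touching the kernel.
input_order() {
    build_rules | grep -- '-A INPUT ' | sed 's/.*-j //' | tr '\n' ' '
}

# Usage: ./fw.sh         print the rules for review
#        ./fw.sh apply   run them (needs root); call this from init.d at boot
case "${1:-print}" in
    apply) build_rules | sh ;;
    *)     build_rules ;;
esac
```

Once the rules are live, `tail -f /var/log/syslog` and look for lines carrying the `iptables:` prefix; each one is a packet that reached the logger chain, which is the signal to either add an in_yes rule for it or leave it blocked.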