Re: Security, Distributed firewalling application...long ;-)
- From: "Samuel R. Baskinger" <sbaskinger@xxxxxxxxxx>
- Date: Thu, 01 Dec 2005 11:37:52 -0500
> Why do I need a GUI & policy based framework for implementing my firewalls,
> when my requirements are static? Well, I may need to add an additional role
> to a server on the LAN, if any other server fails. In fact, I intend to
> keep the services prepared on alternate servers, only not deploy them
> redundantly. Secondly, you never know when needs change, and something that
> is easily configured and deployed would adapt better.
No clue how to do this, I've never cared for anything like this.
My personal way of doing this is to write a small script that does 3 things:
1. Brings things to a safe init state (flush all rules, turn off forwarding, etc.).
2. Brings things to a normal running state.
3. Brings things to a locked down state (drop everything but administrative stuff, increase logging, etc.).
Then you can version the script in CVS (with comments!), which lets other people more clearly understand why you have what may ostensibly seem to be an odd rule. You can also push the script around your network more easily. Finally, and most importantly, if you ever have to rebuild or upgrade, getting the pretty (but admittedly nice) GUI up and running is often really annoying.
It's been my constant experience that to do things once or twice, a GUI is much nicer but to do things in a repeatable and traceable way, a script is your best friend.
Below is a short example script that may get you started.
Sam
#!/bin/bash
# ---- short *example* of an iptables script suitable for personal use
# ---- Obviously, this comes with no guarantee etc etc etc.
# ---- It is a teaching example only.

IPT='sudo /sbin/iptables'

flush()
{
    echo -n "Flushing rules and locking down filter rules... "
    # Set the DROP policies first so nothing slips through while the chains are empty.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -F FORWARD
    echo done.
}

default()
{
    flush
    echo -n "Applying default profile... "
    $IPT -A INPUT -i lo -j ACCEPT                               # allow lo to talk to us. :)
    $IPT -A OUTPUT -p tcp --tcp-flags SYN SYN -j ACCEPT          # TCP out OK
    $IPT -A OUTPUT -p udp -j ACCEPT                              # UDP out OK
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT    # echo out ok
    $IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT       # reply in ok
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT   # Conntrack
    $IPT -A INPUT -m conntrack --ctstate RELATED -j ACCEPT       # Conntrack
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT  # Conntrack
    $IPT -A OUTPUT -m conntrack --ctstate RELATED -j ACCEPT      # Conntrack
    echo done.
}

stop()
{
    echo -n "Putting filters into typical default states (ACCEPT w/ no rules)... "
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -t nat -P PREROUTING ACCEPT
    $IPT -t nat -P POSTROUTING ACCEPT
    $IPT -t nat -P OUTPUT ACCEPT
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING
    $IPT -t nat -F OUTPUT
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -F FORWARD
    echo done.
}

status()
{
    $IPT -L
    echo ""
    $IPT -t nat -L
}

help()
{
    cat <<EOF
Usage: $0 <profile>
  flush   - set the rules to drop everything. Typically run 1st by a profile.
  default - set the iprules to be very tight. Flush is called automatically.
  stop    - set the rules to be their default, very open, state.
  status  - list the current filter and nat rules.
EOF
}

# NOTE: running "\$@" here blindly would be slightly dangerous, so only the
# profiles defined above are accepted; anything else prints the help.
case "$1" in
    flush|default|stop|status|help) "$1" ;;
    *) help; exit 1 ;;
esac
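Sam's script covers flush, default and stop but not the third state he lists, the locked down profile (administrative traffic only, increased logging). The following is an added example in the same style, not part of Sam's post; the admin host 192.0.2.10 and port 22 are constructed assumptions, and setting IPT='echo iptables' in the environment gives a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: a "locked down" profile (the third state in Sam's list),
# written in the style of his script. IPT='echo iptables' gives a dry run.
IPT=${IPT:-'sudo /sbin/iptables'}
# Constructed assumptions: admin host in the documentation range, SSH on 22.
ADMIN_NET=${ADMIN_NET:-192.0.2.10/32}
ADMIN_PORT=${ADMIN_PORT:-22}

flush()
{
    # Policies first, then empty the chains, so nothing slips through in between.
    $IPT -P INPUT DROP;  $IPT -P OUTPUT DROP;  $IPT -P FORWARD DROP
    $IPT -F INPUT;       $IPT -F OUTPUT;       $IPT -F FORWARD
}

lockdown()
{
    flush
    # Loopback and already-tracked flows keep working, so the SSH session
    # this is typed into survives the switch to the locked down state.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The only NEW connection accepted: administrative SSH from the admin host.
    $IPT -A INPUT -p tcp -s "$ADMIN_NET" --dport "$ADMIN_PORT" \
         -m conntrack --ctstate NEW -j ACCEPT
    # "Increase logging": record what the DROP policy is about to eat,
    # rate limited so a flood cannot fill the log.
    $IPT -A INPUT  -m limit --limit 10/min --limit-burst 20 \
         -j LOG --log-prefix "LOCKDOWN-IN: "  --log-level warning
    $IPT -A OUTPUT -m limit --limit 10/min --limit-burst 20 \
         -j LOG --log-prefix "LOCKDOWN-OUT: " --log-level warning
}

# Dispatch on known profile names only. With no argument nothing runs,
# so the file can also be sourced just for its functions.
case "${1:-}" in
    flush|lockdown) "$1" ;;
    '') ;;
    *) echo "Usage: $0 {flush|lockdown}" >&2; exit 1 ;;
esac
```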
- References:
- Re: Security, Distributed firewalling application...long ;-)
- From: Joachim Schipper
- Re: Security, Distributed firewalling application...long ;-)