Re: IPTABLES & TCP WRAPPERS

From: Llanzlan Klazmon (Klazmon_at_llurdiaxorb.govt)
Date: 05/11/05


Date: 11 May 2005 15:21:32 +1200

justin <pryn@olk.net> wrote in news:98s181tgh68tgoi92008rlll46a8j4u0db@4ax.com:

> On Tue, 10 May 2005 19:32:16 +0200, Jose Maria Lopez Hernandez
> <jkerouac@bgsec.com> wrote:
>
<SNIP>

>
> Ok with your response you have raised another question for me: How do
> you bypass an IPTABLES firewall rule? Even if I have a statement like:
>
> # iptables -A INPUT -i external_interface -s My_IP_address -j REJECT
>

I personally think that you should DROP not REJECT. If you get hit by a
DDOS attack, doing a reject will double the load on your system caused by
the IP stack processing. It will also dump useless reject packets back
onto the net, generally wasting bandwidth.

> Also I have another question in this area: for example let us say you
> have 3 systems:
> 2 Linux web servers and 1 Linux dedicated IPTABLES firewall/router
> system.
>
> Would you enable IPTABLES on the two web servers behind the Linux
> firewall/router? Or just TCP Wrappers? Is that making it too
> complicated to manage?
>
> Just using this simple example what would be a recommended
> configuration? Is there documentation somewhere I could read about
> recommended topology config based on the number of systems and their
> function you could point me to?

I believe there are some pretty good howtos out there. Also note that
there are iptables front ends such as Guarddog and Shorewall that are
supposed to make it easier to set up iptables (I haven't used them
myself). A really useful tool is webmin, which allows you to configure
iptables (and a lot of other stuff like apache, samba etc) via a web
browser.

Klazmon.

>
> Or
>
>
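The following is an added example, not part of the thread above and not anything the posters configured. It puts the reply's two points into a concrete host ruleset for one of the web servers sitting behind the dedicated iptables router: a default DROP policy with no REJECT target anywhere, plus a TCP Wrappers deny-all/allow-list as a second layer for wrapped daemons such as sshd. The interface name `eth0`, the management network `192.0.2.0/24` and the admin host `192.0.2.10` are constructed placeholders (RFC 5737 documentation ranges), as are the function names.

```shell
#!/bin/sh
# Added example (not from the original thread): host firewall for a Linux web
# server behind a dedicated iptables router, following the reply's advice to
# DROP rather than REJECT. Addresses and the NIC name are constructed.

WEB_IF="${WEB_IF:-eth0}"             # the web server's only NIC (assumed)
LAN_NET="${LAN_NET:-192.0.2.0/24}"   # internal management network (constructed)
ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}" # the one box allowed to ssh in (constructed)

# Emit a complete ruleset in iptables-restore(8) format on stdout.
# Policy is DROP, so anything not explicitly accepted is silently discarded;
# no ICMP unreachable or TCP RST is generated, which is the point of the reply.
webserver_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always needed (local resolver, monitoring agents, etc.)
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, and packets of already accepted flows
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets claiming to be NEW without SYN are never legitimate connection starts
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# The service this box exists for
-A INPUT -i $WEB_IF -p tcp --dport 80 -j ACCEPT
-A INPUT -i $WEB_IF -p tcp --dport 443 -j ACCEPT
# Management only from the internal admin host, never from the outside
-A INPUT -i $WEB_IF -s $ADMIN_HOST -p tcp --dport 22 -j ACCEPT
# Let the router and monitoring on the LAN ping us
-A INPUT -i $WEB_IF -s $LAN_NET -p icmp --icmp-type echo-request -j ACCEPT
# Rate-limited log of what falls through, then the DROP policy takes over
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT DROP: "
COMMIT
EOF
}

# TCP Wrappers (hosts_access(5)) as a second, daemon-level layer for
# libwrap-aware services: /etc/hosts.deny refuses everything, /etc/hosts.allow
# opens only sshd from the admin host. It does not replace iptables, because
# only wrapped daemons consult it, but it still works if a rule gets flushed.
tcpwrappers_deny()  { printf 'ALL: ALL\n'; }
tcpwrappers_allow() { printf 'sshd: %s\n' "$ADMIN_HOST"; }

# Returns 0 (true) if the generated ruleset never uses REJECT.
ruleset_has_no_reject() {
  [ "$(webserver_ruleset | grep -c -- '-j REJECT')" -eq 0 ]
}

# Apply the ruleset (needs root). --test parses without committing, so a typo
# fails here instead of leaving the box half-configured.
apply_ruleset() {
  tmp=$(mktemp) || return 1
  webserver_ruleset > "$tmp" &&
    iptables-restore --test < "$tmp" &&
    iptables-restore < "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

case "${1:-show}" in
  apply) apply_ruleset ;;
  wrappers) echo '# /etc/hosts.deny'; tcpwrappers_deny
            echo '# /etc/hosts.allow'; tcpwrappers_allow ;;
  *) webserver_ruleset ;;
esac
```

Run without arguments to review the ruleset, `wrappers` to see the two hosts_access files, and `apply` as root to load it. Keeping management (SSH, ICMP) restricted to the internal addresses means the router's rules and the host's rules say the same thing, which is what keeps two layers from becoming the management burden the question worried about.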
