Re: iptables firewall script for linux



Moe Trin <ibuprofin@xxxxxxxxxxxxxxxxxxxxxx> wrote:
On Sun, 12 Nov 2006, John F wrote:
<<snip>>
Thanks for the explanation, Moe. As mentioned in earlier followup
to cobalt69, the machines on my lan do run some services that might
create security holes. Although I tried to clean things up, I can't
fool myself into thinking I know enough to do this securely.
Hopefully, a canned firewall script will mostly protect me from
my shortcomings.

Your original post stated it was a workstation, not a server, but knowing
what port needs to be open, and to "who" can let you set up any rule that
may be needed.

Sorry about that. I think of machines on my lan as workstations
because they're used for development, but I guess they're servers
in the context of this discussion. (Told you I don't know what
I'm doing. :)

Thanks for the references. I'd looked at a few when first
running the canned ipchains firewall. Note that yours add up
to 1.15MB, which is about 230 crammed-full printed pages
(at 5KB/page leaving no white space at all). That's a lot
to read just to install a script.

Actually, 'wc -l' shows it to be just over 20,000 lines, or about 334 pages,
but given that there are currently about 450 HOWTOs with 3.8 million words
for about 11,500 pages, you can't read them all. Five years ago, something
like a third of those documents were being updated/changed every six months.
Initially, I decided to read at least 10 HOWTOs a week. Some of them were
either not interesting to me, or not relevant. Thereafter, I set up a
cron-job that checks ibiblio.org (the old "sunsite.unc.edu") comparing file
timestamps nightly. The only way I could keep up is to do a 'diff' of the
old/new HOWTO[s] and scan that. One other thing that helps is using
'grep' to find which document to look at.

I did look through the iptables man page, and even that's 1850 lines.

Well, it's better to have 31 pages than something like 2 or 3. ;-)
Again, use the search function (the '/' key) in your man pager to look
for things.

Some man pages are pretty good, and iptables seems like one of
them, introducing some concepts and terminology up front.
Just what I'm looking for. Some HOWTOs take forever to get
to the point (and some are terrific). I tried finding a short
canned script like the ones you and 59cobalt posted. Maybe I
missed it.
Fooling around and writing my own is how I typically learn
"little languages" that I don't need to know too well. But
iptables firewalls seem a little unique, because there's
actually an intentionally malicious agent just waiting for you
to make a mistake. So trial-and-error isn't quite the fun
it usually is.
--
John Forkosh ( mailto: j@xxxxx where j=john and f=forkosh )
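A short canned script of the kind asked about above, added here as an example; it is not one of the scripts posted in the thread. It follows the "what port, and to who" advice: default-deny on INPUT, stateful accept for replies, and each service opened only to the LAN subnet on the LAN interface. The subnet 192.168.1.0/24, the interface eth0 and the single exposed port 22 are assumptions to be changed for the real network. Run it with IPT=echo to print the rules instead of loading them, and with FW_APPLY=1 as root to apply them. It uses the `-m state` match that iptables offered at the time of the thread; on current kernels the equivalent is `-m conntrack --ctstate`.

```shell
#!/bin/sh
# Minimal stateful iptables policy for a LAN workstation that also runs a
# few services. Added example, not a script from the thread.
# Assumed values (hypothetical, override in the environment):
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # LAN subnet allowed to reach services
LAN_IF="${LAN_IF:-eth0}"               # interface the LAN is attached to
LAN_TCP_PORTS="${LAN_TCP_PORTS:-22}"   # TCP services exposed to the LAN only
IPT="${IPT:-iptables}"                 # IPT=echo prints instead of applying

# Emit the rule set as one iptables argument list per line, so it can be
# reviewed or diffed before it is loaded.
fw_rules() {
    # Clean slate, then deny by default for anything arriving or forwarded.
    echo "-F"
    echo "-X"
    echo "-P INPUT DROP"
    echo "-P FORWARD DROP"
    echo "-P OUTPUT ACCEPT"
    # Loopback traffic is always local.
    echo "-A INPUT -i lo -j ACCEPT"
    # Replies to connections this host started, and related traffic (ftp-data, ICMP errors).
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # A "new" TCP connection that does not begin with SYN is bogus.
    echo "-A INPUT -p tcp ! --syn -m state --state NEW -j DROP"
    # Anti-spoofing: LAN source addresses must arrive on the LAN interface.
    echo "-A INPUT ! -i $LAN_IF -s $LAN_NET -j DROP"
    # Each exposed service is opened only to the LAN, on the LAN interface.
    for port in $LAN_TCP_PORTS; do
        echo "-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Rate-limited ping from the LAN for troubleshooting.
    echo "-A INPUT -i $LAN_IF -s $LAN_NET -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT"
    # Log (rate-limited) and drop whatever the policy did not allow.
    echo "-A INPUT -m limit --limit 3/min -j LOG --log-prefix fw-drop:"
    echo "-A INPUT -j DROP"
}

# Feed each emitted line to $IPT; word-splitting of $line is intended.
apply_rules() {
    fw_rules | while IFS= read -r line; do
        # shellcheck disable=SC2086
        $IPT $line || return 1
    done
}

# Review check: number of port-opening rules not restricted to the LAN
# subnet. Anything other than 0 means a service is exposed more widely
# than this policy intends.
wide_open_count() {
    fw_rules | grep -- '--dport' | { grep -vc -- "-s $LAN_NET" || true; }
}

if [ "${FW_APPLY:-0}" = 1 ]; then
    apply_rules
fi
```

With IPT=echo the script prints the rule lines it would load; a `diff` of that output between two revisions of the script shows exactly which rule changed, which is the same trick the thread uses for tracking HOWTO updates.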