LinuxQuestions.org
Old 07-03-2009, 11:37 AM   #1
vaibhavs
Member
 
Registered: Jun 2008
Posts: 113

Rep: Reputation: 15
Pls review my firewall


Hi,

I have an FC9 box with 2 NICs.
Running proxy server on FC9 (Dansguardian + Squid) for LAN users.
Running Apache server for outside users.

Requirement:
(1) Allow HTTP access from WAN & LAN to FC9.
(2) Block everything from WAN to FC9.
(3) Allow everything from LAN to FC9

This is my `first` and very simple firewall.

Please let me know if this is good enough or if I need to modify this.

Code:
#LAN: eth0 -- Range (192.168.1.1 - 192.168.1.254)
#WAN: eth1

# FLUSH ALL PREVIOUS RULES
iptables -t nat -F
iptables -t filter -F
iptables -t mangle -F

# ALLOW ALL ON lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# ALLOW replies to connections started from inside -- stateful
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE: LAN -> WAN forwarding (eth0 -> eth1) is never ACCEPTed explicitly;
# it only works because the FORWARD chain policy is left at its default ACCEPT

# ALLOW HTTP (tcp/80) FROM OUTSIDE -- requirement (1)
iptables -A INPUT -i eth1 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT

# MASQUERADE RULE FOR NATTING
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE

# FOR SQUID / DG
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 8080

# BLOCK EVERYTHING ELSE
iptables -A INPUT -i eth1 -j DROP
iptables -A FORWARD -i eth1 -j REJECT

I look forward to feedback & suggestions from members.

Thx
Vai
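As an added check (not part of the original post), here is a small Python simulator of the INPUT chain of the script above: it parses a constructed copy of the rules, assuming the HTTP rule is on tcp/80 as its comment and requirement (1) say, probes the chain with packets for each requirement, and reports the verdicts. Only the INPUT chain of the filter table is modelled; swapping the port for 22 makes the requirement (1) probe fail.

```python
import shlex
# Constructed copy of the INPUT rules above, with the "HTTP FROM OUTSIDE" rule on tcp/80.
RULES = """
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -i eth1 -j DROP
"""
def parse_rules(text):
    """Turn 'iptables -A INPUT ...' lines into dicts of match option -> value."""
    rules = []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if argv[:3] != ["iptables", "-A", "INPUT"]:
            continue                      # other chains/tables are not modelled
        rule, i = {}, 3
        while i < len(argv):
            opt, val = argv[i], argv[i + 1]
            if opt == "--state":
                rule["state"] = set(val.split(","))
            elif opt in ("--dport", "--sport"):   # "80" -> (80, 80); "a:b" -> (a, b)
                rule[opt[2:]] = tuple(int(p) for p in val.split(":")) * (1 if ":" in val else 2)
            elif opt != "-m":             # '-m state' only loads the match module
                rule[opt] = val
            i += 2
        rules.append(rule)
    return rules

def matches(rule, pkt):
    """Every match in the rule must hold for the packet; '-j' is the target, not a match."""
    return all(val[0] <= pkt[key] <= val[1] if key in ("dport", "sport")
               else pkt[key] in val if key == "state" else pkt[key] == val
               for key, val in rule.items() if key != "-j")

def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule decides; the chain policy (left at ACCEPT by the script) is the fallback."""
    return next((r["-j"] for r in rules if matches(r, pkt)), policy)

def pkt(iface, dport, state="NEW", sport=40000):
    return {"-i": iface, "-p": "tcp", "dport": dport, "sport": sport, "state": state}

def audit(text=RULES):
    """Probe packets for requirements (1)-(3); returns probe name -> verdict."""
    rules = parse_rules(text)
    probes = {"wan_http_new": pkt("eth1", 80),                   # (1) expect ACCEPT
              "wan_ssh_new": pkt("eth1", 22),                    # (2) expect DROP
              "wan_http_low_sport": pkt("eth1", 80, sport=443),  # (2) expect DROP
              "lan_ssh_new": pkt("eth0", 22)}                    # (3) expect ACCEPT
    return {name: verdict(rules, p) for name, p in probes.items()}
```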
 
Old 07-03-2009, 11:58 AM   #2
rbees
Member
 
Registered: Mar 2004
Location: northern michigan usa
Distribution: Debian Squeeze, Wheezy, Jessie
Posts: 881

Rep: Reputation: 45
Have you checked out Arno's Firewall?

http://rocky.eld.leidenuniv.nl/

The default setup does a pretty good job of locking down a machine. All you have to do is make a few edits to the config file for the servers and ports you want open.
 
Old 07-03-2009, 12:11 PM   #3
vaibhavs
Member
 
Registered: Jun 2008
Posts: 113

Original Poster
Rep: Reputation: 15
I did check Arno's Firewall, but I think my requirements are very specific and very minimal.
Hence I crafted the above firewall.

Please send me your observations on the above script: is anything wrong or missing to safeguard my server?

Thx
Vai
 
Old 07-04-2009, 12:33 AM   #4
vaibhavs
Member
 
Registered: Jun 2008
Posts: 113

Original Poster
Rep: Reputation: 15
@bump
Any help here pls...
 