LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-31-2005, 07:33 AM   #1
ddaas
Member
 
Registered: Oct 2004
Location: Romania
Distribution: Ubuntu server, FreeBsd
Posts: 453

Rep: Reputation: 30
iptables good practice - 2 questions


Hi all,
1) I've just read in another thread that the iptables script should not be in root's home directory. It should be in /etc. Why is that? What's wrong with the iptables script being in the /root directory?



2) iptables scripts should be run before any network interface comes up. How can I set rules based on the source or destination address associated with a domain? (ex: iptables -A OUTPUT -d www.yahoo.com -p tcp --dport 80 -j DROP).
I could use the IP instead of the domain name, but what can I do when I use dyndns and always have a domain name which points to an IP that changes every day? If the network interface is down, iptables can't make the DNS request for that domain.


best regards,
ddaas
 
Old 05-31-2005, 08:09 AM   #2
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 66
1) I don't really see a problem with this, other than the fact I personally don't like to clutter root's home directory with system configuration files. In general /etc is the "correct" place for system configuration files to live.

2) If you want to do it by domain then the only thing I can think of is a two stage iptables script system. Stage 1 drops everything incoming except replies to outgoing requests.... then you bring up the interface... then the stage 2 script does all the specific dropping such as your www.yahoo.com rule. This will give a very small window during boot up where a user could get to www.yahoo.com, but it allows you to bring up your interfaces without having any window for external attacks. If this box is a router you could always bring up the local network routing rules in the second stage so that nobody could get through the box to the outside world until all your other rules were applied.
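The two-stage scheme described in this reply, written out as an added example (not a script from either poster). It assumes a WAN interface called eth0 and resolves hostnames with getent after the interface is up; hostname-based rules go in their own chain so stage 2 can simply be re-run (for instance from cron) to follow a dyndns name whose address changes, which is the question's second concern. IPT defaults to `echo iptables` so the script can be dry-run without root; set IPT=iptables to apply the rules for real. A hostname that does not resolve is reported and skipped rather than silently producing no rule.

```shell
#!/bin/sh
# Two-stage iptables bring-up (added example). Stage 1 needs no DNS and runs
# before any interface is up; stage 2 runs after the interface is up and
# installs the hostname-based rules.
IPT="${IPT:-echo iptables}"                 # dry-run by default; set IPT=iptables to apply
WAN_IF="${WAN_IF:-eth0}"                    # assumed interface name
BLOCKED_HOSTS="${BLOCKED_HOSTS:-www.yahoo.com}"   # hostnames (or IPv4 literals) to block on port 80

# Stage 1: default-deny inbound, allow loopback and replies to our own connections.
stage1() {
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Print the current IPv4 addresses of a name, one per line. An IPv4 literal is
# printed as-is; a name that fails to resolve prints nothing.
resolve_v4() {
    case "$1" in
        *[!0-9.]*) getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | sort -u ;;
        *)         echo "$1" ;;
    esac
}

# Stage 2: rebuild the BLOCKED_HOSTS chain from freshly resolved addresses and
# hook it into OUTPUT. Re-running this is how a changed dyndns address is picked up.
stage2() {
    $IPT -N BLOCKED_HOSTS 2>/dev/null
    $IPT -F BLOCKED_HOSTS
    for host in $BLOCKED_HOSTS; do
        addrs=$(resolve_v4 "$host")
        if [ -z "$addrs" ]; then
            echo "stage2: could not resolve $host, no rule added" >&2
            continue
        fi
        for ip in $addrs; do
            $IPT -A BLOCKED_HOSTS -d "$ip" -p tcp --dport 80 -j DROP
        done
    done
    # remove any earlier jump so a refresh does not stack duplicates, then re-add it
    $IPT -D OUTPUT -j BLOCKED_HOSTS 2>/dev/null
    $IPT -I OUTPUT -j BLOCKED_HOSTS
}

# Usage: ./fw.sh stage1   (before ifup)
#        ./fw.sh stage2   (after ifup, and again whenever the dyndns name may have changed)
case "${1:-}" in
    stage1) stage1 ;;
    stage2) stage2 ;;
esac
```

Blocking by resolved address only covers the addresses returned at the moment stage 2 runs, so a name with several round-robin addresses, or one that changes between refreshes, is only partly covered until the chain is rebuilt; that is the inherent limit of turning a hostname into iptables rules.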