LinuxQuestions.org
09-08-2004, 10:13 PM   #1
ImAnEwBiE (Member; Registered: Jul 2003; Location: Philippines)

Firewall (Giptables) Can't seem to work...


# DEBUG
#

DEBUG="off"

# ----------------------------------------------------------------------------
# Some definitions for easy maintenance
# Edit these to suit your system
#

MONOLITIC_KERNEL="no"

# Interface 0: This is our external network interface
# It is directly connected to Internet

INTERFACE0="eth0"
INTERFACE0_IPADDR="`/sbin/ifconfig | grep -A 4 eth0 | awk '/inet/ { print $2 }' | sed -e s/addr://`"
ANY_IPADDR="0/0"

# Interface 1: This is our internal network interface
# It is directly connected to our private network
INTERFACE1="eth1"
INTERFACE1_IPADDR="`/sbin/ifconfig | grep -A 4 eth1 | awk '/inet/ { print $2 }' | sed -e s/addr://`"
ANY_IPADDR="0/0"

# Your name servers ip address

ISP_PRIMARY_DNS_SERVER="`fgrep nameserver /etc/resolv.conf | sed -n '1 p' | cut -f 2 -d ' '`"
# the pipe must stay on the same line as the command before it; a line that
# begins with "|" is a shell syntax error
ISP_SECONDARY_DNS_SERVER="`fgrep nameserver /etc/resolv.conf | sed -n '2 p' | cut -f 2 -d ' '`"

# SYSLOG client ip address

SYSLOG_CLIENT="d.d.d.d"

# Loopback interface

LOOPBACK_INTERFACE="lo" # Loopback interface

# Port declarations, do not change them

PRIV_PORTS="0:1023"

# ----------------------------------------------------------------------------
# Loading custom firewall rules from /etc/rc.d/rc.giptables.custom
#

LOAD_CUSTOM_RULES="yes"

# ----------------------------------------------------------------------------
# Logging
# Limit the amount of incoming dropped packets that get sent to the logs
#

# We log & drop all the packets that are not expected. In order to avoid
# our logs being flooded, we rate limit the logging

# Interface 0 log dropped packets

INTERFACE0_LOG_DROPPED_PACKETS="yes"
INTERFACE0_LOG_LIMIT="5/m"
INTERFACE0_LOG_LIMIT_BURST="7"

# Interface 1 log dropped packets

INTERFACE1_LOG_DROPPED_PACKETS="yes"
INTERFACE1_LOG_LIMIT="7/m"
INTERFACE1_LOG_LIMIT_BURST="9"

# ----------------------------------------------------------------------------
# Network Ghouls
# Refuse any connection from problem sites
#

# The /etc/rc.d/rc.giptables.blocked file contains a list of ip addresses that
# will be blocked from having any kind of access to your server on all your
# interfaces if the next option is "yes"

NETWORK_GHOULS="yes"

# ----------------------------------------------------------------------------
# Syn-flood protection
# Limit the number of incoming tcp connections
#

SYN_FLOOD_PROTECTION="yes"

# Interface 0 incoming syn-flood protection
INTERFACE0_IN_SYN_FLOOD_PROTECTION="yes"
INTERFACE0_IN_TCP_CONN_LIMIT="10/s"
INTERFACE0_IN_TCP_CONN_LIMIT_BURST="20"

# Interface 1 incoming syn-flood protection

INTERFACE1_IN_SYN_FLOOD_PROTECTION="yes"
INTERFACE1_IN_TCP_CONN_LIMIT="7/s"
INTERFACE1_IN_TCP_CONN_LIMIT_BURST="11"

# ----------------------------------------------------------------------------
# Sanity check
#

SANITY_CHECK="yes"

# Make sure NEW incoming tcp connections are SYN packets

INTERFACE0_IN_DROP_NEW_WITHOUT_SYN="yes"
INTERFACE1_IN_DROP_NEW_WITHOUT_SYN="yes"

# Drop all incoming fragments
INTERFACE0_IN_DROP_ALL_FRAGMENTS="yes"
INTERFACE1_IN_DROP_ALL_FRAGMENTS="yes"

# Drop all incoming malformed XMAS packets

INTERFACE0_IN_DROP_XMAS_PACKETS="yes"
INTERFACE1_IN_DROP_XMAS_PACKETS="yes"

# Drop all incoming malformed NULL packets

INTERFACE0_IN_DROP_NULL_PACKETS="yes"
INTERFACE1_IN_DROP_NULL_PACKETS="yes"

# ----------------------------------------------------------------------------
# Spoofing and bad addresses
#

REFUSE_SPOOFING="yes"

# Refuse incoming packets claiming to be from the ip addresses of our interfaces

REFUSE_SPOOFING_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_IN_REFUSE_SPOOFING[0]="yes"

# The interface 1 address needs its own slot: assigning slot 0 a second time
# would overwrite the interface 0 address above, so that address would never
# be refused. Slot 7 follows the last slot used below (slot 6).
REFUSE_SPOOFING_IPADDR[7]=$INTERFACE1_IPADDR
INTERFACE1_IN_REFUSE_SPOOFING[7]="yes"

# Refuse incoming packets claiming to be from broadcast-src address range

REFUSE_SPOOFING_IPADDR[1]="0.0.0.0/8"
INTERFACE0_IN_REFUSE_SPOOFING[1]="yes"

# Refuse incoming packets claiming to be from reserved loopback address range

REFUSE_SPOOFING_IPADDR[2]="127.0.0.0/8"
INTERFACE0_IN_REFUSE_SPOOFING[2]="yes"

# Refuse incoming packets claiming to be from class A private network

REFUSE_SPOOFING_IPADDR[3]="10.0.0.0/8"
INTERFACE0_IN_REFUSE_SPOOFING[3]="yes"

# Refuse incoming packets claiming to be from class B private network

REFUSE_SPOOFING_IPADDR[4]="172.16.0.0/12"
INTERFACE0_IN_REFUSE_SPOOFING[4]="yes"

# Refuse incoming packets claiming to be from class C private network

REFUSE_SPOOFING_IPADDR[5]="192.168.0.0/16"
INTERFACE0_IN_REFUSE_SPOOFING[5]="yes"

# Refuse incoming packets claiming to be from class D, E, and unallocated

REFUSE_SPOOFING_IPADDR[6]="224.0.0.0/3"
INTERFACE0_IN_REFUSE_SPOOFING[6]="yes"

# ****************************************************************************
# *
# A N Y *
# *
# ****************************************************************************

ACCEPT_ANY="no"

# ****************************************************************************
# *
# D N S *
# *
# ****************************************************************************

ACCEPT_DNS="yes"

# ----------------------------------------------------------------------------
# DNS outgoing client request
#

# Interface 0 DNS outgoing client request

INTERFACE0_DNS_CLIENT="yes"

INTERFACE0_DNS_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_DNS_OUT_DST_IPADDR[0]=$ISP_PRIMARY_DNS_SERVER
INTERFACE0_DNS_OUT_UDP_REQUEST[0]="yes"
INTERFACE0_DNS_OUT_TCP_REQUEST[0]="yes"
INTERFACE0_DNS_OUT_SPORT53_REQUEST[0]="no"

INTERFACE0_DNS_OUT_SRC_IPADDR[1]=$INTERFACE0_IPADDR
INTERFACE0_DNS_OUT_DST_IPADDR[1]=$ISP_SECONDARY_DNS_SERVER
INTERFACE0_DNS_OUT_UDP_REQUEST[1]="yes"
INTERFACE0_DNS_OUT_TCP_REQUEST[1]="yes"
INTERFACE0_DNS_OUT_SPORT53_REQUEST[1]="no"

# ****************************************************************************
# *
# F T P *
# *
# ****************************************************************************

ACCEPT_FTP="no"

# ----------------------------------------------------------------------------
# FTP outgoing client request
#

# Interface 0 FTP outgoing client request

INTERFACE0_FTP_CLIENT="yes"

INTERFACE0_FTP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_FTP_OUT_DST_IPADDR[0]=$ANY_IPADDR
INTERFACE0_FTP_OUT_PASIVE[0]="yes"
INTERFACE0_FTP_OUT_ACTIVE[0]="no"

# ****************************************************************************
# *
# S S H *
# *
# ****************************************************************************

ACCEPT_SSH="yes"

# ----------------------------------------------------------------------------
# SSH outgoing client request
#

# Interface 0 SSH outgoing client request

INTERFACE0_SSH_CLIENT="no"

INTERFACE0_SSH_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_SSH_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# SSH incoming client request
# Interface 0 SSH incoming client request

INTERFACE0_SSH_SERVER="yes"

INTERFACE0_SSH_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_SSH_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_SSH_SERVER="yes"

INTERFACE1_SSH_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE1_SSH_IN_DST_IPADDR[0]=$INTERFACE1_IPADDR

# ****************************************************************************
# *
# T E L N E T *
# *
# ****************************************************************************

ACCEPT_TELNET="no"

# ----------------------------------------------------------------------------
# TELNET outgoing client request
#

# Interface 0 TELNET outgoing client request

INTERFACE0_TELNET_CLIENT="yes"

INTERFACE0_TELNET_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_TELNET_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ****************************************************************************
# *
# T E L N E T S *
# *
# ****************************************************************************

ACCEPT_TELNETS="no"

# ****************************************************************************
# *
# S M T P *
# *
# ****************************************************************************

ACCEPT_SMTP="yes"

# ----------------------------------------------------------------------------
# SMTP outgoing client request
#

# Interface 0 SMTP outgoing client request

INTERFACE0_SMTP_CLIENT="yes"

INTERFACE0_SMTP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_SMTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

INTERFACE1_SMTP_CLIENT="yes"

INTERFACE1_SMTP_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_SMTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

ANY_SMTP_CLIENT="yes"

ANY_SMTP_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
ANY_SMTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# SMTP incoming client request
#

# Interface 0 SMTP incoming client request

INTERFACE0_SMTP_SERVER="yes"

INTERFACE0_SMTP_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_SMTP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

INTERFACE1_SMTP_SERVER="yes"

INTERFACE1_SMTP_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE1_SMTP_IN_DST_IPADDR[0]=$INTERFACE1_IPADDR

# ****************************************************************************
# *
# S M T P S *
# *
# ****************************************************************************

ACCEPT_SMTPS="no"

# ----------------------------------------------------------------------------
# SMTPS outgoing client request
#

# Interface 0 SMTPS outgoing client request

INTERFACE0_SMTPS_CLIENT="yes"

INTERFACE0_SMTPS_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_SMTPS_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# SMTPS incoming client request
#

# Interface 0 SMTPS incoming client request

INTERFACE0_SMTPS_SERVER="yes"
INTERFACE0_SMTPS_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_SMTPS_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

# ****************************************************************************
# *
# Q M Q P *
# *
# ****************************************************************************

ACCEPT_QMQP="no"

# ----------------------------------------------------------------------------
# QMQP outgoing client request
#

# Interface 0 QMQP outgoing client request

INTERFACE0_QMQP_CLIENT="yes"

INTERFACE0_QMQP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_QMQP_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ****************************************************************************
# *
# H T T P *
# *
# ****************************************************************************

ACCEPT_HTTP="yes"

# ----------------------------------------------------------------------------
# HTTP outgoing client request
#

# Interface 0 HTTP outgoing client request

INTERFACE0_HTTP_CLIENT="yes"

INTERFACE0_HTTP_OUT_SRC_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_HTTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

INTERFACE1_HTTP_CLIENT="yes"

INTERFACE1_HTTP_OUT_SRC_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_HTTP_OUT_DST_IPADDR[0]=$ANY_IPADDR

# ----------------------------------------------------------------------------
# HTTP incoming client request
#

# Interface 0 HTTP incoming client request

INTERFACE0_HTTP_SERVER="yes"

INTERFACE0_HTTP_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE0_HTTP_IN_DST_IPADDR[0]=$INTERFACE0_IPADDR

# Interface 1 HTTP incoming client request

INTERFACE1_HTTP_SERVER="yes"

INTERFACE1_HTTP_IN_SRC_IPADDR[0]=$ANY_IPADDR
INTERFACE1_HTTP_IN_DST_IPADDR[0]=$INTERFACE1_IPADDR

# ****************************************************************************
# *
# S Q U I D *
# *
# ****************************************************************************

ACCEPT_SQUID="yes" # Squid in Proxy-Caching Mode

Here is my configuration, friends! I just attached squid and http... I can't seem to make squid work. But when giptables is off, I can access the server as my proxy server.... Hope you guys help me out! I'm a newbie in Linux, and I'm still trying to learn the tricks.. y'know.. God bless you all!

Thanks!
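As an added example (not from the post above and not part of GIPTables), here is a small Python checker for two kinds of slip that are easy to make in a long rc.giptables.conf and that the script itself will never report: an array slot such as REFUSE_SPOOFING_IPADDR[0] assigned twice, so the second value silently replaces the first, and a service switched on with ACCEPT_<SVC>="yes" that has no INTERFACEn_<SVC>_SERVER / _CLIENT (or ANY_<SVC>_*) line set to "yes". The second check rests on an assumption, stated in the code, that a service without such a stanza gives the rule generator nothing to build from, which matches how every other service in the posted file is declared; in the configuration as pasted, ACCEPT_SQUID="yes" is the last line and no SQUID stanza follows it. The sample configuration embedded below is a constructed excerpt in the style of the posted file.

```python
import re
import sys
from collections import defaultdict

# Constructed excerpt in the style of the rc.giptables.conf posted above.
# It is sample input for this checker, not the poster's file.
SAMPLE_CONF = """\
# Refuse incoming packets claiming to be from the ip addresses of our interfaces
REFUSE_SPOOFING_IPADDR[0]=$INTERFACE0_IPADDR
INTERFACE0_IN_REFUSE_SPOOFING[0]="yes"
REFUSE_SPOOFING_IPADDR[0]=$INTERFACE1_IPADDR
INTERFACE1_IN_REFUSE_SPOOFING[0]="yes"
REFUSE_SPOOFING_IPADDR[1]="0.0.0.0/8"
INTERFACE0_IN_REFUSE_SPOOFING[1]="yes"
ACCEPT_ANY="no"
ACCEPT_FTP="no"
INTERFACE0_FTP_CLIENT="yes"
ACCEPT_SSH="yes"
INTERFACE0_SSH_SERVER="yes"
INTERFACE1_SSH_SERVER="yes"
ACCEPT_HTTP="yes"
INTERFACE1_HTTP_SERVER="yes"
ACCEPT_SQUID="yes" # Squid in Proxy-Caching Mode
"""

# NAME=value or NAME[3]=value, with or without double quotes, trailing comment allowed
ASSIGN_RE = re.compile(r'^\s*([A-Z0-9_]+)(?:\[(\d+)\])?=("?)([^"#]*)\3')

# INTERFACE0_SSH_SERVER, INTERFACE1_HTTP_CLIENT, ANY_SMTP_CLIENT -> service name
STANZA_RE = re.compile(r'^(?:INTERFACE\d+|ANY)_([A-Z0-9]+)_(?:SERVER|CLIENT)$')


def parse_conf(text):
    """Return (name, index, value) tuples in file order.

    index is None for plain variables; comment and blank lines are skipped.
    Values are kept verbatim, so $INTERFACE0_IPADDR stays unexpanded."""
    assignments = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            name, idx, _quote, value = m.groups()
            assignments.append((name, int(idx) if idx is not None else None, value.strip()))
    return assignments


def duplicate_indices(assignments):
    """Array slots written more than once; bash keeps only the last value."""
    seen = defaultdict(list)
    for name, idx, value in assignments:
        if idx is not None:
            seen[(name, idx)].append(value)
    return {slot: values for slot, values in seen.items() if len(values) > 1}


def orphaned_services(assignments):
    """Services with ACCEPT_<SVC>="yes" but no INTERFACEn_<SVC>_SERVER/_CLIENT
    (or ANY_<SVC>_*) line set to "yes".  Assumption: without such a stanza the
    rule generator has nothing to build a rule from, as is the case for every
    other service declared in the posted file."""
    scalars = {}
    for name, idx, value in assignments:
        if idx is None:
            scalars[name] = value          # last assignment wins, as in bash
    with_stanza = set()
    for name, value in scalars.items():
        m = STANZA_RE.match(name)
        if m and value == 'yes':
            with_stanza.add(m.group(1))
    orphans = []
    for name, value in scalars.items():
        if name.startswith('ACCEPT_') and value == 'yes':
            svc = name[len('ACCEPT_'):]
            if svc != 'ANY' and svc not in with_stanza:   # ACCEPT_ANY has no stanza form
                orphans.append(svc)
    return sorted(orphans)


def lint(text):
    """Run both checks and return them as one report dict."""
    assignments = parse_conf(text)
    return {'duplicate_slots': duplicate_indices(assignments),
            'services_without_stanza': orphaned_services(assignments)}


if __name__ == '__main__':
    # Pass a path to check a real file; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    report = lint(text)
    for (name, idx), values in report['duplicate_slots'].items():
        print(f"slot {name}[{idx}] assigned {len(values)} times: {values}")
    for svc in report['services_without_stanza']:
        print(f"ACCEPT_{svc}=yes but no INTERFACEn_{svc}_SERVER/_CLIENT line is set to yes")
```

Run it as `python3 check_giptables_conf.py /etc/rc.d/rc.giptables.conf` (the file name is a placeholder); on the embedded sample it reports the doubled REFUSE_SPOOFING_IPADDR[0] slot and SQUID as the one service switched on without a stanza. The parser deliberately does not expand `$INTERFACE0_IPADDR`, so it can be run on a copy of the file away from the firewall host.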
 
  

