LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Slackware (http://www.linuxquestions.org/questions/slackware-14/)
-   -   firewall sample (http://www.linuxquestions.org/questions/slackware-14/firewall-sample-55396/)

cijunet 04-16-2003 05:26 PM

firewall sample
 
Hi all

I'm looking up for a sample of firewall considering that Slackware comes with none. Could you recommand me a site from where I can download or take as example a firewall? I have just started to study iptables, but I can not afford to have my comp unprotected until I am able to build a firewall by myself.... ;)

Thanks a lot

AltF4 04-16-2003 06:33 PM

check:
http://www.netfilter.org/documentati...ing-HOWTO.html
http://www.netfilter.org/documentati...g-HOWTO-5.html

5. Rusty's Really Quick Guide To Packet Filtering

Most people just have a single PPP connection to the Internet, and don't want anyone coming back into their network, or the firewall:

## Insert connection-tracking modules (not needed if built into kernel).
# insmod ip_conntrack
# insmod ip_conntrack_ftp

## Create chain which blocks new connections, except if coming from inside.
# iptables -N block
# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
# iptables -A block -j DROP

## Jump to that chain from INPUT and FORWARD chains.
# iptables -A INPUT -j block
# iptables -A FORWARD -j block

AltF4 04-16-2003 06:35 PM

.. and if you need NAT:
http://www.netfilter.org/documentati...g-HOWTO-9.html

9. Mixing NAT and Packet Filtering

It's common to want to do Network Address Translation (see the NAT HOWTO) and packet filtering. The good news is that they mix extremely well.

You design your packet filtering completely ignoring any NAT you are doing. The sources and destinations seen by the packet filter will be the `real' sources and destinations. For example, if you are doing DNAT to send any connections to 1.2.3.4 port 80 through to 10.1.1.1 port 8080, the packet filter would see packets going to 10.1.1.1 port 8080 (the real destination), not 1.2.3.4 port 80. Similarly, you can ignore masquerading: packets will seem to come from their real internal IP addresses (say 10.1.1.1), and replies will seem to go back there.

You can use the `state' match extension without making the packet filter do any extra work, since NAT requires connection tracking anyway. To enhance the simple masquerading example in the NAT HOWTO to disallow any new connections from coming in the ppp0 interface, you would do this:

# Masquerade out ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Disallow NEW and INVALID incoming or forwarded packets from ppp0.
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

cijunet 04-16-2003 07:30 PM

Thanks! It is just what I need

AltF4 04-16-2003 07:48 PM

no problem


All times are GMT -5. The time now is 02:42 PM.