Code:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
	// Listen on loopback (the "localhost resolver" the header describes), the LAN
	// address and the WAN address. 127.0.0.1 was missing from the posted file, so
	// local IPv4 lookups against 127.0.0.1 had nothing to talk to.
	// Binding the WAN address only matters if the firewall admits queries there;
	// the posted iptables script does not, and allow-query below refuses them anyway.
	listen-on port 53 { 127.0.0.1; 115.127.27.59; 192.168.100.1; };
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	// Only localhost and the LAN may query. With no separate allow-recursion (or
	// allow-query-cache) set, this list also bounds who may recurse, which is what
	// an internal caching resolver wants: never an open resolver on the WAN side.
	allow-query { localhost; 192.168.100.0/24; };
	recursion yes;
	dnssec-enable yes;
	dnssec-validation yes;
	// DLV lookaside is only valid on the older BIND this template ships with;
	// ISC retired the DLV registry in 2017 and current releases reject the option,
	// so drop this line (and the DLV key file below) when upgrading.
	dnssec-lookaside auto;
	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";
	managed-keys-directory "/var/named/dynamic";
};
logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
zone "." IN {
	type hint;
	file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Code:
#!/bin/bash
# Declare interfaces, IP addresses and other things
wan="p4p1"
lan="p4p2"
wanip="115.127.27.59"
lanip="192.168.100.1"
lannet="192.168.100.0/24"
# Clean previous chains and rules
iptables -t filter -F   # -t selects the table ('filter' is the default); -F flushes all rules
iptables -t filter -X   # -X deletes user-defined chains
iptables -t filter -Z   # -Z zeroes the packet/byte counters
iptables -t nat -F      # same for the NAT table
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F   # same for the mangle table
iptables -t mangle -X
iptables -t mangle -Z
# Default policy DROP in filter: anything not explicitly accepted below is dropped
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Default policy ACCEPT in mangle (nothing is filtered there)
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
# Loopback: named listens on localhost and local tools resolve through it;
# with both policies at DROP and no lo rule, every local lookup is dropped
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#SSH
# Allow incoming ssh on wan (client elsewhere -> sshd here: new connections
# arrive with dport 22, replies leave with sport 22)
iptables -A INPUT -i $wan -p tcp -d $wanip --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $wan -p tcp -s $wanip --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# Allow incoming ssh on lan
iptables -A INPUT -i $lan -p tcp -d $lanip --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $lan -p tcp -s $lanip --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
##############################################################################################################
# Allow outgoing ssh on wan (ssh client here -> server elsewhere: the ports are
# the mirror image of the incoming rules; the posted version had them swapped)
iptables -A OUTPUT -o $wan -p tcp -s $wanip --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $wan -p tcp -d $wanip --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
# Allow outgoing ssh on lan (the reply rule has to match -d $lanip, not -s)
iptables -A OUTPUT -o $lan -p tcp -s $lanip --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $lan -p tcp -d $lanip --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
##############################################################################################################
#rDesktop
# Allow outgoing rDesktop (RDP, tcp/3389) to lan hosts only
iptables -A OUTPUT -o $lan -p tcp -s $lanip --sport 513:65535 --dport 3389 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $lan -p tcp -d $lanip --sport 3389 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
##############################################################################################################
## WWW
# Allow www outbound to 80.
iptables -A OUTPUT -o $wan -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $wan -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allow www outbound to 443.
iptables -A OUTPUT -o $wan -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $wan -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
##############################################################################################################
#DNS
# named serves the LAN on $lanip. A client's query is the first packet of its
# flow, so conntrack marks it NEW; the posted rule accepted only ESTABLISHED on
# dport 53, so every query fell through to the INPUT DROP policy. TCP 53 is
# needed as well for truncated and large (DNSSEC) answers. Restricting to $lan
# and $lannet matches the allow-query list in named.conf.
iptables -A INPUT -i $lan -p udp -s $lannet -d $lanip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $lan -p udp -s $lanip --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i $lan -p tcp -s $lannet -d $lanip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $lan -p tcp -s $lanip --sport 53 -m state --state ESTABLISHED -j ACCEPT
# As a recursive resolver named must also reach upstream and root servers on the
# wan side; the posted script had no rule for that direction at all.
iptables -A OUTPUT -o $wan -p udp -s $wanip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $wan -p udp -d $wanip --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $wan -p tcp -s $wanip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $wan -p tcp -d $wanip --sport 53 -m state --state ESTABLISHED -j ACCEPT
##############################################################################################################
# FORWARD stays at DROP: nothing here routes LAN traffic through this box. If it
# is meant to be the LAN's gateway, FORWARD rules and nat POSTROUTING masquerading
# still have to be added; as written the script only protects the host itself.
# Persist the running rules (/etc/sysconfig/iptables on RHEL/CentOS), reload, show
service iptables save
service iptables restart
service iptables status
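The failure mode in the posted DNS rules is easy to misread, so here is an added example (not part of the original post, and not the poster's script) that replays the posted INPUT/OUTPUT rules through a minimal first-match simulator with the same semantics iptables uses: first matching rule decides, otherwise the chain policy applies. Interface names and addresses are the ones in the posted script; the LAN client, the upstream resolver address and the packets themselves are constructed for the example. The point it shows: a query arriving at named is the first packet of its flow, so conntrack tags it NEW, and a rule that only accepts ESTABLISHED on udp/53 never matches it. The corrected rule set (loopback, LAN clients to named, named to upstream) is evaluated alongside.

```python
"""First-match simulator for the posted iptables INPUT/OUTPUT rules (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    chain: str   # "INPUT" or "OUTPUT"
    iface: str   # -i for INPUT, -o for OUTPUT
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    state: str   # the state conntrack would assign: NEW (first packet) or ESTABLISHED


@dataclass(frozen=True)
class Rule:
    chain: str
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None            # host or CIDR, like -s
    dst: Optional[str] = None            # host or CIDR, like -d
    sport: Optional[tuple] = None        # (lo, hi), like --sport lo:hi
    dport: Optional[tuple] = None
    states: Optional[frozenset] = None   # like -m state --state a,b

    @staticmethod
    def _in_net(addr, net):
        return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

    @staticmethod
    def _in_range(port, rng):
        return rng is None or rng[0] <= port <= rng[1]

    def matches(self, p: Packet) -> bool:
        return (self.chain == p.chain
                and (self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and self._in_net(p.src, self.src)
                and self._in_net(p.dst, self.dst)
                and self._in_range(p.sport, self.sport)
                and self._in_range(p.dport, self.dport)
                and (self.states is None or p.state in self.states))


POLICY = {"INPUT": "DROP", "OUTPUT": "DROP"}   # as set with iptables -P in the post


def verdict(rules, p: Packet) -> str:
    """iptables semantics: the first matching rule wins, otherwise the chain policy."""
    for r in rules:
        if r.matches(p):
            return r.target
    return POLICY[p.chain]


WAN, LAN = "p4p1", "p4p2"                      # from the posted script
WANIP, LANIP = "115.127.27.59", "192.168.100.1"
P53 = (53, 53)

# The posted DNS rules (the verbatim duplicate pair is omitted; it changes nothing).
POSTED_DNS = [
    Rule("INPUT", "ACCEPT", proto="udp", dport=P53, states=frozenset({"ESTABLISHED"})),
    Rule("OUTPUT", "ACCEPT", proto="udp", sport=P53, states=frozenset({"NEW", "ESTABLISHED"})),
]

# Corrected rules: loopback, LAN clients -> named, named -> upstream resolvers.
FIXED_DNS = [
    Rule("INPUT", "ACCEPT", iface="lo"),
    Rule("OUTPUT", "ACCEPT", iface="lo"),
    Rule("INPUT", "ACCEPT", iface=LAN, proto="udp", src="192.168.100.0/24", dst=LANIP,
         dport=P53, states=frozenset({"NEW", "ESTABLISHED"})),
    Rule("OUTPUT", "ACCEPT", iface=LAN, proto="udp", src=LANIP, sport=P53,
         states=frozenset({"ESTABLISHED"})),
    Rule("OUTPUT", "ACCEPT", iface=WAN, proto="udp", src=WANIP, dport=P53,
         states=frozenset({"NEW", "ESTABLISHED"})),
    Rule("INPUT", "ACCEPT", iface=WAN, proto="udp", dst=WANIP, sport=P53,
         states=frozenset({"ESTABLISHED"})),
]

# Constructed packets; the LAN client and upstream addresses are hypothetical.
UPSTREAM = "198.51.100.53"
FLOWS = {
    "lan client query to named": Packet("INPUT", LAN, "udp", "192.168.100.20", 40321, LANIP, 53, "NEW"),
    "named reply to lan client": Packet("OUTPUT", LAN, "udp", LANIP, 53, "192.168.100.20", 40321, "ESTABLISHED"),
    "named query to upstream":   Packet("OUTPUT", WAN, "udp", WANIP, 51234, UPSTREAM, 53, "NEW"),
    "upstream reply to named":   Packet("INPUT", WAN, "udp", UPSTREAM, 53, WANIP, 51234, "ESTABLISHED"),
    "local query over loopback": Packet("INPUT", "lo", "udp", "127.0.0.1", 45678, "127.0.0.1", 53, "NEW"),
}


def evaluate(rules) -> dict:
    """Verdict for every constructed flow under the given rule list."""
    return {name: verdict(rules, pkt) for name, pkt in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("posted", POSTED_DNS), ("fixed", FIXED_DNS)):
        print(f"--- {label} rules ---")
        for name, v in evaluate(rules).items():
            print(f"{name:28s} {v}")
```

Under the posted rules only "named reply to lan client" is accepted; the query it would answer, named's own recursive queries, their replies and loopback all fall to the DROP policy, which is exactly the symptom of a resolver that "is running but never answers". The simulator takes the conntrack state as input rather than tracking flows; TCP 53 needs the same two rule pairs and is left out only to keep the example short.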
Hi johnmaxwell,
Thanks for placing the config files in code tags!
I'm not sure if you asked a question??
Please be clear on what you are asking.
Did you implement this configuration and are having issues?
If so, please state what they are in detail. Include
any error messages.
Just my two cents: From an administrative point of view I
would tend to configure systems per responsibilities and not
make an "All in one" system. While you can do that, you will find
that all subsystems are software components that may have dependencies.
When these components and/or their dependencies need to be updated
(As often they do) you may need to restart services or even reboot the server.
The more you have going on, the more often this is likely to happen.
Also, then you have to consider co-dependencies, where more than one software
component depends on a certain module or code, and what do you do if they need
different versions? Yes, there are ways, but that just adds to the admin overhead.
If this is for personal use, OK, you have been warned.
If this is for production, tread carefully and do your research and test, test, test;-)
Or better yet, reconsider dividing responsibilities up between systems. A single point
of failure is never a good thing;-)
So, ... to reiterate, What was your question?
All the best,
Tim
Last edited by Tim Abracadabra; 07-17-2014 at 12:56 AM.
Reason: fix typo "an", add ","