Firewall (Single Host)

R4z0r · 10-24-2004, 05:56 AM

Hi All,

I have a co-located server which sits on a /24 LAN. I have 5 of these IP's assigned to me and use them by creating multiple virtual interfaces i.e eth0:1, eth0:2, etc.

What I need to do is create firewall rules for each virtual IP. I have CentOS 3.1 and the included "lokkit" tool does not provide this funtionality. Is anyone aware of a tool I can use to set this up? I've looked about and seen this like Shorewall which looks great but it's based on being a router rather than a firewall for a single host.

Thanks

qwijibow · 10-24-2004, 08:01 AM

how complicated does the firewall need to be ?

often, the best sollution is to write your own iptables script, rather than use a defualt one from shorewall or firestarted etc etc.

all these linux firewalls really do, is provide a limited GUI with a few options, then generate an iptables ruleset.

R4z0r · 10-24-2004, 08:39 AM

Thanks for the reply - I think you're right so I'm now using a more basic firewall. Only thing I can't do now is set it up for passive FTP. The ports I need to allow are as below:

Quote:

* INPUT chain:
o tcp
new/established
source port: 1024 - 65535
destination port: 21
o tcp
new/established/related
destination port: pasv_min_port - pasv_max_port

* OUTPUT chain:
o tcp
related/established
source port: 20
destination port: 1024 - 65535
o tcp
established
source port: 21
destination port: 1024 - 65535
o tcp
established
source port: pasv_min_port - pasv_maxport
destination port: 1024 - 65535

I don't understand what this means - could you point me in the right direction?

I also need ip_conntrack_ftp - How can I tell if I have this?

Thanks

jev-bird · 10-24-2004, 02:58 PM

To see if ip_conntrack_ftp is currently running in the kernel do an lsmod and you should see it. If not it may be compiled as a module in that case try doing an insmod modulename

R4z0r · 10-24-2004, 03:15 PM

Thanks. It wasn't running so I just added it and everything is now working perfectly.