IPTables Help

Post by bk » Thu, 26 Apr 2001 23:40:11



Hello!  I am in need of some advice here.  I have a webserver (uses
SSL), an SQL server, and a Real Streaming server (also running DNS)
located on a co-located network.  I would like to drop a Linux box to
act as a firewall for the network.  I have never dabbled with IPChains
and I would like to go directly to IPTables, but I am having some
trouble finding good explanatory documentation on how to do this
correctly.  These are live websites and I want to get this in place very
soon.  Can someone provide some assistance in how to accomplish this?

Thanks

 
 
 

Post by bk » Thu, 26 Apr 2001 23:40:58


Forgot to mention that these are all NT4 Servers....

> Hello!  I am in need of some advice here.  I have a webserver (uses
> SSL), an SQL server, and a Real Streaming server (also running DNS)
> located on a co-located network.  I would like to drop a Linux box to
> act as a firewall for the network.  I have never dabbled with IPChains
> and I would like to go directly to IPTables, but I am having some
> trouble finding good explanatory documentation on how to do this
> correctly.  These are live websites and I want to get this in place very
> soon.  Can someone provide some assistance in how to accomplish this?

> Thanks


 
 
 

Post by Dean Thompso » Thu, 26 Apr 2001 23:35:28


Hi!,

> Hello!  I am in need of some advice here.  I have a webserver (uses
> SSL), an SQL server, and a Real Streaming server (also running DNS)
> located on a co-located network.  I would like to drop a Linux box to
> act as a firewall for the network.  I have never dabbled with IPChains
> and I would like to go directly to IPTables, but I am having some
> trouble finding good explanatory documentation on how to do this
> correctly.  These are live websites and I want to get this in place very
> soon.  Can someone provide some assistance in how to accomplish this?

You might like to take a look at the documentation located at the following
URL:
http://netfilter.samba.org/unreliable-guides/packet-filtering-HOWTO/i...

This explains the basics of the IPTABLES system.  The first thing you will
have to do is work out what ports you want to make accessible and those that
you want to block.  Additionally, you will also have to work out what ports
your SQL server is using.

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+

 
 
 

Post by Martin Cook » Thu, 26 Apr 2001 23:41:46


My advice would be to drop the box in-line with no services running except ssh
and no packet filtering rules.

Add a cronjob that runs a script every 5 minutes to open the ssh port, if it
is not already open. This is in case you mess up and lock yourself out by
mistake; you will open a hole for yourself, to reset the firewall rules.

Then I would grab a copy of nmap and do UDP, TCP scans of the network to
discover the services that should be filtered. Then I would start playing.

Martin


> Forgot to mention that these are all NT4 Servers....


> > Hello!  I am in need of some advice here.  I have a webserver (uses
> > SSL), an SQL server, and a Real Streaming server (also running DNS)
> > located on a co-located network.  I would like to drop a Linux box to
> > act as a firewall for the network.  I have never dabbled with IPChains
> > and I would like to go directly to IPTables, but I am having some
> > trouble finding good explanatory documentation on how to do this
> > correctly.  These are live websites and I want to get this in place very
> > soon.  Can someone provide some assistance in how to accomplish this?

> > Thanks
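
One way to write the cron failsafe described in the post above, as an added example that is not part of the original thread. The script name, path, and the `SSH_PORT`, `ADMIN_SRC` and `ADDED` variables are assumptions, and `iptables -C` requires iptables 1.4.11 or later.

```shell
#!/bin/sh
# Added example: cron failsafe that re-opens SSH on the firewall box itself
# while rules are being tested. Names and paths below are assumptions.
# Cron entry (assumed path), every 5 minutes as in the post:
#   */5 * * * * root /usr/local/sbin/ssh-failsafe.sh --run

SSH_PORT="${SSH_PORT:-22}"
ADMIN_SRC="${ADMIN_SRC:-0.0.0.0/0}"  # set to your admin address to narrow the hole
ADDED=0                              # rules re-added by the last ensure_ssh_open call

# Insert a rule at the top of a chain unless an identical rule already exists.
# Returns 0 if the rule is present afterwards, 2 if iptables refused the insert.
ensure_rule() {
    chain="$1"; shift
    if iptables -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    # Position 1, so a DROP/REJECT placed earlier in the chain cannot shadow it.
    iptables -I "$chain" 1 "$@" || return 2
    ADDED=$((ADDED + 1))
}

# SSH needs both directions: with a restrictive OUTPUT chain the replies
# are dropped even when INPUT accepts the connection.
ensure_ssh_open() {
    ADDED=0
    ensure_rule INPUT  -p tcp -s "$ADMIN_SRC" --dport "$SSH_PORT" -j ACCEPT || return 2
    ensure_rule OUTPUT -p tcp -d "$ADMIN_SRC" --sport "$SSH_PORT" -j ACCEPT || return 2
}

# Only act when invoked with --run, so the file can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    ensure_ssh_open || { logger -t ssh-failsafe "iptables failed"; exit 1; }
    [ "$ADDED" -gt 0 ] && logger -t ssh-failsafe "re-added $ADDED SSH rule(s)"
    exit 0
fi
```

Remove the cron entry once the ruleset is final, because the script will keep re-inserting the ACCEPT rule above any deliberate restriction on ssh.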