Re: newbie question

On Monday 24 March 2003 10:54 am, Scott Melnyk wrote:
> Hello, I hope this is not too simple to post. I have not quite got
> IPTABLEs use down.
>
> I am looking at setting up local firewalls on a cluster of machines
> (almost 100 linux boxes running RH 7.3 and 8.0).  The login nodes for
> the cluster have extensive hardware based firewalling rules.
>
> On the rest of the cluster I would like to set IPTABLEs to accept
> everything within the subnet and drop anything from an outside
> address.
>
> My thought for setting the rules on each machine is by pushing out and
> running a bash script.
> Is it possible to simply set up a firewall with something as simple
> as:
>
>
> #!/bin/bash
> #
>
> service iptables stop
>
> iptables -F
>
> iptables -A INPUT -m limit -j LOG
> iptables -A OUTPUT -m limit -j LOG

Are you sure this is what you want?  It will log 5 entries the first 
hour, then 3/hour after that.  (presuming you have at least that many to 
log)

> iptables -A INPUT -s 130.xxx.xxx.128/25 -j ACCEPT
> #rule here to drop all non 130.xxx.xxx.128/25

Two things here - first, the DROP policy below will drop anything not 
already accepted, so you don't need an explicit DROP.  Second, you can 
specify this DROP (if you really want it) with
iptables -A INPUT -s ! 130.x.x.128/25 -j DROP

> iptables -P FORWARD DROP
> iptables -P INPUT DROP
>
> service iptables save
>
>
> We have a subnet of 130.xxx.xxx.128/255.255.255.128
> How can I define a mandatory drop of everything not in
> 130.xxx.xxx.128/255.255.255.128?

Just the DROP policy is all that is needed, so long as you specify the 
source IP in ACCEPT rules.

> Finally what risks am I taking by doing this?  Other than if someone
> hacks into one of the login nodes, I realize this would then give them
> access to the rest of the cluster.

The only risk I see is of someone spoofing one of your IPs.  If all 
communications will take place with specific ports or protocols, you can 
tighten the ACCEPT rule to only allow that in.  But as you have it, the 
only thing that these boxes would accept communications from would be 
their own subnet, and if you don't have unnecessary services running 
you shouldn't have much to worry about.

j
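A rule generator for the subnet-only policy discussed in this thread, written as an added example (it is not the poster's script or the replier's): it supplies the missing `-j ACCEPT`, keeps loopback and reply traffic working under the DROP policy, and logs only what the policy is about to discard rather than every packet. The subnet 130.0.0.128/25, the function name and the `--apply` flag are placeholders of my own.

```sh
#!/bin/sh
# Subnet-only INPUT policy for one cluster node (constructed example).
# The subnet below is a placeholder, not a real cluster address.

# Print the iptables commands for a node that trusts only its own subnet.
#   $1 = trusted subnet in CIDR form, e.g. 130.0.0.128/25 (placeholder)
#   $2 = optional extra match (e.g. "-p tcp --dport 22") to tighten ACCEPT
# Rules are added before the policy is flipped to DROP so an existing
# admin session is not cut off halfway through.
gen_cluster_rules() {
    subnet=$1
    extra=${2:-}
    accept="iptables -A INPUT -s $subnet"
    if [ -n "$extra" ]; then
        accept="$accept $extra"
    fi
    accept="$accept -j ACCEPT"
    cat <<EOF
iptables -F INPUT
iptables -F FORWARD
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$accept
iptables -A INPUT -m limit --limit 3/hour --limit-burst 5 -j LOG --log-prefix "cluster-drop: "
iptables -P INPUT DROP
EOF
}

# Usage on a node:  sh this.sh --apply 130.0.0.128/25 ["-p tcp --dport 22"]
# Without --apply nothing is changed; run gen_cluster_rules to review first.
if [ "${1:-}" = "--apply" ]; then
    gen_cluster_rules "$2" "${3:-}" | sh -e
    service iptables save   # RH-style persistence, as in the original script
fi
```

The LOG rule sits last on purpose: everything reaching it has already missed the ACCEPT rules, so the log shows only traffic the DROP policy is rejecting, at the same 3/hour with burst 5 that `-m limit` gives by default.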



