I discovered Firestarter (http://firestarter.sourceforge.net/) which is a
GUI based script writer for IPTables (switched from ipchains when I left
RH7.2 for RH9). Its Wizard will take you through the basics including
setting up NAT. Rule making is really easy with this gem.

Dick

On Tue, 2003-12-02 at 08:17, Tomás García Ferrari wrote:
> Hello:
>
> I'm trying to configure iptables (on RH 9) with a restrictive set of rules,
> to leave open only ssh, http, pop3 / imap, smtp and DNS ports and close all
> the rest.
>
> I was reading tons of different articles and options all over the web, but
> none of them gave me a pretty basic and simple way of configuring this
> (isn't it that 'black magic' thing, right?)
>
> Which script do you normally use? Where can I find this information?
>
> Thanks!
> Tomás
>
> PS: this is the clearest script I found... but my DNS is not responding if I
> use it! :(
>
> +--- starts here
>
> #!/bin/bash
> #
> # This is a sample firewall for ip_tables, the tool for doing firewalling
> # and masquerading under the 2.3.x/2.4.x series of kernels.
> #
> # Be warned, this is a very restrictive set of firewall rules (and they
> # should be, for proper security). Anything that you do not _specifically_
> # allow is logged and dropped into /dev/null, so if you're wondering why
> # something isn't working, check /var/log/messages.
> #
> # This is about as close as you get to a 'secure' firewall. It's nasty,
> # it's harsh, and it will make your machine nearly invisible to the rest
> # of the internet world. Have fun.
> #
> # To run this script you must 'chmod 700 iptables-script' and then execute
> # it. To stop it from running, run 'iptables -F'
>
> #Point this to your copy of ip_tables
> IPT="/usr/local/bin/iptables"
>
> #Load the module.
> modprobe ip_tables
>
> #Flush old rules, delete the firewall chain if it exists
> $IPT -F
> $IPT -F -t nat
> $IPT -X firewall
>
> #Setup Masquerading. Change the IP to your internal network and uncomment
> #this in order to enable it.
> #$IPT -A POSTROUTING -t nat -s 192.168.1.0/24 -j MASQUERADE
> #$IPT -P FORWARD ACCEPT
> #echo 1 > /proc/sys/net/ipv4/ip_forward
>
> #Set up the firewall chain
> $IPT -N firewall
> $IPT -A firewall -j LOG --log-level info --log-prefix "Firewall:"
> $IPT -A firewall -j DROP
>
>
> #Accept ourselves
> $IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
> #If you're using IP Masquerading, change this IP to whatever your internal
> #IP address is and uncomment it
> #$IPT -A INPUT -s 192.168.1.1/32 -d 0/0 -j ACCEPT
>
> #Accept DNS, 'cause it's warm and friendly
> $IPT -A INPUT -p udp --source-port 53 -j ACCEPT
> $IPT -A INPUT -p tcp --source-port 113 -j ACCEPT
> $IPT -A INPUT -p tcp --destination-port 113 -j ACCEPT
>
> #Allow ftp to send data back and forth.
> $IPT -A INPUT -p tcp ! --syn --source-port 20 --destination-port 1024:65535 -j ACCEPT
>
> #Accept SSH. Duh.
> $IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT
>
> #Send everything else to the firewall.
> $IPT -A INPUT -p icmp -j firewall
> $IPT -A INPUT -p tcp --syn -j firewall
> $IPT -A INPUT -p udp -j firewall
>
> +--- ends here
>
> +-- --+
> Tomás García Ferrari
> Bigital
> http://bigital.com/
> +-- --+

-- 
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
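The script quoted above admits DNS answers by matching on a source port of 53, which means any UDP packet that happens to come from port 53 is accepted, and replies arriving on other ports are not. The following is an added example, not part of the thread and not Firestarter's output, showing the same restrictive policy (ssh, http, pop3/imap, smtp, DNS, everything else logged and dropped) built on connection tracking instead: replies to connections the host itself opened are accepted by state, so resolver traffic needs no port-based rule. The `IPT` default of `echo`, the `SERVICES` list, the `build_rules` function name, and the `/sbin/iptables` path are all assumptions of this example; run it as root with `IPT=/sbin/iptables` to actually load the rules.

```shell
#!/bin/sh
# Added example (not from the original thread): a default-deny INPUT policy
# for the services Tomás lists, using the 2.4-era "state" match so that
# replies (DNS answers included) are accepted by connection state rather
# than by guessing their port. IPT defaults to "echo" so the rules are
# printed, not applied; set IPT=/sbin/iptables (assumed path) to load them.
IPT="${IPT:-echo}"

# Inbound services to expose, as proto/port pairs (assumed list; edit to
# taste). The 53 entries are only needed if this host *serves* DNS to
# others; a host that merely resolves is covered by the ESTABLISHED rule.
SERVICES="tcp/22 tcp/80 tcp/110 tcp/143 tcp/25 udp/53 tcp/53"

build_rules() {
    # Clean slate for the filter table, then deny by default on INPUT.
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback is always fine; after that, nothing arriving on another
    # interface may claim a 127/8 source address.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -s 127.0.0.0/8 -j DROP

    # Replies to connections this host initiated, plus helper-related
    # traffic (e.g. ftp-data), whatever ports they use.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New inbound connections only to the listed services.
    for svc in $SERVICES; do
        proto=${svc%/*}
        port=${svc#*/}
        $IPT -A INPUT -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Keep ping working, but rate-limited so it cannot be used to flood the log.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Everything else: log a sample, then fall through to the DROP policy.
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "Firewall: "
}

build_rules
```

Because the default policy is `DROP`, a packet that matches nothing is discarded even if the `LOG` rule's rate limit has been exhausted; the old script's `firewall` chain achieves the same effect with an explicit `DROP` target, but leaves the INPUT policy at `ACCEPT`, so a missing jump there silently opens a hole.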