On December 15, 2004 12:53 pm, O'Neill, Donald (US - Deerfield) wrote:
> Larry,
>
> Why would you use iptables for internal servers? Iptables is a pain to
> learn and maintain. You are going to have to set up specific rules for
> DNS, HTTP, NTP, RHN and so on. Use tcp_wrappers; the host.allow/deny
> are a simpler context to learn.
>
> If you ignore the above advice, the first place to start is netstat -a.
> This will show the active connection state of the server. You'll need to
> look for services that are in the 'WAIT' state. This usually indicates
> that the service is having trouble communicating.
>
> These lines below will dump TCP connections into your /var/log/messages
> file for review:
>
> iptables -I INPUT -p TCP -j LOG
> iptables -I OUTPUT -p TCP -j LOG
>
>
> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx
> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Larry D Sorensen
> Sent: Wednesday, December 15, 2004 1:48 PM
> To: redhat-list@xxxxxxxxxx
> Subject: Re: RedHat security
>
> Is there a good reference somewhere on how to add iptables rules for
> someone who has never done it before?
> (I am talking step-by-step)
>
> Larry
>

Donald,

iptables and tcp_wrappers are two different items. Ideally, for many services, you can stack them: filter through iptables, then tcp_wrappers (and then maybe even PAM). Not all services are tcp_wrappers aware, so it is not as simple as just using one or the other. In a trusted environment there is still good reason to use iptables and wrappers, depending on your paranoia level and how much time you have.

iptables is not that hard to learn, and once you understand the way it works, you can do very creative and useful things. I personally do not like the front ends because IMHO they make it more difficult to learn the underlying technology, and also not all systems you run into will have (the same) front end.

One problem with using the redhat-config-security utility is that it really masks the actual iptables rules being created and therefore is not a good learning tool, but it is good for setting up a workstation with little granularity. Maybe I'm just a [stubborn] purist :-0

"man iptables" and www.netfilter.org would be good starting places for creating your own scripts to use as (or call from) an init script.

--
Pete Nesbitt, rhce

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
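The kind of hand-written script Pete is pointing Larry toward, as an added example that is not part of the thread and not Red Hat's or the netfilter project's code: an init-style host firewall for an internal server that only offers HTTP and ssh and only needs DNS, NTP and RHN/HTTP(S) out, with a tcp_wrappers layer stacked behind it for the wrapper-aware daemons. The addresses (192.0.2.0/24, 198.51.100.x) are RFC 5737 documentation ranges chosen for the example, and the IPT variable defaults to a dry run that prints the iptables commands instead of loading them, so the script can be read and tested without root; set IPT=iptables and run it as root to apply the rules.

```shell
#!/bin/sh
# Added example (not from the thread): a host firewall for an internal server,
# laid out like an init script so it can be run as "fw.sh start|stop|restart"
# or sourced for its functions. All addresses are RFC 5737 documentation
# ranges assumed for this example; adjust them for your network.
#
# IPT defaults to a dry run that only prints the iptables commands. Run the
# script as root with IPT=iptables to actually load the rules.
IPT="${IPT:-echo iptables}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"                 # ssh source net (assumed), CIDR for iptables
ADMIN_NET_WRAP="${ADMIN_NET_WRAP:-192.0.2.0/255.255.255.0}"  # same net in tcp_wrappers net/mask form
DNS_SERVER="${DNS_SERVER:-198.51.100.53}"              # internal resolver (assumed)
NTP_SERVER="${NTP_SERVER:-198.51.100.123}"             # internal time server (assumed)

fw_start() {
    # Start from a clean slate so the script is safe to re-run, and default
    # to DROP in every direction: anything not explicitly allowed below is
    # logged and then dropped by the chain policy.
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback, and replies to connections we already accepted or opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services this host offers: HTTP to everyone, ssh only from the admin net.
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -m state --state NEW -j ACCEPT

    # Clients this host runs: DNS and NTP to named servers only, and HTTP/HTTPS
    # out so RHN (up2date) can fetch updates.
    $IPT -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53 -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$DNS_SERVER" --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p udp -d "$NTP_SERVER" --dport 123 -j ACCEPT
    $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT

    # Log whatever is left before the DROP policy eats it. The limit match
    # keeps a port scan from flooding /var/log/messages, which an unrestricted
    # "-j LOG" rule would do.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: "
}

fw_stop() {
    # Open everything back up (useful while debugging a rule set).
    $IPT -F
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
}

# Second layer: tcp_wrappers for the wrapper-aware daemons (sshd, anything
# under xinetd). These print the intended contents of /etc/hosts.deny and
# /etc/hosts.allow rather than writing them; hosts.allow is consulted first,
# then hosts.deny, so "ALL: ALL" in hosts.deny is the default-deny backstop.
hosts_deny() {
    echo "ALL: ALL"
}
hosts_allow() {
    echo "sshd: ${ADMIN_NET_WRAP}"
    echo "ALL: 127.0.0.1"
}

case "${1:-}" in
    start)    fw_start ;;
    stop)     fw_stop ;;
    restart)  fw_stop; fw_start ;;
    wrappers) echo "# /etc/hosts.deny"; hosts_deny; echo "# /etc/hosts.allow"; hosts_allow ;;
    *)        echo "Usage: $0 {start|stop|restart|wrappers}" >&2 ;;
esac
```

Run as `IPT=iptables sh fw.sh start` from an init script (or from /etc/rc.local) and save with `service iptables save` once it works. This is the stacking Pete describes: a packet first has to survive the iptables INPUT chain, then, for sshd or an xinetd service, the hosts.allow/hosts.deny check, and only then does the daemon see it. The `-m limit` on the LOG rules is worth keeping even on an internal box: a bare `-j LOG` on every TCP packet, as in the quoted one-liners, writes one syslog line per packet and can fill the log partition during a scan.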