On Sun, 6 Apr 2003, jdow wrote:

> From: "D. D. Brierton" <darren@xxxxxxxxxxx>
>
> > > Before making any changes:
> > >
> > > You do want to visit http://www.netfilter.org/ and
> > > http://ipmasq.cjb.net/
> > > and read what they have to offer.
> > > You do want to plan your firewall setup. Many utilities exist to help.
> >
> > Well I was hoping for something pretty simple, because this stuff
> > confuses me no end. Basically the ONLY connections I want to allow are
> > from VMware VMs running on the same machine. Therefore I was really
> > hoping that redhat-config-securitylevel would do it for me. I just don't
> > understand the relationship between "Trusted devices" and "Allow
> > incoming".
>
> Some of the links point to simple configuration tools.
>
> The absolute simplest way to achieve the simple task you mentioned
> above is to isolate the machine by unplugging any network wire on any
> of its NICs. Then the only connections possible are from VM to VM or
> VM to host even if you do not run a firewall. I am sure you want more
> than this. Defining what you want takes you a long way down the road
> to getting what you want.

here's something i used to get started. start with an excerpt of an
iptables config script, like i did:

#!/bin/sh
#
# Some handy variables.
#
IPT=/sbin/iptables

#
# Clear current chains.
#
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

#
# Reset all policies to DROP.
#
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

#
# All established or related traffic is accepted.
#
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Loopback policies.
#
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# ... here's where you'll start adding rules ...

#
# Log what's left.
#
$IPT -A OUTPUT -j LOG --log-prefix "Output dropped by default: "
$IPT -A INPUT -j LOG --log-prefix "Input dropped by default: "

now, invoke the above (which pretty much kills any useful networking you
could possibly do). in another window, start tailing the /var/log/messages
file with

# tail -f /var/log/messages

now, as you try to do things like ftp, browse, etc., you'll see your
errors getting logged in /var/log/messages. based on what you see, start
adding rules one by one to open up *only* what you need. this guarantees
that, not only will you have an absolutely minimal configuration, you'll
also learn what services correspond to what ports.

it's fun -- give it a shot.

rday
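A small helper for the "read the log, then add rules one by one" step above, added here as an example and not part of rday's script: it digests the "dropped by default" LOG lines into one row per distinct dropped flow and prints the ACCEPT rule that would open exactly that flow, for pasting into the "start adding rules" section after review. The sample log lines, addresses and interface names (vmnet1, eth0) are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): digest the "dropped by default"
# LOG lines so each dropped flow can become one explicit ACCEPT rule.
# Constructed sample of /var/log/messages lines; addresses and interfaces
# (vmnet1 for the VMs, eth0 for the wire) are assumptions, not real traffic.
SAMPLE_LOG='Apr  6 10:01:02 host kernel: Output dropped by default: IN= OUT=eth0 SRC=192.168.10.1 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
Apr  6 10:01:03 host kernel: Output dropped by default: IN= OUT=eth0 SRC=192.168.10.1 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  6 10:01:04 host kernel: Input dropped by default: IN=vmnet1 OUT= SRC=172.16.0.5 DST=172.16.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=34567 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  6 10:01:05 host kernel: Input dropped by default: IN=vmnet1 OUT= SRC=172.16.0.6 DST=172.16.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=34568 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  6 10:01:06 host kernel: Input dropped by default: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.10.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=5 PROTO=TCP SPT=4444 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Apr  6 10:01:07 host sshd[123]: unrelated line that must be ignored'

# summarize_drops: read log lines on stdin, print one line per distinct
# dropped flow as "<chain> <iface> <proto> <dport> <count>", busiest first.
summarize_drops() {
  awk '
    / dropped by default: / {
      chain = ($0 ~ /Input dropped/) ? "INPUT" : "OUTPUT"
      iface = "?"; proto = "?"; dport = "-"
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if ((kv[1] == "IN" || kv[1] == "OUT") && kv[2] != "") iface = kv[2]
        if (kv[1] == "PROTO") proto = kv[2]
        if (kv[1] == "DPT") dport = kv[2]     # absent for ICMP, stays "-"
      }
      seen[chain " " iface " " proto " " dport]++
    }
    END { for (k in seen) print k, seen[k] }
  ' | sort -k5,5nr -k1,1
}

# suggest_rule CHAIN IFACE PROTO DPORT: print the iptables line that would
# open exactly that flow, using the $IPT variable from the script above.
suggest_rule() {
  if [ "$1" = "INPUT" ]; then dev="-i"; else dev="-o"; fi
  proto=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  port=""
  if [ "$4" != "-" ]; then port=" --dport $4"; fi
  printf '$IPT -A %s %s %s -p %s%s -m state --state NEW -j ACCEPT\n' \
    "$1" "$dev" "$2" "$proto" "$port"
}

# Walk the sample; on a live box use: grep 'dropped by default' /var/log/messages | summarize_drops
printf '%s\n' "$SAMPLE_LOG" | summarize_drops |
while read -r chain iface proto dport count; do
  printf '# %s hits: %s %s %s dport %s\n' "$count" "$chain" "$iface" "$proto" "$dport"
  suggest_rule "$chain" "$iface" "$proto" "$dport"
done
```

The VM rows (vmnet1) are the ones the original poster actually wants to allow; the eth0 row hitting port 445 from an outside address is the kind of entry to leave dropped, which is why each suggested rule is printed for a human to pick from rather than applied.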