Re: some reality about iptables, please

From: Steve Lamb (grey_at_dmiyu.org)
Date: 08/30/03

    Date: Fri, 29 Aug 2003 16:59:58 -0700
    To: debian-user@lists.debian.org

    On Fri, 29 Aug 2003 14:42:46 -0700
    Cam Ellison <cam@ellisonet.ca> wrote:
    > * Steve Lamb (grey@dmiyu.org) wrote:
    > I beg to differ. When I installed shorewall, it gave some
    > not-very-comprehensible options, and then did not give me what I
    > wanted or needed.

        Erm, how hard can it be? For a single box, 1 interface:

    Edit interfaces. Add it as zone net, interface, detect.
    Now edit policy. Accept $FW to net and net to $FW. Drop net to all, and all
    to all.
    Type shorewall restart.

        You've now got your network interface accepting packets to the $FW (aka,
    the machine you're sitting on) and allowing packets out from the $FW to the
    net.

        Need a 2nd interface and NAT?

    Edit interfaces. Add 2nd interface as loc, interface, detect.
    Edit policy again. Accept loc to $FW, $FW to loc, loc to net and net to loc.
    Edit masq. Tell it the interface you want to masq out of and the interface
    you want to masq.
    Edit shorewall.conf, make sure that masq is turned on and packet forwarding is
    turned on.
    Type shorewall restart.

        Congrats. You now have a machine doing NAT. Need to lock it down a bit?
    Either edit policy to change the defaults of accept to reject or leave it. Go
    into rules. Common tasks:

    Port forward for NATed game machines and the like:
    DNAT net loc:192.168.0.1 tcp 9090

    Locking down a service to the outside world:
    REJECT net $FW tcp 139

    Accepting a service when policy is reject:
    ACCEPT net $FW tcp 139

        There, in about 5 minutes I just gave a primer that covers about 80-90% of
    installs using Shorewall. I doubt you could do the same. Shorewall is not
    that hard.

    -- 
             Steve C. Lamb         | I'm your priest, I'm your shrink, I'm your
           PGP Key: 8B6E99C5       | main connection to the switchboard of souls.
    -------------------------------+---------------------------------------------
    
    
