Can anyone help me make my firewall more secure?



Hi, All

Now I'm using my server as an internet gateway/firewall.

I need your help and your suggestions about more security,
because I know my INPUT / OUTPUT chains are open.
How can I make it more secure?


Thank you very much
Pratchaya



My Network Diagram.
===============


ADSL Router <===> eth1 [ My Server ] eth0 <===> Local network (192.168.0.xx)


==========================================================================================

My Command line
===============


# stop the running firewall service, then load new rules
service iptables stop
# NAT: masquerade LAN traffic going out via the ADSL side (eth1)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# transparent proxy: send LAN web traffic to squid on port 3128
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# routed traffic is dropped unless explicitly allowed below
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -p tcp -m multiport --dports 53,80,110,143,443,993,995,3128 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -p udp -m multiport --dports 53,110,143,993,995,1863 -j ACCEPT
# persist the rules (RHEL/CentOS style)
service iptables save


==========================================================================================

My Iptable List
===============


[root@firewall ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination


Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.0.0/24 anywhere multiport dports domain,http,pop3,imap,https,imaps,pop3s,squid
ACCEPT udp -- 192.168.0.0/24 anywhere multiport dports domain,pop3,imap,imaps,pop3s,1863


Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@firewall ~]#
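A hardened version of the ruleset above, added here as an example (not the original poster's commands): it keeps the NAT and FORWARD rules, but closes INPUT by default so the gateway itself only accepts SSH and squid from the LAN, and drops WAN packets that spoof a LAN source. It is written in iptables-restore format so the whole set applies atomically. Assumed: eth0 is the LAN side, eth1 the ADSL side, and SSH is the only admin service.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: LAN on eth0,
# ADSL/WAN on eth1, squid on 3128, SSH admin from the LAN only.
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.0.0/24

# Emit the ruleset on stdout in iptables-restore format.
# INPUT now defaults to DROP; the REDIRECT rule delivers LAN web traffic
# to local port 3128, so that port must be open in INPUT or the proxy breaks.
build_rules() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i $WAN_IF -s $LAN_NET -j DROP
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 3128 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp -m multiport --dports 53,80,110,143,443,993,995,3128 -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p udp -m multiport --dports 53,110,143,993,995,1863 -j ACCEPT
COMMIT
EOF
}

# Load the ruleset atomically (needs root); "service iptables save" persists it.
apply_rules() {
  build_rules | iptables-restore
}
```

The LOG rule sits just before the default DROP, so anything the gateway refuses shows up in the kernel log for review; OUTPUT is left at ACCEPT because the box itself originates only the proxy and update traffic.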



