From: kevin lyda (kevin at domain ie.suberic.net)
Date: Wed 19 Jun 2002 - 01:09:50 IST
first, the following is how i set up the network security on my 7.3 box.
not sure if this is the best way to do it - particularly in light of
the problems i describe later on. comments?
ok, so i used redhat's lokkit to do the initial creation of my firewall
rules and then tweaked it (mainly to add in the masqing rules).
it's rather simple:
# lokkit
(do your firewall settings)
# ipchains -P forward deny
# ipchains -A forward -i eth0 -j ACCEPT
# ipchains -A forward -i eth1 -j MASQ
# ipchains -A forward -i cipcb0 -j ACCEPT
# service ipchains save
and you're all done for firewall settings. the results are saved in
/etc/sysconfig/ipchains and are brought up and down with the ipchains
service (see chkconfig or serviceconf).
the nice part about this is that it reuses pretty much all of the
setup i had on my old 2.2 box.
problems:
the downsides are the following two issues: the two lines i need to
get dns to work, and getting masquerading to work with irc.
i run a dns server on this box. w/o these two lines in
/etc/sysconfig/ipchains, the dns server fails to work:
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 -p 17 -j ACCEPT
don't really like those lines since it seems to kind of kill the rest
of the rules. is there a way to make them narrower? ah, wait...
i appended -l to the second rule and discovered responses were always
going back to port 1025. so now i have these. again, comments?
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 1025 -p 6 -j ACCEPT -y
-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 1025 -p 17 -j ACCEPT
second problem is that this all uses ipchains. it doesn't seem
like the irc tracking s/w works with this (it's needed for dcc).
iptables works with the ip_conntrack + ip_conntrack_irc modules.
is there an alternative to lokkit - or an easy way to convert
ipchains style rules to iptables style rules? or does linux 2.4 +
ipchains have an equiv irc module that works (ip_nat_irc won't load)?
kevin
--
kevin at domain suberic.net
fork()'ed on 37058400
meatspace place: inle
http://suberic.net/~kevin

that a believer is happier than a skeptic is no more to the point than the fact that a drunken man is happier than a sober one. the happiness of credulity is a cheap & dangerous quality -- g.b. shaw
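Added example, not part of the original message: a small sh/awk translator for the ipchains-save style lines quoted above (the /etc/sysconfig/ipchains rules and the typed ipchains commands) into iptables commands, covering only the rule forms that appear in this post; the sample input at the bottom is constructed from those lines.

```shell
#!/bin/sh
# Translate ipchains rules to iptables. Two 2.2 -> 2.4 gotchas are handled:
# on the ipchains forward chain -i names the OUTGOING interface (so it becomes
# -o), and MASQ lives in iptables' nat table on POSTROUTING, not in FORWARD.
# Tokens that are not understood are appended as a "# review:" comment.
# usage: ipchains2iptables < /etc/sysconfig/ipchains
ipchains2iptables() {
  awk '
  function target(t) { t = toupper(t); if (t == "DENY") return "DROP"; if (t == "MASQ") return "MASQUERADE"; return t }
  function proto(p)  { return (p == "6") ? "tcp" : (p == "17") ? "udp" : p }
  /^[ \t]*$/ { next }
  $1 ~ /^:/ { print "iptables -P " toupper(substr($1, 2)) " " target($2); next }   # ":forward DENY" form
  {
    act = ""; ch = ""; addr = ""; pr = ""; ports = ""; iface = ""; jump = ""; logit = 0; rest = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "ipchains" || $i == "#") { continue }
      else if ($i == "-A") { act = "-A"; ch = toupper($(i+1)); i++ }
      else if ($i == "-P") { act = "-P"; ch = toupper($(i+1)); jump = $(i+2); i += 2 }
      else if ($i == "-s" || $i == "-d") {
        opt = $i; addr = addr " " opt " " $(i+1); i++
        # ipchains puts the port right after the address; iptables wants --sport/--dport after -p
        if (i < NF && $(i+1) ~ /^[0-9]+(:[0-9]+)?$/) { i++; ports = ports (opt == "-s" ? " --sport " : " --dport ") $i }
      }
      else if ($i == "-p") { pr = " -p " proto($(i+1)); i++ }
      else if ($i == "-i") { iface = $(i+1); i++ }
      else if ($i == "-j") { jump = $(i+1); i++ }
      else if ($i == "-y") { ports = ports " --syn" }      # SYN-only match
      else if ($i == "-l") { logit = 1 }                   # inline log becomes a separate LOG rule
      else { rest = rest " " $i }
    }
    if (act == "-P") { print "iptables -P " ch " " target(jump); next }
    if (act == "")   { print "# review: " $0; next }
    table = ""
    if (toupper(jump) == "MASQ") { table = "-t nat "; ch = "POSTROUTING" }
    io = (iface == "") ? "" : (((ch == "FORWARD" || ch == "POSTROUTING") ? " -o " : " -i ") iface)
    m = ch io addr pr ports
    if (logit) print "iptables " table "-A " m " -j LOG"
    print "iptables " table "-A " m " -j " target(jump) (rest == "" ? "" : "   # review:" rest)
  }'
}

# Demo on constructed input taken from the rules quoted in the message.
printf '%s\n' \
  '-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 1025 -p 6 -j ACCEPT -y' \
  '-A input -s 0.0.0.0/0.0.0.0 53:53 -d 0.0.0.0/0.0.0.0 1025 -p 17 -j ACCEPT' \
  'ipchains -A forward -i eth1 -j MASQ' | ipchains2iptables
```

Once on iptables, the two DNS-reply rules pinned to port 1025 can be replaced by one stateful `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule on INPUT, and with ip_conntrack_irc loaded the same state match covers the DCC connections mentioned above.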
This archive was generated by hypermail 2.1.6 : Thu 06 Feb 2003 - 13:17:20 GMT