[H-GEN] An iptables question ...
Tim Kent
tim.kent at vector.net.au
Thu Sep 19 03:50:52 EDT 2002
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
Ewan,
I was looking at a RedHat 7.2 box a while back and as far as I remember the
iptables init script looks for a file with the same format iptables-save
gives. You'll have to look through the script to find out what that file
is. It could be something like /etc/sysconfig/iptables but I don't have a
RedHat box here to confirm.
Regards
Tim
--
Tim Kent
Systems Administrator
Vector Networks Pty Ltd
Phone: +61 7 3236 9328
Fax: +61 7 3236 9209
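As an added illustration of the file format Tim describes (this is not code from the thread or from RedHat's init script), the following shell script builds a small constructed ruleset in the format that iptables-save emits and iptables-restore reads, then sanity-checks it before it would be loaded. The path /etc/sysconfig/iptables is only Tim's guess, so the script works on a temporary file and merely prints the restore command; actually loading the rules needs root and a kernel with netfilter support.

```shell
#!/bin/sh
# Added example, not from the original thread or from any distribution's
# init script. Shows the iptables-save/iptables-restore file format that
# Tim says the RedHat init script reads; /etc/sysconfig/iptables is an
# assumption, so a temporary file is used and nothing is loaded here.

# Write a small constructed ruleset in iptables-save format to the file $1.
# Default policy DROP on INPUT/FORWARD, then explicit holes for loopback,
# established traffic, SSH and HTTP.
write_sample_ruleset() {
    cat > "$1" <<'EOF'
# Constructed sample in iptables-save format
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Sanity-check a ruleset file before handing it to iptables-restore:
# every table block must open with "*table" and close with "COMMIT",
# and rules may only appear inside a table block. Returns 0 when OK.
check_ruleset() {
    awk '
        /^#/ || /^[[:space:]]*$/ { next }
        /^\*/        { if (intable) bad = 1; intable = 1; next }
        /^COMMIT$/   { if (!intable) bad = 1; intable = 0; next }
        !intable     { bad = 1 }
        END { if (bad || intable) exit 1; exit 0 }
    ' "$1"
}

# Print the default policy of chain $2 (e.g. INPUT) in ruleset file $1.
chain_policy() {
    awk -v chain=":$2" '$1 == chain { print $2; exit }' "$1"
}

# Count rules that accept inbound TCP connections to a single port.
open_tcp_ports() {
    grep -c -- '-A INPUT -p tcp --dport [0-9]* -j ACCEPT' "$1"
}

# Demo: build, validate, and show the command an init script would run.
# The restore itself is not executed here (needs root and iptables).
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    write_sample_ruleset "$f"
    if check_ruleset "$f"; then
        echo "ruleset OK: INPUT policy $(chain_policy "$f" INPUT)," \
             "$(open_tcp_ports "$f") tcp ports open"
        echo "load with: iptables-restore < $f"
    else
        echo "ruleset rejected: malformed table block" >&2
    fi
    rm -f "$f"
fi
```

Run it as `sh script.sh demo`. The check is deliberately strict about the `*table` ... `COMMIT` framing because a truncated file (for example one cut off before `COMMIT`) is exactly what iptables-restore refuses, and catching that before boot is cheaper than finding the box without a firewall afterwards.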
-----Original Message-----
From: Majordomo [mailto:majordom at caliburn.humbug.org.au] On Behalf Of Ewan Edwards
Sent: Thursday, 19 September 2002 5:14 PM
To: general at lists.humbug.org.au
Cc: Robert Brockway
Subject: Re: [H-GEN] An iptables question ...
On Thursday 19 September 2002 16:12, you wrote:
> >
> > The best idea would be to properly firewall the box, so only
> > the services that you wish to provide are open to who you
> > want to provide them to.
>
> You took the words right out my mouth Brad.
I have used the setup utility that is a part of the Redhat 7.3 distribution
to set the Firewall configuration Security Level to "High". What that
actually means, I really don't know - but it looked good at the time.
Also, I suspect the "Firewall configuration" thing is broken, but I have no
way of knowing if that's right or wrong. I also haven't spent the time to
read the doco about it.
>
> > Assuming you've gotten the appropriate things compiled into
> > your kernel, the following command should do something like
> > what you want. I'll leave it to the reader to decide where
>
> The reader may wish to put the firewall up before the web server comes up
> or a window of opportunity is opened for an attack.
As I said, the thing is inside the company firewall and is not otherwise
available from outside. I'm thinking of putting a firewall between the
router and the whole Brisbane office network at a later date anyway. But
that's for a whole raft of other reasons.
>
> If no one has made any suggestions Ewan, I'm happy to give some pointers
> later (a bit tied down at work right now). If I don't post something in a
> few hours nudge me :)
Anything would be appreciated, but don't rush. I won't see it until
tomorrow at the earliest. I am assuming that the command Brad wrote will
do what's needed in the short term, but as Brad says I need to decide
where to put it so it runs on boot. That's where my problems start.

All the doco I've read about iptables seems to concentrate on constructing
rules and how the rules relate to each other. What it hasn't told me yet is
how I can implement these rules. Do I use these rules with some utility that
constructs a script that's run at boot time? Do these rules get put into a
config file somewhere that the kernel refers to at boot time? Is there some
other daemon that needs to find these rules somewhere?

I just don't know how or where the kernel or "iptables utility" becomes
aware of the rules. I don't even know if iptables is a separate program, or
a daemon, or a part of the kernel.
Regards,
Ewan
--
Ewan Edwards BE MIEAust CPEng MCSE
Systems Administrator
MineStar Solutions
Ewan.Edwards at mincom.com
Telephone: +61 (0) 7 3303 3554
Facsimile: +61 (0) 7 3303 3470
___________________________________________________________________
Growing old may be mandatory, but growing up is still optional.
___________________________________________________________________
--
This transmission is for the intended addressee only and is confidential
information. If you have received this transmission in error, please delete
it and notify the sender. The contents of this e-mail are the opinion of
the writer only and are not endorsed by the Mincom Group of companies unless
expressly stated otherwise.
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'. See http://www.humbug.org.au/