[H-GEN] An iptables question ...
Robert Brockway
robert at timetraveller.org
Thu Sep 19 07:45:30 EDT 2002
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
On Thu, 19 Sep 2002, Ewan Edwards wrote:
Hi Ewan,
> > The reader may wish to put the firewall up before the web server comes up
> > or a window of opportunity is opened for an attack.
>
> As I said, the thing is inside the company firewall and is not otherwise
If it's worth putting a firewall in, then it's worth eliminating a window
of opportunity to launch an attack. I remember you said the reason you
were considering the firewall was because someone else doing a probe
internally was concerned they could get to port 80. Imho, it's a good
idea to put the firewall in, especially if the company is of decent size
and you can't control all access points.
> available from outside. I'm thinking of putting a firewall between the
> router and the whole Brisbane office network at a later date anyway. But
> that's for a whole raft of other reasons.
> > If no one has made any suggestions Ewan, I'm happy to give some pointers
> > later (a bit tied down at work right now). If I don't post something in a
> > few hours nudge me :)
>
> Anything would be appreciated, but don't rush. I won't see it until tomorrow
> at the earliest. I am assuming that the command Brad wrote will do what's
> needed in the short term, but as Brad says I need to decide where to put it
> so it runs on boot. That's where my problems start.
>
> All the doco I've read about iptables seems to concentrate on constructing
> rules and how the rules relate to each other. What it hasn't told me yet, is
> how I can implement these rules. Do I use these rules with some utility that
> constructs a script that's run at boot time? Do these rules get put into a
> config file somewhere that kernel refers to at boot time? Is there some
> other daemon that needs to find these rules somewhere?
The iptables command directly modifies the kernel firewall tables. No
daemon process is involved. As for writing the rules, I do it by hand,
but there are utilities to help out. Like anything unix there are 10
different ways... :)
> I just don't know how or where the kernel or "iptables utility" becomes aware
> of the rules. I don't even know if iptables is a separate program, or a
> daemon, or a part of the kernel.
type /sbin/iptables -L
It'll show you the current state of the filter table (where most of the
firewall action goes on).
You can also execute /sbin/iptables -t nat -L to see the nat table.
Cheers,
-Rob
-- 
Robert Brockway B.Sc. email: robert at timetraveller.org ICQ: 104781119
Linux counter project ID #16440 (http://counter.li.org)
"The earth is but one country and mankind its citizens" -Baha'u'llah
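The advice above (the iptables binary writes straight into the kernel's tables, so "running the rules at boot" just means running a script that calls it before the web server starts), as an added example that is not part of this post and is not the command Brad posted: a small sh script of the kind you would call from whatever boot script your distribution runs before the web server's init script. Everything specific in it is an assumption for the sake of illustration: the internal network is taken to be 10.0.0.0/8, the only service on the host is TCP/80, and the path /sbin/iptables is the one Rob used above.

```shell
#!/bin/sh
# Minimal boot-time iptables script (added example; not Rob's or Brad's
# rules). Assumptions, all hypothetical: the internal network is
# 10.0.0.0/8 and the host's only service is a web server on TCP/80.
# Run "./fw.sh apply" as root to load the rules; set DRY_RUN=1 to print
# the iptables commands instead of executing them.

IPT=${IPT:-/sbin/iptables}
INTERNAL_NET=${INTERNAL_NET:-10.0.0.0/8}

# run: execute one iptables command, or echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# apply_rules: load the whole rule set in order. Order matters: the kernel
# walks a chain top to bottom and stops at the first match, and the chain
# policy only sees packets that no rule matched.
apply_rules() {
    # Set the default-deny policy before flushing old rules, so there is no
    # moment where the INPUT chain is empty and the policy is still ACCEPT.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT
    run -F
    run -X

    # Loopback traffic is needed by most local programs.
    run -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened itself.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The web server is reachable only from the internal network.
    run -A INPUT -p tcp --dport 80 -s "$INTERNAL_NET" -j ACCEPT

    # Everything else falls through to the DROP policy; log a sample first.
    # Note: nothing here permits remote administration (ssh etc.); add such
    # a rule before using this on a box you only reach over the network.
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
}

# rule_count: how many iptables commands apply_rules issues, computed in a
# dry run so the live table is not touched. Useful as a sanity check.
rule_count() {
    ( DRY_RUN=1; apply_rules ) | wc -l | tr -d ' '
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  "$IPT" -L -n -v ;;
esac
```

After running it, `/sbin/iptables -L -n -v` (the `show` argument above) lists the filter table with packet counters, which is the quickest way to confirm a rule is actually being hit. The other common way to persist rules is to load them once by hand, dump them with `iptables-save > /etc/iptables.rules`, and have the boot script run `iptables-restore < /etc/iptables.rules`; where that boot script lives, and how to order it ahead of the web server's init script, depends on the distribution.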
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'. See http://www.humbug.org.au/