Balls to the Firewall
November 4, 2005 10:18 AM
linuxfilter: Good place to go for help with IPTABLES firewall? I'm inheriting a linux firewall at work and can't afford much (if any) downtime. I miss the simplicity of the hardware-based one I used to have, but need to turn on the ability to do RDP on 3389 to multiple hosts and also the ability to test from inside the network. I know almost nothing about this, so I'd like a nice friendly place. linux.ask.metafilter.com?
Yep, it does.
Actually, the best way to learn is to take a network where you can afford to have some downtime (like a subnet), put up a test mule, and try to get routing and IP masquerading, port forwarding, packet mangling, ping filtering, etc. to work.
Most novices run into trouble at the following points:
* Forgetting to turn IP forwarding on in the kernel
* Forgetting about the nat table
* Forgetting to run iptables_save and outputting the iptables configuration to the proper place in /etc so that the firewall works when you reboot the box
posted by SpecialK at 10:42 AM on November 4, 2005
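As an added example (not code from the thread or from any of the posters), here is a POSIX shell script that does what the question asks: it forwards TCP 3389 from the firewall's public address to several internal hosts, one external port per host, and adds hairpin NAT so the forwards can be tested from inside the LAN, while covering the three pitfalls SpecialK lists. The interface names, addresses and the path the ruleset is saved to are assumptions; set RUN=echo to preview the commands without touching the live firewall.

```shell
#!/bin/sh
# Added example, not from the thread: forward RDP (TCP 3389) from the firewall's
# public address to several internal hosts, one external port per host, with
# hairpin NAT so the forwards can be tested from inside the LAN.
# Assumptions: eth0 faces the Internet, eth1 the LAN; all addresses are made up.
RUN="${RUN:-}"            # set RUN=echo to print the commands instead of running them
WAN_IF=eth0
LAN_IF=eth1
WAN_IP=203.0.113.10       # constructed public address (documentation range)
LAN_NET=192.168.1.0/24    # constructed internal network

# One target per line: "<external port> <internal host>"
RDP_MAP="3389 192.168.1.20
3390 192.168.1.21
3391 192.168.1.22"

enable_forwarding() {
    # Pitfall 1: without this the kernel will not route between interfaces
    $RUN sysctl -w net.ipv4.ip_forward=1
    # Let replies and related packets through the FORWARD chain in both directions
    $RUN iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

add_rdp_forward() {   # $1 = external port, $2 = internal host
    # Pitfall 2: DNAT lives in the nat table, not the filter table
    $RUN iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$1" \
        -j DNAT --to-destination "$2:3389"
    # The forwarded connection must still be accepted by the filter table (no -i,
    # so the same rule covers the hairpin case where packets enter and leave via eth1)
    $RUN iptables -A FORWARD -o "$LAN_IF" -p tcp -d "$2" --dport 3389 \
        -m state --state NEW -j ACCEPT
    # Hairpin: LAN clients connecting to the public IP are redirected as well, and
    # their source is masqueraded so the reply returns via the firewall, not directly
    $RUN iptables -t nat -A PREROUTING -i "$LAN_IF" -d "$WAN_IP" -p tcp --dport "$1" \
        -j DNAT --to-destination "$2:3389"
    $RUN iptables -t nat -A POSTROUTING -s "$LAN_NET" -d "$2" -p tcp --dport 3389 \
        -j MASQUERADE
}

apply_rdp_rules() {
    enable_forwarding
    echo "$RDP_MAP" | while read -r port host; do
        [ -n "$port" ] && add_rdp_forward "$port" "$host"
    done
    # Pitfall 3: persist the ruleset (the command is iptables-save) or it is gone
    # after a reboot; the file your distro's init script reads is an assumption here
    $RUN sh -c 'iptables-save > /etc/iptables.rules'
}

# Run as "sh rdp-forward.sh apply" (root) or "RUN=echo sh rdp-forward.sh apply" to preview
if [ "${1-}" = "apply" ]; then apply_rdp_rules; fi
```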
I'd also recommend going with smoothwall. The web interface is easy to use and will be familiar to anyone who has used linksys or d-link's web interface.
But if this isn't possible I recommend ubuntu's online forum even if you are using a different distro. The community is extremely friendly and helpful.
posted by meta87 at 10:49 AM on November 4, 2005
Also, what distribution is it? This would help with the advice a little.
posted by meta87 at 10:51 AM on November 4, 2005
Here are some linux firewall links I collected on del.icio.us a while ago that might help.
posted by Zed_Lopez at 10:53 AM on November 4, 2005
I'm assuming you've already checked the HOWTO? I'm no network admin, but IPTABLES is pretty simple (compared to IPFWADM and IPCHAINS of yesteryear), *if* you understand the basics of IP routing. I think you'll be blown away -- hopefully not "overwhelmed", heh -- by what a linux router can do.
Also, what SpecialK said.
posted by LordSludge at 11:03 AM on November 4, 2005
there used to be a good o'reilly book. for some reason i think it had bsd in the title, but covered both bsd and linux.
suse has a very nice front end to iptables, incidentally, that makes simple configurations (and even moderately complex ones) a walk in the park.
posted by andrew cooke at 11:06 AM on November 4, 2005
oops. i was wrong. it's this wiley book. the oreilly one really is just bsd (not iptables). anyway, i recommend that book. very good - includes both background and explicit examples.
posted by andrew cooke at 11:08 AM on November 4, 2005
hmmm. with the caveat that i used it years ago. the amazon reviews suggest that some of it may be outdated (although i think it's more the bsd world that's changed than linux iptables).
posted by andrew cooke at 11:10 AM on November 4, 2005
I just used Firestarter to configure it on a couple of machines I manage for a friend.
posted by mrbill at 11:40 AM on November 4, 2005
I'm doing some work right now with IPTables and the bridging utilities. I found that the PacketFlow.png image clears up a lot of ambiguity in the netfilter HOWTOs.
It's not entirely complete anymore (for example, it's missing the raw table) but it's still handy. I'd bookmark it in case you get confused.
posted by sbutler at 1:29 PM on November 4, 2005
Don't write iptables rules by hand. There are lots of front-ends that make it much easier. I like shorewall a lot, but there are many, many programs/front-ends in this general category.
With shorewall you essentially take the stock config file and modify it to suit your needs. In most cases, there is a stock config that will be very close to what you need, the only thing you have to modify is the rules/policies to suit your particular needs (e.g. allowing specified traffic on specific ports.) This is much easier than trying to do iptables directly.
posted by Rhomboid at 5:48 PM on November 4, 2005
I haven't tried it yet, but FireHOL seems very nice.
posted by Sharcho at 10:20 PM on November 4, 2005
posted by phearlez at 10:25 AM on November 4, 2005