Linux Netfilter discussions
From: Joel Newkirk <netfilter@newkirk.us>
To: Scott Melnyk <scott@sbc.su.se>, netfilter@lists.netfilter.org
Subject: Re: newbie question
Date: Mon, 24 Mar 2003 11:27:59 -0500	[thread overview]
Message-ID: <200303241127.59577.netfilter@newkirk.us> (raw)
In-Reply-To: <1048521242.10333.55.camel@razor>

On Monday 24 March 2003 10:54 am, Scott Melnyk wrote:
> Hello, I hope this is not too simple to post. I have not quite got
> IPTABLEs use down.
>
> I am looking at setting up local firewalls on a cluster of machines
> (almost 100 linux boxes running RH 7.3 and 8.0).  The login nodes for
> the cluster have extensive hardware based firewalling rules.
>
> On the rest of the cluster I would like to set IPTABLEs to accept
> everything within the subnet and drop anything from an outside
> address.
>
> My thought for setting the rules on each machine is by pushing out and
> running a bash script.
> Is it possible to simply set up a firewall with something as simple
> as:
>
>
> #!/bin/bash
> #
>
> service iptables stop
>
> iptables -F
>
> iptables -A INPUT -m limit -j LOG
> iptables -A OUTPUT -m limit -j LOG

Are you sure this is what you want?  It will log 5 entries the first 
hour, then 3/hour after that.  (presuming you have at least that many to 
log)

> iptables -A INPUT -s 130.xxx.xxx.128/25 -j ACCEPT
> #rule here to drop all non 130.xxx.xxx.128/25

Two things here - first, the DROP policy below will drop anything not 
already accepted, so you don't need an explicit DROP.  Second, you can 
specify this DROP (if you really want it) with
iptables -A INPUT -s ! 130.x.x.128/25 -j DROP

> iptables -P FORWARD DROP
> iptables -P INPUT DROP
>
> service iptables save
>
>
> We have a subnet of 130.xxx.xxx.128/255.255.255.128
> How can I define a mandatory drop of everything not in
> 130.xxx.xxx.128/255.255.255.128?

Just the DROP policy is all that is needed, so long as you specify the 
source IP in ACCEPT rules.

> Finally what risks am I taking by doing this?  Other than if someone
> hacks into one of the login nodes, I realize this would then give them
> access to the rest of the cluster.

The only risk I see is of someone spoofing one of your IPs.  If all 
communications will take place with specific ports or protocols, you can 
tighten the ACCEPT rule to only allow that in.  But as you have it, the 
only thing that these boxes would accept communications from would be 
their own subnet, and if you don't have unnecessary services running 
you shouldn't have much to worry about.

j
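
The host firewall discussed above, written out as an added example
(this is not Scott's script or Joel's, and it is not part of the thread).
It keeps the structure the reply recommends: a DROP policy on INPUT and
FORWARD, a single ACCEPT keyed on the cluster subnet, and no explicit
negated DROP rule. Two additions address points raised in the reply: the
subnet ACCEPT is also tied to the interface the cluster is reached on
(`-i`), so a packet claiming a cluster source address must at least
arrive on that interface, which narrows the spoofing risk Joel mentions;
and the rate-limited LOG rule is placed last, after every ACCEPT, so the
3/hour, burst 5 limit is spent on packets the policy is about to drop
rather than on all traffic. The names CLUSTER_NET, CLUSTER_IF and IPT,
the subnet 192.0.2.128/25 (a placeholder standing in for the thread's
130.xxx.xxx.128/25) and the interface eth0 are assumptions. IPT defaults
to `echo`, so the script prints the rules it would load; set
IPT=/sbin/iptables and run it as root to apply them, and follow with
`service iptables save` on Red Hat as the original script does.

```shell
#!/bin/sh
# Added example: dry-run-capable host firewall for a cluster node.
# Not from the thread. CLUSTER_NET, CLUSTER_IF and IPT are assumed names.
set -u

# Placeholder subnet standing in for 130.xxx.xxx.128/25 (constructed value).
CLUSTER_NET="${CLUSTER_NET:-192.0.2.128/25}"
# Interface the cluster subnet is reached through (assumed name).
CLUSTER_IF="${CLUSTER_IF:-eth0}"
# Command used to load rules. "echo" only prints what would be done;
# set IPT=/sbin/iptables to apply for real.
IPT="${IPT:-echo}"

# True only for dotted-quad/prefix; rejects an unreplaced "xxx" placeholder.
valid_cidr() {
    printf '%s\n' "$1" \
      | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the rule set for subnet $1 on interface $2, one iptables argument
# list per line, so the same text can be reviewed, dry-run, or loaded.
fw_rules() {
    net="$1"
    iface="$2"
    cat <<EOF
-F INPUT
-F OUTPUT
-F FORWARD
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $iface -s $net -j ACCEPT
-A INPUT -m limit --limit 3/hour --limit-burst 5 -j LOG --log-prefix fw-drop:
EOF
}

# Validate the subnet, then hand each rule line to $IPT. The here-doc
# keeps the loop in the current shell so a failure returns from here.
fw_apply() {
    net="$1"
    iface="$2"
    valid_cidr "$net" || { echo "fw_apply: bad subnet '$net'" >&2; return 1; }
    while IFS= read -r line; do
        # word splitting of $line into separate arguments is intended
        $IPT $line || return 1
    done <<EOF
$(fw_rules "$net" "$iface")
EOF
}

# Number of ACCEPT rules keyed on a source address; the design has one.
count_src_accepts() {
    fw_rules "$1" "$2" | grep -c -- '-s .* -j ACCEPT'
}

fw_apply "$CLUSTER_NET" "$CLUSTER_IF"
```

Because the only ACCEPT rule for new connections names both the interface
and the subnet, the DROP policy handles every other source without a
negated `-s ! net` rule, which is the point made in the reply. The
ESTABLISHED,RELATED rule is what lets replies to the node's own outbound
connections come back in from outside the subnet, which the original
script, with `-P INPUT DROP` and no state rule, would have blocked.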
