* Basic IPTables / firewall help?
From: Simon Jester @ 2008-02-20 22:10 UTC (permalink / raw)
To: netfilter
Hi everyone,
Joined the list a few weeks ago, and as always, lurked to get a feel...
glad I did.
Is there a list somewhere that is more for newbies where I can ask dumb
questions and not feel like I just stepped off a bus at Times Square
with no clothes on?
;)
Really - IPTables rules mystify me. What I need is some help translating
plain english (ie, I want to block everything except x, y and z) to the
appropriate IPTables command/rule. This list appears to be far too
technical for my needs...
Tia for any pointers or suggestions...
Charles
* Re: Basic IPTables / firewall help?
From: Grant Taylor @ 2008-02-21 0:45 UTC (permalink / raw)
To: Mail List - Netfilter
On 02/20/08 16:10, Simon Jester wrote:
> Is there a list somewhere that is more for newbies where I can ask dumb
> questions and not feel like I just stepped off a bus at Times Square
> with no clothes on?
I don't know if there is another list elsewhere or not. I'm sure there
are lists but I would have no idea where to look other than Google or
distribution support pages.
> Really - IPTables rules mystify me. What I need is some help translating
> plain english (ie, I want to block everything except x, y and z) to the
> appropriate IPTables command/rule. This list appears to be far too
> technical for my needs...
IPTables is not that bad. The thing that you really need is an
understanding of what you are working with (and trying to filter). The
next thing you need is an understanding of how to identify what you are
trying to filter and then decide what to do with it. Third, you need to
understand the different ways that you can arrange things in an if-match
accept / drop / jump type logic structure. (How to translate individual
packet matching rules into the "Business Logic" of IPTables
firewall rules.)
To sort of answer what you want, you could do something like this:
If <packet(s)> match "x" do "this"
If <packet(s)> match "y" do "that"
If <packet(s)> match "z" do "something"
"this", "that", and "something" can be the same or different actions.
If you are happy with the simple matches you can decide to ACCEPT or
DROP the packet(s) then and there. If you need to run other tests on
just those packets you can jump to a different chain where you start your
different set of matches against just the packets that matched the first
set.
> Tia for any pointers or suggestions...
*nod*
I guess you can ask away with your questions. Or if you want to talk
off list, email me directly.
Grant. . . .
* Re: Basic IPTables / firewall help?
From: terry white @ 2008-02-21 3:53 UTC (permalink / raw)
To: netfilter
... ciao:
> On Wed, 20 Feb 2008, Simon Jester wrote:
> where I can ask dumb questions and not feel like I just stepped
> off a bus at Times Square with no clothes on?
not to make too fine a point of it, but you'd probably go unnoticed at
Times Square.
> Really - IPTables rules mystify me. What I need is some help translating
> plain english (ie, I want to block everything except x, y and z) to the
> appropriate IPTables command/rule.
as a suggestion: http://www.bastille-linux.org
grab that code, and take a good look at it. i have a hunch you could
probably "make" it without installing it. that should generate the script
object, WITH comments. lots to be learned in reading them.
> This list appears to be far too technical for my needs
i have difficulty relating that to someone who is running linux
with a need to 'modify' firewall behaviour ...
--
... it's not what you see ,
but in stead , notice ...
* RE: Basic IPTables / firewall help?
From: Rob Sterenborg @ 2008-02-21 6:19 UTC (permalink / raw)
To: 'Mail List - Netfilter'
> > Tia for any pointers or suggestions...
>
> *nod*
>
> I guess you can ask away with your questions.
I'd like to add that there's a good iptables tutorial explaining most
things there are to know and more when you're just starting with this,
with examples. You can find it here:
http://iptables-tutorial.frozentux.net/iptables-tutorial.html
Grts,
Rob
* Re: Basic IPTables / firewall help?
From: Simon Jester @ 2008-02-22 14:19 UTC (permalink / raw)
To: 'Mail List - Netfilter'
> I don't know if there is another list elsewhere or not. I'm sure
> there are lists but I would have no idea where to look other than
> Google or distribution support pages.
I have read a few, but most make my head hurt. ;) Maybe this is one of
those things that just doesn't make sense until one day a light bulb
goes off.
What I'd like is just a bunch of commonly used rules, with simple, plain
English explanations of each part of the rule - what it does, and why,
and how it protects the system.
> To sort of answer what you want, you could do something like this:
>
> If <packet(s)> match "x" do "this"
> If <packet(s)> match "y" do "that"
> If <packet(s)> match "z" do "something"
Yes, but... the approach that makes the most sense to me is simply deny
everything, then just open up what you want. The problem is, I don't
know enough about the protocols involved (and/or the packets themselves)
to understand all of the lingo surrounding what you can 'do' with them.
I'm not a programmer, but I do like running my own servers because of
the flexibility it provides.
> not to make too fine a point of it, but you'd probably go unnoticed at
> Times Square.
Lol... that would actually pretty much have been true 30 years ago (I
spent 9 months on Governors Island in the Coast Guard in 78/79, and
Times Square was extremely bizarre, especially at night) - but from what
I understand, Giuliani pretty much cleaned it up some years ago...
> i have difficulty relating that to someone who is running linux
> with a need to 'modify' firewall behaviour ...
Running a small server with only mail and web services running. I just
want to lock down everything as much as is reasonably possible.
I have a hardware-based firewall/router that blocks all incoming
connections except the ports I am using (25, 443, 587 and 993), but I'd
also like to know what else I can do local-firewall-wise to protect
these ports even more from misbehaving/malicious clients/connections.
One of my main goals right now is to install fail2ban to prevent
dictionary attacks, but have been hesitant to do so, since I really
don't understand IPTables...
> I'd like to add that there's a good iptables tutorial explaining most
> things there are to know and more when you're just starting with this,
> with examples. You can find it here:
>
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html
Thanks for the replies...
I'll try the tutorial this weekend, and come back when I have questions...
Is it considered bad form to post current IPTables rules and ask for
comments/critiques?
* Re: Basic IPTables / firewall help?
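Grant's description above (match a packet, then ACCEPT, DROP, or jump to a second chain that runs further tests) and Simon's goal of denying everything except 25, 443, 587 and 993, written out as a runnable iptables script. This is an added example and was not posted in the thread. The port list is the one Simon gives; the chain name NEW_SVC, the "recent" match thresholds (10 new connections per source address per 60 seconds), the log prefixes and the preview/apply switch are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny INPUT ruleset for a
# host that exposes only the TCP ports named in the thread, structured
# as "match -> ACCEPT / DROP / jump to a chain with more tests".
# Assumptions: chain name NEW_SVC, recent-match thresholds, log prefixes.
#
#   sh fw.sh            # preview: print the iptables commands, no root needed
#   sudo sh fw.sh apply # apply them for real
set -e

DRY_RUN="${DRY_RUN:-0}"
TCP_PORTS="${TCP_PORTS:-25 443 587 993}"  # exposed services (from the thread).
                                          # ADD your admin port (e.g. SSH) here
                                          # before applying, or the DROP policy
                                          # will lock you out of the box.
SVC_CHAIN="NEW_SVC"   # assumed: chain that limits NEW connections per source
MAX_NEW="10"          # assumed: more than this many NEW connections ...
WINDOW="60"           # assumed: ... from one source within this many seconds => DROP

# Wrapper so the same rules can be previewed (printed) or applied.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Second chain: receives only NEW connections to the service ports.
# The "recent" match remembers each source address; a source that makes
# more than MAX_NEW attempts inside WINDOW seconds is dropped, which
# blunts dictionary attacks on SMTP AUTH / IMAP at the packet level.
build_service_chain() {
    ipt -N "$SVC_CHAIN" 2>/dev/null || ipt -F "$SVC_CHAIN"
    # Over the threshold: log a sample (rate-limited so the log itself
    # cannot be flooded), then drop. --update refreshes the source's
    # timestamp, so a client that keeps hammering stays blocked.
    ipt -A "$SVC_CHAIN" -m recent --name svc --rcheck --seconds "$WINDOW" --hitcount "$MAX_NEW" \
        -m limit --limit 3/minute -j LOG --log-prefix "NEW_SVC limit: "
    ipt -A "$SVC_CHAIN" -m recent --name svc --update --seconds "$WINDOW" --hitcount "$MAX_NEW" -j DROP
    # Under the threshold: record this attempt and let it through.
    ipt -A "$SVC_CHAIN" -m recent --name svc --set -j ACCEPT
}

build_input_chain() {
    ipt -F INPUT
    # Always allow loopback and the replies to connections this host has
    # already accepted or initiated; drop what conntrack cannot classify.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # "If the packet matches service port x, do this": hand NEW
    # connections to the service chain for the second set of tests.
    for p in $TCP_PORTS; do
        ipt -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j "$SVC_CHAIN"
    done
    # Answer pings, but not a flood of them.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    # Everything else: log a sample, then fall through to the DROP policy.
    ipt -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT drop: "
}

apply_ruleset() {
    build_service_chain
    build_input_chain
    # Policies last: the ESTABLISHED rule is already in place, so an
    # existing admin session survives the switch to default-deny.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

case "${1:-preview}" in
    preview) DRY_RUN=1 apply_ruleset ;;
    apply)   apply_ruleset ;;
    *) echo "usage: $0 [preview|apply]" >&2; exit 2 ;;
esac
```

Read the preview output top to bottom and it is Grant's structure: INPUT holds the "if packet matches x" rules, NEW_SVC holds the tests run only on the packets that matched. The recent match is not a replacement for fail2ban: it counts connection attempts without knowing whether authentication failed, while fail2ban reads the mail server's logs and inserts its own rules into INPUT, so the two sit side by side. Note that the hardware router already limits which ports reach the host; this ruleset is the extra local layer the thread asks about, and it must include the administrative port before it is applied.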
From: Simon Jester @ 2008-02-22 14:22 UTC (permalink / raw)
To: Mail List - Netfilter
Alternatives...
(apologies if this kind of question is considered bad form)
I have also been debating the pros and cons of simply contracting this
part out to someone/some entity that specializes in security.
Anyone have any suggestions for a skilled security engineer/firm that
does this professionally?
My needs are simple, and I can't imagine an audit and/or firewall rules
setup should take very long or be too cost prohibitive...
Thanks again for the replies...