* Basic IPTables / firewall help?
From: Simon Jester @ 2008-02-20 22:10 UTC
To: netfilter

Hi everyone,

Joined the list a few weeks ago, and as always, lurked to get a feel... glad I did.

Is there a list somewhere that is more for newbies where I can ask dumb questions and not feel like I just stepped off a bus at Times Square with no clothes on? ;)

Really - IPTables rules mystify me. What I need is some help translating plain English (i.e., I want to block everything except x, y and z) to the appropriate IPTables command/rule. This list appears to be far too technical for my needs...

TIA for any pointers or suggestions...

Charles
* Re: Basic IPTables / firewall help?
From: Grant Taylor @ 2008-02-21 0:45 UTC
To: Mail List - Netfilter

On 02/20/08 16:10, Simon Jester wrote:
> Is there a list somewhere that is more for newbies where I can ask dumb
> questions and not feel like I just stepped off a bus at Times Square
> with no clothes on?

I don't know if there is another list elsewhere or not. I'm sure there are lists but I would have no idea where to look other than Google or distribution support pages.

> Really - IPTables rules mystify me. What I need is some help translating
> plain english (ie, I want to block everything except x, y and z) to the
> appropriate IPTables command/rule. This list appears to be far too
> technical for my needs...

IPTables is not that bad. The thing that you really need is an understanding of what you are working with (and trying to filter). The next thing you need is an understanding of how to identify what you are trying to filter and then decide what to do with it. Third, you need to understand the different ways that you can arrange things in an "if match: accept / drop / jump" type logic structure. (How to translate individual packet matching rules into the """Business Logic""" of IPTables firewall rules.)

To sort of answer what you want, you could do something like this:

    If <packet(s)> match "x" do "this"
    If <packet(s)> match "y" do "that"
    If <packet(s)> match "z" do "something"

"this", "that", and "something" can be the same or different actions. If you are happy with the simple match(es) you can decide to ACCEPT or DROP the packet(s) then and there. If you need to run other tests on just those packets you can jump to a different chain where you start your different set of matches against just the packets that matched the first set.

> Tia for any pointers or suggestions...

*nod*

I guess you can ask away with your questions. Or if you want to talk off list, email me directly.

Grant. . . .
* RE: Basic IPTables / firewall help?
From: Rob Sterenborg @ 2008-02-21 6:19 UTC
To: 'Mail List - Netfilter'

> > Tia for any pointers or suggestions...
>
> *nod*
>
> I guess you can ask away with your questions.

I'd like to add that there's a good iptables tutorial explaining most things there are to know and more when you're just starting with this, with examples. You can find it here:

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Grts,
Rob
* Re: Basic IPTables / firewall help?
From: Simon Jester @ 2008-02-22 14:19 UTC
To: 'Mail List - Netfilter'

> I don't know if there is another list elsewhere or not. I'm sure
> there are lists but I would have no idea where to look other than
> Google or distribution support pages.

I have read a few, but most make my head hurt. ;) Maybe this is one of those things that just doesn't make sense until one day a light bulb goes off. What I'd like is just a bunch of commonly used rules, with simple, plain English explanations of each part of the rule - what it does, and why, and how it protects the system.

> To sort of answer what you want, you could do something like this:
>
> If <packet(s)> match "x" do "this"
> If <packet(s)> match "y" do "that"
> If <packet(s)> match "z" do "something"

Yes, but... the approach that makes the most sense to me is simply deny everything, then just open up what you want. The problem is, I don't know enough about the protocols involved (and/or the packets themselves) to understand all of the lingo surrounding what you can 'do' with them. I'm not a programmer, but I do like running my own servers because of the flexibility it provides.

> not to make too fine a point of it, but you'd probably go unnoticed at
> Times Square.

Lol... that would actually pretty much have been true 30 years ago (I spent 9 months on Governors Island in the Coast Guard in 78/79, and Times Square was extremely bizarre, especially at night) - but from what I understand, Giuliani pretty much cleaned it up some years ago...

> i have difficult relating that, to someone, who, is running linux
> with a need to 'modify' firewall behaviour ...

Running a small server with only mail and web services running. I just want to lock down everything as much as is reasonably possible.

I have a hardware-based firewall/router that blocks all incoming connections except the ports I am using (25, 443, 587 and 993), but I'd also like to know what else I can do local-firewall-wise to protect these ports even more from misbehaving/malicious clients/connections. One of my main goals right now is to install fail2ban to prevent dictionary attacks, but I have been hesitant to do so, since I really don't understand IPTables...

> I'd like to add that there's a good iptables tutorial explaining most
> things there are to know and more when you're just starting with this,
> with examples. You can find it here:
>
> http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Thanks for the replies... I'll try the tutorial this weekend, and come back when I have questions...

Is it considered bad form to post current IPTables rules and ask for comments/critiques?
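The default-deny layout Simon describes above (deny everything, then open only the ports in use: 25, 443, 587 and 993), combined with the match-then-jump structure from Grant's reply, as an added example that is not part of the thread and not anyone's posted ruleset. It assumes a single-homed host whose kernel has the conntrack, hashlimit and limit match modules; by default it only prints the rules (IPT=echo), and it applies them only when run as root with IPT=iptables. The SERVICES chain name and the hashlimit thresholds are constructed values, not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): a default-deny iptables ruleset for a
# host that serves only the TCP ports the poster named (25, 443, 587, 993).
# IPT=echo (the default here) prints the rules; IPT=iptables applies them.
IPT="${IPT:-echo}"
ALLOWED_TCP="25 443 587 993"   # ports from the thread

# Emit the ruleset. Every line is the "if packet matches X, do Y" shape
# from Grant's reply: filter table, a chain, a match, then a target.
build_rules() {
    # Start from a clean filter table: flush rules, delete user chains.
    $IPT -F
    $IPT -X

    # Policy = what happens when no rule matched: deny everything inbound
    # and forwarded by default, open only what the rules below allow.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback traffic is local only and always fine.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened, plus packets of connections
    # that were already accepted by a rule further down.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Packets that belong to no known connection and are not a valid new
    # one (malformed or stray) are dropped before any port check.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # User-defined chain for NEW connections to the service ports: the
    # "jump to a different chain" step, where a second set of matches runs
    # only on the packets that matched the first set (port + NEW state).
    # SERVICES is a constructed name, not from the thread.
    $IPT -N SERVICES
    for port in $ALLOWED_TCP; do
        $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j SERVICES
    done

    # Inside SERVICES: a per-source rate limit on new connections slows a
    # dictionary attack against the mail ports. Thresholds are constructed
    # examples; this complements fail2ban rather than replacing it.
    $IPT -A SERVICES -m hashlimit --hashlimit-name svc --hashlimit-mode srcip \
        --hashlimit-above 10/minute --hashlimit-burst 20 -j DROP
    $IPT -A SERVICES -j ACCEPT

    # Whatever is left would hit the DROP policy anyway; logging it first
    # (rate-limited so the log cannot be flooded) is what makes the
    # attempts visible and gives fail2ban something to read.
    $IPT -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "IPT-DROP: "
    $IPT -A INPUT -j DROP
}

build_rules
```

Read the printed output top to bottom as the packet would traverse it: loopback, existing connections, invalid packets, then one jump per allowed port into SERVICES, then log-and-drop. Anything not named in ALLOWED_TCP never reaches an ACCEPT, which is the "deny everything, then open up what you want" approach in rule form.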
* Re: Basic IPTables / firewall help?
From: Simon Jester @ 2008-02-22 14:22 UTC
To: Mail List - Netfilter

Alternatives... (apologies if this kind of question is considered bad form)

I have also been debating the pros and cons of simply contracting this part out to someone/some entity that specializes in security. Anyone have any suggestions for a skilled security engineer/firm that does this professionally? My needs are simple, and I can't imagine an audit and/or firewall rules setup should take very long or be too cost prohibitive...

Thanks again for the replies...
* Re: Basic IPTables / firewall help?
From: terry white @ 2008-02-21 3:53 UTC
To: netfilter

... ciao:

> On Wed, 20 Feb 2008, Simon Jester wrote:
> where I can ask dumb questions and not feel like I just stepped
> off a bus at Times Square with no clothes on?

not to make too fine a point of it, but you'd probably go unnoticed at Times Square.

> Really - IPTables rules mystify me. What I need is some help translating
> plain english (ie, I want to block everything except x, y and z) to the
> appropriate IPTables command/rule.

as a suggestion: http://www.bastille-linux.org

grab that code, and take a good look at it. i have a hunch you could probably "make" it without installing it. that should generate the script object, WITH comments. lots to be learned in reading them.

> This list appears to be far too technical for my needs

i have difficulty relating that to someone who is running linux with a need to 'modify' firewall behaviour ...

--
... it's not what you see, but instead, notice ...