firewall ??
Jason Costomiris
jcostom at jasons.org
Fri Jul 2 19:41:19 UTC 2004
On Jul 2, 2004, at 2:57 PM, Bobby Knueven wrote:
>> Well... you need to set up a dhcp server.
>
> I already have a DHCP server, but it's not on the firewall box. Does
> that cause a problem?
>
>
Not a problem, if you want to use DHCP to assign addresses to the
systems behind the firewall, you'll need to do one of 2 things:
1. Install the dhcp package and configure the /etc/sysconfig/dhcrelay
file, then:
chkconfig dhcrelay on
service dhcrelay start
2. Don't supply DHCP addresses on the other server and run one behind
your new firewall.
In your case, #1 seems preferable.
As for the firewall, it's really quite simple in your case:
# These flush any existing rules
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X
# These set an initial drop everything policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# For connections already deemed OK
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Setup stuff you're allowing to talk directly to the firewall
# eg - ssh to firewall from 10.1.1.0/24:
iptables -A INPUT -p tcp -m state --state NEW -s 10.1.1.0/24 --dport 22
-j ACCEPT
# Setup stuff you're allowing to talk outbound from the firewall
# eg - ssh to anywhere
iptables -A OUTPUT -p tcp -m state --state NEW -d 0/0 --dport 22 -j
ACCEPT
# Setup stuff you're forwarding outbound
# eg - internal net == 192.168.1.0/24, allow everything out
iptables -A FORWARD -p all -m state --state NEW -s 192.168.1.0/24 -j
ACCEPT
# Setup stuff you're forwarding to a particular server
# eg - https to 192.168.1.50
iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.1.50 --dport
443 -j ACCEPT
I'd maintain all that in a shell script for easy mods later down the
line.
Then run the script to setup iptables, then:
service iptables save
service iptables restart
chkconfig iptables on
--j
More information about the fedora-list
mailing list