firewall ??

Jason Costomiris jcostom at jasons.org
Fri Jul 2 19:41:19 UTC 2004


On Jul 2, 2004, at 2:57 PM, Bobby Knueven wrote:

>> Well... you need to set up a dhcp server.
>
> I already have a DHCP server, but it's not  on the firewall box. Does 
> that cause a problem?
>
>

Not a problem. If you want to use DHCP to assign addresses to the 
systems behind the firewall, you'll need to do one of 2 things:

1.  Install the dhcp package and configure the /etc/sysconfig/dhcrelay 
file, then:

chkconfig dhcrelay on
service dhcrelay start

2. Don't supply DHCP addresses on the other server and run one behind 
your new firewall.

In your case, #1 seems preferable.

As for the firewall, it's really quite simple in your case:

# These flush any existing rules
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X

# These set an initial drop everything policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# For connections already deemed OK
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Set up stuff you're allowing to talk directly to the firewall
# eg - ssh to firewall from 10.1.1.0/24:
iptables -A INPUT -p tcp -m state --state NEW -s 10.1.1.0/24 --dport 22 -j ACCEPT

# Set up stuff you're allowing to talk outbound from the firewall
# eg - ssh to anywhere
iptables -A OUTPUT -p tcp -m state --state NEW -d 0/0 --dport 22 -j ACCEPT

# Set up stuff you're forwarding outbound
# eg - internal net == 192.168.1.0/24, allow everything out
iptables -A FORWARD -p all -m state --state NEW -s 192.168.1.0/24 -j ACCEPT

# Set up stuff you're forwarding to a particular server
# eg - https to 192.168.1.50
iptables -A FORWARD -p tcp -m state --state NEW -d 192.168.1.50 --dport 443 -j ACCEPT

I'd maintain all that in a shell script for easy mods later down the 
line.

Then run the script to set up iptables, then:

service iptables save
service iptables restart
chkconfig iptables on

--j
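The ruleset from the reply above, rewritten as the kind of maintainable shell script the reply recommends. This is an added example, not the script from the post: the rules are the same, but they are emitted from a function so they can be reviewed in a dry run, checked (all three built-in chains keep a DROP policy, every ACCEPT rule is stateful) and only then applied and saved. The variable names, function names and the `apply`/`dry-run` arguments are my own choices; the network values default to the ones used in the post.

```shell
#!/bin/sh
# Added example, not the original poster's script: the same iptables ruleset,
# parameterised and wrapped in functions so it can be checked before it is
# applied. Variable and function names are assumptions of this example.

INT_NET="${INT_NET:-192.168.1.0/24}"      # LAN behind the firewall
ADMIN_NET="${ADMIN_NET:-10.1.1.0/24}"     # hosts allowed to ssh to the firewall
WEB_SERVER="${WEB_SERVER:-192.168.1.50}"  # internal host reachable on 443

# Print the iptables commands, one per line. Nothing is executed here.
build_rules() {
    cat <<EOF
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -s $ADMIN_NET --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW -d 0/0 --dport 22 -j ACCEPT
iptables -A FORWARD -p all -m state --state NEW -s $INT_NET -j ACCEPT
iptables -A FORWARD -p tcp -m state --state NEW -d $WEB_SERVER --dport 443 -j ACCEPT
EOF
}

# Sanity check on the generated text: all three built-in chains must get a
# DROP policy, and no ACCEPT rule may be stateless (every "-A ... -j ACCEPT"
# line must carry "-m state"). Returns 0 when the ruleset passes.
check_rules() {
    rules=$(build_rules)
    drops=$(printf '%s\n' "$rules" | grep -c '^iptables -P [A-Z]* DROP$')
    if [ "$drops" -ne 3 ]; then
        echo "expected 3 DROP policies, got $drops" >&2
        return 1
    fi
    if printf '%s\n' "$rules" | grep '^iptables -A .* -j ACCEPT$' | grep -qv -- '-m state'; then
        echo "stateless ACCEPT rule found" >&2
        return 1
    fi
    return 0
}

# Number of rules appended to a given chain (INPUT, OUTPUT or FORWARD).
rules_for_chain() {
    build_rules | grep -c "^iptables -A $1 "
}

# "apply" loads the rules (needs root) and persists them exactly as the post
# describes; no argument or "dry-run" only prints what would be run.
case "${1:-dry-run}" in
    apply)
        check_rules || exit 1
        build_rules | sh -e
        service iptables save
        service iptables restart
        chkconfig iptables on
        ;;
    dry-run)
        check_rules && build_rules
        ;;
    *)
        echo "usage: $0 [dry-run|apply]" >&2
        ;;
esac
```

Run it with no arguments first and read the output; only when the printed rules are what you expect, run it as root with `apply`. Because the check runs before anything is loaded, a later edit that accidentally removes a DROP policy or adds a stateless ACCEPT is caught before it reaches the kernel.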