Discussion on:

18 Comments

0 Votes
To get iptables up and running, the article says under "the following commands should get you up and running" that there are two commands:

make
make install

Could someone please explain these two commands in a bit more depth? Is this recompiling the kernel?

Thanks,
Jeff
0 Votes
Make....
lmihailescu@... 2nd Apr 2002
Well, this small howto is missing the first "make" in the series: make pending-patches /path/to/kernel, which applies the latest patches to your kernel. The second make (make /path/to/kernel) is actually building the iptables package, while the last make is building the iptables binaries (iptables, iptables-save, iptables-restore) and the shared libraries.

L.
0 Votes
We are using gnat-box lite for one of our internal firewalls. It is one of those Linux-based firewalls that run on a floppy.

The machine it runs on is a hard-disk-less 486 P66 with 16MB RAM and two 10MB NICs.
Is it worth replacing it with a full Linux/*BSD distribution? That means starting to look for another machine.

I want to know what you guys use for an internal firewall.

I've been tempted to get a copy of FreeBSD or use Red Hat Linux 7.2 for this, but again, I don't want to get into a fruit salad of Unix flavors.

Elliott Bujan
0 Votes
Installation
shiva 2nd Apr 2002
Any distribution that includes a 2.4 kernel will generally have iptables already compiled in. You only need to worry about this if you use an unusual distribution, such as one that's been compiled for minimum footprint (e.g. a floppy-based system). If it comes up, there are HOWTOs for rebuilding the kernel (check the Linux Documentation Project), and the Netfilter site includes information on special considerations for iptables support.
0 Votes
RTFM
srdjan.krajnalic@... 7th Apr 2002
If you really need to know this, download iptables and read the README file.
0 Votes
jeffwalzer@... 20th Jun 2002
Ahhh, if only it were that easy.
0 Votes
Nice...
Tony K 5th Aug 2003
With that attitude he should be dumping Linux in a few minutes. You know, not everyone's been using Linux for years, some people are just getting into it, and I gotta tell you, it's becoming less and less newbie friendly over the years. Jerks like you have always been around, but there seem to be more and more of you. I've known more than a few people "drop out" because of an ever-so-freakin' helpful response like this. Instead of being a prick, how about trying:

"Yeah, they're instructions that are part of the kernel compile process. You can find more information here: http://www.ibiblio.org/pub/Linux/docs/HOWTO/Kernel-HOWTO"
0 Votes
Thank you for saying what I've been thinking. I've tried to install Linux a few times over the past several years. I would have time to play with it for a month or so, and then work called. Short end of the long story: it never worked. And I kept meeting this stupid attitude, RTFM. Well, excuse me. I'm smart. I'm a member of Mensa, so I KNOW I'm smart. I can read, and I can learn better from reading than 98% of the population.
But RTFM doesn't cut it. That is the SLOOOW way to learn, if at all. The anti-social smart-ass twerps give me heartburn. I hope I get them in the reverse position someday. They won't be happy.
0 Votes
Some tips
larry@... 7th Apr 2002
I would highly suggest also blocking the well-known outgoing ports of trojans. Should your internal system become infected, not too much damage will result if the default port is blocked.

Does anybody know of a current list of known trojan ports?
0 Votes
IMHO, it is easier and more secure to have a default DROP policy for FORWARD and then *only* allow what you require. For instance, TCP ports 80, 443, 110, 119, etc., and UDP port 53.
0 Votes
That's what I do, also. It has the nice effect of blocking Kazaa and such things as well. Port 443 is about the only one allowed unrestricted access out to everything. Some other ports are allowed only for certain destinations, port 25 is allowed only from certain "authorized" hosts, and port 80 is redirected to the Squid proxy.
0 Votes
trojan ports
j3nn333 8th Apr 2002
This is a very comprehensive list:
http://www.anti-trojan.org/page34.html
0 Votes
The final Test
michael@... 20th Apr 2002
After you've set up your firewall with iptables, a great tool for checking the integrity of your security is ShieldsUP. This checks the ports and external access to your system. You can access it from http://grc.com/default.htm.
For example, suppose you have an inbound connection on port 25 going to a machine that isn't supposed to be running a mail server? Or an outbound connection on port 80 from a machine that is supposed to be a server, and not surfing the web?

If I was a bad guy, then I'd try to put my code on a well known port so that my traffic would look as much as possible like "normal" traffic.

Ain't that a scary thought?
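The two cases michael@ describes (SMTP arriving at a machine that should not be a mail server, and a server that should never browse the web opening port 80 connections) show up in the lines the iptables LOG target writes to syslog. The script below is an added example, not code from the thread or the article: it parses the KEY=VALUE fields of such log lines and prints an alert for each suspicious one. The interface names, host lists and the log lines themselves are constructed for the example; real LOG output carries more fields (LEN, TTL, ID, WINDOW and so on), which the parser simply ignores.

```shell
#!/bin/sh
# Added example (not part of the original thread): flag iptables LOG lines that
# show SMTP going to a non-mail host or a server browsing the web.
# All hosts, interfaces and log lines below are constructed for illustration.
WAN_IF="${WAN_IF:-eth0}"                                   # Internet side
LAN_IF="${LAN_IF:-eth1}"                                   # LAN side
MAIL_HOSTS="${MAIL_HOSTS:-192.168.1.10}"                   # may receive port 25
SERVER_HOSTS="${SERVER_HOSTS:-192.168.1.10 192.168.1.20}"  # must never surf

# Constructed sample of what the kernel logs for matched packets.
SAMPLE_LOG='Apr 20 10:01:02 fw kernel: FWD: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.33 PROTO=TCP SPT=4242 DPT=25 SYN
Apr 20 10:01:05 fw kernel: FWD: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=4243 DPT=25 SYN
Apr 20 10:02:11 fw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 PROTO=TCP SPT=33000 DPT=80 SYN
Apr 20 10:02:12 fw kernel: FWD: IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.9 PROTO=TCP SPT=33001 DPT=80 SYN'

# Reads LOG lines on stdin and prints one ALERT line per suspicious packet.
flag_odd_ports() {
    awk -v mail="$MAIL_HOSTS" -v servers="$SERVER_HOSTS" \
        -v wan="$WAN_IF" -v lan="$LAN_IF" '
    BEGIN {
        n = split(mail, a, " ");    for (i = 1; i <= n; i++) is_mail[a[i]] = 1
        n = split(servers, b, " "); for (i = 1; i <= n; i++) is_server[b[i]] = 1
    }
    {
        split("", f)                   # clear the KEY=VALUE table for this line
        for (i = 1; i <= NF; i++)      # bare flags such as SYN or DF are skipped
            if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
        if (f["PROTO"] != "TCP") next
        # Internet -> LAN on port 25 to a host that is not one of the mail servers
        if (f["IN"] == wan && f["OUT"] == lan && f["DPT"] == "25" && !(f["DST"] in is_mail))
            printf "ALERT smtp-to-non-mailhost SRC=%s DST=%s DPT=%s\n", f["SRC"], f["DST"], f["DPT"]
        # LAN -> Internet on port 80 from a machine that is supposed to be a server
        if (f["IN"] == lan && f["OUT"] == wan && f["DPT"] == "80" && (f["SRC"] in is_server))
            printf "ALERT server-browsing-web SRC=%s DST=%s DPT=%s\n", f["SRC"], f["DST"], f["DPT"]
    }'
}

# Run directly: scan the constructed sample. On a real box you would feed it
# something like: grep "FWD:" /var/log/messages | flag_odd_ports
printf '%s\n' "$SAMPLE_LOG" | flag_odd_ports
```

Of the four sample lines only the first (port 25 to 192.168.1.33, which is not a mail host) and the third (port 80 from the server 192.168.1.20) produce alerts; the other two match the expected traffic pattern and stay quiet.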
0 Votes
On page 2 of the article it states that "-i refers to the interface that will be receiving the packets." While this is somewhat true (it does refer to an interface), in iptables it refers more to a specific interface, the input interface. There is also an output interface, -o. This is important to distinguish, because in iptables you can have both or either in a command. In ipchains it did in fact mean interface. In iptables it means input interface.
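The default-DROP FORWARD policy suggested above, the follow-up that restricts port 25 to "authorized" hosts and sends port 80 through a Squid proxy, and the -i/-o distinction from this last comment all fit in one small rule set. The script below is an added example, not code from the thread or from the article it discusses. Its interface names (eth0 towards the Internet, eth1 towards the LAN), the LAN network, the Squid port and the list of mail hosts are assumptions; every rule names both -i and -o so the direction of each allowed flow is explicit.

```shell
#!/bin/sh
# Added example (not from the thread or the article): default-drop FORWARD
# policy that allows only the required ports, limits SMTP to listed hosts,
# redirects LAN web traffic to a local Squid, and spells out -i and -o.
# Defaults to a dry run that prints the commands; run as root with
# IPT=iptables to apply them. Interfaces, network and hosts are assumptions.
IPT="${IPT:-echo}"
WAN_IF="${WAN_IF:-eth0}"                  # -o for LAN->Internet, -i for replies
LAN_IF="${LAN_IF:-eth1}"                  # -i for LAN->Internet, -o for replies
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"
MAIL_HOSTS="${MAIL_HOSTS:-192.168.1.10 192.168.1.11}"   # constructed sample
TCP_OUT="443 110 119"                     # outbound TCP open to every LAN host
UDP_OUT="53"                              # outbound UDP open to every LAN host

build_forward_rules() {
    # Everything forwarded through this box is dropped unless a rule allows it.
    "$IPT" -P FORWARD DROP
    "$IPT" -F FORWARD
    # Replies to connections that were allowed out come back WAN -> LAN.
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Only LAN hosts may originate traffic, and only on the listed ports.
    for p in $TCP_OUT; do
        "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p tcp --dport "$p" -j ACCEPT
    done
    for p in $UDP_OUT; do
        "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
            -p udp --dport "$p" -j ACCEPT
    done
    # SMTP out only from the authorized mail hosts; any other host on 25 hits DROP.
    for h in $MAIL_HOSTS; do
        "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$h" \
            -p tcp --dport 25 -j ACCEPT
    done
    # Log what the policy drops (rate-limited) so mistakes and infected hosts
    # show up in syslog instead of disappearing silently.
    "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

build_proxy_redirect() {
    # Port 80 from the LAN is never forwarded directly; it is redirected to
    # Squid on this box before routing, so no FORWARD rule for 80 is needed.
    "$IPT" -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" \
        -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"
}

# Run directly: print (or, with IPT=iptables, apply) the rule set.
build_forward_rules
build_proxy_redirect
```

Because the policy is DROP, anything the thread's "trojan port list" would have blocked is already blocked without listing it: a new outbound port is allowed only when someone adds it to TCP_OUT or UDP_OUT, and the LOG rule at the end shows which host tried.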
0 Votes
Firewalls
electrnx@... 13th Apr 2002
Is this meant to be a dedicated firewall, or to operate in conjunction with a server/client?
0 Votes
If you are using a Linux-based server, iptables allows you to make use of the built-in firewalling capabilities (packet filtering) of the Linux kernel to make your server more secure.

Or you can get an old PC with a floppy drive and two NICs and use a floppy disk that has the kernel, iptables and a shell, and use that as a dedicated firewall. It can act as your NAT box too.

Or you can try a server+firewall+NAT combo where all traffic from your internal network accesses the Internet through the machine while it also serves as your mail server or some other Internet service.
0 Votes
How do I block all ports using iptables and allow them one by one as required?