Firewall behind Router
Brian Densmore
DensmoreB at ctbsonline.com
Wed Jan 2 14:56:42 CST 2002
> -----Original Message-----
> From: jose sanchez [mailto:j_r_sanchez at yahoo.com]
> Sent: Tuesday, January 01, 2002 7:46 PM
> To: kclug at kclug.org
> Subject: Firewall behind Router
>
>
> Hello All:
>
> Happy New Year!
>
> My first posting of the year: I am in the process of
> building a Linux firewall at work. We currently have a
> Netopia Router/Modem that acts as a
> router/firewall/modem. I would like to offer some
> services (WWW and FTP) and have more control of the
> whole network. I am having difficulties implementing
> it and coming up with a solution on how to get the
> firewall up and running.
>
> I want both Servers (WWW & FTP, and soon SMTP) to be
> accessible by the outside world as well as from
> inside. I can have our ISP forward any WWW request to
> any internal IP. This is how I am currently running
> the server. I really don't know how secure our LAN is.
> My boss just wants a firewall installed and that's my
> job to get this done. With your help, ideas, input,
> etc... I would be able to have a better designed and
> less vulnerable network.
>
> I was thinking of using -ipchains- and forward any WWW
> & FTP requests to its respective server. Is this the
> way to do it?
>
> Thanks in advance for your help.
>
> Jose
>
Don't use ipchains. Use iptables.
Read the netfilter howto (http://netfilter.samba.org/).
Here is what a very simple configuration looks like:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot source      destination
ACCEPT     all  anywhere    anywhere    state RELATED,ESTABLISHED
ACCEPT     tcp  anywhere    anywhere    tcp dpt:ssh flags:FIN,SYN,RST,PSH,ACK,URG/SYN
ACCEPT     tcp  anywhere    anywhere    tcp dpt:www flags:FIN,SYN,RST,PSH,ACK,URG/SYN
LOG        tcp  anywhere    anywhere    LOG level warning prefix `DENY '
DROP       tcp  anywhere    anywhere
What this does is allow port 80 and 22 traffic, log other traffic and
drop it. This is of course only a starting point. This would be good
enough to start a firewall for a webserver, leaving access to administer
remotely.
Happy New Year,
Brian
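The ruleset Brian lists, plus the WWW/FTP forwarding Jose asked about, written as an iptables script. This is an added example, not code from either post; it assumes eth0 faces the Netopia and uses placeholder internal addresses. IPTABLES defaults to "echo iptables" so running the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the list posting: Brian's allow-22/80, log-and-drop
# ruleset as an iptables script, plus the www/ftp forwarding Jose asked about.
# IPTABLES defaults to "echo iptables" so the script only prints the commands;
# run with IPTABLES=iptables to apply them. All addresses are placeholders.
IPTABLES="${IPTABLES:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"                  # assumed: interface toward the Netopia
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"  # placeholder internal web server
FTP_SERVER="${FTP_SERVER:-192.168.1.11}"  # placeholder internal ftp server

build_firewall() {
    $IPTABLES -F INPUT
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F PREROUTING
    # Default policy DROP (the listing has policy ACCEPT and only drops tcp,
    # so udp/icmp that match no rule would still get in).
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Replies to connections the firewall itself opened.
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # New tcp connections to ssh and www on the firewall (--syn = SYN-only).
    for port in 22 80; do
        $IPTABLES -A INPUT -p tcp --dport "$port" --syn -j ACCEPT
    done
    # Log, rate-limited so a flood cannot fill the disk, then drop the rest.
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DENY "
    $IPTABLES -A INPUT -j DROP
    # Forward public www and ftp requests to the internal servers (DNAT).
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_SERVER"
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 21 \
        -j DNAT --to-destination "$FTP_SERVER"
    # Let only those forwarded connections through; ftp data connections are
    # RELATED only when the ip_conntrack_ftp module is loaded.
    $IPTABLES -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A FORWARD -i "$WAN_IF" -p tcp -d "$WEB_SERVER" --dport 80 --syn -j ACCEPT
    $IPTABLES -A FORWARD -i "$WAN_IF" -p tcp -d "$FTP_SERVER" --dport 21 --syn -j ACCEPT
    $IPTABLES -A FORWARD -j DROP
}

# Number of rules that accept new connections: a quick sanity check before
# applying the ruleset for real.
accept_rule_count() { build_firewall | grep -c -- '--syn -j ACCEPT'; }
```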