[Cialug] IPTables Concept

Josh More morej at alliancetechnologies.net
Thu Oct 26 15:44:29 CDT 2006


1) Yes, iptables is capable of this.  It's quite easy to do, in fact.

2) iptables is port-specific, and ssh is encrypted anyway.  There is no
difference between ssh and rsync data over ssh.  It should "just work".

3) The worst that can happen with a firewall like this (if you're not
doing routing) is that you lose access to the server.

Also, I recommend putting the ssh configs in the firewall rules, just
so you have a single spot of administration.  It will make your life
easier.  If I were you, I would make sure I have console access and
turn on the deny-all rule first.  Then test to make sure it works.
Then open up each one, one by one, and test as you go.

In the end, run nmap against it from inside and outside, and make sure
it does what you expect.

If you need a reference, "Red Hat Linux Firewalls" is a good overview
for iptables.
http://www.amazon.com/Red-Linux-Firewalls-Bill-McCarty/dp/0764524631
It is not Red Hat specific.

Once it's built, check out "Troubleshooting Linux Firewalls" for
further reference.  It's very well written.
http://www.amazon.com/Troubleshooting-LinuxR-Firewalls-Michael-Shinn/dp/0321227239

Hope this helps,

-- 
-Josh More, RHCE, CISSP, NCLP 
 morej at alliancetechnologies.net 
 515-245-7701


>>> <lister at kulish.com> 10/26/06 3:02 PM >>> 

I am working on a Security in Depth concept using IPTables as the
firewall.  I have little experience with it due to my background mostly
being with PF on BSD.

So here is what I am looking to try.

To keep it simple I am going to work on a test server that is only
hosting a single service, ssh.  The server will need to access services
on other machines.  We'll call the server silo.icbm.com for this
exercise.

Hosted services (INBOUND):
SSH service needs to be accessible from a single host on the internal
network only.  This can be done via sshd_config, so it should have no
impact on the iptables rules other than allowing the traffic in.

Accessed services (OUTBOUND):
SYSLOG to a single host in the internal network.
NTP to a single host in the internal network.
RSYNC (over SSH) to a single host in the internal network.
SMTP to a single host in the internal network.
HTTP to a single host on the Internet for patches.
DNS to 2 hosts on the internal network.

All other packets DROPped.  I do not want any sort of denied response
sent or logged.  This means I wish to drop inbound AND outbound.

And now for my questions.

I assume iptables is capable of this sort of setup?
Will I need some sort of "special" rule to allow the TCP connection to
send data back out on an SSH login?  Or is this automatic?
Will dropping all packets that are not specifically allowed break
something in the server?  Or potentially cause a security issue?

Does this look like a secure enough firewall for internal servers?

Thanks for any input and helping out an iptables newbie with concepts.

Thanks!
Chris K.
_______________________________________________
Cialug mailing list
Cialug at cialug.org
http://cialug.org/mailman/listinfo/cialug
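As an added example for the thread above (it is not code from either poster), here is the ruleset Chris describes, written as a small POSIX shell script that emits iptables-restore(8) input instead of typing rules one at a time. All addresses are constructed placeholders; silo's real hosts would go in the variables at the top. The script answers the second question directly: the ESTABLISHED,RELATED rules are what let sshd's replies out and the replies to the outbound connections back in, so no per-service return rule is needed. It also limits the ssh source in the firewall itself, as Josh suggests, carries an audit function that fails if an inbound accept rule is ever left open to any source, and goes slightly beyond the post by allowing DNS over TCP as well as UDP.

```shell
#!/bin/sh
# Added example (not from the original thread): a default-DROP ruleset for
# the single-service host described in the post, emitted in
# iptables-restore(8) format so it can be reviewed and loaded atomically.
# Every address below is a constructed placeholder (RFC 1918 / RFC 5737).

ADMIN_HOST=10.0.0.10          # the only host allowed to ssh in
SYSLOG_HOST=10.0.0.20
NTP_HOST=10.0.0.21
RSYNC_HOST=10.0.0.22          # rsync runs over ssh, so this is outbound tcp/22
SMTP_HOST=10.0.0.23
PATCH_HOST=203.0.113.7        # Internet host serving patches over http
DNS_HOSTS="10.0.0.53 10.0.0.54"

# Print one rule line with single-space separators.
rule() { printf '%s\n' "$*"; }

# Print the complete ruleset on stdout.
build_rules() {
    rule '*filter'
    # Default DROP on every chain: no REJECT and no LOG, as the post asks.
    rule ':INPUT DROP [0:0]'
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT DROP [0:0]'

    # Loopback: local daemons (resolver, syslog socket) need it.
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT

    # Connection tracking is the "special rule" the post asks about: the
    # replies to an accepted ssh login, and to the outbound connections
    # below, match here.  RELATED also admits ICMP errors tied to a tracked
    # connection (e.g. fragmentation needed), which plain DROP would lose.
    # -m state is the 2006 spelling; current iptables still accepts it.
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound: new ssh connections from the admin host only.  Limiting the
    # source here as well as in sshd_config means everyone else is dropped
    # before sshd ever sees a SYN.
    rule -A INPUT -p tcp -s "$ADMIN_HOST" --dport 22 -m state --state NEW -j ACCEPT

    # Outbound: one destination per service.
    rule -A OUTPUT -p udp -d "$SYSLOG_HOST" --dport 514 -m state --state NEW -j ACCEPT
    rule -A OUTPUT -p udp -d "$NTP_HOST" --dport 123 -m state --state NEW -j ACCEPT
    rule -A OUTPUT -p tcp -d "$RSYNC_HOST" --dport 22 -m state --state NEW -j ACCEPT
    rule -A OUTPUT -p tcp -d "$SMTP_HOST" --dport 25 -m state --state NEW -j ACCEPT
    rule -A OUTPUT -p tcp -d "$PATCH_HOST" --dport 80 -m state --state NEW -j ACCEPT
    # DNS over UDP and TCP: answers over 512 bytes are retried over TCP.
    for dns in $DNS_HOSTS; do
        rule -A OUTPUT -p udp -d "$dns" --dport 53 -m state --state NEW -j ACCEPT
        rule -A OUTPUT -p tcp -d "$dns" --dport 53 -m state --state NEW -j ACCEPT
    done
    rule COMMIT
}

# Read a ruleset on stdin and check the invariants that matter for this box.
# Returns non-zero, with a reason on stderr, if any of them is violated.
audit_rules() {
    rules=$(cat)
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q "^:$chain DROP" \
            || { echo "audit: $chain policy is not DROP" >&2; return 1; }
    done
    # Every INPUT accept must be loopback, a tracked reply, or source-limited.
    if printf '%s\n' "$rules" | grep '^-A INPUT .*-j ACCEPT' \
            | grep -v -e '-i lo' -e 'ESTABLISHED' | grep -qv -e '-s '; then
        echo "audit: an INPUT accept rule is open to any source" >&2
        return 1
    fi
    # One hosted service, so exactly one rule admitting NEW inbound connections.
    [ "$(printf '%s\n' "$rules" | grep -c '^-A INPUT .*--state NEW')" -eq 1 ] \
        || { echo "audit: unexpected number of inbound services" >&2; return 1; }
    [ "$(printf '%s\n' "$rules" | tail -n 1)" = COMMIT ] \
        || { echo "audit: ruleset does not end with COMMIT" >&2; return 1; }
}

# Distinct outbound destinations, for checking against the host inventory.
list_destinations() {
    build_rules | grep '^-A OUTPUT' | sed -n 's/.* -d \([^ ]*\) .*/\1/p' | sort -u
}

case "${1:-}" in
    print) build_rules ;;
    check) build_rules | audit_rules && echo "ruleset passes audit" ;;
esac
```

Load it the way Josh describes, with a console session open: `sh silo_rules.sh print > silo.rules`, then `iptables-restore --test < silo.rules` to catch syntax errors without touching the live tables, then `iptables-restore < silo.rules`. Because OUTPUT drops silently and nothing is logged, a forgotten outbound rule shows up as a hang until timeout rather than an error, so exercise each outbound service from the box (a query against each DNS server, an NTP query, a test message to the relay) before declaring victory. Then run nmap from the admin host and from some other internal host: only the admin host should see tcp/22 open, and the other host should see every port filtered.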


