[Cialug] Firewall/Virtual Interfaces (multiple ips)

Aaron Porter atporter at gmail.com
Sat Jan 2 23:07:56 CST 2010


On Fri, Jan 1, 2010 at 6:27 PM, Matt Stanton
<inflatablesoulmate at brothersofchaos.com> wrote:
> So, if someone doesn't mind looking over this /etc/network/interfaces
> file for me and letting me know if it looks like it should work, that
> would be awesome.

If all of your sub-interfaces are on the same network (sounds like
they are) then you only need/want one gateway statement.

> Currently, eth1 is connected to my LAN with the static ip 192.168.1.42.
> When I type ifconfig on the server, eth0 does not show any of the
> virtual interfaces, and the listing for eth0 has no address (only
> hardware information).  I am just hoping that the reason behind this is
> because I don't have a cable plugged into the port that corresponds to
> eth0, and that they will just magically show up when it's connected to
> the proper network.

Try ifconfig -a, but yes. By default ifconfig doesn't display down interfaces.

> Also, I didn't bother using the 'network' or 'broadcast' lines... Do I need them, or should it figure them out on its own?

These can be inferred from your netmask.

> Next, I need to set up a firewall.

I like to use the "pre-up" option in my /etc/network/interfaces to do
this, but a strong case could also be made for /etc/network/if-up.d:

  pre-up /sbin/iptables-restore < /var/lib/iptables/active

iptables-restore file from a server that does anon-ftp & ssh; the
"--dport 22" line is what you'd want to replicate for other services:

# table header and user-defined chain declaration (required by
# iptables-restore; not part of the excerpt as posted)
*filter
:block - [0:0]
# anonymous FTP: control channel (21) and active-mode data channel (20)
-A OUTPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# passive-mode FTP data connections on unprivileged ports, tracked by
# conntrack as RELATED/ESTABLISHED
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh: this is the line to copy for each additional exposed service
-A INPUT -p tcp --dport 22 -j ACCEPT
# trust the local network outright
-A INPUT -s my.public.ip/my.local.subnet -j ACCEPT
# everything else goes through the "block" chain
-A INPUT -j block
-A FORWARD -j block
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
# new connections are only accepted if they did NOT arrive on eth0
# (the internet-facing interface); "! -i" is the current negation syntax
-A block ! -i eth0 -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT

> ??  Is there reason to block outgoing traffic?

It's difficult to predict what source/target ports outgoing traffic
will need. Can cause all sorts of headaches.
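As an added example (not from the mail above), a POSIX shell script that generates a complete iptables-restore file in the shape of the ruleset Aaron posted: a "block" chain, one "--dport" line per exposed TCP service, and "! -i" negation for the untrusted interface. The interface name, LAN subnet and port list are parameters; the values used in the comments (eth0, 192.168.1.0/24) are assumed placeholders.

```shell
#!/bin/sh
# Added example: build a restore file for "pre-up iptables-restore < file".
# Usage: build_ruleset <untrusted-iface> <trusted-subnet> <tcp-port>...
# e.g.   build_ruleset eth0 192.168.1.0/24 22 21 > /var/lib/iptables/active

# Emit the "--dport 22" style rule once per port: accept new inbound TCP.
allow_tcp_ports() {
    for port in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$port"
    done
}

# Emit the whole file. Built-in chain policies are declared explicitly so
# a reload never inherits whatever policy was set before.
build_ruleset() {
    untrusted=$1
    lan=$2
    shift 2
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:block - [0:0]
-A INPUT -i lo -j ACCEPT
EOF
    allow_tcp_ports "$@"
    cat <<EOF
-A INPUT -s $lan -j ACCEPT
-A INPUT -j block
-A FORWARD -j block
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block ! -i $untrusted -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT
EOF
}

# Count how many inbound TCP services a generated file exposes; a cheap
# review check before the file is loaded at boot.
exposed_port_count() {
    build_ruleset "$@" | grep -c -- '^-A INPUT -p tcp --dport'
}
```

Before wiring the file into "pre-up", parse-check it with "iptables-restore --test < /var/lib/iptables/active" so a typo cannot leave the box unprotected at boot.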
