sslug-teknik team mailing list archive
Message #66712
Re: Hardware choice for firewall?
> Would it perhaps be possible to see your firewall script?
You don't really need to see my whole script. Basically I use Debian's
handling of iptables. But I can give you a quick example of an 'active'
ruleset:
4 web servers plus FTP access. eth0 is the outer and eth1 the inner interface;
this configuration uses NAT to reserved (private) addresses.
---
#
# /var/lib/iptables/active
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PUBLIC - [0:0]
# Traffic to the firewall itself: loopback, the management host (pinned to
# both its IP and its MAC; the mac match's option is --mac-source), replies
# to connections the firewall opened, and ping.
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -s <management_server_ip> -m mac --mac-source <management_server_arp> -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
# Forwarded traffic: anything from the inside out; inbound only to the four
# web servers (checked in PUBLIC), plus replies/related connections and ping.
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d <webserver1_private_ip> -j PUBLIC
-A FORWARD -i eth0 -o eth1 -d <webserver2_private_ip> -j PUBLIC
-A FORWARD -i eth0 -o eth1 -d <webserver3_private_ip> -j PUBLIC
-A FORWARD -i eth0 -o eth1 -d <webserver4_private_ip> -j PUBLIC
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p icmp -m state --state NEW -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j DROP
# Services reachable on the web servers: FTP (control on 21, active-mode data
# from port 20, passive data on high ports; the ip_conntrack_ftp module must
# be loaded so the data connections are tracked as RELATED) and HTTP. A packet
# that matches nothing here returns to FORWARD, where RELATED,ESTABLISHED is
# accepted and everything else hits the DROP policy.
-A PUBLIC -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A PUBLIC -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A PUBLIC -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# 'unclean' is the experimental 2.4-era match, not available on later kernels;
# together with the length check it drops runt SYNs to port 80. Drop this rule
# on a kernel without the match; the INVALID drop in FORWARD covers the intent.
-A PUBLIC -p tcp -m tcp --dport 80 -m state --state NEW -m length --length 0:32 -m unclean -j DROP
-A PUBLIC -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# One public address per web server: inbound DNAT to the private address,
# outbound SNAT back to the same public address; everything else on the
# inside is masqueraded behind eth0's address.
-A PREROUTING -i eth0 -d <webserver1_public_ip> -j DNAT --to-destination <webserver1_private_ip>
-A PREROUTING -i eth0 -d <webserver2_public_ip> -j DNAT --to-destination <webserver2_private_ip>
-A PREROUTING -i eth0 -d <webserver3_public_ip> -j DNAT --to-destination <webserver3_private_ip>
-A PREROUTING -i eth0 -d <webserver4_public_ip> -j DNAT --to-destination <webserver4_private_ip>
-A POSTROUTING -o eth0 -s <webserver1_private_ip> -j SNAT --to-source <webserver1_public_ip>
-A POSTROUTING -o eth0 -s <webserver2_private_ip> -j SNAT --to-source <webserver2_public_ip>
-A POSTROUTING -o eth0 -s <webserver3_private_ip> -j SNAT --to-source <webserver3_public_ip>
-A POSTROUTING -o eth0 -s <webserver4_private_ip> -j SNAT --to-source <webserver4_public_ip>
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
---
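A static check over the same iptables-save format, as an added example that is not part of the original post. It parses a constructed ruleset shaped like the one above (RFC 5737 addresses standing in for the public IPs, RFC 1918 for the private ones, all assumed values) and verifies the properties the posted configuration relies on: INPUT and FORWARD default to DROP, every DNAT target is also named in a FORWARD rule and has a matching SNAT, and it lists which TCP ports in PUBLIC accept new connections. The third DNAT target in the sample is deliberately left without FORWARD and SNAT rules so the output shows what a finding looks like.

```python
import shlex

# Constructed ruleset in the same iptables-save format as the posted one. RFC 5737
# addresses stand in for the public IPs, RFC 1918 for the private ones, and the
# third DNAT target (10.0.0.13) deliberately lacks FORWARD and SNAT rules so the
# checks have something to report. Every value here is an assumption.
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PUBLIC - [0:0]
-A INPUT -i eth1 -s 10.0.0.2 -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 10.0.0.11 -j PUBLIC
-A FORWARD -i eth0 -o eth1 -d 10.0.0.12 -j PUBLIC
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A PUBLIC -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A PUBLIC -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A PUBLIC -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
-A PUBLIC -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -d 192.0.2.11 -j DNAT --to-destination 10.0.0.11
-A PREROUTING -i eth0 -d 192.0.2.12 -j DNAT --to-destination 10.0.0.12
-A PREROUTING -i eth0 -d 192.0.2.13 -j DNAT --to-destination 10.0.0.13
-A POSTROUTING -o eth0 -s 10.0.0.11 -j SNAT --to-source 192.0.2.11
-A POSTROUTING -o eth0 -s 10.0.0.12 -j SNAT --to-source 192.0.2.12
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


def parse(text):
    """Return {table: {"policy": {chain: policy}, "rules": [(chain, opts)]}};
    opts is a list of (flag, value) pairs, value None for argument-less flags."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy, _counters = line[1:].split()
            table["policy"][chain] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            opts, i = [], 2
            while i < len(toks):
                flag, value = toks[i], None
                if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    value, i = toks[i + 1], i + 1
                opts.append((flag, value))
                i += 1
            table["rules"].append((toks[1], opts))
    return tables


def get(opts, flag):
    """First value of flag, with /32 stripped (iptables-save prints -d 10.0.0.1/32)."""
    for f, v in opts:
        if f == flag:
            return v.removesuffix("/32") if v else v
    return None


def check(text):
    """Return a list of findings; an empty list means every invariant holds."""
    tables = parse(text)
    filt, nat, findings = tables["filter"], tables["nat"], []
    for chain in ("INPUT", "FORWARD"):  # chains that see unsolicited packets
        if filt["policy"].get(chain) != "DROP":
            findings.append(f"filter {chain} policy is not DROP")
    forwarded = {get(o, "-d") for c, o in filt["rules"] if c == "FORWARD"}
    snatted = {get(o, "-s") for c, o in nat["rules"]
               if c == "POSTROUTING" and get(o, "-j") == "SNAT"}
    for chain, o in nat["rules"]:
        if chain == "PREROUTING" and get(o, "-j") == "DNAT":
            target = get(o, "--to-destination")
            if target not in forwarded:  # would hit the FORWARD DROP policy
                findings.append(f"DNAT to {target} has no FORWARD rule")
            if target not in snatted:  # would leave via MASQUERADE, not its own IP
                findings.append(f"{target} has no matching SNAT")
    return findings


def exposed_ports(text, chain="PUBLIC"):
    """TCP dports whose ACCEPT rules admit NEW connections (no --state, or NEW in it)."""
    ports = set()
    for c, o in parse(text)["filter"]["rules"]:
        if c == chain and get(o, "-j") == "ACCEPT" and get(o, "-p") == "tcp":
            state = get(o, "--state")
            if state is None or "NEW" in state.split(","):
                ports.add(get(o, "--dport") or "any")
    return sorted(ports)


if __name__ == "__main__":
    print(*check(RULESET), sep="\n")
    print("ports accepting NEW in PUBLIC:", exposed_ports(RULESET))
```

Run it against the output of iptables-save (or /var/lib/iptables/active directly) to catch a web server that was added to the NAT table but not to the filter rules, which is the usual way a new host ends up silently unreachable behind a default-DROP FORWARD chain.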