
Anyone can help me for more secure firewall.


pratchaya
25th January 2006, 07:56 PM
Hi, All

Now I have made my server an internet gateway/firewall.

I need your help and your suggestions about more security,
because I know my INPUT / OUTPUT chains are open.
How can I make it more secure?


Thank you very much
Pratchaya



My Network Diagram
===============


ADSL Router <===> eth1 [ My Server ] eth0 <===> Local network (192.168.0.xx)


===============
My Command line
===============


service iptables stop
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -m multiport -p tcp --dport 53,80,110,143,443,993,995,3128 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -s 192.168.0.0/24 -m multiport -p udp --dport 53,110,143,993,995,1863 -j ACCEPT
service iptables save


===============
My Iptables List
===============


[root@firewall ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  192.168.0.0/24       anywhere            multiport dports domain,http,pop3,imap,https,imaps,pop3s,squid
ACCEPT     udp  --  192.168.0.0/24       anywhere            multiport dports domain,pop3,imap,imaps,pop3s,1863

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@firewall ~]#
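One way to close the open INPUT chain on the gateway described in the post, as an added example script rather than anything the poster or the replies provided. It keeps the post's NAT and FORWARD rules and assumes sshd, a DNS resolver and squid run on the gateway and are used only from the LAN (eth0, 192.168.0.0/24); eth1 is the ADSL side.

```shell
#!/bin/sh
# Added example: default-deny INPUT for the two-interface gateway in the post.
# Assumed: ssh, DNS and squid (3128) on the gateway, reachable only from the LAN.
WAN=eth1
LAN=eth0
LAN_NET=192.168.0.0/24
# Every rule goes through this wrapper; IPT=echo prints instead of applying.
ipt() { ${IPT:-iptables} "$@"; }

build_firewall() {
    # Start clean. INPUT and FORWARD close by default; OUTPUT stays open so the
    # gateway's own services (squid, resolver) can reach the internet.
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, replies to connections already opened, and nothing malformed
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # Services the LAN may reach on the gateway itself. No INPUT rule names
    # eth1, so nothing new is accepted from the ADSL side.
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 3128 -j ACCEPT
    ipt -A INPUT -i "$LAN" -p icmp --icmp-type echo-request -j ACCEPT

    # Rate-limited log of what INPUT drops, so mistakes show up in syslog
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "

    # The post's NAT and forwarding rules, plus a drop for packets arriving on
    # the ADSL side that claim a LAN source address (spoofed).
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    ipt -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j REDIRECT --to-port 3128
    ipt -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp -m multiport \
        --dports 53,80,110,143,443,993,995,3128 -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp -m multiport \
        --dports 53,110,143,993,995,1863 -j ACCEPT
}

# Prints the rules for review by default; "sh gateway-fw.sh apply" as root loads them.
if [ "${1:-}" = apply ]; then
    build_firewall
else
    (IPT=echo; build_firewall)
fi
```

Review the printed rules first; after loading them, `service iptables save` as in the post keeps them across reboots.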

giulix
26th January 2006, 04:40 PM
Go to this (http://www.shorewall.net) site, download the software, install the two-interface setup configuration example and start playing with it :)

brandor
26th January 2006, 09:27 PM
Alternatively, check out http://easyfwgen.morizot.net/gen/

It will generate a script based on your input for a decent firewall.

foobar47
1st February 2006, 02:57 PM
And why not ipcop... ;)
www.ipcop.org

brandor
1st February 2006, 03:00 PM
Another good choice.

Also there is http://www.m0n0.ch/wall/

:)
