Securing-Optimizing-RH-Linux-1_2_108
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
NOTE: Don't forget to exclude your own IP address from the outgoing packets you block.
The rest of the rules
Other rules used in the firewall script files are:
· Accessing a Service from the Outside World
· Offering a Service to the Outside World
· Masquerading the Internal Machines
The firewall script files
The ipchains tool allows you to set up firewalls, IP masquerading, etc. Ipchains talks to the kernel and tells it which packets to filter. All of your firewall setup is therefore stored in the kernel, and will be lost on reboot. To avoid this, we recommend using the System V init scripts to make your rules permanent. To do this, create a firewall script file like the one shown below in the /etc/rc.d/init.d/ directory of each server you have. Of course, each server has different services to offer and needs a different firewall setup. For this reason, we provide three different firewall settings, which you can examine, experiment with, and adapt to your needs. I also assume that you have a minimum knowledge of how a filtering firewall and its rules work.
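As an added example (not the book's script and not Robert L. Ziegler's code), the following POSIX sh init-style script shows what the "Offering a Service to the Outside World" and "Accessing a Service from the Outside World" rule pairs look like in ipchains syntax for a subset of the Web Server profile: loopback, ICMP, DNS client, SSH, HTTP and HTTPS as servers, SMTP as a client, all behind default-deny policies. The interface name eth0, the addresses 192.0.2.10 and 192.0.2.53, and the DRY_RUN variable are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: minimal System V style ipchains firewall for a Web Server.
# Interface, addresses and DRY_RUN are assumptions for the illustration.

EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"   # assumed NIC name
IPADDR="${IPADDR:-192.0.2.10}"                     # constructed host address
NAMESERVER="${NAMESERVER:-192.0.2.53}"             # constructed upstream DNS
ANYWHERE="any/0"
UNPRIVPORTS="1024:65535"
DRY_RUN="${DRY_RUN:-}"          # non-empty: print the rules instead of loading them

# run: load one rule with ipchains, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

# offer_tcp_service PORT: let the outside world reach a TCP server on this host.
# Replies leaving the host must not be SYN packets (! -y), so the output rule
# cannot be used to open new connections from the server side.
offer_tcp_service() {
    run -A input  -i "$EXTERNAL_INTERFACE" -p tcp \
        -s "$ANYWHERE" "$UNPRIVPORTS" -d "$IPADDR" "$1" -j ACCEPT
    run -A output -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
        -s "$IPADDR" "$1" -d "$ANYWHERE" "$UNPRIVPORTS" -j ACCEPT
}

# access_tcp_service PORT: let this host act as a TCP client of a remote
# service; inbound packets are only accepted when they are not SYNs.
access_tcp_service() {
    run -A output -i "$EXTERNAL_INTERFACE" -p tcp \
        -s "$IPADDR" "$UNPRIVPORTS" -d "$ANYWHERE" "$1" -j ACCEPT
    run -A input  -i "$EXTERNAL_INTERFACE" -p tcp ! -y \
        -s "$ANYWHERE" "$1" -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
}

# firewall_start: default-deny policies first, then the Web Server profile.
firewall_start() {
    run -P input   DENY
    run -P output  REJECT
    run -P forward REJECT
    run -F
    # Unlimited traffic on the loopback interface.
    run -A input  -i lo -j ACCEPT
    run -A output -i lo -j ACCEPT
    # Drop and log packets arriving from outside that claim our own address.
    run -A input -i "$EXTERNAL_INTERFACE" -s "$IPADDR" -j DENY -l
    # ICMP in both directions.
    run -A input  -i "$EXTERNAL_INTERFACE" -p icmp -j ACCEPT
    run -A output -i "$EXTERNAL_INTERFACE" -p icmp -j ACCEPT
    # DNS client (UDP 53) to the configured nameserver only.
    run -A output -i "$EXTERNAL_INTERFACE" -p udp \
        -s "$IPADDR" "$UNPRIVPORTS" -d "$NAMESERVER" 53 -j ACCEPT
    run -A input  -i "$EXTERNAL_INTERFACE" -p udp \
        -s "$NAMESERVER" 53 -d "$IPADDR" "$UNPRIVPORTS" -j ACCEPT
    # Services offered to the outside world: SSH, HTTP, HTTPS.
    for port in 22 80 443; do
        offer_tcp_service "$port"
    done
    # Service used as a client: SMTP to remote mail servers.
    access_tcp_service 25
}

# firewall_stop: flush every chain and fall back to accept-all policies.
firewall_stop() {
    run -F
    run -P input   ACCEPT
    run -P output  ACCEPT
    run -P forward ACCEPT
}

case "${1:-}" in
    start) firewall_start ;;
    stop)  firewall_stop ;;
    *)     echo "Usage: $0 {start|stop}" ;;
esac
```

Run it as `DRY_RUN=1 sh firewall start` to review the rules before installing the file under /etc/rc.d/init.d/ and registering it with chkconfig. FTP (20, 21), the DNS caching server side and outgoing traceroute are left out here; they follow the same offer/access pattern.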
Configuration of the /etc/rc.d/init.d/firewall script file for the Web Server
This is the configuration script file for our Web Server machine. By default, this configuration allows unlimited traffic on the Loopback interface, ICMP, DNS Caching and Client Server (53), SSH Server (22), HTTP Server (80), HTTPS Server (443), SMTP Client (25), FTP Server (20, 21), and OUTGOING TRACEROUTE requests.
If you don't want some of the services that I turn ON by default in the firewall rules file for the Web Server, comment them out with a "#" at the beginning of the line. If you want some other services that I have commented out with a "#", remove the "#" at the beginning of their lines.
Create the firewall script file (touch /etc/rc.d/init.d/firewall) on your Web Server and add:
#!/bin/sh
#
# ----------------------------------------------------------------------------
# Last modified by Gerhard Mourani: 02-01-2000
# ----------------------------------------------------------------------------
# Copyright (C) 1997, 1998, 1999 Robert L. Ziegler
#
# Permission to use, copy, modify, and distribute this software and its
# documentation for educational, research, private and non-profit purposes,
# without fee, and without a written agreement is hereby granted.
# This software is provided as an example and basis for individual firewall
# development. This software is provided without warranty.
#
# Any material furnished by Robert L. Ziegler is furnished on an
# "as is" basis. He makes no warranties of any kind, either expressed
# or implied as to any matter including, but not limited to, warranty
# of fitness for a particular purpose, exclusivity or results obtained
# from use of the material.
# ----------------------------------------------------------------------------
#
# Invoked from /etc/rc.d/init.d/firewall.
# chkconfig: - 60 95
# description: Starts and stops the IPCHAINS Firewall \
# used to provide Firewall network services.