RE: [cobalt-users] 550 firewall
- Subject: RE: [cobalt-users] 550 firewall
- From: BSmith@xxxxxxxxxxx
- Date: Fri Apr 11 14:08:01 2003
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
-----Original Message-----
From: Manny Tau
Subject: [cobalt-users] 550 firewall
The 550 has a built-in firewall, does it?
If so, how does the 550 approach this?
thnx, Manny
_____________________________________
Firewalls on the 550 are a little tricky. One may think, no it isn't, just
add the iptables stuff, and away you go. But, if you look at your cron
directory, you will see that iptables is restarted like every 60 minutes.
They use it to pull some information about your interface. So, the easiest
way is as follows.
Using your favorite editor (e.g. pico for me)
pico /etc/cron.hourly/log_traffic
Search for the following text:
# parse the traffic file and update the log file
cat $STATUSFILE | awk '
In the middle of that, add this line:
/sbin/firewall restart
Save that file, now it is time to create your firewall.
pico /sbin/firewall
Paste the following lines:
#!/bin/bash
# This is my firewall script for IPTABLES
# chkconfig: 345 98 10
# description: iptables firewall for the RaQ 550 (chkconfig needs this line too)

case "$1" in
  start)
    echo -n 'Starting Firewall: '
    # allow routing between interfaces (only matters for the NAT line below)
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # wipe everything, including the acctin/acctout chains the Cobalt
    # traffic logging reads, then let Cobalt's own init script set them
    # up again before we add our rules
    iptables -t nat --flush
    iptables -t filter --flush
    iptables -F acctin
    iptables -F acctout
    iptables -X acctin
    iptables -X acctout
    /etc/rc.d/init.d/iptables start
    # default deny on INPUT, then open only what this box serves
    iptables -t filter -P INPUT DROP
    # NOTE: this rule accepts every packet arriving on eth0, so the port
    # rules further down only filter traffic on the other interfaces
    iptables -t filter -A INPUT -i eth0 -j ACCEPT
    iptables -t filter -A INPUT -i lo -j ACCEPT
    # replies to connections we started, plus related traffic (ftp data)
    iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -t filter -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT   # ftp-data
    iptables -t filter -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT   # ftp
    iptables -t filter -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT   # http
    iptables -t filter -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT   # smtp
    iptables -t filter -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT  # https
    iptables -t filter -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT   # dns
    iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT          # dns
    iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT   # ssh
    # only if the box also routes a LAN; see the note below the script
    iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j MASQUERADE
    echo ' [OK]'
    ;;
  stop)
    echo -n 'Stopping Firewall: '
    # open the policy first so the flush never leaves the box unreachable
    iptables -t filter -P INPUT ACCEPT
    iptables -t nat --flush
    iptables -t filter --flush
    iptables -F acctin
    iptables -F acctout
    iptables -X acctin
    iptables -X acctout
    # put Cobalt's own chains back
    /etc/rc.d/init.d/iptables start
    echo ' [OK]'
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  status)
    # This shows the firewall ruleset!
    echo "********************"
    echo "* The Filter Table *"
    echo "********************"
    iptables -t filter --list -n
    echo
    echo "********************"
    echo "*  The NAT Table   *"
    echo "********************"
    iptables -t nat --list -n
    ;;
  *)
    echo
    echo " Firewall v1.0 for IPTABLES"
    echo "****************************************"
    echo "Usage $0 (start, stop, restart, status)"
    echo
    echo " Start   - Starts FW"
    echo " Stop    - Stops FW"
    echo " Restart - Restart FW"
    echo " Status  - Shows FW"
    echo
    ;;
esac
exit 0
The line "iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j MASQUERADE"
is used if you want to use it like a router and run NAT. If not, don't
add it!
Have fun.
BTW, This works great for me, if you have problems, I can lend an ear.
Thanks,
Brian
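Added example (mine, not code from Brian's post): a small POSIX sh helper that makes the cron edit above repeatable instead of a hand edit in pico. It inserts the "/sbin/firewall restart" line exactly once, directly before the "cat $STATUSFILE | awk '" pipeline in log_traffic, and refuses to touch a file that does not contain that pipeline, so a typo in the path cannot corrupt some other script. The path /etc/cron.hourly/log_traffic and the two marker lines come from the post; putting the hook before the pipeline rather than inside the quoted awk program is my reading of "in the middle of that". The sample cron script the functions are tried on is constructed for offline testing and is not the real Cobalt file.

```shell
#!/bin/sh
# Added example, not from the original post: idempotently hook
# "/sbin/firewall restart" into Cobalt's hourly traffic-logging cron
# script so the firewall ruleset survives the hourly iptables restart.
# Assumptions: the hook belongs on its own line immediately before the
# "cat $STATUSFILE | awk '" pipeline (inside the awk program it would
# break the script); the sample file below is a constructed stand-in.

HOOK='/sbin/firewall restart'
MARKER='cat $STATUSFILE | awk '"'"

# hook_count FILE: number of lines that are exactly the hook command.
hook_count() {
    grep -Fxc "$HOOK" "$1"
}

# add_hook FILE: insert $HOOK before the first line starting with $MARKER.
# Exit status: 0 if the file now holds exactly one hook line,
#              1 if the marker is absent (file left untouched),
#              2 if FILE is not a regular file.
add_hook() {
    file=$1
    [ -f "$file" ] || return 2
    # Already hooked: nothing to do, so re-running is safe.
    if grep -Fxq "$HOOK" "$file"; then
        return 0
    fi
    # No pipeline marker means this is not the script we expect; refuse.
    grep -Fq "$MARKER" "$file" || return 1
    cp "$file" "$file.bak"            # keep the original as a backup
    awk -v hook="$HOOK" -v marker="$MARKER" '
        # emit the hook once, right before the first marker line
        !done && index($0, marker) == 1 { print hook; done = 1 }
        { print }
    ' "$file.bak" > "$file"
    hook_count "$file" | grep -qx 1
}

# make_sample DIR: write a constructed stand-in for log_traffic (NOT the
# real Cobalt file) and print its path.
make_sample() {
    cat > "$1/log_traffic" <<'EOF'
#!/bin/sh
STATUSFILE=/tmp/traffic.status
/etc/rc.d/init.d/iptables restart >/dev/null 2>&1
# parse the traffic file and update the log file
cat $STATUSFILE | awk '
    { in_bytes += $1; out_bytes += $2 }
    END { print in_bytes, out_bytes }
' >> /var/log/traffic.log
EOF
    printf '%s\n' "$1/log_traffic"
}

# Usage: sh hook_firewall.sh /etc/cron.hourly/log_traffic
# With no argument the script only defines the functions.
if [ $# -gt 0 ]; then
    add_hook "$1"
    exit $?
fi
```

Run it as root against /etc/cron.hourly/log_traffic; a second run is a no-op, and the .bak copy lets you diff what changed. If it exits 1, the cron script on your box does not contain the "cat $STATUSFILE | awk '" line the post mentions, so look at it by hand before hooking anything in.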