Firewall Wizards mailing list archives
RE: Red Hat 7.1 and Iptables
From: Bruce Platt <Bruce () ei3corp com>
Date: Mon, 11 Jun 2001 16:09:29 -0400
I'm a few days behind on mail, so ... What's the general feeling of the group regarding the robustness of an iptables based fw?

That's rather open-ended; what I am really interested in is how reliable is an iptables based implementation built on top of Bastille, for example, in terms of:

- reliability -- does what its rules are defined to do,
- repeatability -- does the same thing each time,
- ease of adding general proxies -- e.g. squid,
- ease of adding in Free S/Wan,
- integration with tools like Snort,
- robustness to attack if one has done the set-up well.

Casual conversation as well as reading suggests that this can work quite well, but ...

Regards

-----Original Message-----
From: tony bourke [mailto:tony () vegan net]
Sent: Saturday, June 09, 2001 7:33 PM
To: Bill Asher
Cc: 'firewall-wizards () nfr com'
Subject: Re: [fw-wiz] Red Hat 7.1 and Iptables

Hi Bill,

You need to recompile the kernel with iptables enabled if you haven't done so already. I would recommend compiling it into the kernel, rather than as a module option; that way there is no question on whether the module is loaded.

Under networking options:

    [*] Packet socket
    [ ] Packet socket: mmapped IO
    [ ] Kernel/User netlink socket
    [*] Network packet filtering (replaces ipchains)

Network packet filtering is the option. There is also an option in that menu for:

    IP: Netfilter Configuration --->

Select that menu. In it, enable connection tracking; you probably want to enable FTP support, IP tables support, packet filtering, and reject target support.
    [*] Connection tracking (required for masq/NAT)
    [*]   FTP protocol support
    [*] IP tables support (required for filtering/masq/NAT)
    [*]   Packet filtering
    [*]   REJECT target support

Also, VERY IMPORTANT is to select Connection state match support:

    [*]   Connection state match support

This allows you to let in inbound EST connections on random ports, so you can block all ports > 1022 completely in your ruleset, while still allowing outgoing connections to grab a local > 1022 port. I'm not certain, but I think connection state support wasn't an option in either ipfwadm or ipchains (2.0 and 2.2, resp.). This alone is why I upgraded to 2.4.x.

Check out the other options as they pertain to what you are trying to do. I've got an example host firewall config, but it doesn't take into account NAT. I'd be happy to forward it to you.

Tony

On Thu, 7 Jun 2001, Bill Asher wrote:
> I'm running RedHat 7.1, kernel 2.4.2-2. Does anyone know how to enable iptables instead of the default ipchains? I am trying to set up a firewall for a small business network: 2 nics, eth0 - internet, eth1 - LAN. I'd like to begin using iptables, but am unsure how to enable iptables.
>
> If I run command: iptables -L
>
> I get:
>
>     /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
>     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
>     /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o failed
>     /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
>     iptables v1.2.1a: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
>     Perhaps iptables or your kernel needs to be upgraded.
>
> ipchains -L works fine so it is up and running... any help would be GREAT!
>
> B. Asher
> IT Manager
> SCHULTZ DESIGN
> (636)936-2900
> www.schultz-design.com
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://www.nfr.com/mailman/listinfo/firewall-wizards
--
Tony Bourke
tony () vegan net
Current thread:
- Red Hat 7.1 and Iptables Bill Asher (Jun 08)
- Re: Red Hat 7.1 and Iptables Martin Peikert (Jun 11)
- Re: Red Hat 7.1 and Iptables Peter Lukas (Jun 12)
- Re: Red Hat 7.1 and Iptables Luca Berra (Jun 11)
- Re: Red Hat 7.1 and Iptables tony bourke (Jun 11)
- Re: Red Hat 7.1 and Iptables tony bourke (Jun 11)
- <Possible follow-ups>
- RE: Red Hat 7.1 and Iptables mark . wiater (Jun 11)
- RE: Red Hat 7.1 and Iptables Chris 'Chipper' Chiapusio (Jun 12)
- RE: Red Hat 7.1 and Iptables Bruce Platt (Jun 12)
- Re: Red Hat 7.1 and Iptables Martin Peikert (Jun 14)
- RE: Red Hat 7.1 and Iptables Swift Griggs (Jun 14)
- Re: Red Hat 7.1 and Iptables Martin Peikert (Jun 11)