iptable-rules and DNS-setup
Hi,
I plan to set up a small box as a firewall. Since this project is still in the planning phase and I don't have the hardware yet, I can't just experiment, and therefore have to ask some stupid questions to find out if and how the things I want to do are possible:
Assume this box has an eth0 which is connected to the outside world and an eth1 which is connected to my inner network, which has to be secured:
1. What should an iptables rule look like that blocks all incoming connections on eth0?
2. What should an iptables rule look like that allows a connection from eth1 to the outside world on some specific ports only (e.g. ports 22, 80, 443), as long as no blocked IP is accessed?
3. What should an iptables rule look like that blocks an IP or an IP range for all accesses?
4. What should a local DNS server configuration look like that is available for all connections on eth1 and itself queries another (outer) DNS to resolve the request?
5. What should an iptables rule look like that blocks all DNS requests on eth1 that are for a DNS other than the one running locally?
Any help is appreciated
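One way to answer the five questions above, as an added example that is not part of the thread or of any CentOS project code. Everything concrete in it is an assumption: eth0 is the outside, eth1 the inside network 192.168.1.0/24 with the box itself at 192.168.1.1, 9.9.9.9 is the upstream resolver, and the blocked addresses are constructed from the TEST-NET documentation ranges. Run it as root with `apply`, or with `dry-run` to only print the iptables commands it would issue.

```bash
#!/bin/bash
# Added example, not from the thread: one way to answer the five questions
# above on a CentOS box with two NICs. All addresses are assumptions:
#   eth0 = outside, eth1 = inside (192.168.1.0/24, the box itself is 192.168.1.1),
#   upstream resolver 9.9.9.9, blocked ranges taken from TEST-NET space.
# Needs root to apply; "dry-run" only prints the iptables commands.
set -u

IPT="${IPT:-iptables}"       # set IPT=echo to print instead of apply
SYSCTL="${SYSCTL:-sysctl}"
WAN=eth0
LAN=eth1
LAN_NET=192.168.1.0/24
LAN_IP=192.168.1.1
UPSTREAM_DNS=9.9.9.9
OUT_PORTS="22 80 443"                    # Q2: the only ports the LAN may reach
BLOCKED="203.0.113.0/24 198.51.100.7"    # Q3: constructed example addresses

firewall_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1

    # Flush and default-deny. OUTPUT stays open so the box's own resolver
    # and package updates can still go out.
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Q3: one chain holds every blocked address, as source and as destination,
    # and all three built-in chains consult it before anything else.
    $IPT -N BLOCKLIST
    for net in $BLOCKED; do
        $IPT -A BLOCKLIST -d "$net" -j DROP
        $IPT -A BLOCKLIST -s "$net" -j DROP
    done
    $IPT -A INPUT   -j BLOCKLIST
    $IPT -A OUTPUT  -j BLOCKLIST
    $IPT -A FORWARD -j BLOCKLIST

    # Loopback, plus replies to connections this box or the LAN initiated.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Q1: no new connections from the outside. The DROP policy already does
    # this; the explicit rule keeps it true if the policy is ever changed.
    $IPT -A INPUT -i "$WAN" -j DROP

    # Q4/Q5: the LAN may talk DNS to this box only. Packets addressed to the
    # box traverse INPUT, packets routed elsewhere traverse FORWARD, so
    # accepting port 53 in INPUT and dropping it in FORWARD does exactly that.
    for proto in udp tcp; do
        $IPT -A INPUT   -i "$LAN" -s "$LAN_NET" -d "$LAN_IP" -p "$proto" --dport 53 -j ACCEPT
        $IPT -A FORWARD -i "$LAN" -p "$proto" --dport 53 -j DROP
    done

    # Q2: LAN to outside on the listed TCP ports only (BLOCKLIST above has
    # already vetoed blocked destinations), NATed behind the eth0 address.
    for port in $OUT_PORTS; do
        $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p tcp --dport "$port" \
             -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Admin access to the box itself, from the inside only.
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
}

# Q4: unbound as a forwarder that listens on the LAN side only, answers the
# LAN only, and sends every query upstream. Put the output in a file that
# /etc/unbound/unbound.conf includes (assumed: /etc/unbound/conf.d/forwarder.conf).
unbound_forwarder_conf() {
    cat <<EOF
server:
    interface: $LAN_IP
    access-control: 127.0.0.0/8 allow
    access-control: $LAN_NET allow
    access-control: 0.0.0.0/0 refuse
forward-zone:
    name: "."
    forward-addr: $UPSTREAM_DNS
EOF
}

case "${1:-}" in
    apply)        firewall_rules ;;
    dry-run)      IPT=echo; SYSCTL=echo; firewall_rules ;;
    unbound-conf) unbound_forwarder_conf ;;
    *)            echo "usage: $0 apply | dry-run | unbound-conf" >&2 ;;
esac
```

A few caveats a practitioner would want alongside this: the rules are IPv4 only, so ip6tables needs its own equivalent set; on CentOS 7 firewalld is enabled by default and has to be disabled before managing iptables by hand, and the rules only survive a reboot if saved (for example `iptables-save > /etc/sysconfig/iptables` with the iptables-services package). If you would rather have LAN clients silently use the local resolver than lose DNS, a nat-table `-A PREROUTING -i eth1 -p udp --dport 53 -j REDIRECT --to-ports 53` rule replaces the FORWARD drop. Finally, blocking port 53 does nothing against DNS over HTTPS, which rides on the port 443 that question 2 opens.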
- Posts: 10642
- Joined: 2005/08/05 15:19:54
- Location: Northern Illinois, USA
Re: iptable-rules and DNS-setup
Just buy a router.
Re: iptable-rules and DNS-setup
For about US$100 you can buy a 3 port gigabit "Ubiquiti Edgerouter Lite" firewall that's specifically designed to be a firewall/router. It uses far less power than a full blown PC and is hardened and designed to be a firewall.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: iptable-rules and DNS-setup
OK, the hardware is not a problem; there are small boxes with embedded AMD CPUs available that consume less than 20 W. Nevertheless I do NOT want to have something pre-manufactured, since one can't trust all these closed devices. So... how can this be done using a plain Linux system?
Re: iptable-rules and DNS-setup
Not to add fuel to the fire, but there are several small routers that run open source firmware, and I think that Ubiquiti router mentioned above is one of them.
http://en.wikipedia.org/wiki/DD-WRT
Re: iptable-rules and DNS-setup
OK, to come back to my original question: I DEFINITELY do not want to use anything other than CentOS on a special low-power box. So... is anybody able to help with my question?
- Posts: 10642
- Joined: 2005/08/05 15:19:54
- Location: Northern Illinois, USA
Re: iptable-rules and DNS-setup
You want simple answers to complex questions.
Making a secure edge router will require years of experience with Linux security.
You should get a dedicated router distribution, or buy a dedicated router.
Re: iptable-rules and DNS-setup
gerald_clark wrote: You should get a dedicated router distribution, or buy a dedicated router.
So in this case... is there any distribution you can recommend that is a fully open source project with no custom/commercial/closed source extensions?
Re: iptable-rules and DNS-setup
PFSense, IPCOP are two of many.
Just to recap, there is NO WAY you can harden a full blown distro (like CentOS or any other Linux/BSD OS) like a specially made (by experts) hardened, stripped down to the bare essentials, tested, tested again, tested by their user base firewall appliance. To try is just plain stupid. Security is not a few IPTABLE rules and a minimal Distro install, it goes far far far far beyond simple configuration hacks.
For the 2.5^15th time :: Better Details = Better Answers