Hello again everyone,
I have been working on making my own firewall with iptables, and I need some advice... again!
I am trying to come up with a good way to secure the firewall machine while it is booting.
One of the challenges I am facing is that I have to wait for the public network devices to come up before I can apply some of the rules. This is because it is receiving its address via DHCP, and I need its address before I can write the rules that apply to it.
My setup is simple:
eth0 (public interface)
eth1 (private interface)
So far, the best I can come up with is to do the following in the /etc/network/interfaces file.
The idea is that everything will be set to drop before the interfaces come up, except in and out on eth1 (private), and it will be that way until the full rules are calculated and applied.
I'm not worried about being locked out of eth0 because I will always be on the eth1 side.
/etc/network/interfaces
Code:
auto lo
iface lo inet loopback
    pre-up iptables-restore < /etc/iptables_startup_rules
-- eth1 config --
allow-hotplug eth0
iface eth0 inet dhcp
    post-up /etc/iptables_full_rules.sh
/etc/iptables_startup_rules looks something like this (from memory; syntax may not be 100%):
Code:
*filter
# Default policies: drop everything not explicitly accepted (packet/byte counters start at zero)
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is always allowed
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Private side (eth1) stays open so the box remains reachable during boot
-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
# iptables-restore needs COMMIT to actually load the table
COMMIT
The /etc/iptables_full_rules script retrieves the IP address from the eth0 interface, after it has come up, and uses it while building some additional rules.
So, does anyone have a better, more secure way I could protect the machine at startup?
Thanks for your time.
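As an added example (not the poster's own script), here is one way the post-up hook could derive the DHCP-assigned address of eth0, build the complete rule set as an iptables-restore file, and swap it in atomically so there is never a moment with an empty table. The function names, the conntrack-based allow rules and the interface variables are this example's assumptions; the eth0/eth1 layout is the one from the post.

```shell
#!/bin/sh
# Added example: build the full ruleset once eth0 has its DHCP address.
# Assumed layout: eth0 public, eth1 private (as in the post). Function and
# variable names are this example's own, not the poster's.
set -eu

PUBLIC_IF="${PUBLIC_IF:-eth0}"
PRIVATE_IF="${PRIVATE_IF:-eth1}"

# Print the first IPv4 address assigned to an interface; fail if none yet.
iface_addr() {
    ip -4 -o addr show dev "$1" | awk '{ sub(/\/.*/, "", $4); print $4; exit }' | grep .
}

# Emit an iptables-restore ruleset for the given public address.
# Default policies stay DROP; only what is explicitly listed is allowed.
build_full_rules() {
    pub_ip="$1"; pub_if="$2"; priv_if="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $priv_if -j ACCEPT
-A OUTPUT -o $priv_if -j ACCEPT
# Public side: only replies to connections the firewall itself started.
-A INPUT -i $pub_if -d $pub_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $pub_if -s $pub_ip -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Keep the DHCP lease renewable on the public interface.
-A INPUT -i $pub_if -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o $pub_if -p udp --sport 68 --dport 67 -j ACCEPT
# Everything else arriving on the public side is dropped by policy.
COMMIT
EOF
}

# Replace the startup ruleset in one atomic step.
apply_full_rules() {
    build_full_rules "$(iface_addr "$PUBLIC_IF")" "$PUBLIC_IF" "$PRIVATE_IF" | iptables-restore
}

# Invoked as the post-up hook with "apply"; defines functions only otherwise.
if [ "${1:-}" = "apply" ]; then
    apply_full_rules
fi
```

Because iptables-restore loads the whole table in one transaction, a syntax error leaves the startup rules in place rather than half a ruleset.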