List: debian-user
Subject: Re: Iptables at boot
From: Bob Weber <bobrweber () gmail ! com>
Date: 2018-01-31 21:00:34
Message-ID: d69955f5-11a8-f8b0-7b28-3a81878e5d4a () gmail ! com
On 1/31/18 12:28 PM, Jacques Rodary wrote:
>
> Hi
>
> Many things happened since my first message: I first had to get rid of connman
> (connection manager), which insisted on presetting iptables rules without any
> notice. My Debian box is used as a DNS chrooted server (also I had to modify
> bind9.service behaviour), and I use iptables to do NAT, since I have one
> routable address for several clients. With Jessie I managed to have all this
> working. When upgrading to stretch, because of a stupid error with grub on my
> RAID system, and of an insufficient backup, I lost most of my config. Thanks
> for your help. When everything is OK, I will surely have a use for your
> answers.
>
> Jacques
>
Have you looked at shorewall? I use it on all my debian linux installs.
Basically it's a front end to the kernel iptables network filters. It sets up
the iptables entries and then goes away so that there is no additional program
running after it does its job. It starts up on boot after you have set up the
rules the way you want. You have to set a parameter in the
/etc/default/shorewall file to have it start since you don't want to lose
connection to your machine if you are logging in through a network port. That
way you can test it before you actually use it. It is driven by several text
config files in /etc/shorewall. For instance NAT is set up easily by this
command in the snat file (my internet connection is on eth1 and local 172 net
is on eth0):
MASQUERADE 172.16.0.1/16 eth1
I redirect all the dns and time requests to my router machine even if the client
has requested these services from an outside address. I use opendns for its
malware filters so bind is set to forward all non local dns queries to opendns
servers. I also use dnscrypt-proxy to get a secure connection to opendns so
that I can be assured that the data coming back from opendns hasn't been
tampered with. These 2 lines in the rules file accomplish the redirection:
REDIRECT Loc 53 tcp,udp 53 -
REDIRECT Loc 123 tcp,udp 123 -
There is plenty of documentation and examples for simple setups available on the
shorewall web site.
--
*...Bob*
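As an added example (not code from the post above or from shorewall itself), the script below translates the two kinds of shorewall lines Bob quotes (the snat file MASQUERADE line and the rules file REDIRECT lines) into the bare iptables commands that do the same job, and wraps the "test it before you rely on it at boot" advice in a rollback timer for people who persist raw iptables rules instead. It assumes zone "loc" is eth0 as in the post; shorewall's own generated ruleset is more elaborate than this one-to-one mapping.

```shell
#!/bin/sh
# Added example, not code from the list post or from shorewall: turn the
# two kinds of shorewall config lines quoted in the post (snat file, rules
# file) into the raw iptables commands that do the same job. Useful when
# rules are persisted with iptables-save/iptables-restore at boot instead.
# Assumption: zone "loc" is eth0, as in the post. Shorewall's generated
# ruleset is more elaborate; this is the bare equivalent.

LOC_IF=eth0   # interface behind zone "loc" (assumption taken from the post)

# snat file line: "MASQUERADE <source net> <outgoing interface>"
snat_to_iptables() {
    awk '$1 == "MASQUERADE" { printf "iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n", $2, $3 }'
}

# rules file line: "REDIRECT <zone> <local port> <proto[,proto]> <dport> [origdest]"
# emits one PREROUTING rule per protocol listed in the PROTO column
redirect_to_iptables() {
    awk -v locif="$LOC_IF" '$1 == "REDIRECT" && tolower($2) == "loc" {
        n = split($4, protos, ",")
        for (i = 1; i <= n; i++)
            printf "iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j REDIRECT --to-ports %s\n", locif, protos[i], $5, $3
    }'
}

# The post's point about testing before enabling at boot, for raw iptables:
# apply a generated rule script but roll back after 90 s unless confirmed,
# so a bad rule cannot lock you out of a remote box. Must run as root.
apply_with_rollback() {
    iptables-save > /tmp/iptables.rollback
    rm -f /tmp/iptables.ok
    sh "$1"
    ( sleep 90; [ -e /tmp/iptables.ok ] || iptables-restore < /tmp/iptables.rollback ) &
    echo "touch /tmp/iptables.ok within 90 s to keep the new rules"
}

# Demo on the three lines quoted in the post (prints commands, installs nothing)
printf 'MASQUERADE 172.16.0.1/16 eth1\n' | snat_to_iptables
printf 'REDIRECT Loc 53 tcp,udp 53 -\nREDIRECT Loc 123 tcp,udp 123 -\n' | redirect_to_iptables
```

Pipe the generated lines into a file and hand it to apply_with_rollback; nothing in the translation step touches the kernel, so it is safe to run as an unprivileged user to review the result first.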