Hello everyone,
I'm creating an iptables firewall using Firewall Builder (fwbuilder.org). I like the clean shell scripts that FW Builder creates and have tested several of them on various test boxes.
The latest firewall I'm needing to create is for a server (FC2, iptables v1.2.9) that I host several virtual websites/email on. This box has 3 static IP addresses on it. I also have built a few rules to allow certain IPs to have access to any port, any time (in case I screw something up, I can get back in and fix it, as this box is at a server house and I have no console access).
I've generated a sample firewall and placed it here: http://kold.homelinux.com/homesvr.fw (bash shell script)
The IPs are not real and probably not even associated with the right netmasks. The rules for addresses using 192.168* and 127.0.0.[234] are the "static" IPs for me to get back in if something messes up. Otherwise I'm allowing all 9 services access and denying everything else.
Here are a few questions:
1) Is there a way I can allow a dynamic hostname to have unlimited access to the server? For example, if I'm a Comcast subscriber the hostname to my cable modem is 12-134345-112.nashville.comcast.com or something like that. Is there a way I can create a firewall rule to allow all *.nashville.comcast.com requests for any port rather than a static IP?
2) Are there other restrictions I should place on the 9 ports I have open? If so, what are they?
Thanks for any help, Kevin
Kevin Old wrote:
Here are a few questions:
- Is there a way I can allow a dynamic hostname to have unlimited access to
the server? For example, if I'm a Comcast subscriber the hostname to my cable modem is 12-134345-112.nashville.comcast.com or something like that. Is there a way I can create a firewall rule to allow all *.nashville.comcast.com requests for any port rather than a static IP?
I wouldn't enable a wide range like that... What I would do is a little shell script magic to open just the necessary IP... This is how I'd do it:
1 - Register a dynamic DNS entry in any service like dnsalias.org. Get the autoupdate client and configure it on the machine connected to Comcast. This way, every time your home IP changes, the DNS entry will be pointing to it.
2 - Make a little shell script which does something like this and set it to run every 5 minutes on cron: get the IP for hostname myhomemachine.dnsalias.org (for example); if $HOMEIP is set, compare it with the IP you got on the first step. If they are the same, just exit. If they're different, set the $HOMEIP var and run the bash script of the firewall.
This should be enough, if the firewall script uses the $HOMEIP variable to configure the necessary lines.
- Are there other restrictions I should place on the 9 ports I have
open? If so, what are they?
Sorry. Couldn't open your firewall script here... my provider sometimes has issues with some random servers :|
-- Pedro Macedo
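The cron-driven check Pedro outlines, written out as an added example (it is not from the thread, and it is not fwbuilder's generated output). The hostname, the state file and the firewall script path are placeholders. The script resolves the dynamic-DNS name, accepts the answer only if it is a plain dotted-quad IPv4 address (a resolver answer is untrusted input that would otherwise be interpolated into iptables commands), and re-runs the firewall script with $HOMEIP set only when the address has actually changed, so an unresolvable name or a transient DNS failure leaves the current rules in place rather than dropping the admin access rule.

```shell
#!/bin/sh
# dyn-admin-ip.sh - keep the firewall's admin-access rule pointed at a
# dynamic-DNS hostname. Added example; all three values below are placeholders.
HOME_HOST="${HOME_HOST:-myhomemachine.dnsalias.org}"   # the dynamic DNS name
STATE_FILE="${STATE_FILE:-/var/run/homeip.state}"       # last address applied
FW_SCRIPT="${FW_SCRIPT:-/etc/fw/homesvr.fw}"            # fwbuilder-generated script

# Accept only a plain dotted-quad IPv4 address (four octets, each 0-255).
# Anything else (an IPv6 answer, an empty answer, shell metacharacters) is
# rejected so it can never reach an iptables command line.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# Print the first address the resolver returns for a hostname, or nothing.
# (On a dual-stack host the first line may be IPv6; is_ipv4 then rejects it
# and no reload happens. getent ahostsv4 is cleaner where glibc supports it.)
resolve_ip() {
    getent hosts "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# needs_reload OLD NEW: true only when NEW is a valid IPv4 address that
# differs from OLD. A bad or empty NEW keeps the existing rules untouched.
needs_reload() {
    is_ipv4 "$2" || return 1
    [ "$1" != "$2" ]
}

# Resolve, compare with the stored address, and re-run the firewall script
# with HOMEIP exported when the address changed. The generated script is
# assumed to have been edited to use $HOMEIP for the admin rule, e.g.
#   iptables -A INPUT -s "$HOMEIP" -j ACCEPT
update_admin_rule() {
    old="$(cat "$STATE_FILE" 2>/dev/null || true)"
    new="$(resolve_ip "$HOME_HOST")"
    if needs_reload "$old" "$new"; then
        printf '%s\n' "$new" > "$STATE_FILE"
        HOMEIP="$new" sh "$FW_SCRIPT"
        echo "admin address changed: ${old:-none} -> $new" >&2
    fi
}

# Only act when invoked as "dyn-admin-ip.sh run" (e.g. from cron); sourcing
# the file merely defines the functions.
if [ "${1:-}" = "run" ]; then
    update_admin_rule
fi
```

A crontab entry such as `*/5 * * * * /usr/local/sbin/dyn-admin-ip.sh run` gives the five-minute cadence Pedro suggests. Because the reload only happens on a validated change, a DNS outage at the provider does not strip the admin rule, and the state file shows which address the firewall last applied.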