[lug] the world's easiest iptables firewall
Sean Reifschneider
jafo at tummy.com
Sun Dec 12 19:26:52 MST 2004
On Thu, Dec 09, 2004 at 07:58:45PM -0700, Kevin Fenzi wrote:
>Coming to you live from the BLUG meeting tonight, it was suggested
>that I post the world's easiest iptables firewall that I just demoed.
Indeed. It's good, but you have to be a little careful with it if it's on
a busy machine or firewall machine. You may need to increase the default
in /proc/sys/net/ipv4/ip_conntrack_max; the default is 32k. We just
recently had to up a router on a high-traffic network to 512k; it was very
unhappy when it hit this limit.
You can see how many you are currently using with:
[root at gwen jafo]# wc -l /proc/net/ip_conntrack
2555 /proc/net/ip_conntrack
In this case, we are using conntrack mainly as a simple firewall for the
router itself, but the conntrack is applying to *ALL* connections going
through the router. On 2.6 you can use the "NOTRACK" target to mark the
routed traffic as not being tracked.
>iptables -A INPUT -j LOG
I like to rate-limit logging:
iptables -A INPUT -m limit --limit 20/min --limit-burst 20 -j LOG
That will allow a burst to come in; otherwise it will limit the logging to
one message every 3 seconds.
Sean
--
If you don't believe it's correct before you start testing, what
could possibly convince you? -- Don Grimes, 1994
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995. Qmail, Python, SysAdmin
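An added example, not part of Sean's post: a small POSIX shell script that checks how full the conntrack table is against ip_conntrack_max (so you get a warning before the router becomes "very unhappy") and prints the rate-limited LOG rule from the post. The file paths default to the 2.4-era names used above; the function arguments, thresholds and the warning format are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Defaults are the 2.4-era
# /proc names from the post; later kernels use /proc/net/nf_conntrack and
# /proc/sys/net/nf_conntrack_max, so both are overridable via arguments.

# Print the number of tracked connections (one line per entry, as in
# the "wc -l /proc/net/ip_conntrack" check from the post).
conntrack_count() {
    table="${1:-/proc/net/ip_conntrack}"
    [ -r "$table" ] || { echo "cannot read $table" >&2; return 1; }
    wc -l < "$table" | tr -d ' '
}

# Print integer percentage of the table in use: count * 100 / max.
conntrack_pct() {
    count="$1"; max="$2"
    [ "$max" -gt 0 ] 2>/dev/null || { echo "bad max: $max" >&2; return 1; }
    echo $(( count * 100 / max ))
}

# Return 0 if usage is below the threshold (default 80%), 1 if at/above it,
# 2 on read errors.  $1 table file, $2 max file, $3 threshold percent.
check_conntrack() {
    table="${1:-/proc/net/ip_conntrack}"
    maxfile="${2:-/proc/sys/net/ipv4/ip_conntrack_max}"
    threshold="${3:-80}"
    count=$(conntrack_count "$table") || return 2
    max=$(cat "$maxfile") || return 2
    pct=$(conntrack_pct "$count" "$max") || return 2
    if [ "$pct" -ge "$threshold" ]; then
        echo "WARNING: conntrack $count/$max (${pct}%) at or above ${threshold}%"
        return 1
    fi
    echo "OK: conntrack $count/$max (${pct}%)"
}

# Print the rate-limited LOG rule from the post for a given average
# rate (per minute) and burst size.
log_rule() {
    rate="${1:-20}"; burst="${2:-20}"
    echo "iptables -A INPUT -m limit --limit ${rate}/min --limit-burst ${burst} -j LOG"
}

# Seconds between log messages once the burst is used up (60 / rate).
log_interval() {
    echo $(( 60 / ${1:-20} ))
}
```

Run `check_conntrack` from cron with the default paths and alert on a non-zero exit; with the post's numbers (2555 of 32768) it reports 7% used.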