
BLU Discuss list archive



Hardware firewall?



On Thu, Jul 03, 2003 at 09:05:30AM -0400, Robert La Ferla wrote:

> Any recommendations for a low-cost hardware firewall for a high traffic 
> web server?  Something that won't slow down performance.  It does not 
> need to be stateful just fast.

If the webserver box is running linux, how 'bout just running some
simple iptables rules on the box itself?

Assuming you just have one interface, maybe something like the following.
I can't imagine this would add much overhead.

#! /bin/sh

########################################################################
IPTABLES="/sbin/iptables"
# A single-interface web server does not route for anyone else, so leave
# forwarding off (the FORWARD chain is dropped below in any case).
echo "0" > /proc/sys/net/ipv4/ip_forward
########################################################################


########################################################################
# Flush existing rules for all chains, and delete any user-defined chains
# left over from an earlier ruleset.
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
    
# The default policy for each chain is to DROP the packet.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
########################################################################


########################################################################
# Allow this host to talk to itself.  Match on the interface only: local
# traffic addressed to the box's own eth0 address also arrives on lo, and
# a "-d 127.0.0.1" test would drop it.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow this host to establish new connections.  Otherwise only accept
# established connections (and RELATED ones, e.g. ICMP errors for them).
$IPTABLES -A OUTPUT --match state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT --match state --state ESTABLISHED,RELATED -j ACCEPT

# Allow web connections.  Only the initial SYN needs to match here; the
# rest of each connection is accepted by the ESTABLISHED rule above.
$IPTABLES -A INPUT --protocol tcp --syn --destination-port 80 -j ACCEPT

# Allow secure web connections
$IPTABLES -A INPUT --protocol tcp --syn --destination-port 443 -j ACCEPT

# Allow ssh
$IPTABLES -A INPUT --protocol tcp --syn --destination-port 22 -j ACCEPT

# Allow ping (other ICMP, such as fragmentation-needed, comes in as
# RELATED and is accepted by the state rule above).
$IPTABLES -A INPUT --protocol icmp --icmp-type echo-request -j ACCEPT
########################################################################


-- 
Ron Peterson                   -o)
87 Taylor Street               /\\
Granby, MA  01033             _\_v
https://www.yellowbank.com/   ---- 
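Added example, not from Ron's post: the same single-interface web-server policy written as an iptables-restore(8) ruleset. A script that runs iptables one command at a time leaves a window between the flush and the DROP policies, and an error halfway through leaves the box half-configured (typically with the ssh session you ran it from hung); iptables-restore parses the whole table first and commits it in one step. The function and variable names (gen_rules, load_rules, count_dport_rules, ADMIN_NET) and the management range 203.0.113.0/24 used to restrict ssh are assumptions for illustration, not anything from the original post.

```shell
#!/bin/sh
# Added example: emit a single-interface web-server firewall policy in
# iptables-restore(8) format so it can be loaded atomically.
# Assumption (placeholder, not from the original post): ssh is only
# accepted from the management range ADMIN_NET.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

# gen_rules: print a complete *filter table for iptables-restore.
# Lines starting with '#' are ignored by iptables-restore.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback first: local processes may talk to any local address, not
# only 127.0.0.1, so match on the interface rather than the address.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Discard packets conntrack cannot classify before the state rules run.
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# New inbound connections: web from anywhere, ssh only from ADMIN_NET.
# Only the SYN needs to match; the rest is handled by ESTABLISHED above.
-A INPUT -p tcp --syn --dport 80 -j ACCEPT
-A INPUT -p tcp --syn --dport 443 -j ACCEPT
-A INPUT -p tcp --syn --dport 22 -s $ADMIN_NET -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# count_dport_rules: number of port-opening rules in the generated text.
# A cheap sanity check that the ruleset did not gain or lose a service.
count_dport_rules() {
    gen_rules | grep -c -- '--dport'
}

# load_rules: parse-only first (-t, --test) so a syntax error is reported
# before anything touches the running ruleset, then commit atomically.
load_rules() {
    gen_rules | iptables-restore -t && gen_rules | iptables-restore
}
```

Run `load_rules` as root on the target host; `gen_rules` alone is safe to run anywhere and is what to diff against the running `iptables-save` output when auditing. The example keeps the post's `-m state` spelling; on current kernels `-m conntrack --ctstate` is the preferred form and the two are interchangeable here.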




BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
