
#1 2009-02-17 12:01:38

zenlord
Member
From: Belgium
Registered: 2006-05-24
Posts: 1,221

hosts.allow or iptables?

Hi,

Setting up a server for the first time and I'm granting only access from the local network by setting all daemons separately as 192.168.0.0/255.255.255.0 in /etc/hosts.allow.

Now I was wondering if this is as safe as installing and running iptables. I know I have a lot more options with iptables (outgoing traffic etc.), but is this a safe way of setting up a server? I am only installing and running the bare minimum of packages to ensure I don't have anything open that I don't need.

I would like to keep it simple at first, but over time I might be interested in making this server (privately) accessible over the internet...

Zl.


#2 2009-02-17 13:17:02

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: hosts.allow or iptables?

Well... your best bet would be to use both hosts.allow AND an iptables-based firewall. Iptables would be your first line of defense, while hosts.allow would be the second (and only for tcpwrapper-aware daemons, e.g. telnet, ssh; a counterexample would be the Apache HTTP server, which has its own connection prevention mechanisms, not based on hosts.allow/deny).
Arch has two packages in extra that should help you in setting up an iptables firewall: fwbuilder and firestarter. I personally prefer an older script, based on ncurses (console-based). It's called EasyTables... but it's unmaintained now and probably harder to find on the net... though I think I've seen the project still present on SourceForge not so long ago.


In love I believe and in Linux I trust
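
The two layers described in the reply above, written out for the 192.168.0.0/255.255.255.0 network from the first post. This is an added example, not part of any post in the thread; the sshd daemon name, TCP port 22 and the function names are assumptions.

```shell
#!/bin/sh
# Added example: emit matching iptables and tcp-wrappers rules for one LAN.
# Assumptions (not from the thread): sshd on TCP port 22 is the only service.
LAN="192.168.0.0/255.255.255.0"   # network given in the first post

# Layer 1: iptables-restore ruleset. Default-drop inbound, then allow
# loopback, replies to our own traffic, and new TCP connections from the LAN.
# Usage: gen_iptables <network> <tcp-port>...
gen_iptables() {
    net=$1; shift
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        echo "-A INPUT -s $net -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# Layer 2: /etc/hosts.allow lines, one per tcp-wrappers-aware daemon.
# Usage: gen_hosts_allow <network> <daemon>...
gen_hosts_allow() {
    net=$1; shift
    for daemon in "$@"; do
        echo "$daemon: $net"
    done
}

# tcp-wrappers grants access when neither file matches, so hosts.allow
# only restricts anything if hosts.deny refuses everyone else.
gen_hosts_deny() { echo 'ALL: ALL'; }

# Print all three files for review; nothing is applied to the system here.
show_all() {
    echo '# --- iptables-restore input ---'; gen_iptables "$LAN" 22
    echo '# --- /etc/hosts.allow ---';       gen_hosts_allow "$LAN" sshd
    echo '# --- /etc/hosts.deny ---';        gen_hosts_deny
}
show_all
```

Daemons that do not use tcp-wrappers, such as the Apache example in the reply, are covered only by the iptables layer, so each of their ports needs its own entry in the `gen_iptables` call.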

#3 2009-02-17 22:40:22

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,224

Re: hosts.allow or iptables?

I'd suggest iptables. I try to avoid using the tcp-wrappers and do everything in iptables. It keeps all config for who's allowed and who isn't in one central place instead of spread out disparately, which makes it easier to maintain.

Of course, I roll my own iptables rules too, so maybe I'm just a nerd :P

#4 2009-02-18 19:14:47

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: hosts.allow or iptables?

@fukawi2: It's good to be a nerd, but the man seems to be a beginner. With an iptables helper he'll get a working script (modifiable after he gets familiar with iptables) by answering a few easy questions. He'll also be able to skip loads of iptables man pages and at the same time he's getting a working firewall quickly. And, after all... the resulting script may be a good starting point for learning iptables, rather than just reading the manual.

Last edited by ckristi (2009-02-18 19:15:55)


In love I believe and in Linux I trust


#5 2009-02-18 20:42:41

zenlord
Member
From: Belgium
Registered: 2006-05-24
Posts: 1,221

Re: hosts.allow or iptables?

@ckristi: thx for the compliment :) (and for the help of course... :))

THX - I will get into iptables once every service on my server is working the way I want it to. That way iptables cannot get in the way of debugging my setup.

Zl.


#6 2009-02-19 20:07:21

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: hosts.allow or iptables?

@zenlord:
Sorry if I made you feel offended. That was definitely not my purpose.


In love I believe and in Linux I trust
