Firewall Setup Tips

From NST Wiki
Revision as of 08:27, 4 March 2007 by Paul Blankenbaker

The following provides some tips and examples of managing the firewall rules at a running NST probe.

In a Nut Shell

  • Use quicktables or fwbuilder to initialize your iptables configuration.
  • Use iptables-save to save the current configuration as: "/etc/sysconfig/iptables".
  • Enable the iptables service.

iptables

The iptables command can be used to manage firewall rules on an NST probe.

Displaying the Active iptables Configuration

Testing The Firewall Configuration

With Another NST System

From the Internet

Managing iptables As A Service

After one has performed a hard disk installation, it is often desirable to configure the system such that the appropriate firewall rules are loaded at the time the system boots.

The following demonstrates how one can save the current iptables configuration to the file: "/etc/sysconfig/iptables", and enable the iptables service:

Saving iptables Configuration
[root@tmobile ~]# iptables-save >| /etc/sysconfig/iptables
[root@tmobile ~]# chkconfig iptables on
[root@tmobile ~]# service iptables start
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]
[root@tmobile ~]#

NOTE: Additional configuration values related to the iptables service can be found in the file: "/etc/sysconfig/iptables-conf".

Using quicktables-2.3

Creating configuration files for iptables by hand is a difficult task. The NST distribution comes with the quicktables-2.3 program to help one get started.

No Incoming Connections

The following demonstrates:

  • The creation of a script using quicktables-2.3 which will configure iptables such that it does not allow the outside world to connect to your system.
  • How to install and list the rules.
  • How to save the configuration such that the rules will be enforced the next time the system is started.

Turning an NST Probe Into A Broadband Router

In many homes and small businesses, you will find a small broadband router (such as a LinkSys WRT54G). The broadband router is typically configured to act as a firewall and perform Network Address Translation (NAT). This provides a layer of protection for the internal Local Area Network (LAN) against the outside world: it allows systems on the LAN to initiate connections to the outside world, but blocks the outside world from initiating connections to systems within the LAN.

An NST probe can be configured to act as a broadband router (thus assuming one of the roles of a LinkSys WRT54G).

NST Broadband Router Disadvantages

  • Contains moving mechanical parts (more likely to have a hardware failure over time).
  • Uses more power.

NST Broadband Router Advantages

  • A full suite of Linux tools is available.
  • Packet capture can be done on the "clean side" (prior to NAT). This makes network analysis of Internet usage much simpler.
  • Additional services (not typically found on a small broadband router) can be configured. For example, one could set up the NST system to act as a proxy server for the LAN.

NST Broadband Router Configuration Script

The following script can be used to configure an NST probe to act as a broadband router. By default, it permits systems on the internal LAN (the "clean" side) to initiate connections to the outside world (the "dirty" side), but prevents the outside world from initiating any connections back to the LAN.

IMPORTANT: There are a few variables at the top of the script which will need to be adjusted based upon the network and hardware configuration.
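The shape of such a script, as an added example that is not NST's own configuration script: the interface names (eth0 for the dirty side, eth1 for the clean side), the LAN network 192.168.1.0/24 and the IPT dry-run variable are assumptions of this example. It also covers the "No Incoming Connections" case above, since the INPUT and FORWARD policies drop anything the outside world initiates; setting IPT=echo prints the rules instead of loading them, which lets you review the rule set before applying it as root.

```shell
#!/bin/bash
# Example broadband-router rule set for an NST probe (not NST's own script).
# Adjust these assumed values for your hardware and network before applying.
WAN_IF="${WAN_IF:-eth0}"               # "dirty" side, faces the Internet
LAN_IF="${LAN_IF:-eth1}"               # "clean" side, faces the internal LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # address range of the internal LAN
# IPT=echo turns this into a dry run that prints the rules instead of loading them.
IPT="${IPT:-iptables}"

router_rules() {
    # Start from a clean slate; default to dropping unsolicited traffic.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # The probe itself: loopback, replies to its own connections, and LAN clients.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # Forwarding: the LAN may open connections outward; only replies come back in.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # NAT: rewrite LAN source addresses to the WAN address on the way out.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # The kernel must be told to forward packets between interfaces (skipped in dry run).
    if [ "$IPT" != echo ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Load the rules only when invoked as: ./router.sh apply
if [ "${1:-}" = "apply" ]; then
    router_rules
fi
```

After the rules are loaded, save them with iptables-save and enable the service exactly as shown in "Managing iptables As A Service" above so they survive a reboot.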




The following demonstrates