Gentoo Forums
Networking & Security
IPtables files to get up a quick firewall HOW TO
penguinlnx
Tux's lil' helper
Joined: 17 Mar 2005
Posts: 124
Location: Ice Station Alert AFB
Posted: Tue Apr 26, 2005 6:25 am    Post subject: IPtables files to get up a quick firewall HOW TO

Here are a couple of iptables/firewall scripts I was given by jtshaw. His website seems temporarily unreachable, so I have posted them here along with his notes. iptables is not automatically included in many installations. Don't forget to either emerge iptables from a command line, or select it from the Porthole/Portage GUI and emerge it.
from console wrote:
# emerge iptables <enter>
Normally iptables is automatically placed in /sbin. If you change this, update jts-firewall accordingly as well.
To get these files, simply grab the text off the screen and paste it into your text editor, then save each as a file with the appropriate name. (Don't add the .txt extension to the file.) Put jts-firewall in your /sbin directory. Make sure you make it executable by root: right-click on the file and select 'Properties', then click on the Permissions tab and allow 'execute'. Do this for both files. Edit the jts-firewall script as needed. I have a bunch of rules commented out for allowing connections on different ports so you can see examples of how things are done.
jts-firewall wrote:
#!/bin/sh
# IPTABLES=/sbin/iptables is where the iptables binary is normally placed. Change as needed:
IPTABLES=/sbin/iptables

case "$1" in
    start|reload|restart)
        # Flush existing rules
        ${IPTABLES} -F INPUT

        # Allow replies to connections this machine opened (ESTABLISHED) and traffic
        # related to them, such as ICMP errors (RELATED). eth0 is assumed to be the
        # interface facing the network; change it if yours differs.
        ${IPTABLES} -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Allow incoming SSH requests
        #${IPTABLES} -A INPUT -p tcp --dport ssh -j ACCEPT

        # Allow incoming Samba connections
        #${IPTABLES} -A INPUT -p tcp --dport netbios-ssn -j ACCEPT
        #${IPTABLES} -A INPUT -p tcp --dport microsoft-ds -j ACCEPT
        #${IPTABLES} -A INPUT -p tcp --dport swat -j ACCEPT
        #${IPTABLES} -A INPUT -p udp --dport netbios-ns -j ACCEPT
        #${IPTABLES} -A INPUT -p udp --dport netbios-dgm -j ACCEPT

        # Allow incoming ipp for network printing -- We don't have a printer.
        #${IPTABLES} -A INPUT -p tcp --dport ipp -j ACCEPT
        #${IPTABLES} -A INPUT -p udp --dport ipp -j ACCEPT

        # Allow incoming https/www for web.
        #${IPTABLES} -A INPUT -p tcp --dport https -j ACCEPT
        #${IPTABLES} -A INPUT -p tcp --dport www -j ACCEPT
        #${IPTABLES} -A INPUT -p tcp --dport 8080 -j ACCEPT

        # Allow incoming smtp connections.
        #${IPTABLES} -A INPUT -p tcp --dport smtp -j ACCEPT

        # Allow incoming spamd connections:
        # We don't need to let others connect to spamd for any reason.
        #${IPTABLES} -A INPUT -p tcp --dport spamd -j ACCEPT

        # Log and drop everything else that did not arrive on loopback. Logging is
        # limited to an initial burst of 5 entries and then 3 per second, so a flood
        # of dropped packets cannot fill the disk or hog the CPU writing log lines.
        ${IPTABLES} -A INPUT ! -i lo -m limit --limit 3/second --limit-burst 5 -j LOG --log-level 4 --log-prefix "[iptables] "
        ${IPTABLES} -A INPUT ! -i lo -j DROP
        ;;
    stop)
        # Flush existing rules (the INPUT policy stays ACCEPT, so this opens the host again)
        ${IPTABLES} -F INPUT
        ;;
    status)
        ${IPTABLES} -L -v -n
        ;;
    *)
        echo "Usage: $0 {start|restart|reload|stop|status}"
        exit 1
        ;;
esac
exit 0
Put firewall-init in your /etc/init.d folder; again, make sure you make it executable by root (right-click on the file, select 'Properties', click on the Permissions tab and allow 'execute'). Do this for both files. Adding firewall-init to your initscripts will get your firewall up and running on each boot. To do this, drop into a command line and execute the following line:
Quote:
# rc-update add firewall-init default <enter>
firewall-init wrote:
#!/sbin/runscript
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/app-admin/bastille/files/bastille-2.1.1-firewall.init,v 1.2 2004/07/14 21:09:15 agriffis Exp $

opts="start stop"
REALSCRIPT=/sbin/jts-firewall

depend() {
    need logger net
}

start() {
    ebegin "Starting jts-firewall"
    # Run the script rather than exec'ing it: exec would replace the runscript
    # shell, so eend would never run and the service would not be marked started.
    $REALSCRIPT start
    eend $? "Failed to start jts-firewall"
}

stop() {
    ebegin "Stopping jts-firewall"
    $REALSCRIPT stop
    eend $? "Failed to stop jts-firewall"
}
To make sure your firewall is working and your computer is in 'stealth' mode, you can go to one of the test sites, like GRC.COM and see if your ports are properly closed.

Last edited by penguinlnx on Sun May 01, 2005 11:10 am; edited 5 times in total
wjholden
l33t
Joined: 01 Mar 2004
Posts: 826
Location: Augusta, GA
Posted: Tue Apr 26, 2005 6:56 am

Thanks! Put this in your signature or something; iptables is a bitch to work with, so this will save me, among others, lots of time. If jtshaw reads this, thank you!
penguinlnx
Tux's lil' helper
Joined: 17 Mar 2005
Posts: 124
Location: Ice Station Alert AFB
Posted: Tue Apr 26, 2005 8:55 am

No Sweat! I was so pleased when JtShaw showed me how to do a firewall in 5 minutes, that I just had to post and share this.

I have put a link to it in my signature as you suggested...but I don't know how to give it a title...
wjholden
l33t
Joined: 01 Mar 2004
Posts: 826
Location: Augusta, GA
Posted: Wed Apr 27, 2005 5:07 pm

Just put tags around it like this: [url=http://whatever]name[/url]
penguinlnx
Tux's lil' helper
Joined: 17 Mar 2005
Posts: 124
Location: Ice Station Alert AFB
Posted: Thu Apr 28, 2005 1:50 pm    Post subject: This would make a great Sticky or Permanent Thread...

I hope an Admin looks at this, and can make it into a sticky!
Digital Storm
Tux's lil' helper
Joined: 07 Mar 2003
Posts: 116
Location: Toronto, Canada
Posted: Sat Apr 30, 2005 11:22 am

Thanks! :D

I've been wandering back and forth between iptables gui setups but they all seem confusing to me...After reading this simple script it looks great and should be easy to tailor to my needs...

It makes iptables easier to understand as well, all the other scripts are great but I find them long and complicated...
niuck
n00b
Joined: 16 Mar 2005
Posts: 60
Posted: Thu May 19, 2005 7:36 pm

I generally try to avoid posting my problems to the forum and try to solve them myself. But this time I'm stuck. I just can't figure out how to modify the script to fit my network. :(

The network looks like this:

Internet (static IP) -- Gentoo-Router -- Switch -- Gentoo-box (rsync, ircd)

The Gentoo router is connected directly to the internet with a static IP. The router has dhcpd and dnsmasq installed. Behind the router I have another Gentoo box that I want to run different services on: ircd, rsync server etc. I also have a wireless AP connected to the switch that one client is connected to.

On my router eth0 is the LAN and eth1 is the WAN (Internet).

I'm really new to this and I have tried to read the manuals etc. But apparently my brain can't take it all in. :D
Help is _very_ appreciated. Thanks.


Last edited by niuck on Sat Feb 17, 2007 11:32 pm; edited 1 time in total
someguy
Guru
Joined: 10 Jul 2003
Posts: 433
Location: (-_-) .::OH_WELL::. (-_-)
Posted: Tue May 24, 2005 7:04 am

nice
zooz_pxp
n00b
Joined: 30 Oct 2005
Posts: 6
Posted: Thu Nov 10, 2005 12:29 am

I've tried to get iptables working for so long, and this is the only thread that got me up and running. Thanks, really.
MrUlterior
Guru
Joined: 22 Mar 2005
Posts: 511
Location: Switzerland
Posted: Thu Nov 10, 2005 10:29 am

That script is too simplistic. It sets no default DROP policy on INPUT, OUTPUT & FORWARD, and it doesn't handle OUTPUT & FORWARD at all, not to mention masquerading, S/DNAT etc ...

Note:
Quote:

21.6.1 Firewalls Can Be Dangerous

We started the chapter by pointing out that a firewall is not a panacea. We will conclude the chapter by making the point again: firewalls can be a big help in ensuring the security of your network; however, a misconfigured firewall, or a firewall with poor per-host controls, may actually be worse than no firewall at all. With no firewall in place, you will at least be more concerned about host security and monitoring. Unfortunately, at many sites, management may be lulled into believing that their systems are secure after they have paid for the installation of a significant firewall - especially if they are only exposed to the advertising hype of the vendor and consultants.


Quote:
While stateful inspection firewalls are the most secure, they are also rather complex and the most likely to be misconfigured. Whichever firewall type you choose, keep in mind that a misconfigured firewall can in some ways be worse than no firewall at all, because it lends the dangerous impression of security while providing little or none.
-Robert G. Ferrell


My advice is that if you're not prepared to read the iptables man page, which contains everything you need to know to implement a PROPER firewall, then rather use an out-of-the-box solution like guarddog, firestarter, shorewall etc. Using something like the script in the OP leads to delusions of security; it is about as efficient as the default FW in WinXP SP2.
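niuck's question (a Gentoo router with eth0 on the LAN and eth1 on the Internet, plus an internal box offering ircd and rsync) and MrUlterior's objections (no default DROP policy, nothing for FORWARD, no masquerading or DNAT) are two views of the same gap in the original script. The script below is an added example written for this page, not jtshaw's script and not anything posted in the thread, showing what the two-interface version of the same idea looks like. The interface names follow niuck's description; the LAN range 192.168.1.0/24, the server address 192.168.1.10, the ports 6667 (ircd) and 873 (rsyncd), and the router's own LAN-side services (SSH, DHCP, DNS) are assumptions to edit for your network. `-m state` is kept to match the thread's era; current iptables still accepts it as an alias for the conntrack match. Setting `IPT=echo` prints the rules instead of loading them, which is a cheap way to review the ruleset before trusting it on a machine you can only reach over the network.

```shell
#!/bin/sh
# Added example for this thread, not jtshaw's script: a stateful two-interface
# firewall with default-DROP INPUT/FORWARD policies, NAT for the LAN and DNAT for
# published services. ASSUMPTIONS (edit for your network): eth0 = LAN, eth1 = WAN,
# LAN 192.168.1.0/24, server 192.168.1.10, ircd on 6667, rsyncd on 873.
# Usage: "router-fw start|stop|status|restart" as root; IPT=echo for a dry run.
IPT="${IPTABLES:-/sbin/iptables}"
WAN="${WAN:-eth1}"
LAN="${LAN:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SERVER="${SERVER:-192.168.1.10}"
PUBLISHED_TCP="${PUBLISHED_TCP:-6667 873}"

fw_flush() {
    # Empty filter and nat and drop user chains, so a restart never stacks
    # new rules on top of stale ones.
    for t in filter nat; do
        "$IPT" -t "$t" -F
        "$IPT" -t "$t" -X
    done
}

fw_start() {
    fw_flush
    # Default deny for traffic to and through the router; the router's own
    # outbound traffic stays open (tighten OUTPUT once you know what it needs).
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT

    # INPUT: loopback, replies to our own connections plus RELATED traffic
    # (ICMP errors, FTP data), and nothing conntrack cannot classify.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m state --state INVALID -j DROP
    # Anti-spoofing: the LAN range never legitimately arrives on the WAN side.
    "$IPT" -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP
    "$IPT" -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # Services the router itself offers, LAN side only: SSH, DHCP, DNS (dnsmasq).
    "$IPT" -A INPUT -i "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    "$IPT" -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    "$IPT" -A INPUT -i "$LAN" -p udp --dport 53 -j ACCEPT
    "$IPT" -A INPUT -i "$LAN" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    # LAN may ping the router freely; Internet pings are answered at a trickle.
    "$IPT" -A INPUT -i "$LAN" -p icmp --icmp-type echo-request -j ACCEPT
    "$IPT" -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

    # FORWARD: LAN hosts may go out, replies come back, anything else hits the policy.
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m state --state INVALID -j DROP
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT

    # Published services on the internal box. DNAT rewrites the destination in
    # PREROUTING, so the FORWARD rule must match the internal address, not the public one.
    for p in $PUBLISHED_TCP; do
        "$IPT" -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$p" -j DNAT --to-destination "$SERVER"
        "$IPT" -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$SERVER" --dport "$p" -m state --state NEW -j ACCEPT
    done

    # Hide the LAN behind the public address (SNAT --to-source also works with a static IP).
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE

    # Rate-limited logging of what falls through to the DROP policies.
    "$IPT" -A INPUT -m limit --limit 3/second --limit-burst 5 -j LOG --log-prefix "[fw-in] "
    "$IPT" -A FORWARD -m limit --limit 3/second --limit-burst 5 -j LOG --log-prefix "[fw-fwd] "
    # Forwarding is a kernel switch, not a rule: set net.ipv4.ip_forward = 1 in
    # /etc/sysctl.conf (or echo 1 > /proc/sys/net/ipv4/ip_forward) or nothing is routed.
}

fw_stop() {
    # Open everything again: flush, then reset the policies fw_start set to DROP.
    fw_flush
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
}

fw_status() {
    "$IPT" -L -v -n
    "$IPT" -t nat -L -v -n
}

fw_main() {
    case "$1" in
        start|restart|reload) fw_start ;;
        stop)                 fw_stop ;;
        status)               fw_status ;;
        *) echo "Usage: $0 {start|restart|reload|stop|status}" >&2; return 1 ;;
    esac
}

# Only act when a command is given; running the file with no arguments just
# defines the functions, so it can also be sourced.
if [ $# -gt 0 ]; then
    fw_main "$@"
fi
```

Dropped in /sbin and named in firewall-init's REALSCRIPT, it slots into the init script from the first post unchanged. The order matters: ESTABLISHED,RELATED and INVALID come first so the per-service rules only ever see NEW connections, and the FORWARD accept for a DNATed service names the internal address because by the time FORWARD runs the destination has already been rewritten.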
All times are GMT