Gentoo Forums
HOWTO: Iptables for newbies. PART II: Securing your Network

beuselinck
n00b


Joined: 09 Oct 2004
Posts: 19
Location: Ghent, Belgium

Posted: Wed May 18, 2005 7:18 pm

Great guide!

I'm learning a lot about firewalls.

But I'm having a hard time understanding something:

How can a rule applying to the OUTPUT chain have a source address? E.g. in the script you have:
Code:
$IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  --dport $i --syn -m state --state NEW -j ACCEPT


and in a rule from KannX in this thread

Code:
$IPT -A OUTPUT -o $INTIF1 -s $INTIP1 -d $INTNET1  -p udp --sport ntp -j ACCEPT


Aren't packets going through the OUTPUT chain packets that are created locally? If they are, then what is the source address?

Kinda lost on this...

thanks
Kazaza
Tux's lil' helper


Joined: 28 Mar 2004
Posts: 100
Location: Sweden

Posted: Wed May 18, 2005 8:16 pm

Just wanted to say that this is a really great guide! Thanks for working with it... :D
lost+found
Guru


Joined: 15 Nov 2004
Posts: 509
Location: North~Sea~Coa~s~~t~~~

Posted: Thu May 19, 2005 11:18 am

@beuselinck
I think it's just an extra check: all packets have a source address anyway, spoofed or not, because they must be replied to in order to actually start the connection. See man iptables, option --syn. $LPDIP isn't useful for interfaces other than lo, $EXTIP is.

@any firewall guru
I think I read about some kind of problem with the "--state ESTABLISHED,RELATED" lines over here:
Quote:
Using the state module alone, INVALID will break protocols that use bi-directional connections or multiple connections or exchanges, unless an ALG is provided for the protocol. At this time, FTP and IRC are the only protocols with ALG support.
Is this what the ip_conntrack_ftp/irc modules are for? ... and the reason p2p like gnutella needs separate rules?
tscolari
l33t


Joined: 02 May 2004
Posts: 602
Location: curitiba - pr - Brazil

Posted: Wed Jun 01, 2005 5:27 pm

This tutorial is very useful :)

But I got some problems here...
My iptables script does this:

Code:

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#####################################
$IPTABLES -A INPUT --protocol tcp --dport 22    -j ACCEPT       #ssh
$IPTABLES -A INPUT --protocol tcp --dport 23    -j ACCEPT       #telnet
$IPTABLES -A INPUT --protocol tcp --dport 21    -j ACCEPT       #ftp
$IPTABLES -A INPUT --protocol tcp --dport 139   -j ACCEPT       #samba
$IPTABLES -A INPUT --protocol tcp --dport 177   -j ACCEPT       #XDMCP
$IPTABLES -A INPUT --protocol tcp --dport 2049  -j ACCEPT       #NFS

####################
$IPTABLES -A INPUT      -j DROP         
$IPTABLES -A FORWARD    -j DROP   
$IPTABLES -A OUTPUT     -j ACCEPT


I just want to block everything that's coming in that is not one of the services I allow.
For ssh it works normally, but with ftp and telnet it doesn't :/
(I don't know about the others, they haven't been tested yet.)

I'm using the netkit-telnet and ftpd ebuilds, which seem to use xinetd. Is there any special rule I should add to make them work?
_________________
------------------------------------
Tiago Scolari
amzuk
Tux's lil' helper


Joined: 30 Apr 2005
Posts: 79
Location: RF/Krasnodar

Posted: Thu Jul 14, 2005 9:46 am

Lepaca Kliffoth wrote:
I was wondering if I can use this script. I've got a desktop connected to the internet through adsl and I want it to share the connection with a laptop. The laptop's connected to my desktop with a cross-over cable. How should I modify the script?


No, this is exactly what you need, except that you don't have $INTIF2.
_________________
When your problem is resolved, put [SOLVED] in the topic.
elestedt
Guru


Joined: 13 Mar 2005
Posts: 383

Posted: Sun Sep 18, 2005 10:55 pm

Hi

I've added some port forwarding by using
Code:
$IPT -A FORWARD -j ACCEPT -p tcp --dport 80
$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j DNAT --to 192.168.0.1:80

to the script, and this works great as long as I'm not on the INTIF network. That is, it works as long as I'm on the internet, even if I try to connect to the external IP from the internal network.
What I want is for that forwarding to work regardless of source (more or less). How do I have to modify the script to get that functionality?
Thanks in advance.
Stalione
Guru


Joined: 21 Apr 2002
Posts: 335

Posted: Mon Sep 26, 2005 7:47 pm

I started out with the iptables script that is posted at the beginning of this thread. I changed it quite a bit to match my needs (since I am not forwarding anything). I have had very good success so far, except for getting NFS working. All I am trying to do is restrict all outgoing and incoming traffic:
$IPT -A OUTPUT -j REJECT

But I would like to permit the host to be able to mount remote nfs shares. Also I would like the host to be able to serve nfs shares. I edited the /etc/conf.d/nfs file to the following:
Quote:

# Number of servers to be started up by default
RPCNFSDCOUNT=8

# Options to pass to rpc.mountd
# ex. RPCMOUNTDOPTS="-p 32767
RPCMOUNTDOPTS="-p 32767"

# Options to pass to rpc.statd
# ex. RPCSTATDOPTS="-p 32765 -o 32766"
RPCSTATDOPTS="-p 32765 -o 32766"

# Options to pass to rpc.idmapd
RPCIDMAPDOPTS=""

# Timeout (in seconds) for exportfs
EXPORTFSTIMEOUT=30


and also modified the sysctl.conf file to the following:
Quote:

# TCP Port for lock manager
fs.nfs.nlm_tcpport = 32768
# UDP Port for lock manager
fs.nfs.nlm_udpport = 32768


I have tried various rules to get the host to mount nfs shares and serve nfs shares but I cannot get it working for the life of me.
Quote:

# NFS
$IPT -A OUTPUT --protocol tcp --dport 2049 -j ACCEPT
$IPT -A OUTPUT --protocol tcp --dport 32765:32770 -j ACCEPT



Keep in mind this host only has one network interface, and is NOT acting as a router/gateway.

When I attempt to mount an nfs share I get the following error:
Quote:

spduslishnode01 sysop # mount -t nfs -o mountport=955 10.55.58.143:/mnt /mnt/floppy
mount: RPC: Unable to send; errno = Operation not permitted


If I enable all outbound traffic, then it works. I am not sure what else I need to allow outbound. Any ideas?
MikeP
Tux's lil' helper


Joined: 27 Feb 2003
Posts: 115
Location: Germany

Posted: Fri Oct 07, 2005 8:52 pm

Stalione wrote:
I am not sure what else I need to allow outbound. Any ideas?


As I came across this, one suggestion that may help: you could try to use ethereal or something similar and check all packets that get sent when you mount the share while all outbound traffic may pass.
lost+found
Guru


Joined: 15 Nov 2004
Posts: 509
Location: North~Sea~Coa~s~~t~~~

Posted: Sat Nov 05, 2005 11:56 am

This is how I do some sorting of the firewall log lines in OpenOffice (for analysis the ugly way ;-) ).

<snip>

THE SCRIPT MOVED HERE: https://forums.gentoo.org/viewtopic-p-2868355.html#2868355 :lol:


-------


Last edited by lost+found on Tue Dec 06, 2005 12:20 pm; edited 3 times in total
patrix_neo
Guru


Joined: 08 Jan 2004
Posts: 520
Location: The Maldives

Posted: Sat Dec 03, 2005 7:45 pm

First of all, thanks for a good guide! We need more talented writers like you.

Next I would like to contribute, if no one else has. I've never seen it elsewhere, but I made it work for me.
What I do is have the LANIP var calculated from LANIF (eth1) only. I did it like this:
Code:

LANIF="eth1"
# IPv4 address of $LANIF; match 'inet addr:' so an 'inet6 addr:' line does not add an empty extra line
LANIP="`ifconfig $LANIF|grep 'inet addr:'|sed 's/.*addr:\([^ ]*\) .*/\1/'`"
# broadcast address from the same ifconfig line
LANBCAST="`ifconfig $LANIF|grep Bcast:|sed 's/.*Bcast:\([^ ]*\) .*/\1/'`"


I think it might be handy if you only have to enter your LANIF to get the LANIP and LANBCAST parameters automatically.
The same can of course be done with your other eth[n] interfaces.

I have not found out how to get LANET="192.168.1.0/24" (for example) calculated from ifconfig data. Which means it can be handy to have the actual LANIP, but now it is hidden with this method.
namo
n00b


Joined: 29 Jun 2004
Posts: 28
Location: Berkeley

Posted: Tue Dec 06, 2005 9:59 am

Just a side note: people with localized setups might find it useful to use
Code:
LC_ALL='C' /sbin/ifconfig
instead of plain ifconfig, since its output is localized and this can break the sed filters (and maybe include it in the main script?).
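A way to fill the gap patrix_neo mentions (deriving the network/prefix from ifconfig data) that also bakes in namo's LC_ALL=C caveat, as an added example that is not code from either post or from the guide's script. It assumes the net-tools ifconfig output layout and uses a constructed sample so it runs without a real interface.

```shell
#!/bin/sh
# Derive LANNET (e.g. 192.168.1.0/24) from the IP and mask that net-tools
# ifconfig prints. Pure POSIX sh arithmetic plus grep/sed, nothing else.

# prefix_len MASK -> number of leading 1 bits (255.255.255.0 -> 24)
prefix_len() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs          # split the octets
    bits=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    n=0
    while [ $(( bits & 2147483648 )) -ne 0 ]; do        # top bit set?
        n=$(( n + 1 ))
        bits=$(( (bits << 1) & 4294967295 ))            # shift, keep 32 bits
    done
    echo "$n"
}

# lan_net IP MASK -> NETWORK/PREFIX, i.e. (IP AND MASK) plus the mask length
lan_net() {
    ip=$1; mask=$2
    oldifs=$IFS; IFS=.
    set -- $ip;   i1=$1; i2=$2; i3=$3; i4=$4
    set -- $mask; m1=$1; m2=$2; m3=$3; m4=$4
    IFS=$oldifs
    echo "$(( i1 & m1 )).$(( i2 & m2 )).$(( i3 & m3 )).$(( i4 & m4 ))/$(prefix_len "$mask")"
}

# ifconfig_net "<ifconfig output>" -> NETWORK/PREFIX, read from the
# "inet addr:... Bcast:... Mask:..." line ("inet6 addr:" lines are ignored)
ifconfig_net() {
    line=$(printf '%s\n' "$1" | grep 'inet addr:')
    ip=$(printf '%s\n' "$line" | sed 's/.*inet addr:\([^ ]*\).*/\1/')
    mask=$(printf '%s\n' "$line" | sed 's/.*Mask:\([^ ]*\).*/\1/')
    lan_net "$ip" "$mask"
}

# Constructed sample of net-tools ifconfig output (C-locale labels) so the
# script runs without a real interface; addresses are made up.
IFCONFIG_SAMPLE='eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.37  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::211:22ff:fe33:4455/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# On a live box feed the real output instead, forcing the C locale so the
# labels are not translated:  ifconfig_net "$(LC_ALL=C /sbin/ifconfig eth1)"
ifconfig_net "$IFCONFIG_SAMPLE"      # prints 192.168.1.0/24
```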
parker.richie
n00b


Joined: 04 Aug 2006
Posts: 1

Posted: Fri Aug 04, 2006 7:29 am    Post subject: Using 2 ISP's

Hi,


Well, firstly, IPTables part 1 was really good; I have tried it out and haven't faced any issues as of now :).

However, I would really appreciate it if I could find out how to configure two ISPs using iptables. For example, how do I do load balancing?

Any documents which could guide me step by step?

Thanks in advance
patrix_neo
Guru


Joined: 08 Jan 2004
Posts: 520
Location: The Maldives

Posted: Fri Aug 04, 2006 8:22 am    Post subject: Re: Using 2 ISP's

parker.richie wrote:
Hi,


Well, firstly, IPTables part 1 was really good; I have tried it out and haven't faced any issues as of now :).

However, I would really appreciate it if I could find out how to configure two ISPs using iptables. For example, how do I do load balancing?

Any documents which could guide me step by step?

Thanks in advance


Hi. What you are looking for is the tc command (traffic control) for load balancing. Try this link http://www.lartc.org/howto/index.html and look at chapter 9. It works in conjunction with iptables. Another way to say it: the two work in symbiosis with each other. You can queue the traffic and, with the help of the MARK options in iptables, use it in collaboration with tc.

Worth a look.
carpenike
Tux's lil' helper


Joined: 10 Feb 2005
Posts: 127

Posted: Thu Aug 24, 2006 4:05 am

Hello,

First of all, thank you VERY much for the informative guide! It definitely got me going in the right direction...

Just have a quick question... Here's my current setup:

Cable Modem (5 Public IP Addresses) --> Gentoo Router (4 NICs).

Two of those NICs on my Gentoo Router are bridged together. When I don't have any IPTables settings on the box, I can easily pull DHCP addresses through the bridge.

I also have an IP address on top of the bridge group that I use to NAT my other 2 interfaces (one wireless and one wired).

My problem is that as soon as I turn on IPTables, DHCP broadcasts cannot traverse the bridge group, and I'm also not able to pass pings through to the box when it already has an IP address.

My config is pretty much the same as his, with the exception that instead of eth0 being my $EXTIF, br0 is my $EXTIF.

Can anybody give me advice? I'd like to be able to limit the ports that are accessible to those 5 public IPs by using IPTables like so. Any help would be most appreciated!
lost+found
Guru


Joined: 15 Nov 2004
Posts: 509
Location: North~Sea~Coa~s~~t~~~

Posted: Thu Dec 21, 2006 9:44 pm

Not necessarily in reply to carpenike, but here [ http://www.malibyte.net/iptables/scripts/firewall.iptables-generic ] are some nice iptables rules for use with a DHCP server and/or client. You can steal the relevant ones and paste them into the script of this thread.

For a client only (dhcpcd) and cable modem, I pasted the first set of 7 rules after the loopback interface section of our script (before blocking broadcasts). More* than enough imho. Plus this:
Code:
DHCP_SERVER_IP=`grep DHCPSID /var/lib/dhcpc/dhcpcd-$EXTIF.info | sed 's:DHCPSID=\(.*\):\1:'`


For a server there's another section at the end.

* = /var/lib/iptables/rules-save shows that most of these rules are not used, not often used, or only used in some cases (offline modem) in my/Gentoo's configuration... :-s


Last edited by lost+found on Fri Dec 29, 2006 4:00 pm; edited 1 time in total
lost+found
Guru


Joined: 15 Nov 2004
Posts: 509
Location: North~Sea~Coa~s~~t~~~

Posted: Wed Dec 27, 2006 11:04 am

I guess this is a good place to start a firewall script...

/etc/conf.d/net:
Code:
postup() {
   [[ ${IFACE} != "lo" ]] && /root/scripts/firewall.sh
}
Page 5 of 5