IPtables files to get up a quick firewall HOW TO

Post by penguinlnx » Tue Apr 26, 2005 6:25 am

Here are a couple of iptables/firewall scripts I was given by jtshaw. His website seems temporarily unreachable, so I have posted them here, along with his notes. iptables is not automatically included in many installations. Don't forget to either emerge iptables from a command line, or select it from the Porthole/Portage GUI and emerge it.
from console wrote:
# emerge iptables <enter>
Normally iptables is automatically placed in /sbin. If you change this, update jts-firewall accordingly as well.
To get these files, simply grab the text off the screen and paste it into your text editor, then save each as a file with the appropriate name. (Don't add the .txt extension to the file.) Put jts-firewall in your /sbin directory. Make sure you make it executable by root: right-click on the file and select 'Properties', then click on the Permissions tab and allow 'Execute'. Do this for both files. Edit the jts-firewall script as needed. I have a bunch of rules commented out for allowing connections on different ports, so you can see examples of how things are done.
jts-firewall wrote:
#!/bin/sh
# IPTABLES=/sbin/iptables is where the iptables binary is normally placed. Change as needed:
IPTABLES=/sbin/iptables

case "$1" in
start|reload|restart)
    # Flush existing rules from INPUT. The chain policy is left at ACCEPT;
    # the explicit LOG+DROP pair at the end of the chain does the blocking.
    ${IPTABLES} -F INPUT

    # Allow replies to all data that has been sent out from this machine.
    # RELATED covers ICMP errors (destination unreachable, fragmentation needed)
    # tied to those connections; without it, path MTU discovery breaks.
    # The original bound this to eth0; matching on connection state alone
    # also works on boxes with more than one interface.
    ${IPTABLES} -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Allow incoming SSH requests
    #${IPTABLES} -A INPUT -p tcp --dport ssh -j ACCEPT

    # Allow incoming Samba connections (swat is the Samba web admin tool, TCP 901)
    #${IPTABLES} -A INPUT -p tcp --dport netbios-ssn -j ACCEPT
    #${IPTABLES} -A INPUT -p tcp --dport microsoft-ds -j ACCEPT
    #${IPTABLES} -A INPUT -p tcp --dport swat -j ACCEPT
    #${IPTABLES} -A INPUT -p udp --dport netbios-ns -j ACCEPT
    #${IPTABLES} -A INPUT -p udp --dport netbios-dgm -j ACCEPT

    # Allow incoming ipp for network printing -- We don't have a printer.
    #${IPTABLES} -A INPUT -p tcp --dport ipp -j ACCEPT
    #${IPTABLES} -A INPUT -p udp --dport ipp -j ACCEPT

    # Allow incoming https/www for web.
    #${IPTABLES} -A INPUT -p tcp --dport https -j ACCEPT
    #${IPTABLES} -A INPUT -p tcp --dport www -j ACCEPT
    #${IPTABLES} -A INPUT -p tcp --dport 8080 -j ACCEPT

    # Allow incoming smtp connections.
    #${IPTABLES} -A INPUT -p tcp --dport smtp -j ACCEPT

    # Allow incoming spamd connections:
    # We don't need to let others connect to spamd for any reason.
    #${IPTABLES} -A INPUT -p tcp --dport spamd -j ACCEPT

    # Log and drop all other data that did not arrive on loopback. Logging is
    # limited to 3 lines/second (burst 5) so a flood of unwanted packets cannot
    # fill the disk with log entries; the packets are dropped regardless.
    # "! -i lo" is the current negation syntax; the older "-i ! lo" is deprecated.
    ${IPTABLES} -A INPUT ! -i lo -m limit --limit 3/second --limit-burst 5 -j LOG --log-level 4 --log-prefix "[iptables] "
    ${IPTABLES} -A INPUT ! -i lo -j DROP
    ;;
stop)
    # Flush existing rules. With the chain policy at ACCEPT this opens the box up.
    ${IPTABLES} -F INPUT
    ;;
status)
    ${IPTABLES} -L -v -n
    ;;
*)
    echo "Usage: $0 {start|restart|reload|stop|status}"
    exit 1
    ;;
esac
exit 0
Put firewall-init in your /etc/init.d folder; again, make sure you make it executable by root (right-click on the file, select 'Properties', click on the Permissions tab and allow 'Execute'). Do this for both files. Adding firewall-init to your initscripts will get your firewall up and running on each boot. To do this, drop into a command line and execute the following line:
# rc-update add firewall-init default <enter>
firewall-init wrote:
#!/sbin/runscript
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/app-admin/bastille/files/bastille-2.1.1-firewall.init,v 1.2 2004/07/14 21:09:15 agriffis Exp $

opts="start stop"
REALSCRIPT=/sbin/jts-firewall

depend() {
    need logger net
}

start() {
    ebegin "Starting jts-firewall"
    # Run the script rather than exec it: exec would replace this shell,
    # so eend below would never run and the result would not be reported.
    $REALSCRIPT start
    eend $? "Failed to start jts-firewall"
}

stop() {
    ebegin "Stopping jts-firewall"
    $REALSCRIPT stop
    eend $? "Failed to stop jts-firewall"
}
To make sure your firewall is working and your computer is in 'stealth' mode, you can go to one of the test sites, like GRC.COM, and see if your ports are properly closed.

Last edited by penguinlnx on Sun May 01, 2005 11:10 am, edited 5 times in total.
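Added example, not part of penguinlnx's post or of jtshaw's scripts: the script above only populates INPUT and never changes the chain policies, so once it is loaded it is worth checking the live ruleset itself rather than relying only on an external port scan. The shell function below reads an `iptables-save` dump from stdin and reports filter-table chains whose policy is not DROP, built-in chains left with no rules, and an INPUT chain that accepts ESTABLISHED without RELATED. Both dumps embedded in it are constructed for illustration, not captured from a real host.

```sh
#!/bin/sh
# Added example: audit an `iptables-save` dump for the things a quick
# INPUT-only script tends to leave out. Reads the dump from stdin, so it
# works on a live box (iptables-save | audit_filter_table, as root), on a
# saved file, or on a dump copied from another host.

# Constructed sample: roughly what the jts-firewall script from this thread
# leaves in place, only INPUT populated and every policy still ACCEPT.
LAX_DUMP='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -m limit --limit 3/sec --limit-burst 5 -j LOG --log-prefix "[iptables] "
-A INPUT ! -i lo -j DROP
COMMIT
# Completed'

# Constructed sample of a ruleset the audit has nothing to say about.
STRICT_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# audit_filter_table: read a dump on stdin, print one finding per line.
# Returns 0 when there are no findings, 1 otherwise.
audit_filter_table() {
    awk '
    /^\*/                 { table = substr($0, 2); next }   # *filter, *nat, ...
    table != "filter"     { next }                          # only the filter table
    /^:/ {                                                  # :CHAIN POLICY [pkts:bytes]
        chain = substr($1, 2)
        order[++nchains] = chain
        policy[chain] = $2
        rules[chain] = 0
        next
    }
    /^-A / {                                                # -A CHAIN <matches> -j TARGET
        rules[$2]++
        if ($0 ~ /--(ct)?state [A-Z,]*ESTABLISHED/) established[$2] = 1
        if ($0 ~ /--(ct)?state [A-Z,]*RELATED/)     related[$2] = 1
        next
    }
    END {
        n = 0
        for (i = 1; i <= nchains; i++) {
            c = order[i]
            # user-defined chains are saved with policy "-"; only built-ins need DROP
            if (policy[c] != "DROP" && policy[c] != "-") {
                print "policy: " c " is " policy[c] ", expected DROP"; n++
            }
            if (rules[c] == 0) {
                print "empty: chain " c " has no rules"; n++
            }
        }
        if (!("INPUT" in established)) {
            print "stateful: INPUT has no ESTABLISHED accept rule"; n++
        } else if (!("INPUT" in related)) {
            print "stateful: INPUT accepts ESTABLISHED but not RELATED (ICMP errors, PMTUD)"; n++
        }
        exit (n > 0)
    }'
}

# count_findings: number of findings for the dump text passed as $1.
count_findings() {
    printf '%s\n' "$1" | audit_filter_table | wc -l | tr -d ' '
}

# Run with "demo" as the first argument to see both samples audited.
if [ "${1:-}" = "demo" ]; then
    echo "== lax ruleset =="
    printf '%s\n' "$LAX_DUMP" | audit_filter_table
    echo "== strict ruleset =="
    printf '%s\n' "$STRICT_DUMP" | audit_filter_table && echo "no findings"
fi
```

On the lax sample the function reports six findings (three policies at ACCEPT, FORWARD and OUTPUT empty, and ESTABLISHED without RELATED) and exits non-zero, so it can sit at the end of a firewall init script as a sanity check; on the strict sample it prints nothing and exits 0.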
Post by wjholden » Tue Apr 26, 2005 6:56 am

Thanks! Put this in your signature or something; iptables is a bitch to work with, so this will save me, among others, lots of time. If jtshaw reads this, thank you!
Post by penguinlnx » Tue Apr 26, 2005 8:55 am

No Sweat! I was so pleased when JtShaw showed me how to do a firewall in 5 minutes, that I just had to post and share this.

I have put a link to it in my signature as you suggested...but I don't know how to give it a title...
Post by wjholden » Wed Apr 27, 2005 5:07 pm

Just put tags around it like this: [url=http://whatever]name[/url]
This would make a great Sticky or Permanent Thread...

Post by penguinlnx » Thu Apr 28, 2005 1:50 pm

I hope an Admin looks at this, and can make it into a sticky!
Post by Digital Storm » Sat Apr 30, 2005 11:22 am

Thanks! :D

I've been wandering back and forth between iptables GUI setups, but they all seem confusing to me... After reading this simple script, it looks great and should be easy to tailor to my needs...

It makes iptables easier to understand as well; all the other scripts are great, but I find them long and complicated...
Post by niuck » Thu May 19, 2005 7:36 pm

I generally try to avoid posting my problems to the forum and try to solve them myself. But this time I'm stuck. I just can't figure out how to modify the script to fit my network. :(

The network looks like this:

Internet (static IP) -- Gentoo-Router -- Switch -- Gentoo-box (rsync, ircd)

The Gentoo router is connected directly to the internet with a static IP. The router has dhcpd and dnsmasq installed. Behind the router I have another Gentoo box that I want to run different services on: ircd, rsync server, etc. I also have a wireless AP connected to the switch that one client is connected to.

In my router, eth0 is the LAN and eth1 is the WAN (Internet).

I'm really new to this and I have tried to read the manuals etc. But apparently my brain can't take it all in. :D
Help is _very_ appreciated. Thanks.
Last edited by niuck on Sat Feb 17, 2007 11:32 pm, edited 1 time in total.
Post by someguy » Tue May 24, 2005 7:04 am

nice
Post by zooz_pxp » Thu Nov 10, 2005 12:29 am

I've tried iptables for so long, and this is the only thread that got me up and running. Thanks. Really.
Post by MrUlterior » Thu Nov 10, 2005 10:29 am

That script is too simplistic. It sets no default DROP policy on INPUT, OUTPUT & FORWARD, and it doesn't handle OUTPUT & FORWARD at all, not to mention masquerading, S/DNAT, etc...

Note:
21.6.1 Firewalls Can Be Dangerous

We started the chapter by pointing out that a firewall is not a panacea. We will conclude the chapter by making the point again: firewalls can be a big help in ensuring the security of your network; however, a misconfigured firewall, or a firewall with poor per-host controls, may actually be worse than no firewall at all. With no firewall in place, you will at least be more concerned about host security and monitoring. Unfortunately, at many sites, management may be lulled into believing that their systems are secure after they have paid for the installation of a significant firewall - especially if they are only exposed to the advertising hype of the vendor and consultants.
While stateful inspection firewalls are the most secure, they are also rather complex and the most likely to be misconfigured. Whichever firewall type you choose, keep in mind that a misconfigured firewall can in some ways be worse than no firewall at all, because it lends the dangerous impression of security while providing little or none.
-Robert G. Ferrell
My advice is that if you're not prepared to read the iptables man page, which contains everything you need to know to implement a PROPER firewall, then rather use an out-of-the-box solution like guarddog, firestarter, shorewall, etc. Using something like the script in the OP leads to delusions of security; it is about as efficient as the default FW in WinXP SP2.

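Added example, written for this page and not taken from the thread or from jtshaw's scripts: a ruleset for the router layout niuck describes (eth0 = LAN, eth1 = WAN, services on a box behind the router) that also covers the points MrUlterior raises, namely DROP policies on all three built-in filter chains, explicit FORWARD and OUTPUT handling, MASQUERADE for the LAN and DNAT for the published services. The function prints the ruleset in iptables-restore format so it can be reviewed before being loaded in one atomic step. The LAN prefix 192.168.1.0/24, the inner host 192.168.1.10 and the published ports (6667 for ircd, 873 for rsync) are assumptions; change them to match your network.

```sh
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a two-interface router.
#
# Apply atomically (as root, after `sysctl -w net.ipv4.ip_forward=1`):
#   gen_router_ruleset eth0 eth1 192.168.1.0/24 192.168.1.10 | iptables-restore
# Review first:
#   gen_router_ruleset eth0 eth1 192.168.1.0/24 192.168.1.10 | less

# Services published from the inner box, as proto:port words. The ports are
# assumptions (6667 = ircd, 873 = rsync); check the daemons' configuration.
PUBLISHED="tcp:6667 tcp:873"

# gen_router_ruleset LAN_IF WAN_IF LAN_PREFIX INNER_HOST
gen_router_ruleset() {
    lan=$1; wan=$2; lannet=$3; inner=$4

    echo '*nat'
    echo ':PREROUTING ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo ':POSTROUTING ACCEPT [0:0]'
    for svc in $PUBLISHED; do
        proto=${svc%%:*}; port=${svc#*:}
        # Rewrite the destination of connections arriving on the WAN port
        echo "-A PREROUTING -i $wan -p $proto --dport $port -j DNAT --to-destination $inner:$port"
    done
    # Hide the whole LAN behind whatever address the WAN interface has
    echo "-A POSTROUTING -o $wan -s $lannet -j MASQUERADE"
    echo 'COMMIT'

    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT DROP [0:0]'
    # Traffic to the router itself
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Services the router offers to the LAN only: SSH, DHCP and DNS (dnsmasq)
    echo "-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A INPUT -i $lan -p udp --dport 67 -j ACCEPT"
    echo "-A INPUT -i $lan -p udp --dport 53 -j ACCEPT"
    echo "-A INPUT -i $lan -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    # Answer pings from anywhere, but not floods
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec -j ACCEPT'
    # Log what the DROP policy is about to discard, at a bounded rate
    echo '-A INPUT -m limit --limit 3/sec --limit-burst 5 -j LOG --log-prefix "[fw-in] "'
    # Traffic through the router: LAN may go out, only replies come back in
    echo '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
    echo "-A FORWARD -i $lan -o $wan -s $lannet -j ACCEPT"
    for svc in $PUBLISHED; do
        proto=${svc%%:*}; port=${svc#*:}
        # Only the DNATed services may be reached from the WAN
        echo "-A FORWARD -i $wan -o $lan -d $inner -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo '-A FORWARD -m limit --limit 3/sec --limit-burst 5 -j LOG --log-prefix "[fw-fwd] "'
    # The router's own outbound traffic is allowed, but the policy stays DROP
    # so that a missing rule fails closed rather than open
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo '-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT'
    echo 'COMMIT'
}
```

Loading with iptables-restore replaces the nat and filter tables in one step, so the box is never half-configured the way it is between an `-F` and the last `-A` of a script that appends rules one at a time. The wireless client behind the switch is covered by the LAN rules like any other LAN host; if the AP should be treated differently it needs its own interface or VLAN, which this ruleset does not model.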
© 2001–2026 Gentoo Foundation, Inc.
