hi, I am trying to run an iptables firewall and found a script which I have changed a little bit to match my connection.
I am running Red Hat 8 and using an ADSL VPN connection.
Here are the commands:
# a table for dealing with icmp traffic
-N icmp_packets
# a table to deal with tcp traffic
-N tcp_packets
# a table for tcp packets that start a new session (jumped to below). It has no rules, because no
# services are offered, so a packet sent here returns to tcp_packets and hits the log/drop rules at its end.
-N tcp_services
# a table for udp traffic
-N udp_packets
# this is the tcp_packets table.
# tcp packets that start a new session are sent to the tcp_services table
# (the original line jumped to tcp_packets itself, which is a loop iptables refuses to load)
-A tcp_packets -p TCP --syn -j tcp_services
# this line allows existing connections to live. It is actually redundant since we had this line in the INPUT table.
-A tcp_packets -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
# we log the packets before DROPing them
-A tcp_packets -m limit --limit 60/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "TCP packets packet died: "
# tcp packets that are not related to an established session, and are not syn packets, get dropped
-A tcp_packets -p TCP -j DROP
# no other services, so we log and then drop
#-A tcp -m limit --limit 60/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "TCP srv packet died: "
#-A tcp -p TCP -s 0/0 -j DROP
#
# ICMP rules
#
# we permit icmp types 3 and 11
# type 3 is destination unreachable. This may save us bandwidth from excessive retries.
# type 11 is Time Exceeded - good for traceroute.
-A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
-A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#this is where we do the masquerading.
-t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# This is the INPUT table. Most filtering is done here.
#
# for performance efficiency, we put the rules that should get the highest number of matches
# first.
#
# First, we permit the ADSL modem to pass traffic on pptp (tcp port 1723) and the gre tunnel (protocol 47)
-A INPUT -p 47 -s x.x.x.x/x -j ACCEPT
-A INPUT -p tcp -s x.x.x.x/x --sport 1723 -j ACCEPT
# we trust our internal host. If you want to specifically control its activity, remove this line and permit specific
# services in the appropriate tables.
-A INPUT -p ALL -s x.x.x.x/x -j ACCEPT
# the following 3 rules ensure that established connections will not break. These are the lines that make the
# stateful inspection (and which match most of the LAN and PPP interface traffic).
-A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# then we permit the loopback interface. Matching on the interface (-i lo) rather than on the source address
# 127.0.0.1 means a packet arriving on ppp0 with a forged loopback source is not accepted by this rule.
-A INPUT -i lo -j ACCEPT
# The following 2 rules enable the passive and active ftp port command (that opens a data stream).
-A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# we allow broadcasts.
-A INPUT -p ALL -d x.255.255.255/x -j ACCEPT
# any traffic coming in on the internet interface that did not match the previous rules (basically packets that try to start sessions, or probes, or just any
# other packet that is not related to an existing stream) will be separated into icmp, tcp and udp and treated specifically.
-A INPUT -p ICMP -i ppp0 -j icmp_packets
-A INPUT -p TCP -i ppp0 -j tcp_packets
-A INPUT -p UDP -i ppp0 -j udp_packets
-A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
# before we drop the packets that reach the end of the table, we want to record them. We limit the log rate so that we won't
# choke it if we are badly attacked.
-A INPUT -m limit --limit 60/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
# This is the OUTPUT table.
# First we permit the pptp and gre tunnel to the ADSL
-A OUTPUT -p 47 -d x.x.x.x/x -j ACCEPT
# We trust our internal host
-A OUTPUT -p ALL -d x.x.x.x/x -j ACCEPT
# we make stateful inspection and let established sessions live, and new connections to be created.
-A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 60/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
# We forward for established sessions
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# set default policies for the INPUT, FORWARD and OUTPUT chains. Since we filter on the INPUT, the FORWARD
# policy is ACCEPT
# NOTE: the comment above says ACCEPT, but the policy set below is DROP. With DROP, the only FORWARD rule is the
# ESTABLISHED,RELATED one above, so hosts behind the masquerade cannot open new connections through this box.
-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP
For some reason when I try to restart iptables with the command /etc/rc.d/init.d/iptables start
I get errors which state:
Applying iptables firewall rules: iptables-restore v1.2.6a: Unknown arg `--icmp-type'
--sport
--dport
I have checked the iptables man page and all of these options are allowed. I even tried not using the alias name, as in --source-port etc., and no go.
I appreciate any help on this subject.
I think in your ICMP rules that the protocol has to be lower case, so:
-A icmp_packets -p icmp -s 0/0 --icmp-type 3 -j ACCEPT
which is why it doesn't like the --icmp-type part. You need to have the -p icmp part recognized so that it can load the --icmp-type extensions. Try that and see if you still get errors.
Scratch that, case doesn't matter for the protocol type.
But I do have a question, are you loading these rules with a script, by command line, or are you directly editing the /etc/sysconfig/iptables file?
If you're editing the file by hand, that might be the problem. For some reason if you edit the file by hand, the extension modules are not loaded (the ones that specify how to handle the --dport, --sport, --icmp-type).
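Something to keep in mind when hand-editing /etc/sysconfig/iptables: that file is read by iptables-restore, whose layout differs from the command line (a "*table" header, one ":CHAIN POLICY [0:0]" line per chain, then the rules, then COMMIT, and no inline "-t nat"). The helper below is an added example, not code from the thread; it converts a flat rule list like the one posted above into that layout with a small constructed sample so the two forms can be compared side by side.

```shell
#!/bin/sh
# Added example (not from the thread): turn a flat list of iptables command
# arguments, as typed at the shell or kept in a script, into the layout that
# iptables-restore (and therefore /etc/sysconfig/iptables) expects: a "*table"
# header, one ":CHAIN POLICY [0:0]" line per chain, the rules, then COMMIT.
# Handles -N, -P, -A and a leading "-t table"; comments, blank lines and other
# verbs (e.g. -F) are skipped, since iptables-restore flushes each table itself.
rules_to_restore() {
    awk '
    function addchain(t, c) {
        if (!((t, c) in policy)) { policy[t, c] = "ACCEPT"; chains[t] = chains[t] c " " }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        table = "filter"
        # strip a leading "-t <table>" and re-split the remaining fields
        if ($1 == "-t") { table = $2; $1 = ""; $2 = ""; sub(/^ +/, "") }
        if (!(table in seen)) { seen[table] = 1; tabs[++ntab] = table }
        if ($1 == "-P")      { addchain(table, $2); policy[table, $2] = $3 }
        else if ($1 == "-N") { addchain(table, $2); policy[table, $2] = "-" }
        else if ($1 == "-A") { addchain(table, $2); rules[table] = rules[table] $0 "\n" }
    }
    END {
        for (i = 1; i <= ntab; i++) {
            t = tabs[i]
            printf "*%s\n", t
            n = split(chains[t], cl, " ")
            for (j = 1; j <= n; j++) printf ":%s %s [0:0]\n", cl[j], policy[t, cl[j]]
            printf "%s", rules[t]
            print "COMMIT"
        }
    }'
}

# Constructed sample: a handful of lines in the style of the rules posted above.
sample_rules='# user chain for unsolicited tcp from the internet interface
-N tcp_packets
-A tcp_packets -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -o ppp0 -j MASQUERADE
-A INPUT -p tcp -i ppp0 -j tcp_packets
-P INPUT DROP'

# Convert the sample; the restore-format text goes to stdout.
demo() {
    printf "%s\n" "$sample_rules" | rules_to_restore
}

demo
```

Diffing the output against the existing /etc/sysconfig/iptables is a quick way to spot a table or policy that was written in command-line form.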
Thanks for the reply.
Capt_Caveman: I am editing the iptables file directly, so does anyone know how to enable them, or should I just make it a script and try it?
Thanks
I'd go ahead and use a script. As I've been trying to learn iptables, I've created a few different scripts for me to play with. I've also got one "good" firewall script that I don't play with so no matter how badly I screw up the one I'm working on, a good firewall is only a script run away....
You can type them in at the command line one after another using the iptables command, the nice part being that you can debug them line by line.
But I'd agree with Hangdog42, that a script is probably the way to go. Just put a line that points to the path of the script in rc.local, so that it gets loaded at boot. And don't forget to make it executable.
Cool, thanks for the replies guys.
I just tried running them all manually and got no errors. It's a bit strange though that in the iptables file it doesn't work. Anyway, how do I go about the command in rc.local? Would:
sh /path/to/script/script.sh
be ok?
I actually run my firewall script from rc.inet1 before the NIC is set up. That way I'm never without a firewall in place. I've got the firewall script in the same directory as rc.inet1 and just have a line that says ./rc.firewall.
>its a bit strange though that on the iptables files it doesnt work
yeah, I thought so too. I had a similar problem once where if I pasted a line into the iptables file it would give me an error, but if I pasted the exact same line into the command line with "iptables" in front of it, it would run no problem. Somehow the act of entering the command (through a script or command line) tells the kernel to load the proper extension modules.