LinuxQuestions.org
Old 01-29-2009, 02:21 PM   #1
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,033

Rep: Reputation: 69
A question on my firewall script...


I'm running Slackware 12.0 and I'm trying to block some IPs from accessing my Apache web server.

My rc.FireWall script looks like this. I've put several IPs in there that I want to block. Yet I still get HTTP requests from these IPs...
Also, what's the difference between rc.FireWall and rc.FireWall~?
Which one gets used? Anyhow, I usually start the script with

rc.FireWall stop
rc.FireWall start

Code:
#!/bin/bash
#
# usage: rc.FireWall start|stop|status
#
# Simple firewall disallowing all incoming connections
# but allowing all traffic on localhost (lo device),
# all outgoing traffic, and incoming TCP connections to $ALLOWED_PORTS
# (you can set the variable below)
#
# Author: Tomas M. <http://slax.linux-live.org/>
#
ALLOWED_PORTS="20 21 22 25 80 110 143 443"
SYSCTLW="/sbin/sysctl -q -w"
IPTABLES="/usr/sbin/iptables"
#-----------------------------------------------------------

if [ "$1" = "start" ]; then

   # Disable routing triangulation. Respond to queries out
   # the same interface, not another. Helps to maintain state.
   # Also protects against IP spoofing.

   $SYSCTLW net.ipv4.conf.all.rp_filter=1

   # Enable logging of packets with malformed IP addresses,
   # Disable redirects,
   # Disable source routed packets,
   # Disable acceptance of ICMP redirects,
   # Turn on SYN cookies (protection from SYN-flood Denial of Service),
   # Disable responding to ping broadcasts,
   # Enable IP routing. Required if your firewall is protecting a network, NAT included

   $SYSCTLW net.ipv4.conf.all.log_martians=1
   $SYSCTLW net.ipv4.conf.all.send_redirects=0
   $SYSCTLW net.ipv4.conf.all.accept_source_route=0
   $SYSCTLW net.ipv4.conf.all.accept_redirects=0
   $SYSCTLW net.ipv4.tcp_syncookies=1
   $SYSCTLW net.ipv4.icmp_echo_ignore_broadcasts=1
   $SYSCTLW net.ipv4.ip_forward=1

   # Firewall initialization, remove everything, start with clean tables
   $IPTABLES -F      # remove all rules
   $IPTABLES -X      # delete all user-defined chains

   # allow everything for the loopback device, and all outgoing traffic
   $IPTABLES -A INPUT -i lo -j ACCEPT
   $IPTABLES -A OUTPUT -j ACCEPT

   # allow DNS in all directions
   $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
   $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT

   # Allow previously established connections
   $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

   # Allow new incoming TCP connections to the listed ports
   for PORT in $ALLOWED_PORTS; do
      $IPTABLES -A INPUT -p tcp --dport $PORT -j ACCEPT
   done

   # Create a chain for logging all dropped packets
   $IPTABLES -N LOG_DROP
#  $IPTABLES -A LOG_DROP -j LOG --log-prefix "Attack log: "
   $IPTABLES -A LOG_DROP -j DROP

   $IPTABLES -A INPUT -j LOG_DROP    # drop all other incoming

   # Drop packets coming from specific IP addresses.
   # -I (no position given) inserts at line 1 of INPUT, so these are
   # evaluated before the ACCEPT rules above; the last address listed
   # ends up as the first rule in the chain.
   $IPTABLES -I INPUT -s 222.187.221.88 -j DROP
   $IPTABLES -I INPUT -s 82.98.141.7 -j DROP
   $IPTABLES -I INPUT -s 8.11.254.248 -j DROP
   $IPTABLES -I INPUT -s 66.154.97.57 -j DROP
   $IPTABLES -I INPUT -s 74.95.163.5 -j DROP
   $IPTABLES -I INPUT -s 195.140.202.142 -j DROP
   $IPTABLES -I INPUT -s 67.29.139.234 -j DROP
   $IPTABLES -I INPUT -s 78.109.19.178 -j DROP
   $IPTABLES -I INPUT -s 85.204.12.16 -j DROP

   $IPTABLES -A FORWARD -j LOG_DROP  # drop all forwarded

elif [ "$1" = "stop" ]; then
   $IPTABLES -F
   $IPTABLES -X
   $IPTABLES -P OUTPUT ACCEPT
   $IPTABLES -P FORWARD ACCEPT
   $IPTABLES -P INPUT ACCEPT

elif [ "$1" = "status" ]; then
   $IPTABLES -L -v

else
   echo "usage: $0 start|stop|status"
fi
 
Old 01-29-2009, 02:36 PM   #2
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,527

Rep: Reputation: 898
Quote:
what's the difference from rc.FireWall and rc.FireWall~
rc.FireWall~ is the backup made by your text editor

You can block the whole range
iptables -I INPUT -s 66.135.32.0/20 -j DROP

Last edited by repo; 01-29-2009 at 02:40 PM.
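
Added example, not from the thread: before dropping a whole range the way repo suggests, it helps to know exactly which addresses a block such as 66.135.32.0/20 covers, and whether the hosts you actually want to block fall inside it. The POSIX sh functions below do the CIDR arithmetic without iptables or root. The nine addresses in report_range are the ones from the posted rc.FireWall and the range is the one repo quoted; nothing else in it comes from the page.

```shell
#!/bin/sh
# Added example (not from the thread): CIDR arithmetic in plain POSIX sh, so you can
# check what "iptables -I INPUT -s 66.135.32.0/20 -j DROP" would cover before adding it.

# Dotted quad -> 32-bit integer.
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length 0..32, as an integer (20 -> 255.255.240.0).
prefix_mask() {
    [ "$1" -ge 0 ] && [ "$1" -le 32 ] || { echo "bad prefix length: $1" >&2; return 2; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# First and last address of NETWORK/PREFIX, e.g. "66.135.32.0-66.135.47.255".
cidr_range() {
    net=$(ip_to_int "${1%/*}")
    mask=$(prefix_mask "${1#*/}") || return 2
    first=$(( net & mask ))
    last=$(( first | (4294967295 & ~mask) ))
    echo "$(int_to_ip "$first")-$(int_to_ip "$last")"
}

# in_cidr IP NETWORK/PREFIX: exit 0 if IP is inside the block, 1 if not.
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    mask=$(prefix_mask "${2#*/}") || return 2
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Report which of the addresses from the posted rc.FireWall a range rule would catch.
report_range() {
    range=$1
    echo "$range covers $(cidr_range "$range")"
    for host in 222.187.221.88 82.98.141.7 8.11.254.248 66.154.97.57 74.95.163.5 \
                195.140.202.142 67.29.139.234 78.109.19.178 85.204.12.16; do
        if in_cidr "$host" "$range"; then echo "  $host: inside"; else echo "  $host: outside"; fi
    done
}

report_range 66.135.32.0/20
```

Run it as-is and the report shows whether any of the posted addresses land in that /20; if the answer is "outside" for all of them, the range rule would not block the hosts you care about, only the block you typed. A /32 is a single host, so `in_cidr 1.2.3.4 1.2.3.4/32` is the same test the per-address DROP rules perform.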
 
Old 01-29-2009, 06:13 PM   #3
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,033

Original Poster
Rep: Reputation: 69
In my script each rule is started with $IPTABLES instead of just IPTABLES, why is that?
 
Old 01-29-2009, 06:31 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by trist007
In my script each rule is started with $IPTABLES instead of just IPTABLES, why is that?
Because of this line:
Code:
IPTABLES="/usr/sbin/iptables"
Read about bash variables here: http://www.tldp.org/LDP/abs/html/
 
Old 01-29-2009, 06:31 PM   #5
repo
LQ 5k Club
 
Registered: May 2001
Location: Belgium
Distribution: Arch
Posts: 8,527

Rep: Reputation: 898
Quote:
In my script each rule is started with $IPTABLES instead of just IPTABLES, why is that?
You define IPTABLES at the beginning of the script
Code:
IPTABLES="/usr/sbin/iptables"
so $IPTABLES means
Code:
/usr/sbin/iptables
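
Added example, not from the thread: one practical payoff of routing every rule through $IPTABLES (the question in posts #3 to #5) is that the variable can be pointed at a stand-in, so the rule sequence from post #1 can be dry-run and its final order inspected without touching the live firewall. The fake_iptables function below is mine, not part of the posted script: it records the INPUT chain in evaluation order and models only the two forms the posted script uses (-A appends, -I with no position inserts at line 1). load_rules is a shortened copy of the posted start branch with three of its nine blocked addresses; reading IPTABLES from the environment with a default is also my addition, the original hard-codes the path.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run the posted rule sequence by pointing
# $IPTABLES at a stand-in that records the INPUT chain in evaluation order.
# Modelled forms (the only ones the posted script uses):
#   -A CHAIN ...   appends at the bottom
#   -I CHAIN ...   (no position) inserts at line 1
# Everything else (-F, -X, -N, -P, other chains) is accepted and ignored.
INPUT_CHAIN=""
NL='
'

fake_iptables() {
    [ "$2" = "INPUT" ] || return 0
    case "$1" in
        -A) INPUT_CHAIN="${INPUT_CHAIN}${INPUT_CHAIN:+$NL}$*" ;;
        -I) INPUT_CHAIN="$*${INPUT_CHAIN:+$NL}${INPUT_CHAIN}" ;;
    esac
}

# Shortened copy of the posted start branch. IPTABLES=/usr/sbin/iptables would apply
# it for real; the default below records it instead (env override is ours, not the script's).
load_rules() {
    IPTABLES=${IPTABLES:-fake_iptables}
    INPUT_CHAIN=""
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for PORT in 22 80 443; do
        $IPTABLES -A INPUT -p tcp --dport "$PORT" -j ACCEPT
    done
    $IPTABLES -N LOG_DROP
    $IPTABLES -A LOG_DROP -j DROP
    $IPTABLES -A INPUT -j LOG_DROP
    # -I puts each address at line 1, so the last one listed is checked first,
    # and all of them sit above the port ACCEPTs.
    for BAD in 222.187.221.88 82.98.141.7 85.204.12.16; do
        $IPTABLES -I INPUT -s "$BAD" -j DROP
    done
}

# Print the recorded chain numbered the way "iptables -L INPUT --line-numbers" numbers it.
show_chain() {
    printf '%s\n' "$INPUT_CHAIN" | awk '{ printf "%d  %s\n", NR, $0 }'
}

# Line number of the first INPUT rule containing PATTERN, 0 if absent.
rule_position() {
    pos=$(printf '%s\n' "$INPUT_CHAIN" | grep -n -F -- "$1" | head -n 1 | cut -d: -f1)
    echo "${pos:-0}"
}

# rule_before PATTERN1 PATTERN2: exit 0 if the first matching rule precedes the second.
rule_before() {
    [ "$(rule_position "$1")" -gt 0 ] && [ "$(rule_position "$1")" -lt "$(rule_position "$2")" ]
}

load_rules
show_chain
if rule_before "-s 85.204.12.16" "--dport 80"; then
    echo "blocked host is evaluated before the port 80 ACCEPT: OK"
fi
```

With `IPTABLES='echo iptables'` in the environment the calls are printed instead of recorded, which is the quickest way to eyeball a real rc.FireWall once the path is read from a variable. On the live box, `iptables -L INPUT -n -v --line-numbers` shows the real order plus per-rule packet counters; a DROP rule for an address that still reaches Apache will show a zero counter, which tells you the packets are not matching that rule at all rather than slipping past it.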
 