Problem with iptables, and a simple question about a NTFS part.

Jorek · 12-30-2005, 12:34 PM

Hello my fellow Linux users!
Here's some quick qustions(I have tried both google and this forum, but I havent
been able to find the solution to my problems).

1. Iptables.
I'm trying to learn how to use iptables, so decided to write a very simple firewall script on my own.
Here's what I have done so far:

Code:

#!/bin/sh
# Setting Policy for chains...
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Loading userspesified rules...
iptables -A INPUT -s 127.0.0.0/8  -d 127.0.0.0/8 -lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

When I use this script, I can't surf on the WWW,eventhough my port 80(HTTP) and 53 (DNS) are wide open! I can't even ping, but I have allowed icmp traffic as you can see in my script. Can someone tell me whats wrong with this script?

2. NTFS Partition.
When I installed Slackware, I decided to mount my two NTFS partitions into my Linux system at boot.
That works pretty good for root, but I haven't found any way to give normal users read rights(chmod o+r).
This is a cut of my fstab:
/dev/hda5 /mnt/Windisk1 ntfs defaults 1 0
/dev/hda7 /mnt/Windisk2 ntfs defaults 1 0

Anyone?

Thanx

stress_junkie · 12-30-2005, 01:22 PM

Here is a quick discussion and example script for iptables.

http://techrepublic.com.com/5100-108...tml?tag=search

I always end up hacking mounted partitions so this information may be stupid, ugly, or even wrong.

The first thing that I may be wrong about is your fstab file entries. You should include the read only directive "ro" in the options field.

Now here is where I get ugly. If I wanted to set up a system as you described I would make the mount point, set the ownership and permissions of the mount point, mount the partition, check the ownership and permissions of the mount point, and if required reset the ownership and permissions on the mount point. That's always worked for me with ntfs and vfat partitions.

Remember that you want to mount ntfs partitions as read only.

Freemor · 12-30-2005, 02:05 PM

Not sure What you were trying to do with the first part of the script ( where you seem to be trying to set up policies) settin the entire input chain to DROP would basically (ifaik) drop all input.. not good.. Also you only need to open ports you have servers on. so only need to open port 80 if running a web server, 21 if you are running an ftp server etc. I generally drop the first 1023 ports. unless i'm running a server.. with the exception of the ntp port being allowed for the time server I sync with.

Here is an early sample of my IPtables script..

#!/bin/bash
#
# tight firewall
#
#

# First make sure we are not duplicating things..

iptables -F
iptables -X

# accept all local connection so interal stuff works

iptables -A INPUT -s localhost -p tcp -j ACCEPT
iptables -A INPUT -s localhost -p udp -j ACCEPT

# Open the ports we want

iptables -A INPUT -s time.nrc.ca -p udp --destination-port 123 -j ACCEPT

# Drop all ICMP requests

iptables -A INPUT -p icmp -j DROP

# Drop All un-authorizes connections

iptables -A INPUT -s 0/0 -p tcp --destination-port 0:1023 -j DROP
iptables -A INPUT -s 0/0 -p udp --destination-port 0:1023 -j DROP

---

This was an early version of my script I have since added logging capabilities for both blocked and allowed ports that i wish to monitor..

remember iptables rules are fallthrough so if i had put the last two lines first then nothing would be allowed because it would see the block everything rulle first and not fallthrough to the rest.

Hope this helps