LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-02-2004, 09:21 AM   #1
soner
LQ Newbie
 
Registered: Sep 2004
Location: Turkey
Posts: 19

Rep: Reputation: 0
How to install and setup firewall on my computer?


I use Suse 9.0. I work in an office with several computers on a network.
I want to set up a firewall on my computer.
Which software should I use to install and set up the firewall?
Where can I find the configuration specifications?
 
Old 09-02-2004, 09:39 AM   #2
littleking
Member
 
Registered: Jun 2003
Location: New Albany, OH
Posts: 190

Rep: Reputation: 30
www.ipcop.org
 
Old 09-02-2004, 09:41 AM   #3
adjman
LQ Newbie
 
Registered: Sep 2004
Location: Duncton, UK
Distribution: Lubuntu
Posts: 6

Rep: Reputation: 0
Best bet is IPTABLES, which should be built in to your distro.

Type in

iptables -h

If you get a load of help text then you know it's installed.

From here you can do a search for iptables scripts on Google and find something that covers most eventualities.

Here is an example from mine:

Code:
#!/bin/sh
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save
# the running config with 'iptables save' for RedHat to reinstate at the next
# boot, IP forwarding must be enabled by something other than this script for production
# use. That's best done by editing /etc/sysctl.conf and setting:
#
# net.ipv4.ip_forward = 1
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
#echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
# I find it easier to modify this file and run it (make sure it is executable
# with 'chmod +x iptables-gw') to change the rulesets, rather than
# modifying the running rules. That way I have a readable record
# of the firewall configuration.
#
# Set an absolute path to IPTABLES and define the interfaces.
#
IPT="/sbin/iptables"
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
OUTSIDE=eth0
INSIDE=eth1
INSIDE_IP=192.168.0.1
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent       - Just drop the packet
# tcpflags     - Log packets with bad flags, most likely an attack
# firewalled   - Log packets that that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP

$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP

$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# Use  NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 1.2.3.4
#
# To statically NAT an outside IP (here 195.74.108.232) to an inside IP (here
# 192.168.0.125) you'd do something like the following. The PREROUTING rule
# rewrites the destination of packets arriving for the outside IP; the
# POSTROUTING rule rewrites the source of the inside host's replies and
# outbound connections back to the outside IP:
#
#$IPT -t nat -A PREROUTING -i $OUTSIDE -d 195.74.108.232 -j DNAT --to-destination 192.168.0.125
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -s 192.168.0.125 -j SNAT --to-source 195.74.108.232
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled

# Blocking known troublemakers
#
$IPT -A INPUT -i $OUTSIDE -s 80.86.160.0/19 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 66.193.175.182 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 61.193.179.162 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 195.144.232.162 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 61.144.167.78 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 211.68.120.41 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 150.46.85.222 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 210.91.208.103 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 207.228.240.58 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 211.119.136.170 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 80.11.72.145 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 10.59.0.1 -j silent
$IPT -A INPUT -i $OUTSIDE -s 61.19.212.18 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 24.223.163.20 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 66.160.141.55 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 217.137.98.70 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 195.5.28.73 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 68.10.53.24 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 66.111.192.21 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 61.193.179.162 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 195.144.232.162 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 61.144.232.162 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 193.110.88.247 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 220.69.12.96 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 193.110.88.247 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 195.162.212.176 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 203.122.239.154 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 194.165.127.149 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 213.103.199.168 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 207.235.120.39 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 216.82.64.10 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 61.221.196.181 -j firewalled
$IPT -A INPUT -i $OUTSIDE -s 64.89.16.0/20 -j firewalled

#
#
# Examples of Port forwarding.
#
# The first forwards FTP control connections (port 21) to 192.168.0.125
# The second forwards SSH to 10.0.0.10
# The third and fourth forward a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 21 -j DNAT --to 192.168.0.125
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 10.0.0.10
#
# Examples of allowing inbound for the port forwarding examples above or for
# allowing access to services running on the firewall
#
# SSH server access
#
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Web server access
#
$IPT -A INPUT -i $INSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 10000 -j ACCEPT
$IPT -A INPUT -i $INSIDE -d 0/0 -p tcp --dport 10000 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 443 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -j ACCEPT
#
# FTP server access (also allows IRC and Email)
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 20:21 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 1024:65535 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 110:111 -j ACCEPT
#$IPT -A INPUT -i $INSIDE -d 0/0 -p tcp --dport 110:111 -j ACCEPT
#
# Telnet server access
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 23 -j ACCEPT
#
# DNS server access
#
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 53 -j ACCEPT
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# The following rules let the inside machines reach services on the
# firewall, like DNS, web, etc. Keep them only if the inside machines are
# trustworthy, and remember to change the IP to be that of the INSIDE
# interface of the firewall.
#
$IPT -A INPUT -i $INSIDE -d 192.168.0.1 -j ACCEPT
$IPT -A INPUT -i $INSIDE -s 192.168.0.125 -j ACCEPT
$IPT -A INPUT -i $INSIDE -s 192.168.0.10 -j ACCEPT
#
# If you are running a DHCP server on the firewall uncomment the next line
#
#$IPT -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# We've slipped the surly bonds of windows and are dancing on the
# silvery wings of Linux, so don't allow that windows trash to leak
# out of the firewall.
#
$IPT -A FORWARD -p udp --dport 137 -j silent
$IPT -A FORWARD -p udp --dport 138 -j silent
$IPT -A FORWARD -p udp --dport 139 -j silent
$IPT -A FORWARD -p udp --dport 445 -j silent
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPT -A INPUT -j firewalled

You have to type it in or copy and paste it into a plain text file, usually called rc.firewall.

Then chmod the script to make it executable and run it. Once you have it configured how you want, type in

service iptables save

and this will mean the rules you have set will get loaded each time the machine boots.

HTH

Adjman
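The script above turns a two-NIC box into a NAT gateway, which is more than soner asked for: a single workstation on an office LAN only has to protect itself. The following is an added example, not adjman's script or anything from this thread, showing the host-only variant of the same iptables approach. It assumes placeholder values of one interface eth0, an office subnet of 192.168.0.0/24, and an administrator who may SSH in from that subnet; adjust them before applying. Unlike the gateway script it refuses forwarding outright, does no NAT, drops packets the connection tracker flags as INVALID, and emits its rules as text so the whole policy can be reviewed with `sh hostfw.sh show` before `sh hostfw.sh apply` is run as root. Note also that `service iptables save` is a Red Hat mechanism; on SuSE 9.0 the script has to be hooked into boot by the distribution's own means.

```shell
#!/bin/sh
# Host firewall for a single office workstation (added example, not adjman's
# script). A workstation is not a router: forwarding is refused and nothing is
# NATed. Assumed placeholder values: interface eth0, office subnet
# 192.168.0.0/24 from which an administrator may SSH in.
set -eu

IPT="${IPT:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

# Emit the rule set as one iptables command per line. Generating the commands
# instead of running them directly lets you review (or diff) the whole policy
# before it touches the kernel; apply_rules feeds the same text to the shell.
host_rules() {
cat <<EOF
# --- reset: flush every table and delete user-defined chains ---
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
# --- default policies: refuse inbound and forwarded traffic, allow outbound ---
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
# --- logdrop: rate-limited logging so a flood cannot fill the disk ---
$IPT -N logdrop
$IPT -A logdrop -m limit --limit 15/minute -j LOG --log-prefix "HostFW: "
$IPT -A logdrop -j DROP
# --- loopback and replies to our own connections come first ---
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# --- bogus packets: invalid state and impossible TCP flag combinations ---
$IPT -A INPUT -m state --state INVALID -j logdrop
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j logdrop
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j logdrop
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j logdrop
# --- ICMP needed for path MTU discovery and traceroute; rate-limited pings ---
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
# --- management: new SSH connections only from the office subnet ---
$IPT -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# --- everything else is logged and dropped ---
$IPT -A INPUT -j logdrop
EOF
}

# 1-based line of the first emitted line matching PATTERN, or 0 if absent.
# Rule order matters in iptables (first match wins), so this is used to
# confirm that the stateful accept really precedes the service accepts.
rule_position() {
    n=$(host_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Apply the policy. Forwarding is switched off in the kernel as well as in the
# FORWARD chain policy, the opposite of what a gateway script wants.
apply_rules() {
    echo 0 > /proc/sys/net/ipv4/ip_forward
    host_rules | sh -e
}

case "${1:-show}" in
    apply) apply_rules ;;
    show)  host_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Two design points differ from the gateway script: the ESTABLISHED,RELATED rule sits near the top rather than after all the per-service accepts, so the bulk of legitimate traffic is matched by one rule and a mistake in a later accept cannot let new connections in through it; and the SSH accept is bound to both the interface and the office subnet, so the default DROP policy is the only thing any other source ever sees. Redirect `sh hostfw.sh show` to a file and keep it with the machine's configuration; that file is the readable record adjman mentions.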
 
Old 09-02-2004, 11:58 AM   #4
guzzi
Member
 
Registered: Jun 2004
Location: Lawrence, KS
Distribution: Slackware
Posts: 294

Rep: Reputation: 32
security

Marhaba soner.

I believe that adjman is correct.

I have a Linux box running IPTABLES working as my internet access point. It protects various systems here from the evil crackers out there. One Windows 2000 box running Norton Internet Security has not had any issues at all since going behind the Linux firewall.

I was in Trabzon for a year a long time ago, and I loved it.
 