rc.firewall optimization and determining why connections get cut
Wondering if anyone here could help me weed out the unneeded lines and help me determine why it is that, if this script is run after getting onto the local LAN, all connections are closed and I have to re-connect to the local LAN.
Code:
IPTABLES=/usr/sbin/iptables
This looks like a nightmare. It doesn't look like you are using stateful inspection either. I'm willing to help, but I need a better file to view. Run the script again and save the firewall with the following:
Code:
iptables-save > ~/firewall-rules
Also, what distro are you running?
I'm currently on Slackware64 14.1. As requested, below is the output of iptables-save:
Code:
# Generated by iptables-save v1.4.20 on Wed May 11 00:14:46 2016
First: Do you really need all of this, or is this just some script you found on the internet and decided to use?
Second: Is this your local desktop, or is it providing some sort of service? If it is a server, what service?
Third: Does this box touch the internet, or is it already behind a firewall?
This is actually a script compiled over the years from different places that I use for my laptop. I'm planning to use the same script on a server that will be running OpenVPN and SSH once I've gotten this script optimized. The server will already be behind the firewall on the router; however, the laptop won't always be behind a router, as I travel with it often.
For your laptop you don't need anything close to this script. The following should be enough:
Code:
# sample configuration for iptables service
Code:
-A INPUT -m (tcp/udp) -p (tcp/udp) --dport ### -m conntrack --ctstate NEW -j ACCEPT
You really shouldn't block ICMP, as it is a control protocol and is more than just ping. I'm sure you believe you are doing something amazing with your script, but it is a waste of time if the server is not sitting directly on the internet. And log-level 7 isn't really needed unless you are debugging something. So I would suggest starting out with this and working your way up as needed.
Code:
# sample configuration for iptables service
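The sample rulesets in the reply above survive only as their first comment line. The following is an added example, not the poster's script and not the reply's own sample: a minimal stateful laptop ruleset in iptables-restore format, following the thread's advice (accept loopback and tracked connections first, allow the ICMP types normal operation relies on rather than blocking ICMP, one NEW-state accept per offered service, no logging). It uses the thread's later suggestion of an ACCEPT policy with an explicit trailing drop, and it assumes SSH on port 22 is the only inbound service; the interface is deliberately not named. The ruleset is emitted by a function so it can be printed and checked before it is loaded.

```shell
#!/bin/sh
# Added example (not the thread's own rc.firewall): stateful laptop ruleset.
# Usage:  sh laptop-fw.sh          -> print the ruleset for review
#         sh laptop-fw.sh --apply  -> load it atomically with iptables-restore (root)

SSH_PORT=${SSH_PORT:-22}   # assumption: the one service this laptop offers

laptop_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-tracked connections first, so nothing below sees them
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP needed for normal operation (PMTU discovery and traceroute replies
# arrive as destination-unreachable / time-exceeded); echo-reply to our own
# pings comes back as ESTABLISHED and is already accepted above
-A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# the only service offered: new SSH connections
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# explicit final drop instead of a DROP policy; the trade-off is that after
# "iptables -F" the chain is wide open, so always reload with iptables-restore
-A INPUT -j DROP
COMMIT
EOF
}

# rule_index PATTERN -> 1-based line number of the first matching rule
rule_index() {
    laptop_rules | grep -n -- "$1" | head -n1 | cut -d: -f1
}

# check_order: the ESTABLISHED,RELATED accept must come before the catch-all
# drop, or every reply packet would be dropped; returns 0 when the order is right
check_order() {
    est=$(rule_index 'ESTABLISHED,RELATED -j ACCEPT')
    drop=$(rule_index '^-A INPUT -j DROP$')
    [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ]
}

case "$1" in
    --apply)
        check_order || { echo "rule order wrong, not loading" >&2; exit 1; }
        laptop_rules | iptables-restore
        ;;
    *)
        laptop_rules
        ;;
esac
```

Loading the whole table with iptables-restore in one step is what makes the ACCEPT-policy-plus-trailing-drop layout safe: the chain is never left flushed and open between the old rules and the new ones, which a sequence of individual iptables calls in a script would do.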
Apologies for such a late response, and I hope you're still with me. It did take me a while to find some time and courage to go through my old script to weed out all the unnecessary rules, but I've managed to do so, and below is my updated set of rules:
Code:
# Generated by iptables-save v1.6.0 on Sat Oct 22 13:45:13 2016
I see some things that are not required and can safely be removed if you would like.
Code:
# Generated by iptables-save v1.6.0 on Sat Oct 22 13:45:13 2016
I also changed your ICMP rule to only allow what would be needed for normal operation. You can look up the ICMP ports yourself and decide what is not needed or what you would like to add.
There is a way to get around this: simply set your policy to ACCEPT and then, at the end of your INPUT rules, place a drop statement like so:
Code:
-A INPUT -j DROP
Hrmm, I'm not sure why iptables-save did not show the lines for
Code:
:DLNA_ALLOW - [0:0]
With this set of rules, I did have to add in an extra
Code:
-A INPUT -s 192.168.100.0/24 -d 192.168.100.0/24 -j ACCEPT
Code:
iptables -vnL
As to the INPUT rules, you don't really need the -d 192.168.100.0/24. If you are talking about logging in, then that is another rule that should be added. I believe you have 2 interfaces on this system (why else would you need FORWARD rules?), so I would lock this down to the interface you would be connecting from.
As for the two FORWARD rules, one was needed for the VPN and the other was more for allowing established traffic to pass back and forth. Lastly, the spoof protection I was using was with "/sbin/arp -i bond0 -s 192.168.100.1 e4:8c:8c:5c:b0:9c". I pretty much had this line run within rc.firewall so it ran after all the rules were installed. In essence the firewall rules would install, the ARP lockdown happened, and all of the network was done until I restarted /etc/rc.d/rc.inet1 bond0. Does what I did make sense now?
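The arp -s line above pins 192.168.100.1 to one MAC unconditionally. A permanent ARP entry is never updated by replies, so on any LAN where that address belongs to a different router, or is not the gateway at all, every off-subnet packet goes to a MAC that is not there until the entry is cleared (which is what restarting rc.inet1 does). The following is an added example, not the poster's rc.firewall: it keeps the interface, gateway and MAC from the thread, but only installs the pin when the kernel has already learned that gateway at exactly that MAC on that interface, and refuses when it has learned a different one. The guard logic and the use of iproute2's `ip neigh` (the equivalent of the arp command) are my assumptions about how to make the lockdown safe for a travelling laptop.

```shell
#!/bin/sh
# Added example (not the poster's script): pin the gateway ARP entry only
# when the live neighbour table already agrees with the expected MAC.
# Usage:  sh arp-pin.sh --apply     (root; needs iproute2)

IFACE=${IFACE:-bond0}                   # values from the thread
GW=${GW:-192.168.100.1}
GW_MAC=${GW_MAC:-e4:8c:8c:5c:b0:9c}

# Constructed sample of "ip -4 neigh show dev bond0" output, for offline use.
SAMPLE_NEIGH='192.168.100.1 lladdr e4:8c:8c:5c:b0:9c REACHABLE
192.168.100.23 lladdr 00:11:22:33:44:55 STALE'

# learned_mac NEIGH_OUTPUT GATEWAY -> the MAC the kernel currently holds for
# GATEWAY, or nothing if the address is unresolved (FAILED / absent).
learned_mac() {
    printf '%s\n' "$1" | awk -v gw="$2" '$1 == gw && $2 == "lladdr" { print $3; exit }'
}

# pin_decision NEIGH_OUTPUT GATEWAY EXPECTED_MAC -> one of:
#   pin       learned MAC equals the expected one (case-insensitive)
#   skip      gateway not resolved yet, nothing to compare against
#   mismatch  gateway resolves elsewhere: wrong network, or a host answering
#             for the gateway; pinning now would cut this box off
pin_decision() {
    have=$(learned_mac "$1" "$2")
    if [ -z "$have" ]; then
        echo skip
    elif [ "$(printf '%s' "$have" | tr 'A-F' 'a-f')" = "$(printf '%s' "$3" | tr 'A-F' 'a-f')" ]; then
        echo pin
    else
        echo mismatch
    fi
}

# pin_gateway: read the live table, decide, and install a permanent entry.
# "ip neigh replace ... nud permanent" is the iproute2 form of "arp -s".
pin_gateway() {
    neigh=$(ip -4 neigh show dev "$IFACE" 2>/dev/null) || return 1
    case "$(pin_decision "$neigh" "$GW" "$GW_MAC")" in
        pin)
            ip neigh replace "$GW" lladdr "$GW_MAC" nud permanent dev "$IFACE"
            ;;
        mismatch)
            echo "refusing to pin $GW on $IFACE: learned MAC is not $GW_MAC" >&2
            return 2
            ;;
        skip)
            echo "$GW not resolved on $IFACE yet; pin skipped" >&2
            return 3
            ;;
    esac
}

if [ "$1" = "--apply" ]; then
    pin_gateway
fi
```

Run it after the interface is up and has traffic (a ping to the gateway first will populate the entry), and clear the pin with `ip neigh del 192.168.100.1 dev bond0` before changing networks; the static entry protects the gateway mapping only while the box is actually on the LAN the MAC belongs to.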
Code:
-A INPUT -s 192.168.100.0/24 -j ACCEPT