LinuxQuestions.org
Old 04-23-2005, 12:42 AM   #16
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371

you're very welcome!! let me know if any issues come up... good luck!!
 
Old 04-23-2005, 12:46 AM   #17
meinzorn
Member
 
Registered: Jan 2004
Posts: 44

Original Poster
Rep: Reputation: 15
hmm.. kinda an issue, not that big of one I guess....

but pre this, I had apache set up, as well as proftpd and they worked fine...

now they aren't working.. is it related, or did I change something without realizing it ?

ssh also isn't working...... which is more of an issue than anything... I planned on using that mostly when I needed to do anything with the machine.

Last edited by meinzorn; 04-23-2005 at 12:49 AM.
 
Old 04-23-2005, 12:49 AM   #18
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
you mean, like, to access those services on your box from the internet??
 
Old 04-23-2005, 12:50 AM   #19
meinzorn
Member
 
Registered: Jan 2004
Posts: 44

Original Poster
Rep: Reputation: 15
well, yeah, or the local network.. from the windows machine..

and when I try to connect with ssh, it just times out.

same with http

Last edited by meinzorn; 04-23-2005 at 12:53 AM.
 
Old 04-23-2005, 12:54 AM   #20
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally posted by meinzorn
hmm.. kinda an issue, not that big of one I guess....

but pre this, I had apache set up, as well as proftpd and they worked fine...

now they aren't working.. is it related, or did I change something without realizing it ?

ssh also isn't working...... which is more of an issue than anything... I planned on using that mostly when I needed to do anything with the machine.
Quote:
well, yeah, or the local network..

and when I try to connect with ssh, it just times out.

same with http
no problem, we just need to add a few rules to the script allowing http, ftp, and ssh (the original script i wrote was designed for complete stealth on the external interface, as i didn't know you were running services on it)...

here you go (the relevant rules are in bold):

Code:
#!/bin/sh

IPT="/usr/sbin/iptables"

# internal (LAN) and external (dial-up PPP) interfaces
LAN_IFACE="eth0"
INET_IFACE="ppp0"

# kernel settings: forwarding stays off while the rules are rebuilt,
# SYN cookies on, reverse-path filtering on, source routing off,
# packets with impossible (martian) source addresses are logged
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# flush all rules and delete any user-defined chains in every table
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

# default policies: drop anything not explicitly allowed in or through
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# INPUT: replies to our own connections, loopback, ping requests, then the
# three rules added for the services running on this box (ftp, ssh, http);
# anything else is logged with the "INPUT DROP: " prefix and hits the DROP policy
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP --dport 21 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

# FORWARD: only the LAN may open new connections towards the internet
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $LAN_IFACE -o $INET_IFACE \
-m state --state NEW -j ACCEPT
$IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "

# masquerade the LAN behind the (dynamic) external address
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

# connection-tracking helpers so active ftp and irc DCC work through the NAT
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc

# rules are in place, now enable forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "So let it be written. So let it be done."

Last edited by win32sux; 04-23-2005 at 12:57 AM.
 
Old 04-23-2005, 01:01 AM   #21
meinzorn
Member
 
Registered: Jan 2004
Posts: 44

Original Poster
Rep: Reputation: 15
ok, so if I need a port opened for whatever reason, it's just like those added lines, only change the port number?
 
Old 04-23-2005, 01:11 AM   #22
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
yeah, basically... but it wouldn't be a bad idea to do some reading about iptables/netfilter so you can have a better understanding of what the script is doing:

http://www.linuxguruz.com/iptables/howto/

http://www.linuxguruz.com/iptables/

http://www.justlinux.com/nhf/Securit...es_Basics.html

http://iptables-tutorial.frozentux.n...-tutorial.html

for more iptables info: http://www.google.com/linux?hl=en&lr...es&btnG=Search

;-)


Last edited by win32sux; 04-23-2005 at 01:22 AM.
 
Old 04-23-2005, 01:32 AM   #23
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
BTW, that script is logging every packet that gets blocked by the firewall... you can see what packets are getting blocked in "real-time" by doing a:

Code:
tail -f /var/log/syslog
(you need to have sysklogd installed for this to work)

this is good for troubleshooting and stuff... like, for example when you weren't able to SSH to the box - by monitoring the log file you would have noticed the port 22 packets getting blocked... so you would have known it was a firewall issue right away...

it's also good for seeing all the weird spiders that crawl all over the internet... hehe...


Last edited by win32sux; 04-23-2005 at 01:33 AM.
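An added example (not from the thread) that ties the two pieces of advice above together: it parses the "INPUT DROP: " lines the script logs to syslog, so you can see which ports and sources are being blocked, and then prints a new INPUT rule in the same shape as the ftp/ssh/http lines of the script. The log lines and addresses are constructed samples, and blocked_summary and allow_rule are names chosen here.

```shell
#!/bin/sh
# Constructed sample of kernel log lines in the form the script's LOG target
# writes them (not real output from the thread).
SAMPLE_LOG='Apr 23 00:55:01 box kernel: INPUT DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51022 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 00:55:03 box kernel: INPUT DROP: IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=51023 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 23 00:55:09 box kernel: INPUT DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=77 PROTO=TCP SPT=3311 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 23 00:55:12 box kernel: INPUT DROP: IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.7 LEN=36 TOS=0x00 PREC=0x00 TTL=110 ID=78 PROTO=UDP SPT=1900 DPT=137 LEN=16
Apr 23 00:55:20 box kernel: FORWARD DROP: IN=eth0 OUT=ppp0 SRC=192.168.0.10 DST=192.0.2.9 PROTO=TCP SPT=4000 DPT=25 SYN'

# blocked_summary PREFIX: read log lines on stdin and count dropped packets
# per PROTO/DPT/SRC for one LOG prefix (e.g. "INPUT DROP"), most frequent first.
blocked_summary() {
    grep "$1: " | awk '{
        proto = ""; dpt = ""; src = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
        }
        if (proto != "" && dpt != "") n[proto "/" dpt " from " src]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# allow_rule PROTO PORT [IFACE]: print an INPUT rule shaped like the ftp/ssh/http
# lines of the script. It validates the arguments and only prints the rule
# (it does not run iptables), so the line can be checked before it goes in the script.
allow_rule() {
    proto=$1; port=$2; iface=${3:-}
    case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    iface_opt=""
    [ -n "$iface" ] && iface_opt="-i $iface "
    printf '$IPT -A INPUT %s-p %s --dport %s -m state --state NEW -j ACCEPT\n' "$iface_opt" "$proto" "$port"
}

# usage: what is being dropped on INPUT, then a rule for a new service (https)
printf '%s\n' "$SAMPLE_LOG" | blocked_summary "INPUT DROP"
allow_rule tcp 443
```

Against a live box, replace the sample with `tail -f /var/log/syslog | blocked_summary "INPUT DROP"`; the optional third argument restricts the rule to one interface, for a service that should only be reachable from the LAN.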