iptables configuration
I'm running Slack 10.1 on my mp3 server through port 8001. I want to set up my iptables so that I have a good firewall from the command line. Is there an iptables.conf file in Slack that I need to modify so that this runs?
If you mean write a firewall from scratch, you call the file rc.firewall and it goes in /etc/rc.d/rc.firewall.
Here's a quick guide to a simple setup on Slack:
You'll probably want to enable (or build if it doesn't exist) the ipt_state module for your kernel:
modprobe ipt_state
(if it doesn't exist, go into your kernel tree and enable it as a module, and do the make modules_install thing...)
A simple setup is to start running iptables:
sudo iptables &
Set up your basic rules:
sudo iptables -A INPUT -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p icmp -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
# for the server you mentioned in your post:
sudo iptables -A INPUT -p tcp --dport 8001 -j ACCEPT
sudo iptables --policy FORWARD DROP
sudo iptables --policy INPUT DROP
This will set up your firewall to only allow ssh and 8001 in, and allow you to connect out.
To get this to work on reboot:
sudo iptables-save > ~/iptables-save
sudo cp ~/iptables-save /etc
then add the following line to /etc/rc.d/rc.local:
iptables-restore /etc/iptables-save
If this is your first time setting it up, do it locally (not over ssh) so you don't lock yourself out by chance...
good luck,
-sv
Quote:
You should be able to get away with just telling it to:
make modules_install
If you didn't change anything else about your kernel config, it will build any modules that haven't already been built and installed. Then you can load up the module with your existing kernel. I don't believe it's the optimal way to do it, but it would allow you to build the least amount of software... First things first, try:
sudo modprobe ipt_state
and see if it works. If so, no need to change any modules or kernel config.
-sv
Sounds good. Thanks for the info!
I'd like to be able to FTP across my network on port 21. Would I just add the following line to the file I created above:
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
I modified a Gentoo script to work for some of my gateway machines. It's best to use rc.firewall to load the rules as they will be loaded before the interfaces and forwarding come up and besides that's kinda what the rest of the scripts expect.
Be sure to uncomment any useful modules in rc.modules. Unless you specifically call it with a rule, the FTP conntrack module won't otherwise be loaded. The rc.modules script makes sure you aren't stuck with passive mode inside a NAT'ed LAN, for example. It is also a good idea to drop INVALID before accepting ESTABLISHED,RELATED. If it's a public server it would be more polite to REJECT than DROP packets, so, for example, friendly users checking for a website won't have to wait for a timeout. If you are really worried you can use limit for the REJECT rule and drop the overflow. This is the modified Gentoo script I use. It's much easier in the long run to write a disposable script with rules in it and then use the following script to save/restore the tables. After you set up your table, you will likely be editing the tables by hand and will only need to save your work when you like your tables.
Code:
#!/bin/sh
OK, I messed up. Now my iptables reject anything not on the network except for web surfing (ssh still works). I had to make an opening for no-ip2 to be able to update my dynamic IP address on port 8245. I googled around and glanced through the iptables man page. Then I added 2 lines to supervince's iptables-save file from above:
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8245 -j ACCEPT
When I type iptables --list I get this:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  localhost            anywhere
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8001
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8245

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
I did a reboot and the problem still exists. iptables -F didn't take care of the problem. What's wrong?
Got it working. I did iptables -F, rebooted, and turned off my router. Then I booted into Red Hat 9 and then went back into Slack. iptables --list showed that there were no rules, I was able to do an FTP within my network and I got my server running again on the internet. Then I did an iptables-restore ~/iptables-save with my 2 new rules for FTP and port 8245 and once again am not able to FTP within my network.
Any ideas as to why? Is this the way a rule for FTP is done?
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
The main issue is that FTP operates on more than just port 21. I think you need to open up ports 20 and 21 and then you need a range of ports open for data transfer. I've been using vsftp (as it comes with Slackware) and I've set it up so that it uses the port range 50000 to 51000 for PASV connections. I also have my firewall set up to accept incoming connections on 20, 21 and 50000-51000.
You should only have to allow port 21 and then add --state RELATED (or edit the "--state ESTABLISHED" rule to read "--state ESTABLISHED,RELATED -j ACCEPT"). As long as the ip_conntrack_ftp module is loaded from rc.modules, netfilter will automatically determine which other connections are related and will allow them.
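Putting the basic ruleset from the first reply together with the later advice in this thread (load the FTP conntrack helper, drop INVALID first, accept ESTABLISHED,RELATED, rate-limited REJECT for a public server) as an rc.firewall script. This is an added example, not a script anyone posted in the thread; the 5/second limit, the loopback-by-interface rule and the nf_conntrack_ftp fallback module name are my own choices.

```shell
#!/bin/sh
# Added example, not a script from this thread: an /etc/rc.d/rc.firewall that
# combines the basic INPUT rules above with the later advice: load the FTP
# conntrack helper, drop INVALID before ESTABLISHED,RELATED, and REJECT
# (rate-limited) instead of silently dropping on a public server.

# TCP services to accept (ports taken from the thread).
SERVICES="ssh 8001 ftp 8245"

# fw_rules prints the iptables commands instead of running them, so the
# ruleset can be reviewed (./rc.firewall show) before it is applied.
fw_rules() {
    echo "iptables -F INPUT"
    echo "iptables -F FORWARD"
    echo "iptables --policy INPUT DROP"
    echo "iptables --policy FORWARD DROP"
    echo "iptables --policy OUTPUT ACCEPT"
    # match loopback by interface rather than by 127.0.0.1 source address,
    # so a spoofed 127.0.0.1 packet arriving on a real NIC is not accepted
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # drop INVALID before the state accept, as advised above
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    # RELATED is what lets conntrack admit the FTP data connection
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p icmp -j ACCEPT"
    for svc in $SERVICES; do
        echo "iptables -A INPUT -p tcp -m tcp --dport $svc -j ACCEPT"
    done
    # reject politely, but limit the rate of rejects and drop the overflow
    echo "iptables -A INPUT -m limit --limit 5/second -j REJECT"
    echo "iptables -A INPUT -j DROP"
}

case "$1" in
    show) fw_rules ;;
    start)
        modprobe ipt_state
        # older kernels name the helper ip_conntrack_ftp, newer ones nf_conntrack_ftp
        modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
        fw_rules | sh -e
        ;;
esac
```

Run it with `show` first and compare against `iptables -L -n --line-numbers` after `start`; the INVALID drop must sit above the ESTABLISHED,RELATED accept for the ordering advice above to take effect.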