iptables configuration
I'm running Slack 10.1 on my mp3 server through port 8001. I want to set up my iptables so that I have a good firewall from the command line. Is there an iptables.conf file in Slack that I need to modify so that this runs?
You'll probably want to enable (or build, if it doesn't exist) the ipt_state module for your kernel:
modprobe ipt_state
(if it doesn't exist, go into your kernel tree and enable it as a module, and do the make modules_install thing...)
A simple setup is to start running iptables:
sudo iptables &
Set up your basic rules:
sudo iptables -A INPUT -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p icmp -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
#for the server you mentioned in your post:
sudo iptables -A INPUT -p tcp --dport 8001 -j ACCEPT
sudo iptables --policy FORWARD DROP
sudo iptables --policy INPUT DROP
This will set up your firewall to only allow ssh and 8001 in, and allow you to connect out.
To get this to work on reboot,
sudo iptables-save > ~/iptables-save
sudo cp ~/iptables-save /etc
then add the following line to /etc/rc.d/rc.local:
iptables-restore /etc/iptables-save
If this is your first time setting it up, do it locally (not over ssh) so you don't lock yourself out by chance...
good luck,
-sv
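The ruleset from the post above, written up as an added example (not code from the thread or from supervince): it renders the same rules in the format iptables-save produces, checks that the file still accepts loopback and the ssh port before anything is loaded, and applies it with a timed rollback so a mistake made over ssh undoes itself. It assumes it runs as root with iptables-save/iptables-restore in PATH; the rollback file path and the port variables are made-up defaults. The one deliberate change from the post is matching loopback on the interface (-i lo) instead of on a 127.0.0.1 source address.

```shell
#!/bin/sh
# Added example, not code from the thread: supervince's ruleset as an
# iptables-restore file, a check that it cannot lock you out, and an apply
# step that schedules an automatic rollback. Must run as root to apply.
# Assumed: iptables-save/iptables-restore are in PATH; ROLLBACK_FILE is a
# made-up default path.

SSH_PORT=${SSH_PORT:-22}
APP_PORT=${APP_PORT:-8001}       # the mp3 server port from the thread
ROLLBACK_FILE=${ROLLBACK_FILE:-/etc/iptables-save.rollback}
ROLLBACK_SECS=${ROLLBACK_SECS:-60}

# Same policy as the post, in iptables-save format: loopback, replies to our
# own connections, icmp, ssh ($1) and the server port ($2) are accepted,
# everything else inbound is dropped, forwarding is dropped, all outbound
# traffic is allowed. Loopback is matched on the interface (-i lo) rather
# than on a 127.0.0.1 source, so a packet arriving on a real interface with a
# forged 127.0.0.1 source is not accepted.
build_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport $1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport $2 -j ACCEPT
COMMIT
EOF
}

# Reads a ruleset on stdin. Returns 0 when loopback and the ssh port ($1)
# are accepted and INPUT defaults to DROP; otherwise reports what is wrong
# on stderr and returns 1.
check_ruleset() {
    rules=$(cat)
    ok=0
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo -j ACCEPT$' \
        || { echo "loopback is not accepted" >&2; ok=1; }
    printf '%s\n' "$rules" | grep -q -- "--dport $1 -j ACCEPT" \
        || { echo "ssh port $1 is not accepted: applying this would lock you out" >&2; ok=1; }
    printf '%s\n' "$rules" | grep -q -- '^:INPUT DROP' \
        || { echo "INPUT policy is not DROP" >&2; ok=1; }
    return $ok
}

# Check, save the running tables, load the new ones and start a timer that
# puts the old tables back. If you can still log in, kill the timer (its PID
# is printed); if you cannot, the rollback restores access by itself.
apply_with_rollback() {
    build_ruleset "$SSH_PORT" "$APP_PORT" | check_ruleset "$SSH_PORT" || return 1
    iptables-save > "$ROLLBACK_FILE" || return 1
    build_ruleset "$SSH_PORT" "$APP_PORT" | iptables-restore || return 1
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$ROLLBACK_FILE" ) &
    echo "rules loaded; old tables return in ${ROLLBACK_SECS}s unless you run: kill $!"
}

case "${1:-}" in
    print) build_ruleset "$SSH_PORT" "$APP_PORT" ;;
    check) build_ruleset "$SSH_PORT" "$APP_PORT" | check_ruleset "$SSH_PORT" ;;
    apply) apply_with_rollback ;;
esac
```

Run it as `sh fw.sh print` to see the file, `sh fw.sh check` to validate it, and `sh fw.sh apply` to load it; once you have confirmed a fresh ssh login still works, kill the printed PID and persist the result exactly as the post says (iptables-save to /etc/iptables-save and the iptables-restore line in /etc/rc.d/rc.local).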
you should be able to get away with just telling it to:
make modules_install
If you didn't change anything else about your kernel config, it will build any modules that haven't already been built and installed. Then you can load up the module with your existing kernel. I don't believe it's the optimal way to do it, but it would allow you to build the least amount of software...
First things first, try:
sudo modprobe ipt_state
and see if it works. If so, no need to change any modules or kernel config.
-sv
Last edited by supervince; 03-16-2006 at 12:04 PM.
I modified a Gentoo script to work for some of my gateway machines. It's best to use rc.firewall to load the rules as they will be loaded before the interfaces and forwarding come up and besides that's kinda what the rest of the scripts expect.
Be sure to uncomment any useful modules in rc.modules. Unless you specifically call it with a rule, the FTP conntrack module won't otherwise be loaded. The rc.modules script makes sure you aren't stuck with passive mode inside a NAT'ed LAN, for example.
It's also a good idea to drop INVALID before accepting ESTABLISHED,RELATED.
If it's a public server it would be more polite to REJECT than DROP packets so, for example, friendly users checking for a website won't have to wait for a timeout. If you are really worried you can use limit for the REJECT rule and drop the overflow.
This is the modified Gentoo script I use. It's much easier in the long run to write a disposable script with rules in it and then use the following script to save/restore the tables. After you set up your table, you will likely be editing the tables by hand and will only need to save your work when you like your tables.
Code:
#!/bin/sh
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or
# later
# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables.init,v 1.3 2004/01/26 10:40:42 aliz Exp $
# Not sure you can copyright a script, but this script has been modified by
# Revolt Ltd.

# Directory holding iptables, iptables-save and iptables-restore (trailing
# slash required). Slackware's own package installs them in /usr/sbin/.
IPTP=/usr/local/sbin/
# Ruleset restored on 'start' and written on 'save'
IPTABLES_SAVE=/etc/current_table
# Dated, numbered backups of the previous ruleset are kept here on 'save'
OLD_TABLE_DIR=/var/log/oldtables/
# Extra options for iptables-save/iptables-restore (e.g. -c to keep counters)
SAVE_RESTORE_OPTIONS=

checkrules() {
    if [ ! -f "${IPTABLES_SAVE}" ]
    then
        echo "Not starting iptables. First create some rules then run"
        echo "/etc/rc.d/rc.firewall save"
        return 1
    else
        printf '\033[32m\033[1mgood!\033[0m\n'
    fi
}

start() {
    # Refuse to start without a saved table instead of failing inside iptables-restore
    checkrules || return 1
    echo "Loading iptables state and starting firewall"
    echo "Restoring iptables ruleset"
    "${IPTP}iptables-restore" ${SAVE_RESTORE_OPTIONS} < "${IPTABLES_SAVE}"
    rc=$?
    # Forwarding is only switched on once the rules are in place
    if [ -x /etc/rc.d/rc.ip_forward ] ; then
        /etc/rc.d/rc.ip_forward start
    fi
    # Report the restore's status, not that of the if above
    success "$rc"
}

stop() {
    echo "Stopping firewall"
    # set sane defaults that disable forwarding
    if [ -f /proc/sys/net/ipv4/conf/all/forwarding ] && [ -x /etc/rc.d/rc.ip_forward ] ; then
        /etc/rc.d/rc.ip_forward stop
    fi
    for table in $(cat /proc/net/ip_tables_names); do
        "${IPTP}iptables" -F -t "${table}"
        "${IPTP}iptables" -X -t "${table}"
        # '=' rather than '==': the script runs under /bin/sh, which need not be bash
        if [ "${table}" = nat ]; then
            "${IPTP}iptables" -t nat -P PREROUTING ACCEPT
            "${IPTP}iptables" -t nat -P POSTROUTING ACCEPT
            "${IPTP}iptables" -t nat -P OUTPUT ACCEPT
        elif [ "${table}" = mangle ]; then
            "${IPTP}iptables" -t mangle -P PREROUTING ACCEPT
            "${IPTP}iptables" -t mangle -P INPUT ACCEPT
            "${IPTP}iptables" -t mangle -P FORWARD ACCEPT
            "${IPTP}iptables" -t mangle -P OUTPUT ACCEPT
            "${IPTP}iptables" -t mangle -P POSTROUTING ACCEPT
        elif [ "${table}" = filter ]; then
            "${IPTP}iptables" -t filter -P INPUT ACCEPT
            "${IPTP}iptables" -t filter -P FORWARD ACCEPT
            "${IPTP}iptables" -t filter -P OUTPUT ACCEPT
        fi
    done
    success
}

reload() {
    printf 'Flushing firewall . . . '
    for table in $(cat /proc/net/ip_tables_names); do
        "${IPTP}iptables" -F -t "${table}"
        "${IPTP}iptables" -X -t "${table}"
    done
    success
    start
}

save() {
    mkdir -p "${OLD_TABLE_DIR}"
    # Back up the previous table first (there is nothing to back up on the first save)
    if [ -f "${IPTABLES_SAVE}" ]; then
        cp --backup=numbered "${IPTABLES_SAVE}" "${OLD_TABLE_DIR}$(date +%m-%d-%y)-table"
    fi
    printf 'Saving iptables state . . . '
    "${IPTP}iptables-save" ${SAVE_RESTORE_OPTIONS} > "${IPTABLES_SAVE}"
    success
}

# Report the exit status given as $1, or that of the command run just before the call
success() {
    rc=${1:-$?}
    if [ "$rc" = "0" ]
    then
        printf '\033[32m\033[1mSuccess!\033[0m\n'
    else
        printf "\033[31m\033[1mCrap! something didn't work\033[0m\n"
    fi
}

case "$1" in
'start')
    start
    ;;
'stop')
    stop
    ;;
'reload')
    reload
    ;;
'check')
    checkrules
    ;;
'save')
    save
    ;;
*)
    echo "usage $0 start|stop|reload|check|save"
    exit 1
esac
Original Poster
OK, I messed up, and now my iptables reject anything not on the network except for web surfing (ssh still works). I had to make an opening for no-ip2 to be able to update my dynamic IP address on port 8245. I googled around and glanced through the iptables man page. Then I added 2 lines to supervince's iptables-save file from above:
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8245 -j ACCEPT
Original Poster
Got it working. I did iptables -F, rebooted, and turned off my router. Then I booted into Red Hat 9 and then went back into Slack. iptables --list showed that there were no rules, I was able to do an FTP within my network and I got my server running again on the internet. Then I did an iptables-restore ~/iptables-save with my 2 new rules for FTP and port 8245 and once again am not able to FTP within my network.
Any ideas as to why? Is this the way a rule for FTP is done?
The main issue is that FTP operates on more than just port 21. I think you need to open up ports 20 and 21 and then you need a range of ports open for data transfer. I've been using vsftp (as it comes with Slackware) and I've set it up so that it uses the port range 50000 to 51000 for PASV connections. I also have my firewall set up to accept incoming connections on 20, 21 and 50000-51000.
You should only have to allow port 21 and then add --state RELATED (or edit the "--state ESTABLISHED" rule to read "--state ESTABLISHED,RELATED -j ACCEPT"). As long as the ip_conntrack_ftp module is loaded from rc.modules, netfilter will automatically determine which other connections are related and will allow them.
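The two points made in this thread about the state rule, the missing RELATED that breaks FTP (this reply) and dropping INVALID before the ESTABLISHED,RELATED accept (the rc.firewall post), as an added example that is not from the thread: a small audit of an iptables-save file that reports both problems, and a sed rewrite that turns the ESTABLISHED-only rule into the recommended pair. The sample ruleset is constructed to mirror the original poster's file with ports 21 and 8245 added; the module check reads /proc/modules and accepts either the old ip_conntrack_ftp or the newer nf_conntrack_ftp name.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an iptables-save file for
# (1) port 21 open while replies are only matched with --state ESTABLISHED,
# so the FTP data connection (which is RELATED, not ESTABLISHED) is dropped,
# and (2) no '--state INVALID -j DROP' rule ahead of the state accept.

# Constructed sample: the original poster's ruleset with 21 and 8245 added.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8245 -j ACCEPT
COMMIT'

# Print the line number of the first line of ruleset $1 matching pattern $2,
# or 0 when nothing matches. Rule order is what matters for INVALID.
rule_line() {
    n=$(printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Audit ruleset $1: one finding per line on stdout; returns the number of
# findings, so 0 means clean.
audit_rules() {
    rules=$1
    findings=0
    est=$(rule_line "$rules" '^-A INPUT -m state --state ESTABLISHED -j ACCEPT')
    estrel=$(rule_line "$rules" '^-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT')
    inv=$(rule_line "$rules" '^-A INPUT -m state --state INVALID -j DROP')
    ftp=$(rule_line "$rules" '--dport 21 -j ACCEPT')
    if [ "$ftp" -gt 0 ] && [ "$estrel" -eq 0 ]; then
        echo "port 21 is open but replies match --state ESTABLISHED only: FTP data connections are RELATED and will be dropped"
        findings=$((findings + 1))
    fi
    # whichever state accept exists is the one the INVALID drop must precede
    state_accept=$estrel
    if [ "$state_accept" -eq 0 ]; then state_accept=$est; fi
    if [ "$inv" -eq 0 ]; then
        echo "no '--state INVALID -j DROP' rule: add one before the ESTABLISHED,RELATED accept"
        findings=$((findings + 1))
    elif [ "$state_accept" -gt 0 ] && [ "$inv" -gt "$state_accept" ]; then
        echo "INVALID is dropped after the state accept: move it before that rule"
        findings=$((findings + 1))
    fi
    return $findings
}

# Rewrite the ESTABLISHED-only accept in ruleset $1 into the recommended
# pair: drop INVALID first, then accept ESTABLISHED,RELATED.
fix_state_rules() {
    printf '%s\n' "$1" | sed \
        -e 's/^-A INPUT -m state --state ESTABLISHED -j ACCEPT$/-A INPUT -m state --state INVALID -j DROP\
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT/'
}

# 0 when the kernel's FTP connection-tracking helper is loaded (older
# kernels call it ip_conntrack_ftp, newer ones nf_conntrack_ftp).
ftp_helper_loaded() {
    grep -q -E '^(ip|nf)_conntrack_ftp ' /proc/modules 2>/dev/null
}

case "${1:-}" in
    audit)
        audit_rules "$(cat)"
        ftp_helper_loaded || echo "note: the FTP conntrack helper is not loaded; enable ip_conntrack_ftp in /etc/rc.d/rc.modules"
        ;;
    fix)  fix_state_rules "$(cat)" ;;
    demo) audit_rules "$SAMPLE_RULES"; echo "--- after fix ---"; fix_state_rules "$SAMPLE_RULES" ;;
esac
```

Usage: `sh ftpaudit.sh audit < /etc/iptables-save` reports the findings, `sh ftpaudit.sh fix < /etc/iptables-save > /tmp/new-table` writes the corrected file for review before you load it with iptables-restore, and `sh ftpaudit.sh demo` runs both over the constructed sample.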