LinuxQuestions.org
Old 03-16-2006, 10:12 AM   #1
linuxhippy
Senior Member
 
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu
Posts: 1,189

Rep: Reputation: 47
iptables configuration


I'm running Slack 10.1 on my mp3 server through port 8001. I want to set up my iptables so that I have a good firewall from the command line. Is there an iptables.conf file in Slack that I need to modify so that this runs?
 
Old 03-16-2006, 11:20 AM   #2
simcox1
Member
 
Registered: Mar 2005
Location: UK
Distribution: Slackware
Posts: 794
Blog Entries: 2

Rep: Reputation: 30
If you mean write a firewall from scratch, you call the file rc.firewall and it goes in /etc/rc.d/rc.firewall.
 
Old 03-16-2006, 12:33 PM   #3
supervince
LQ Newbie
 
Registered: Feb 2006
Location: US
Distribution: Slackware, Fedora, and OpenBSD
Posts: 3

Rep: Reputation: 0
Here's a quick guide to a simple setup on slack:

You'll probably want to enable (or build if it doesn't exist) the ipt_state module for your kernel:
modprobe ipt_state

(if it doesn't exist, go into your kernel tree and enable it as a module, and do the make modules_install thing...)

A simple setup is to start running iptables:
sudo iptables &

Set up your basic rules:
sudo iptables -A INPUT -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p icmp -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
#for the server you mentioned in your post:
sudo iptables -A INPUT -p tcp --dport 8001 -j ACCEPT

sudo iptables --policy FORWARD DROP
sudo iptables --policy INPUT DROP

this will set up your firewall to only allow ssh and 8001 in, and allow you to connect out.

To get this to work on reboot,
sudo iptables-save > ~/iptables-save
sudo cp ~/iptables-save /etc

then add the following line to /etc/rc.d/rc.local:
iptables-restore /etc/iptables-save

if this is your first time setting it up, do it locally (not over ssh) so you don't lock yourself out by chance...
good luck,
-sv
 
Old 03-16-2006, 12:50 PM   #4
linuxhippy
Senior Member
 
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu
Posts: 1,189

Original Poster
Rep: Reputation: 47
Quote:
Originally Posted by supervince
(if it doesn't exist, go into your kernel tree and enable it as a module, and do the make modules_install thing...)
Do you mean rebuild the kernel? This machine is way too slow for that at 200 MHz.
 
Old 03-16-2006, 01:03 PM   #5
supervince
LQ Newbie
 
Registered: Feb 2006
Location: US
Distribution: Slackware, Fedora, and OpenBSD
Posts: 3

Rep: Reputation: 0
you should be able to get away with just telling it to:
make modules_install

If you didn't change anything else about your kernel config, it will build any modules that haven't already been built and installed. Then you can load up the module with your existing kernel. I don't believe it's the optimal way to do it, but it would allow you to build the least amount of software...

first things first, try:
sudo modprobe ipt_state
and see if it works. If so, no need to change any modules or kernel config
-sv

Last edited by supervince; 03-16-2006 at 01:04 PM.
 
Old 03-16-2006, 02:16 PM   #6
linuxhippy
Senior Member
 
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu
Posts: 1,189

Original Poster
Rep: Reputation: 47
sounds good-thanks for the info!
 
Old 03-16-2006, 07:31 PM   #7
linuxhippy
Senior Member
 
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu
Posts: 1,189

Original Poster
Rep: Reputation: 47
I'd like to be able to FTP across my network on port 21. Would I just add the following line to the file I created above:

-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

Last edited by linuxhippy; 03-16-2006 at 07:45 PM.
 
Old 03-17-2006, 04:20 AM   #8
myboysherman
LQ Newbie
 
Registered: Sep 2003
Distribution: Slackware
Posts: 18

Rep: Reputation: 0
I modified a Gentoo script to work for some of my gateway machines. It's best to use rc.firewall to load the rules as they will be loaded before the interfaces and forwarding come up and besides that's kinda what the rest of the scripts expect.

Be sure to uncomment any useful modules in rc.modules. Unless you specifically call it with a rule, the FTP conntrack module won't otherwise be loaded. The rc.modules script makes sure you aren't stuck with passive mode inside a NAT'ed lan for example.

Also a good idea to drop INVALID before accepting ESTABLISHED,RELATED.

If it's a public server it would be more polite to REJECT than DROP packets so for example, friendly users checking for a website won't have to wait for a timeout. If you are really worried you can use limit for the REJECT rule and drop the overflow.

This is the modified Gentoo script I use. It's much easier in the long run to write a disposable script with rules in it and then use the following script to save/restore the tables. After you set up your table, you will likely be editing the tables by hand and will only need to save your work when you like your tables.

Code:
#!/bin/sh
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or
# later
# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables.init,v 1.3 2004/01/26 10:40:42 aliz Exp $
# Not sure you can copyright a script, but this script has been modified by
# Revolt Ltd.

IPTP=/usr/local/sbin/              # directory holding the iptables binaries
IPTABLES_SAVE=/etc/current_table   # live ruleset, in iptables-save format
OLD_TABLE_DIR=/var/log/oldtables/  # dated copies of earlier rulesets (directory must exist)
SAVE_RESTORE_OPTIONS=

checkrules() {
        if [ ! -f ${IPTABLES_SAVE} ]
        then
                echo "Not starting iptables. First create some rules then run"
                echo "/etc/rc.d/rc.firewall save"
                return 1
        else
                echo -e '\E[32m'"\033[1mgood!\033[0m"
        fi
        }

start() {
        # refuse to start without a saved ruleset rather than failing on the redirect below
        checkrules || return 1
        echo "Loading iptables state and starting firewall"
        echo "Restoring iptables ruleset"
        ${IPTP}iptables-restore ${SAVE_RESTORE_OPTIONS} < ${IPTABLES_SAVE}
        rc=$?

        if [ -x /etc/rc.d/rc.ip_forward ] ; then
                /etc/rc.d/rc.ip_forward start
        fi
        success $rc
        }

stop() {
        echo "Stopping firewall"
        # set sane defaults that disable forwarding
        if [ -f /proc/sys/net/ipv4/conf/all/forwarding -a -x /etc/rc.d/rc.ip_forward ] ; then
                /etc/rc.d/rc.ip_forward stop
        fi

        rc=0
        # flush every loaded table and reset its policies to ACCEPT
        for table in $(cat /proc/net/ip_tables_names); do
                ${IPTP}iptables -F -t ${table} || rc=1
                ${IPTP}iptables -X -t ${table} || rc=1

                if [ "${table}" = nat ]; then
                        ${IPTP}iptables -t nat -P PREROUTING ACCEPT
                        ${IPTP}iptables -t nat -P POSTROUTING ACCEPT
                        ${IPTP}iptables -t nat -P OUTPUT ACCEPT
                elif [ "${table}" = mangle ]; then
                        ${IPTP}iptables -t mangle -P PREROUTING ACCEPT
                        ${IPTP}iptables -t mangle -P INPUT ACCEPT
                        ${IPTP}iptables -t mangle -P FORWARD ACCEPT
                        ${IPTP}iptables -t mangle -P OUTPUT ACCEPT
                        ${IPTP}iptables -t mangle -P POSTROUTING ACCEPT
                elif [ "${table}" = filter ]; then
                        ${IPTP}iptables -t filter -P INPUT ACCEPT
                        ${IPTP}iptables -t filter -P FORWARD ACCEPT
                        ${IPTP}iptables -t filter -P OUTPUT ACCEPT
                fi
        done
        success $rc
        }

reload() {
        echo -n "Flushing firewall . . .   "
        rc=0
        for table in $(cat /proc/net/ip_tables_names); do
                ${IPTP}iptables -F -t ${table} || rc=1
                ${IPTP}iptables -X -t ${table} || rc=1
        done
        success $rc
        start
        }

save() {
        # keep a dated, numbered copy of the previous ruleset before overwriting it
        if [ -f ${IPTABLES_SAVE} ]; then
                cp --backup=numbered ${IPTABLES_SAVE} ${OLD_TABLE_DIR}$(date +%m-%d-%y)-table
        fi
        echo -n "Saving iptables state . . .  "
        ${IPTP}iptables-save ${SAVE_RESTORE_OPTIONS} > ${IPTABLES_SAVE}
        success $?
        }

success() {
        # report the exit status handed in by the caller (the iptables command
        # that just ran), not the status of an unrelated if/for statement
        if [ "$1" = "0" ]
        then
                echo -e '\E[32m'"\033[1mSuccess!\033[0m"
        else
                echo -e '\E[31m'"\033[1mCrap! something didn't work\033[0m"
        fi
        }

case "$1" in
        'start')
                start
                ;;
        'stop')
                stop
                ;;
        'reload')
                reload
                ;;
        'check')
                checkrules
                ;;
        'save')
                save
                ;;
        *)
                echo "usage $0 start|stop|reload|check|save"
esac
 
Old 03-17-2006, 07:12 PM   #9
linuxhippy
Senior Member
 
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu
Posts: 1,189

Original Poster
Rep: Reputation: 47
OK, I messed up. Now my iptables rejects anything not on the network except for web surfing (ssh still works). I had to make an opening for no-ip2 to be able to update my dynamic IP address on port 8245. I googled around and glanced through the iptables man page. Then I added 2 lines to supervince's iptables-save file from above:

-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8245 -j ACCEPT

When I type iptables --list I get this:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- localhost anywhere
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:8001
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:8245

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I did a reboot and the problem still exists. iptables -F didn't take care of the problem. What's wrong?
 
Old 03-17-2006, 10:19 PM   #10
linuxhippy
Senior Member
 
Registered: Sep 2004
Location: Philadelphia, PA
Distribution: Xubuntu, Mythbuntu, Lubuntu, Picuntu
Posts: 1,189

Original Poster
Rep: Reputation: 47
Got it working. I did iptables -F, rebooted, and turned off my router. Then I booted into Red Hat 9 and then went back into Slack. iptables --list showed that there were no rules; I was able to do an FTP within my network and I got my server running again on the internet. Then I did an iptables-restore ~/iptables-save with my 2 new rules for FTP and port 8245 and once again am not able to FTP within my network.

Any ideas as to why? Is this the way a rule for FTP is done?

ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
 
Old 03-18-2006, 07:55 AM   #11
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,791
Blog Entries: 1

Rep: Reputation: 414
The main issue is that FTP operates on more than just port 21. I think you need to open up ports 20 and 21 and then you need a range of ports open for data transfer. I've been using vsftp (as it comes with Slackware) and I've set it up so that it uses the port range 50000 to 51000 for PASV connections. I also have my firewall set up to accept incoming connections on 20,21 and 50000-510000.
 
Old 03-18-2006, 04:59 PM   #12
myboysherman
LQ Newbie
 
Registered: Sep 2003
Distribution: Slackware
Posts: 18

Rep: Reputation: 0
You should only have to allow port 21 and then add --state RELATED (or edit the "--state ESTABLISHED" rule to read "--state ESTABLISHED,RELATED -j ACCEPT"). As long as the ip_conntrack_ftp module is loaded from rc.modules, netfilter will automatically determine which other connections are related and will allow them.
 