iptables configuration

linuxhippy · 03-16-2006, 09:12 AM

I'm running Slack 10.1 on my mp3 server through port 8001. I want to setup my iptables so that I have a good firewall from the command line. Is there an iptables.conf file in Slack that I need to modify so that this runs?

simcox1 · 03-16-2006, 10:20 AM

If you mean write a firewall from scratch, you call the file rc.firewall and it goes in /etc/rc.d/rc.firewall.

supervince · 03-16-2006, 11:33 AM

Here's a quick guide to a simple setup on slack:

You'll probably want to enable(or build if it doesn't exist) the ipt_state module for your kernel:
modprobe ipt_state

(if it doesn't exist, go into your kernel tree and enable it as a module, and do the make modules_install thing...)

A simple setup is to start running iptables:
sudo iptables &

Set up your basic rules:
sudo iptables -A INPUT -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p icmp -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
#for the server you mentioned in your post:
sudo iptables -A INPUT -p tcp --dport 8001 -j ACCEPT

sudo iptables --policy FORWARD DROP
sudo iptables --policy INPUT DROP

this will set up your firewall to only allow ssh and 8001 in, and allow you to connect out.

To get this to work on reboot,
sudo iptables-save > ~/iptables-save
sudo cp ~/iptables-save /etc

then add the following line to /etc/rc.d/rc.local:
iptables-restore /etc/iptables-save

if this is your first time setting it up, do it locally (not over ssh) so you don't lock yourself out by chance...
good luck,
-sv

linuxhippy · 03-16-2006, 11:50 AM

Quote:

Originally Posted by supervince

(if it doesn't exist, go into your kernel tree and enable it as a module, and do the make modules_install thing...)

Do you mean rebuid the kernel? This machine is way to slow for that at 200 MHz.

supervince · 03-16-2006, 12:03 PM

you should be able to get away with just telling it to:
make modules_install

If you didn't change anything else about your kernel config, it will build any modules that haven't already been built and installed. Then you can load up the module with your existing kernel. It don't believe it's the optimal way to do it, but it would allow you to build the least amount of software...

first things first, try:
sudo modprobe ipt_state
and see if it works. If so, no need to change any modules or kernel config
-sv

linuxhippy · 03-16-2006, 01:16 PM

sounds good-thanks for the info!

linuxhippy · 03-16-2006, 06:31 PM

I'd like to be able to FTP accross my network on port 21. Would I just add the following line to the file I created above:

-A INPUT -p tcp -m -dport 21 -j ACCEPT

myboysherman · 03-17-2006, 03:20 AM

I modified a Gentoo script to work for some of my gateway machines. It's best to use rc.firewall to load the rules as they will be loaded before the interfaces and forwarding come up and besides that's kinda what the rest of the scripts expect.

Be sure to uncomment any useful modules in rc.modules. Unless you specifically call it with a rule, the FTP conntrack module won't otherwise be loaded. The rc.modules script makes sure you aren't stuck with passive mode inside a NAT'ed lan for example.

Also a good idea to drop INVALID before accepting ESTABLISHED,RELATED.

If it's a public server it would be more polite to REJECT than DROP packets so for example, friendly users checking for a website won't have to wait for a timeout. If you are really worried you can use limit for the REJECT rule and drop the overflow.

This is the modified Gentoo script I use. It's much easier in the long run to write a disposable script with rules in it and then use the following script to save/resore the tables. After you set up your table, you will likely be editing the tables by hand and will only need to save your work when you like your tables.

Code:

#!/bin/sh
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License, v2 or
# later
# $Header: /var/cvsroot/gentoo-x86/net-firewall/iptables/files/iptables.init,v 1.3 2004/01/26 10:40:42 aliz Exp $
# Not sure you can copyright a script, but this script has been modified by
# Revolt Ltd.

IPTP=/usr/local/sbin/
IPTABLES_SAVE=/etc/current_table
OLD_TABLE_DIR=/var/log/oldtables/
SAVE_RESTORE_OPTIONS=

checkrules() {
        if [ ! -f ${IPTABLES_SAVE} ]
        then
                echo "Not starting iptables. First create some rules then run"
                echo "/etc/rc.d/rc.firewall save"
                return 1
        else
                echo -e '\E[32m'"\033[1mgood!\033[0m"
        fi
        }

start() {
        echo "Loading iptables state and starting firewall"
        echo "Restoring iptables ruleset"
        ${IPTP}iptables-restore ${SAVE_RESTORE_OPTIONS} < ${IPTABLES_SAVE}

        if [ -x /etc/rc.d/rc.ip_forward ] ; then
                /etc/rc.d/rc.ip_forward start
        fi
        success
        }

stop() {
        echo "Stopping firewall"
                # set sane defaults that disable forwarding
                if [ -f /proc/sys/net/ipv4/conf/all/forwarding -a -x /etc/rc.d/rc.ip_forward ] ; then
                        /etc/rc.d/rc.ip_forward stop
                fi

                for table in `cat /proc/net/ip_tables_names`; do
                        ${IPTP}iptables -F -t ${table}
                        ${IPTP}iptables -X -t ${table}

                        if [ ${table} == nat ]; then
                                ${IPTP}iptables -t nat -P PREROUTING ACCEPT
                                ${IPTP}iptables -t nat -P POSTROUTING ACCEPT
                                ${IPTP}iptables -t nat -P OUTPUT ACCEPT
                        elif [ ${table} == mangle ]; then
                                ${IPTP}iptables -t mangle -P PREROUTING ACCEPT
                                ${IPTP}iptables -t mangle -P INPUT ACCEPT
                                ${IPTP}iptables -t mangle -P FORWARD ACCEPT
                                ${IPTP}iptables -t mangle -P OUTPUT ACCEPT
                                ${IPTP}iptables -t mangle -P POSTROUTING ACCEPT
                        elif [ ${table} == filter ]; then
                                ${IPTP}iptables -t filter -P INPUT ACCEPT
                                ${IPTP}iptables -t filter -P FORWARD ACCEPT
                                ${IPTP}iptables -t filter -P OUTPUT ACCEPT
                        fi
                done
        success
        }

reload() {
        echo -n "Flushing firewall . . .   "
                for table in `cat /proc/net/ip_tables_names`; do
                        ${IPTP}iptables -F -t ${table}
                        ${IPTP}iptables -X -t ${table}
                done;
        success
        start
        }

save() {
        cp --backup=numbered ${IPTABLES_SAVE} ${OLD_TABLE_DIR}$(date +%m-%d-%y)-table
        echo -n "Saving iptables state . . .  "
        ${IPTP}iptables-save ${SAVE_RESTORE_OPTIONS} > ${IPTABLES_SAVE}
        success
        }

success() {
        if [ "$?" = "0" ]
        then
                echo -e '\E[32m'"\033[1mSuccess!\033[0m"
        else
                echo -e '\E[31m'"\033[1mCrap! something didn't work\033[0m"
        fi
        }

case "$1" in
        'start')
                start
                ;;
        'stop')
                stop
                ;;
        'reload')
                reload
                ;;
        'check')
                checkrules
                ;;
        'save')
                save
                ;;
        *)
                echo "usage $0 start|stop|reload|check|save"
esac

linuxhippy · 03-17-2006, 06:12 PM

ok, I messed up-now my iptables reject anything not on the network except for web surfing (ssh still works). I had to make an opening for no-ip2 to be able to update my dynamic IP address on port 8245. I googled around and glanced through the iptables man page. Then I added 2 lines to supervince's iptables-save file from above:

-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8245 -j ACCEPT

When I type iptables --list I get this:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- localhost anywhere
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:8001
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:8245

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

I did a reboot and the problem still exists. iptables -F didn't take care of the problem. What's wrong?

linuxhippy · 03-17-2006, 09:19 PM

Got it working-I did iptables -F, rebooted, and turned off my router. Then I booted into Red Hat 9 and then went back into Slack. iptables --list showed that there were no rules, I was able to do an FTP within my network and I got my server running again on the internet. Then I did an iptables-restore ~/iptables-save with my 2 new rules for FTP and port 8245 and once again am not able to FTP within my network.

Any ideas as to why? Is this the way a rule for FTP is done?

ACCEPT tcp -- anywhere anywhere tcp dpt:ftp

Hangdog42 · 03-18-2006, 06:55 AM

The main issue is that FTP operates on more than just port 21. I think you need to open up ports 20 and 21 and then you need a range of ports open for data transfer. I've been using vsftp (as it comes with Slackware) and I've set it up so that it uses the port range 50000 to 51000 for PASV connections. I also have my firewall set up to accept incoming connections on 20,21 and 50000-510000.

myboysherman · 03-18-2006, 03:59 PM

You should only have to allow port 21 and then add --state RELATED ( or edit the "--state ESTABLISHED" rule to read "--state ESTABLISHED,RELATED -j ACCEPT".) As long as the ip_conntrack_ftp module is loaded from rc.modules, netfilter will automatically determine which other connections are related and will allow them.