Slackware (LinuxQuestions.org): This Forum is for the discussion of Slackware Linux.
View Poll Results: How have you configured IPTABLES on your system[s]?
Easy Firewall Generator (or a derivative like Alien Bob's, post link please): 12 (9.84%)
Firestarter: 21 (17.21%)
KMyFirewall: 4 (3.28%)
fwbuilder: 2 (1.64%)
Guarddog: 17 (13.93%)
Script from an LQ forum post (link please): 1 (0.82%)
Some other script (link please) or GUI: 44 (36.07%)
Don't use iptables: 24 (19.67%)
Multiple Choice Poll. Voters: 122. You may not vote on this poll
Good thread, w/ a minimum of the arrogant pissing on other guys' shoes. I've taken the path most have. No fwall at first, then something hand-rolled (current config.) Part of me wants to grab IPTABLES by the horns and 'bend it to my will', so to speak. Frankly, I can't get up for that anymore, since real coding beckons and screwing around w/ the fwall isn't real coding.
Like pbhj, I played w/ GuardDog, but while it's a nice bit of code, I too want a single solution that will do the same for a router that it does for a wkstation from a GUI app. Have some stuff to look at bec of this thread.
As an intermediate step, I would welcome a suggestion for a straight-fwd, parameterized script designed around the idea a list of diff objects to permit, like incoming ports, port(s) to forward to an IP, NAT enable, blocking the rest. I can sort thru the rest as time allows.
TIA. Later....Jet
I answered my own inquiry! Alien Bob's script thingie is what I was looking for! Eventually, I think KMyFirewall will be my ultimate solution, but simply to gen a static script, from someone who already knows how IPTABLES works, a quick trip to Alien Bob's place gave me what I wanted!
Alien Bob's EFG derivative (mentioned earlier) works very well ... I recommend it, with some hand-tuning if you need. It's very fast and easy ... run it, copy to /etc/rc.d/rc.firewall, make it executable and that's it.
Last edited by H_TeXMeX_H; 03-02-2007 at 09:22 PM.
I have one question. I've setup a couple boxes w/ IPTABLES firewalls, but I continue to have one problem: I can't access my web server (or anything else) from the server box itself. I can't PING the box itself or use LYNX to access the local server.
Code:
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
I'm trying variations of the above line (I know it's not the answer), but this is where I don't grok IPTABLES at all. I don't understand what's being blocked. I can access the web browser from my internal box via the internal or external addresses. BTW, I'm still using the Alien Bob script, which I'd hoped would address/illuminate this subj. I setup the script as a router to permit access to SSH and HTTP(S).
The quoted line is something I found by GOOGLEing for IPTABLES and "local access". Way too broad a search, but I simply don't understand what I'm looking for....Jet
How in the world did a Slackware poll on iptables not include the "Manually" option??
At least two others asked this and I explained that "some other script" to my mind included the set of "self-written". The reason I had "some other script" was that I wanted to include those generated by an app / script and amended beyond recognition.
Unless of course you mean sitting down and writing the iptables in each time you boot (which isn't then a script), in which case, yeah I forgot that option.
If you cannot access anything from the server, my first suggestion would be to stop the firewall from running, then flush all the rules and set it to allow everything.
This will clear out all rules and allow everything. Once that is done, try to ping 127.0.0.1 again. If that fails, then you either do not have the network card set up with the right drivers, or the network card is dead. Even with the cable disconnected, you still should be able to ping the loopback device.
If, after clearing the rules, you can then get a connection, then we know it will have something to do with the iptables rules; we can then take it from there.
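The "flush everything, allow everything, then test loopback" procedure from the reply above, written out as a script. This is an added example, not code from the thread, from Alien Bob's generator or from Arno's script; it assumes the Slackware iptables path shown elsewhere in the thread (/usr/sbin/iptables, overridable via IPTABLES) and uses DRY_RUN=1 to print the commands instead of executing them, so it can be inspected without root. It also adds the two loopback rules a restrictive rule set needs, and a comment on why the rule quoted in the question is narrower than it looks.

```shell
#!/bin/sh
# Added example (not from the thread): reset netfilter to an allow-all state,
# verify the loopback path, and install interface-based loopback rules.
# DRY_RUN=1 prints the iptables/ping commands instead of running them.
# IPTABLES is an assumption: the Slackware path quoted in the thread.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Flush all rules and user-defined chains in the filter and nat tables and
# set every built-in chain to ACCEPT, i.e. the "no firewall at all" state
# the reply suggests testing from.
reset_to_accept() {
    for table in filter nat; do
        run "$IPTABLES" -t "$table" -F
        run "$IPTABLES" -t "$table" -X
    done
    for chain in INPUT FORWARD OUTPUT; do
        run "$IPTABLES" -t filter -P "$chain" ACCEPT
    done
    for chain in PREROUTING POSTROUTING OUTPUT; do
        run "$IPTABLES" -t nat -P "$chain" ACCEPT
    done
}

# Loopback rules for a restrictive rule set. Unlike the rule quoted in the
# question, these match on the interface only: a connection the box makes
# to its own eth0 address (lynx http://192.168.1.100/) also travels over lo,
# but carries the real addresses, so "-s/-d 127.0.0.0/8" never matches it.
# -I ... 1 puts the rules first, so an earlier DROP cannot shadow them.
loopback_rules() {
    run "$IPTABLES" -I INPUT 1 -i lo -j ACCEPT
    run "$IPTABLES" -I OUTPUT 1 -o lo -j ACCEPT
}

# Ping 127.0.0.1 and, if given, the box's own eth0 address. If this fails
# while the rule set is empty, the problem is not iptables.
check_loopback() {
    run ping -c 1 127.0.0.1
    if [ -n "$1" ]; then
        run ping -c 1 "$1"
    fi
}

case "${1:-}" in
    reset)    reset_to_accept ;;
    loopback) loopback_rules ;;
    check)    check_loopback "${2:-}" ;;
esac
```

Usage: `DRY_RUN=1 sh fwreset.sh reset` to see what would be done, then as root `sh fwreset.sh reset && sh fwreset.sh check 192.168.1.100`; once loopback works with the empty rule set, re-run the firewall script and add `sh fwreset.sh loopback` if it still blocks local access.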
Up to version 10.0 of Slackware but since have not bothered with any firewall at all. Would like to know the latest & greatest, great thread! For those who would like to give it a try here's some info on how to set it up. Doesn't seem to work out of the box like it did before. So maybe I'll give it another try or try something else.
Code:
CHAPTER 7
------------------------------------------------------------------------------
Using iptables
iptables is IP packet filter administration. A lot of people use
iptables as a firewall. A firewall protects a computer from intruders,
theoretically. A firewall is as secure as the configuration.
In this manual, you will install iptables if necessary, disable any
firewall front-ends, install Arno's iptables script, install Arno's
iptables service, log iptables messages, view the log, log incoming
traffic, check iptables status, and troubleshoot unresolved symbol boot
errors.
Before moving forward, check that iptables is installed:
which iptables
/usr/sbin/iptables
If it is installed, skip to Installing Arno's iptables Script.
Installing iptables
The best way would be to install iptables using your distro's package
manager to minimize any dependency issues. Compiling and installing
would be the last option. You need to know where your kernel source
resides.
1. Download iptables-1.2.11.tar.bz2 to your home directory
2. Open a terminal or console, switch user to root, decompress the
iptables download, change directory to the install directory, locate the
kernel source, install iptables, remove the install directory, and exit
root:
su
tar xjf iptables-1.2.11.tar.bz2
cd iptables-1.2.11
uname -r && ls /usr/src
make KERNEL_DIR=/usr/src/linux-2.4.26
make install KERNEL_DIR=/usr/src/linux-2.4.26
cd .. && rm -fr iptables-1.2.11
exit
After iptables install, you may have to recompile the kernel and include
iptables support. In Networking options > IP: Netfilter Configuration >
set all as modules, and exclude ipchains and ipfwadm. Arno's rc.iptables
init script will load the required modules at boot.
Disabling Firewall Front-ends
If you are running any firewall front-end, you have to disable it before
switching to Arno's iptables script. For Guarddog in Mandrake and MEPIS,
click main menu > System > Security > Guarddog > enter root password >
Advanced tab > check "Disable firewall", [OK], [Continue] and [OK].
Their rule set should be removed immediately. For other firewall front-
ends, find out how to disable them in their documentation.
Installing Arno's iptables Script
The script, by Arno van Amersfoort, loads iptables modules and sets up a
firewall rule set for you without your reading cryptic, cross-
referenced, full-of-jargon documentation.
You should ALWAYS start and stop rc.iptables or init scripts, in
general, as root. In fact, you wouldn't have to if you finished this
part and the next, since it would automatically start at boot. Remember
your security is only as secure as the weakest link: i.e. users with too
much power.
1. Download arno-iptables-firewall.tgz to your home directory
2. Open a terminal or console, switch user to root, decompress the
archive, change directory to install directory replacing the directory
name, restrict all files to non-root users, and make fwfilter and
rc.iptables executable for root:
su
tar zxvf arno-iptables-firewall.tgz
cd arno-iptables-firewall-x.x.x
chmod go-rwx *
chown root:root *
chmod u+x fwfilter rc.iptables
3. Move the rc.iptables init script to the auto-start directory of your
distro
For Arch, Core, Crux, Slackware, Vector and Yoper:
mv rc.iptables /etc/rc.d
For DaNix, Debian, Gentoo, Kanotix, Knoppix, MEPIS, PCLinuxOS and
others:
mv rc.iptables /etc/init.d
4. Run ifconfig to get the eth0 (first Ethernet or network device) inet
addr and lo (local loopback) inet addr numbers:
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0B:6D:24:31:69
inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1024 (1024.0 b) TX bytes:854 (854.0 b)
Interrupt:11 Base address:0x1000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
5. Find the path to iptables executable:
which iptables
/usr/sbin/iptables
6. Edit iptables-firewall.conf as follows if you're behind a router on
DSL modem or you're on a cable modem. EXT_IF_DHCP_IP is dynamic IP. Make
it 0 if it's a static IP. If it is dynamic IP, you can comment out the
MODEM_IF_IP and MODEM_IP options. MODEM_IF_IP is your local loopback.
MODEM_IP is your NIC or modem. Read README file if you're on dial-up
For Arch, Core, Crux, Slackware, Vector and Yoper:
vi iptables-firewall.conf
IPTABLES="/usr/sbin/iptables"
EXT_IF="eth0"
EXT_IF_DHCP_IP=1
#MODEM_IF="eth0"
MODEM_IF_IP="127.0.0.1"
MODEM_IP="192.168.1.100"
FIREWALL_LOG=/var/log/firewall
For DaNix, Debian, Gentoo, Kanotix, Knoppix, MEPIS, PCLinuxOS and
others:
vi iptables-firewall.conf
IPTABLES="/sbin/iptables"
EXT_IF="eth0"
EXT_IF_DHCP_IP=1
#MODEM_IF="eth0"
MODEM_IF_IP="127.0.0.1"
MODEM_IP="192.168.1.100"
FIREWALL_LOG=/var/log/firewall
7. Move the configuration file to /etc, and firewall filter program to /
usr/local/bin, and remove the install directory replacing the directory
name:
mv iptables-firewall.conf /etc
mv fwfilter /usr/local/bin
cd .. && rm -fr arno-iptables-firewall-x.x.x
8. Start the script
For Arch, Core, Crux, Slackware, Vector and Yoper:
/etc/rc.d/rc.iptables start
For DaNix, Debian, Gentoo, Kanotix, Knoppix, MEPIS, PCLinuxOS and
others:
/etc/init.d/rc.iptables start
If all goes well, read on. If not, close the terminal and return to step
2.
Installing Arno's iptables Service
Computers are meant to automate processes. You don't have to type that
line to start the script again. It would be best to start iptables
BEFORE activating network. Whenever possible, let the system start
rc.iptables at boot and stop the service at reboot or shut-down.
9. Add the service, or edit the system init script
For Arch, add rc.iptables to DAEMONS parameter in rc.conf:
nano /etc/rc.conf
DAEMONS=(syslogd klogd network crond rc.iptables)
For Core, copy and paste this snippet at the end of system init script:
nano /etc/rc.d/rc.si
# Starting iptables firewall
if [ -x /etc/rc.d/rc.iptables ]; then
/etc/rc.d/rc.iptables start
fi
For Crux, add rc.iptables to SERVICES parameter in rc:
vi /etc/rc
SERVICES=(net crond rc.iptables kdm)
For DaNix, Debian, Kanotix, Knoppix and MEPIS, add symlinks to
runlevels:
update-rc.d rc.iptables defaults 18
For Gentoo, add the init script to runlevels:
rc-update add rc.iptables default
If that doesn't start rc.iptables at boot, put this line in local.start
to start rc.iptables at boot:
nano -w /etc/conf.d/local.start
/etc/init.d/rc.iptables start 1>&2
And put this line in local.stop to stop rc.iptables at reboot or shut-
down:
nano -w /etc/conf.d/local.stop
/etc/init.d/rc.iptables stop 1>&2
For PCLinuxOS, add the service to auto-start:
chkconfig --add rc.iptables
For Slackware and Vector, insert the start snippet before rc.inet1 in
rc.M:
vi /etc/rc.d/rc.M
# Starting iptables firewall
if [ -x /etc/rc.d/rc.iptables ]; then
/etc/rc.d/rc.iptables start
fi
# Initialize the networking hardware...
if [ -x /etc/rc.d/rc.inet1 ]; then
. /etc/rc.d/rc.inet1
fi
And insert the stop snippet before rc.pcmcia in rc.6:
vi /etc/rc.d/rc.6
# Stopping iptables firewall
if [ -x /etc/rc.d/rc.iptables ]; then
/etc/rc.d/rc.iptables stop
fi
# Shut down PCMCIA devices:
if [ -x /etc/rc.d/rc.pcmcia ] ; then
. /etc/rc.d/rc.pcmcia stop
sleep 5
fi
For Yoper, copy and paste this snippet at the end of init script:
vi /etc/rc.d/init.d/rc
# Starting iptables firewall
if [ -x /etc/rc.d/rc.iptables ]; then
/etc/rc.d/rc.iptables start
fi
For other distros, copy and paste this snippet at the end of init
script:
vi /etc/init.d/rc.init
# Starting iptables firewall
if [ -x /etc/init.d/rc.iptables ]; then
/etc/init.d/rc.iptables start
fi
10. Exit root:
exit
You should reboot Linux to make sure that rc.iptables is working.
Logging iptables Messages
Logging is optional. syslogd can output the logs to /var/log/firewall.
Switch user to root, create /var/log/firewall for only root, add the
bold line to the end of syslog.conf file, making sure the spaces are
tabs between debug and /var, and that /var lines up with the other
column:
su
touch /var/log/firewall
chmod go-rwx /var/log/firewall
vi /etc/syslog.conf
kern.=debug /var/log/firewall
Restart system logging daemon, and exit root:
killall -HUP syslogd
exit
Viewing Firewall Log
There is no point in logging iptables messages if the log isn't viewed
regularly. In Arno's download is a fwfilter script that filters firewall
logs for easy viewing. The usage is mentioned in the same script. Let's
see the log:
su
cat /var/log/firewall | fwfilter
Jan 1 0:00:00 ** Starting Arno's IPTABLES firewall v1.8.3-BETA3 **
Jan 1 0:00:00 ** All firewall rules applied **
Jan 1 0:00:00 ** Stopping IPTABLES firewall **
How about a real-time output?
tail -f /var/log/firewall | fwfilter
Press CTRL C to quit. If fwfilter can't be found, the environment path
must be missing /usr/local/bin/. Add it to /etc/profile and reload
profile if need be. After viewing the firewall log, exit root:
exit
Logging Incoming Traffic
Technically, your iptables install is over. So? Yeah, what the
hell. Mount up. There are a number of firewall loggers out there. IP
Packet Logger is a tiny daemon that logs incoming IP packets.
1. Download ippl-1.4.14.tar.gz to home directory
2. Open a terminal or console, and install ippl:
tar zxvf ippl-1.4.14.tar.gz
cd ippl-1.4.14
su
./configure --sysconfdir=/etc && make && make install
cd .. && rm -fr ippl-1.4.14
3. Make ippl root only and edit the ippl.conf file:
chmod 0700 /usr/local/sbin/ippl
vi /etc/ippl.conf
runas nobody
expire 3600
log-in all /var/log/ippllog
run icmp tcp udp
4. Write the init script:
vi ippl
#!/bin/sh
#
# ippl: start/stop ippl daemon
#
case $1 in
start)
echo "Starting $0:"
/usr/local/sbin/ippl
;;
stop)
echo "Stopping $0:"
killall --SIGTERM /usr/local/sbin/ippl
;;
restart)
$0 stop
sleep 2
$0 start
;;
*)
echo "usage: $0 [start|stop|restart]"
;;
esac
# End of file
Make ippl executable for only root:
chmod 0700 ippl
For Arch, Core, Crux, Slackware, Vector and Yoper, move ippl to /etc/
rc.d:
mv ippl /etc/rc.d
For DaNix, Debian, Gentoo, Kanotix, Knoppix, MEPIS, PCLinuxOS and
others, move ippl to /etc/init.d:
mv ippl /etc/init.d
5. Add the service, or edit the system init script
For Arch, add rc.iptables to DAEMONS parameter in rc.conf:
nano /etc/rc.conf
DAEMONS=(syslogd klogd network crond rc.iptables ippl)
For Core, copy and paste this snippet at the end of init script:
nano /etc/rc.d/rc.si
# Starting ippl
if [ -x /etc/rc.d/ippl ]; then
/etc/rc.d/ippl start
fi
For Crux, add rc.iptables to SERVICES parameter:
vi /etc/rc
SERVICES=(net crond rc.iptables ippl kdm)
For DaNix, Debian, Kanotix, Knoppix and MEPIS, add symlinks to
runlevels:
update-rc.d ippl defaults 19
For Gentoo, add the init script to runlevels:
rc-update add ippl default
For PCLinuxOS, add the service to auto-start:
chkconfig --add ippl
For Slackware and Vector, insert the start snippet after rc.iptables in
rc.M:
vi /etc/rc.d/rc.M
# Starting iptables firewall
if [ -x /etc/rc.d/rc.iptables ]; then
/etc/rc.d/rc.iptables start
fi
# Starting ippl
if [ -x /etc/rc.d/ippl ]; then
/etc/rc.d/ippl start
fi
And insert the stop snippet before rc.iptables in rc.6:
vi /etc/rc.d/rc.6
# Stopping ippl
if [ -x /etc/rc.d/ippl ]; then
/etc/rc.d/ippl stop
fi
# Stopping iptables firewall
if [ -x /etc/rc.d/rc.iptables ]; then
/etc/rc.d/rc.iptables stop
fi
For Yoper, copy and paste this snippet at the end of init script:
vi /etc/rc.d/init.d/rc
# Starting ippl
if [ -x /etc/rc.d/ippl ]; then
/etc/rc.d/ippl start
fi
For other distros, copy and paste this snippet at the end of init
script:
vi /etc/init.d/rc.init
# Starting ippl
if [ -x /etc/init.d/ippl ]; then
/etc/init.d/ippl start
fi
6. Start ippl:
/etc/rc.d/ippl start
Or
/etc/init.d/ippl start
It is a good idea to frequently check the traffic log:
tail /var/log/ippllog
7. After installing ippl, exit root:
exit
IP Packet Logger is running in the background. You don't have to reboot
the computer after installing and running ippl. That's the beauty of
Linux.
Checking iptables Status
You can check that the iptables rule set is applied. Switch user to
root:
su
List everything set by Arno's script:
/etc/rc.d/rc.iptables status
Or list all chains as an exact numeric verbose output:
iptables -xnvL
Exit root:
exit
Troubleshooting: Unresolved symbols
If the distro boots up or you enter "depmod -a", and one or more of these
iptables-related lines sweep across the screen:
depmod: *** Unresolved symbols in
/lib/modules/2.x.xx/kernel/net/ipv4/netfilter/ip_tables.o
It is possible that you just compiled a new kernel without cleaning the
source tree thoroughly. You can try this:
su
cd /usr/src/linux
mv .config ..
make mrproper
mv ../.config .
Replace linux directory with the right one if necessary. Then you can
config your kernel, check that all iptables modules are included,
compile kernel, write LInux LOader and reboot the computer.
iptables
http://www.iptables.org/downloads.html
Arno's iptables Script
http://freshmeat.net/projects/iptables-firewall/?topic_id=151
ippl Logger
http://pltplp.net/ippl/
----------------------------------------------------------------------------
Copyright (C) 2002-2004 by jet_blackz@lycos.com
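The "Logging iptables Messages" and "Viewing Firewall Log" sections above route kern.=debug messages to /var/log/firewall and pipe them through fwfilter. The script below is an added example, not part of the posted manual, of Arno's script or of fwfilter: it summarises the LOG lines the kernel writes (the "SRC= DST= PROTO= DPT=" format iptables' LOG target emits) by source address and destination port, which is the view you want when reading the log daily. The "FW DROP:" prefix, the host name and the sample lines are constructed for the example; a real log's prefix depends on the --log-prefix used in the rules.

```shell
#!/bin/sh
# Added example (not from the manual or from Arno's script): summarise
# iptables LOG lines by source and destination port.
# Sample lines below are constructed; the "FW DROP:" prefix is an assumption.

sample_log() {
    cat <<'EOF'
Jan  1 00:00:01 slack kernel: FW DROP: IN=eth0 OUT= MAC=00:0b:6d:24:31:69:00:50:ba:12:34:56:08:00 SRC=203.0.113.5 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 00:00:02 slack kernel: FW DROP: IN=eth0 OUT= MAC=00:0b:6d:24:31:69:00:50:ba:12:34:56:08:00 SRC=203.0.113.5 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 00:00:03 slack kernel: FW DROP: IN=eth0 OUT= MAC=00:0b:6d:24:31:69:00:50:ba:12:34:56:08:00 SRC=203.0.113.5 DST=192.168.1.100 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 00:00:04 slack kernel: FW DROP: IN=eth0 OUT= MAC=00:0b:6d:24:31:69:00:50:ba:12:34:56:08:00 SRC=198.51.100.9 DST=192.168.1.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Jan  1 00:00:05 slack kernel: eth0: link up, 100Mbps, full-duplex
EOF
}

# Print "count SRC PROTO DPT" for each distinct (source, protocol, port)
# seen in LOG lines on stdin, most frequent first. Lines without SRC= are
# ignored, so other kernel messages in the same file do no harm; packets
# without a port (ICMP) are shown with DPT "-".
summarize_drops() {
    awk '
        /SRC=/ {
            src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2
}

# Sources responsible for at least $1 logged packets (default 2), as
# "count SRC": a cheap way to spot a port scan across many ports.
noisy_sources() {
    threshold="${1:-2}"
    awk -v t="$threshold" '
        /SRC=/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++
        }
        END { for (s in n) if (n[s] >= t) print n[s], s }
    ' | sort -k1,1nr -k2,2
}

case "${1:-}" in
    summary) summarize_drops ;;
    noisy)   noisy_sources "${2:-2}" ;;
    demo)    sample_log | summarize_drops ;;
esac
```

Usage, as root since the log is mode 0600: `sh fwsummary.sh summary < /var/log/firewall` or `sh fwsummary.sh noisy 20 < /var/log/firewall`; `sh fwsummary.sh demo` runs it over the constructed sample.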
One thing I have noticed, however, is that if you have a modern day router that offers things like port forwarding and trusted hosts, isn't that enough? Rather than having to replicate a lot of that functionality on your Linux box. As I never seem to have any viruses or intrusions on my machine.