Iptables / Host* files / New Cable Modem (dhcp)
Hello,
I have to admit, I have some reading to do here. I have used a fairly strict iptables configuration in /etc/rc.local and hosts* policies by default w/out much understanding. I recently switched from a dial-up ISP to a cable modem and I had to disable my iptables to get this working, but I left my host* files alone. I'd appreciate a critique and some good cable modem iptables rules. My PC does not act like a server in any capacity. I did of course enable dhcpcd for the cable modem. I suspect iptables is messing up ports 6768 which I believe DHCP uses. Thanks!

********************************
Here's my /etc/hosts information:

# For loopbacking.
127.0.0.1 localhost
127.0.0.1 bairco.bairco.org bairco
# End of hosts.

********************************
Here's my /etc/hosts.allow information:

ALL: bairco, localhost

********************************
Here's my /etc/hosts.allow information:

ALL: ALL

********************************
Here's my iptables setup from /etc/rc.local

# **** iptables setup begin *****

## Clean and flush all chains to an empty state.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

## Set the default policies of the built-in chains. If no match for any of
## the rules below, these will be the defaults that iptables uses
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

## Setup masquerade: (could use this once LAN is established)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

## Insert connection-tracking modules (not needed if built into kernel)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

## New Chain: dlog, Drop and Log (log before drop!)
iptables -N dlog
iptables -A dlog -m limit --limit 15/minute -j LOG --log-prefix="iptables: " --log-tcp-options --log-ip-options
iptables -A dlog -j DROP

## New Chain: block, create chain which blocks new connections, except if
## coming from inside
iptables -N block
iptables -A block -m state --state INVALID -j dlog
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j dlog

## Jump to the block chain from INPUT and FORWARD chains
iptables -A INPUT -j block
iptables -A FORWARD -j block

# **** iptables setup end *****
I can't really help with the specifics, maybe try the security forum. However, I believe that rc.local is not the correct place for an iptables firewall. You should put it in /etc/rc.d/rc.firewall, which you need to create.
Having looked at your firewall, and being not experienced, have you got loopback allowed? [iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT] This line might be it, and if it is, you might need to change it. 'ppp0' is possibly for a dial-up. If, for example, you're now using ethernet, you might need to change the interface to 'eth0'.
Duh! I missed the ppp0. For now, I've changed that to eth0 and all the old rules are "working" as they did. I'd still be interested in a critique/recommendation(s).
Thanks!
Besides what simcox said about having it in a different rc.* file, if it works, it works.
That's the best thing about Slack/linux ... Configure it til it breaks, then back off a smidge