
rhb327 12-31-2005 05:21 PM

Iptables / Host* files / New Cable Modem (dhcp)

I have to admit, I have some reading to do here. I have used a fairly strict iptables configuration in /etc/rc.local and hosts* policies by default w/out much understanding. I recently switched from a dial-up ISP to a cable modem and I had to disable my iptables to get this working but I left my host* files alone. I'd appreciate a critique and some good cable modem iptable rules. My PC does not act like a server in any capacity. I did of course enable dhcpcd for the cable modem. I suspect iptables is messing up ports 67/68 which I believe DHCP uses.


Here's my /etc/hosts information:

# For loopbacking.
127.0.0.1 localhost bairco
# End of hosts.

Here's my /etc/hosts.allow information:

ALL: bairco, localhost

Here's my /etc/hosts.deny information:


Here's my iptables setup from /etc/rc.local

# **** iptables setup begin *****
## Clean and flush all chains to an empty state.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

## Set the default policies of the built-in chains. If no match for any of
## the rules below, these will be the defaults that iptables uses
iptables -P FORWARD DROP
iptables -P INPUT DROP

## Setup masquerade: (could use this once LAN is established)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

## Insert connection-tracking modules (not needed if built into kernel)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

## New Chain: dlog, Drop and Log (log before drop!)
iptables -N dlog
iptables -A dlog -m limit --limit 15/minute -j LOG --log-prefix="iptables: " --log-tcp-options --log-ip-options
iptables -A dlog -j DROP

## New Chain: block, create chain which blocks new connections, except if
## coming from inside
iptables -N block
iptables -A block -m state --state INVALID -j dlog
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j dlog

## Jump to the block chain from INPUT and FORWARD chains
iptables -A INPUT -j block
iptables -A FORWARD -j block
# **** iptables setup end *****

simcox1 12-31-2005 05:56 PM

I can't really help with the specifics, maybe try the security forum. However, I believe that rc.local is not the correct place for an iptables firewall. You should put it in /etc/rc.d/rc.firewall, which you need to create.

Having looked at your firewall, and not being experienced, have you got loopback allowed? [iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT] This line might be it, and if it is, you might need to change it. 'ppp0' is possibly for a dial-up. If, for example, you're now using ethernet, you might need to change the interface to 'eth0'.

rhb327 12-31-2005 06:02 PM

Duh! I missed the ppp0. For now, I've changed that to eth0 and all the old rules are "working" as they did. I'd still be interested in a critique/recommendation(s).
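Since the original poster asked for a critique and recommendations, here is a complete /etc/rc.d/rc.firewall for the cable-modem case, written as an added example (it is not a script from any post in this thread, nor Slackware's own). It assumes the modem sits on eth0 (the interface the poster switched to from ppp0) and that the box runs no public services. Beyond replacing the interface, it fixes two things a default-DROP INPUT policy needs: an explicit accept for loopback, and an explicit accept for the DHCP server's answers (UDP 67 to 68), which connection tracking does not reliably recognise as replies because the initial exchange is broadcast. A "dryrun" argument prints the rules instead of loading them so the set can be reviewed without root.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall -- stateful filter for a single Slackware workstation
# behind a cable modem that hands out addresses with DHCP.
# Added example, not the poster's script or Slackware's. Assumptions:
#   * the cable modem is on eth0 (set WAN_IF otherwise)
#   * this host runs no public services, so nothing NEW is accepted from WAN_IF
# Usage: rc.firewall start | stop | dryrun

WAN_IF="${WAN_IF:-eth0}"
IPT="${IPT:-iptables}"     # set IPT=echo to print rules instead of loading them

flush_rules() {
    $IPT -F;  $IPT -t nat -F;  $IPT -t mangle -F
    $IPT -X;  $IPT -t nat -X;  $IPT -t mangle -X
}

set_policies() {
    # Default deny for inbound and forwarded traffic; this host only
    # originates connections, so OUTPUT may stay open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

make_dlog_chain() {
    # Log (rate-limited, so a scan cannot fill /var/log/messages), then drop.
    $IPT -N dlog
    $IPT -A dlog -m limit --limit 15/minute -j LOG --log-prefix "iptables: " \
         --log-tcp-options --log-ip-options
    $IPT -A dlog -j DROP
}

load_input_rules() {
    # 1. Loopback first. With INPUT defaulting to DROP, local daemons that
    #    talk over 127.0.0.1 stop working unless lo is accepted explicitly.
    $IPT -A INPUT -i lo -j ACCEPT

    # 2. Packets conntrack cannot classify are bogus or out of state.
    $IPT -A INPUT -m state --state INVALID -j dlog

    # 3. Replies to connections this host opened.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. DHCP client traffic: the server answers from UDP 67 to UDP 68. The
    #    DISCOVER/OFFER exchange is broadcast from 0.0.0.0, so conntrack does
    #    not reliably treat the OFFER as a reply; without this rule the lease
    #    never arrives once INPUT drops by default.
    $IPT -A INPUT -i "$WAN_IF" -p udp --sport 67 --dport 68 -j ACCEPT

    # 5. Everything else arriving from the cable side is logged and dropped.
    $IPT -A INPUT -i "$WAN_IF" -j dlog
}

apply_firewall() {
    flush_rules
    set_policies
    make_dlog_chain
    load_input_rules
    # FORWARD stays at DROP. Add "-t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    # and a FORWARD accept for the inside interface only once a LAN exists.
    # Load ip_conntrack_ftp here if active FTP is needed; -m state pulls in
    # ip_conntrack itself.
}

case "${1:-}" in
    start)  apply_firewall ;;
    stop)   flush_rules; $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT ;;
    dryrun) ( IPT=echo; apply_firewall ) ;;
    *)      echo "Usage: $0 {start|stop|dryrun}" ;;
esac
```

Make it executable, start it from rc.local (or let rc.inet2 call it) and check `/var/log/messages` for the `iptables:` prefix after a reboot: with the DHCP rule in place the only logged traffic should be unsolicited packets from the cable segment, not the lease renewals.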


cwwilson721 12-31-2005 06:11 PM

Besides what simcox said about having it in a different rc.* file, if it works, it works.
That's the best thing about Slack/linux ... Configure it 'til it breaks, then back off a smidge.
