LinuxQuestions.org


rhb327 12-31-2005 05:21 PM

Iptables / Host* files / New Cable Modem (dhcp)
 
Hello,

I have to admit, I have some reading to do here. I have used a fairly strict iptables configuration in /etc/rc.local and hosts* policies by default w/out much understanding. I recently switched from a dial up ISP to a cable modem and I had to disable my iptables to get this working but I left my host* files alone. I'd appreciate a critique and some good cable modem iptable rules. My PC does not act like a server in any capacity. I did of course enable dhcpcd for the cable modem. I suspect iptables is messing up ports 6768 which I believe DHCP uses.

Thanks!

********************************
Here's my /etc/hosts information:

# For loopbacking.
127.0.0.1 localhost
127.0.0.1 bairco.bairco.org bairco
# End of hosts.

********************************
Here's my /etc/hosts.allow information:

ALL: bairco, localhos

********************************
Here's my /etc/hosts.allow information:

ALL: ALL

********************************
Here's my iptables setup from /etc/rc.local

# **** iptables setup begin *****
## Clean and flush all chains to an empty state.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

## Set the default policies of the built-in chains. If no match for any of
## the rules below, these will be the defaults that iptables uses
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

## Setup masquerade: (could use this once LAN is established)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

## Insert connection-tracking modules (not needed if built into kernel)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

## New Chain: dlog, Drop and Log (log before drop!)
iptables -N dlog
iptables -A dlog -m limit --limit 15/minute -j LOG --log-prefix="iptables: " --log-tcp-options --log-ip-options
iptables -A dlog -j DROP

## New Chain: block, create chain which blocks new connections, except if
## coming from inside
iptables -N block
iptables -A block -m state --state INVALID -j dlog
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j dlog

## Jump to the block chain from INPUT and FORWARD chains
iptables -A INPUT -j block
iptables -A FORWARD -j block
# **** iptables setup end *****
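A ruleset for the setup described in the post above (a workstation with no services, cable modem on eth0, address from dhcpcd), added here as an example and not the poster's script or a Slackware file. It assumes the interface name eth0 and the DHCP client/server ports 68/67; it prints the commands unless IPT=iptables is exported, so it can be read before it is applied.

```shell
#!/bin/sh
# Added example, not the poster's rc.local. Dry-run by default:
#   sh rc.firewall            -> prints the iptables commands
#   IPT=iptables sh rc.firewall  (as root) -> applies them
IPT="${IPT:-echo iptables}"
WAN="${WAN:-eth0}"   # after the dial-up -> cable switch there is no ppp0 any more

firewall_rules() {
    # Start from a clean slate in every table.
    $IPT -F; $IPT -t nat -F; $IPT -t mangle -F
    $IPT -X; $IPT -t nat -X; $IPT -t mangle -X

    # Default-deny inbound and forwarded traffic; allow what the host initiates
    # (dhcpcd's DISCOVER/REQUEST leave through OUTPUT, so they need no rule).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback must be open or local clients of X, CUPS, the resolver etc. break.
    $IPT -A INPUT -i lo -j ACCEPT

    # Rate-limited log-then-drop chain, same idea as the original dlog chain.
    $IPT -N dlog
    $IPT -A dlog -m limit --limit 15/minute -j LOG --log-prefix "iptables: " --log-tcp-options --log-ip-options
    $IPT -A dlog -j DROP

    # Replies to connections this host opened (web, mail, DNS answers, FTP data).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j dlog

    # DHCP: the server answers from UDP 67 to UDP 68, often to the broadcast
    # address, which conntrack does not pair with the request. Allow it explicitly,
    # only on the WAN interface and only for that port pair.
    $IPT -A INPUT -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT

    # Answer pings at a bounded rate; handy when the ISP checks the line.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT

    # Everything else inbound, NEW connections from the WAN included, is logged
    # and dropped. The original "-i ! ppp0" exception is deliberately absent:
    # once the WAN moved to eth0, that rule admitted every NEW connection on it,
    # and on a one-interface box an explicit lo rule says what was meant.
    $IPT -A INPUT -j dlog
    $IPT -A FORWARD -j dlog
}

firewall_rules
```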

simcox1 12-31-2005 05:56 PM

I can't really help with the specifics, maybe try the security forum. However, I believe that rc.local is not the correct place for an iptables firewall. You should put it in /etc/rc.d/rc.firewall, which you need to create.

Having looked at your firewall, and being not experienced, have you got loopback allowed? [iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT] This line might be it, and if it is, you might need to change it. 'ppp0' is possibly for a dial-up. If, for example, you're now using ethernet, you might need to change the interface to 'eth0'.

rhb327 12-31-2005 06:02 PM

Duh! I missed the ppp0. For now, I've changed that to eth0 and all the old rules are "working" as they did. I'd still be interested in a critique/recommendation(s).

Thanks!

cwwilson721 12-31-2005 06:11 PM

Besides what simcox said about having it in a different rc.* file, if it works, it works.
That's the best thing about Slack/linux ... Configure it til it breaks, then back off a smidge

