LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 12-31-2005, 05:21 PM   #1
rhb327
Member
 
Registered: May 2004
Distribution: Slackware Current
Posts: 161

Rep: Reputation: 30
Iptables / Host* files / New Cable Modem (dhcp)


Hello,

I have to admit, I have some reading to do here. I have used a fairly strict iptables configuration in /etc/rc.local and hosts* policies by default w/out much understanding. I recently switched from a dial up ISP to a cable modem and I had to disable my iptables to get this working but I left my host* files alone. I'd appreciate a critique and some good cable modem iptable rules. My PC does not act like a server in any capcity. I did of course enable dhcpcd for the cable modem. I suspect iptables is messing up ports 6768 which I believe DHCP uses.

Thanks!

********************************
Here's my /etc/hosts information:

# For loopbacking.
127.0.0.1 localhost
127.0.0.1 bairco.bairco.org bairco
# End of hosts.

********************************
Here's my /etc/hosts.allow information:

ALL: bairco, localhos

********************************
Here's my /etc/hosts.allow information:

ALL: ALL

********************************
Here's my iptables setup from /etc/rc.local

# **** iptables setup begin *****
## Clean and flush all chains to an empty state.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

## Set the default policies of the built-in chains. If no match for any of
## the rules below, these will be the defaults that iptables uses
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

## Setup masquerade: (could use this once LAN is established)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

## Insert connection-tracking modules (not needed if built into kernel)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

## New Chain: dlog, Drop and Log (log before drop!)
iptables -N dlog
iptables -A dlog -m limit --limit 15/minute -j LOG --log-prefix="iptables: " --log-tcp-options --log-ip-options
iptables -A dlog -j DROP

## New Chain: block, create chain which blocks new connections, except if
## coming from inside
iptables -N block
iptables -A block -m state --state INVALID -j dlog
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j dlog

## Jump to the block chain from INPUT and FORWARD chains
iptables -A INPUT -j block
iptables -A FORWARD -j block
# **** iptables setup end *****
 
Old 12-31-2005, 05:56 PM   #2
simcox1
Member
 
Registered: Mar 2005
Location: UK
Distribution: Slackware
Posts: 794
Blog Entries: 2

Rep: Reputation: 30
I can't really help with the specifics, maybe try the security forum. However, I believe that rc.local is not the correct place for an iptables firewall. You should put it in /etc/rc.d/rc.firewall, which you need to create.

Having looked at your firewall, and being not experienced, have you got loopback allowed? [iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT] This line might be it, and if it is, you might need to change it. 'ppp0' is possibly for a dial-up. If, for example, you're now using ethernet, you might need to change the interface to 'eth0'.
 
Old 12-31-2005, 06:02 PM   #3
rhb327
Member
 
Registered: May 2004
Distribution: Slackware Current
Posts: 161

Original Poster
Rep: Reputation: 30
Duh! I missed the ppp0. For now, I've changed that to eth0 and all the old rules are "working" as they did. I'd still be interested in a critique/recommendation(s).

Thanks!
 
Old 12-31-2005, 06:11 PM   #4
cwwilson721
Senior Member
 
Registered: Dec 2004
Location: In my house.
Distribution: Ubuntu 10.10 64bit, Slackware 13.1 64-bit
Posts: 2,649
Blog Entries: 1

Rep: Reputation: 65
Besides what simcox said about having it in a different rc.* file, if it works, it works.
That's the best thing about Slack/linux ... Configure it til it breaks, then back off a smidge
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
DHCP problems and cable modem wmeler Linux - Software 6 01-29-2004 04:49 PM
cable modem and dhcp dead_p00l Linux - Networking 3 11-30-2003 02:29 AM
DHCP & Cable Modem raypen Linux - Networking 4 08-06-2003 09:16 PM
Cable Modem - How-to DHCP ? iraysyvalo Linux - Networking 17 07-16-2003 09:28 AM
DHCP set-up for cable-modem iraysyvalo Debian 5 07-16-2003 08:34 AM


All times are GMT -5. The time now is 12:35 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration