LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 07-11-2009, 08:49 PM   #1
JosephS
Member
 
Registered: Jun 2007
Distribution: Debian Squeeze, CrunchBang Waldorf
Posts: 514

Rep: Reputation: 38
Looking for iptables script


Using Slackware 12.2
Can someone point me to a script for iptables?
I'm new to networking and firewalls.
Is there a gui that would be helpful?
I have a computer with a broadband connection to the internet.
I use the computer for personal use.

Thanks.

Last edited by JosephS; 07-11-2009 at 08:51 PM.
 
Old 07-11-2009, 09:26 PM   #2
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: Tupelo, MS
Distribution: Gentoo
Posts: 6,926

Rep: Reputation: 124
Check out Alien Bob's idea.
 
Old 07-12-2009, 02:26 AM   #3
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 3,379

Rep: Reputation: 824
There is a script supplied in /etc/ppp/firewall-standalone that can be copied to /etc/rc.d/rc.firewall and made executable so that it runs automatically at boot. Change the EXTIF to suit your network connection.
The script is very simple; it just blocks all incoming connection attempts, but it sounds like it would suit your needs at this time.

Last edited by allend; 07-12-2009 at 02:28 AM.
 
Old 07-12-2009, 02:40 AM   #4
speck
Member
 
Registered: Nov 2001
Location: California
Distribution: Slackware 14.1
Posts: 271

Rep: Reputation: 54
I've used Arno's script over the last few years and it's probably the easiest way (I think it's even easier than using a GUI) to setup a firewall. The script is well documented and constantly updated.
 
Old 07-12-2009, 06:43 AM   #5
Mark Pettit
Member
 
Registered: Dec 2008
Location: Cape Town, South Africa
Distribution: Slackware 14.1 64 Multi-Lib
Posts: 421

Rep: Reputation: 123
Quote:
Can someone point me to a script for iptables?
someone mentioned arno's - that's good.
i use firehol - also very easy to setup.

Quote:
I'm new to networking and firewalls.
firewalls are not for the faint-hearted if
you want to do it yourself. using any of the
above methods will be quite easy.

Quote:
Is there a gui that would be helpful?
the above methods are so easy it would almost
be tragic to use a GUI. besides - you're using
slackware, so be prepared for a bit of command
line stuff. also, the configs will likely have to
be done as root - and i hope you don't run X
as root.

Quote:
I have a computer with a broadband connection to the internet.
then you will definitely want a firewall. altho' many
times the router can do that for you. if your needs
are simple (ie fetch http, mail etc) then that will
be enough. if you want to download torrents or provide
some services (web,mail,(s)ftp,ssh etc) outwards, then
you will need a firewall (and maybe a bridged router).
 
Old 07-12-2009, 08:05 AM   #6
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,061
Blog Entries: 1

Rep: Reputation: 1374
Hi,

'Iptables Tutorial 1.2.2' would be a good place to get a tutorial.

The above link and others are available from 'Slackware-Links'. More than just Slackware® links!

Last edited by onebuck; 07-12-2009 at 10:53 AM. Reason: add missing link
 
Old 07-12-2009, 10:05 AM   #7
dugan
Senior Member
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 4,573

Rep: Reputation: 1394
Here are some interesting and relevant tutorials:
http://linuxgazette.net/103/odonovan.html
http://security.maruhn.com/

Two other iptables firewalls I've heard of are Shorewall and SlackFire. I've never used them though.
http://www.shorewall.net/
http://slackfire.berlios.de/

Last edited by dugan; 07-12-2009 at 10:33 AM.
 
Old 07-12-2009, 10:10 AM   #8
vharishankar
Senior Member
 
Registered: Dec 2003
Posts: 3,142
Blog Entries: 4

Rep: Reputation: 121
If you're using a router, it acts as a firewall basically - blocks all outgoing connections until you manually enable port-forwarding and forward a local port to the gateway. So in most cases you will not need a firewall. Of course, if your computer IP is directly exposed to the internet (i.e. a normal modem) or you need to block a lot of incoming traffic as well as outgoing traffic, you will need a strong and possibly restrictive firewall.

If you're using KDE, guarddog is what I found to be most intuitive from the point of view of commonly used services/ports for incoming and outgoing network traffic.

http://www.simonzone.com/software/guarddog/

My advice is, if you can manage it, avoid a direct internet connection (i.e. your machine's IP is the remote IP) and always use a router or a firewall in between.

Last edited by vharishankar; 07-12-2009 at 10:14 AM.
 
Old 07-12-2009, 10:55 AM   #9
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,061
Blog Entries: 1

Rep: Reputation: 1374
Hi,

Customizing a router firewall is not feasible. So additional firewall(s) will aid you in establishing a secure environment.
 
Old 07-12-2009, 11:03 AM   #10
vharishankar
Senior Member
 
Registered: Dec 2003
Posts: 3,142
Blog Entries: 4

Rep: Reputation: 121
Quote:
Originally Posted by onebuck View Post
Hi,

Customizing a router firewall is not feasible. So additional firewall(s) will aid you in establishing a secure environment.
Yes, but for 99% of desktop use, where you're not even running additional services, it is secure for most of us.

Of course, if you're paranoid, you can implement a stricter firewall rule, but ultimately I believe in a reasonable amount of protection, but also convenience. There should be a balance between the two.

Using a strict firewall often will prevent you from using VoIP chat (like SIP) and also many multi-player games which a lot of people play. Debugging the firewall rule in such cases can be frustrating sometimes, especially if the ports used by the games are not standard or keep changing dynamically.

My advice is yes, use a firewall by all means. But learn what it does and how it works, not merely implement a rule blindly because a script automatically generates one for you.

Last edited by vharishankar; 07-12-2009 at 11:05 AM.
 
Old 07-12-2009, 03:47 PM   #11
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,061
Blog Entries: 1

Rep: Reputation: 1374
Hi,

When I'm paranoid then off to the 'dmz'.
 
Old 07-12-2009, 07:50 PM   #12
vik
Member
 
Registered: Apr 2008
Distribution: Gentoo
Posts: 225
Blog Entries: 6

Rep: Reputation: 50
here's mine...

Here's one I came up with by tweaking the one over at linux.org tutorials... just set the variables at the top correctly, then delete any of the services that you don't need. As I'm adding out rules, it is more secure but also more likely to interfere with your programs.

Code:
#!/bin/sh
# first, load the conntrack helper that tracks ftp data connections
# (nf_conntrack_ftp on current 2.6 kernels; older kernels named it ip_conntrack_ftp)
/sbin/modprobe nf_conntrack_ftp 2>/dev/null || /sbin/modprobe ip_conntrack_ftp

IPTABLES=/sbin/iptables
INTERFACE=eth0
MY_IP=x.x.x.x
MY_NETWORK=x.x.x.0

# start by flushing the rules
$IPTABLES -F
# delete any user-created chains
$IPTABLES -X

## allow packets coming from/going to the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# block spoofed packets coming in to my machine where the source is 127.0.0.0/8
# but the interface is not loopback (the negation goes before -i)
$IPTABLES -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
# block spoofing-packet coming in to my machine with my IP
# (would use loopback with IP of 127.0.0.1, not actual IP)
$IPTABLES -A INPUT -s $MY_IP -j DROP

# stop bad packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# NMAP FIN/URG/PSH
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# stop Xmas Tree type scanning
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# stop null scanning
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# stop sync flood
$IPTABLES -N SYNFLOOD
$IPTABLES -A SYNFLOOD -p tcp --syn -m limit --limit 1/s -j RETURN
$IPTABLES -A SYNFLOOD -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp -m state --state NEW -j SYNFLOOD
# stop ping flood attack
$IPTABLES -N PING
$IPTABLES -A PING -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
$IPTABLES -A PING -p icmp -j REJECT
$IPTABLES -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j PING

#################################
## What we allow
#################################

# http
$IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 80 -j ACCEPT

# https
$IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 443 -j ACCEPT

# dns client
$IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT

# ftp, ftps (989:990 is ftp over tls; sftp runs over the ssh port, 22)
$IPTABLES -A INPUT -p tcp --sport 20:21 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 20:21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 989:990 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 989:990 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 20:21 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 989:990 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 989:990 -j ACCEPT
$IPTABLES -A INPUT -m helper --helper ftp -j ACCEPT
$IPTABLES -A OUTPUT -m helper --helper ftp -j ACCEPT

# pop2, pop3, secure pop3
## NOT TESTED ##
$IPTABLES -A INPUT -p tcp --sport 109:110 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 109:110 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 995 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 995 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 109:110 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 109:110 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 995 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 995 -j ACCEPT

# imap2, imap3, secure imap
## NOT TESTED ##
$IPTABLES -A INPUT -p tcp --sport 143 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 143 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 220 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 220 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 993 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 993 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 143 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 143 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 220 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 220 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 993 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 993 -j ACCEPT

# dhcp (only send/receive packets to/from my subnet)
## NOT TESTED ##
$IPTABLES -A INPUT -p udp --sport 67:68 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 67:68 -d $MY_NETWORK/16 -j ACCEPT

# nfs (only send/receive packets to/from my subnet)
## NOT TESTED ##
$IPTABLES -A INPUT -p tcp --sport 2049 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 2049 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 2049 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 2049 -d $MY_NETWORK/16 -j ACCEPT

# ntp (network time protocol)
## NOT TESTED ##
$IPTABLES -A INPUT -p tcp --sport 123 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 123 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 123 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT

# ssh (only send/receive packets to/from my subnet)
$IPTABLES -A INPUT -p tcp --sport 22 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 22 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 22 -d $MY_NETWORK/16 -j ACCEPT

# ping (only send/receive packets to/from my subnet)
$IPTABLES -A INPUT -p icmp -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -d $MY_NETWORK/16 -j ACCEPT

# cups (internet printing protocol, line printer)
# (only send/receive packets to/from my subnet)
$IPTABLES -A INPUT -p tcp --sport 515 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 631 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 631 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 515 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 631 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 631 -d $MY_NETWORK/16 -j ACCEPT

# samba with netbios (only send/receive packets to/from my subnet)
## NOT TESTED ##
$IPTABLES -A INPUT -p tcp --sport 137:139 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 137:139 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 137:139 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 137:139 -d $MY_NETWORK/16 -j ACCEPT

# mysql (only send/receive packets to/from my subnet)
$IPTABLES -A INPUT -p tcp --sport 3306 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 3306 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 3306 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 3306 -d $MY_NETWORK/16 -j ACCEPT

# block all incoming/outgoing that don't match rules above. must be last
# rule, or overrides other rules and blocks everything.
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j DROP
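The script above accepts inbound packets on the strength of their source port alone: any packet with source port 80, 443 or 53 is let in whether or not it answers a connection this host opened, which is exactly the gap connection tracking closes. The following is an added example, not vik's script or anything else posted in this thread. It keeps the same shape (variables at the top, flush, per-service allows, default deny) but uses the connection tracker, sets DROP as the chain policy instead of relying on trailing DROP rules, and logs what is about to be dropped so a blocked program can be diagnosed from the kernel log rather than guessed at. The function names (rule, load_rules, preview_rules, rule_count) and the LAN subnet 192.168.1.0/24 are assumptions made for the example; eth0 is taken from the script above. The conntrack match used here supersedes the older state match; on very old iptables builds `-m conntrack --ctstate` can be swapped for `-m state --state`.

```sh
#!/bin/sh
# Stateful desktop firewall (added example, not code from the thread).
# Run "sh rc.firewall --apply" as root to load it, or
# "IPTABLES=echo sh rc.firewall --apply" to print the rules without loading them.
IPTABLES="${IPTABLES:-/sbin/iptables}"
INTERFACE="${INTERFACE:-eth0}"
LAN="${LAN:-192.168.1.0/24}"   # constructed example subnet: adjust to your LAN

# Every rule goes through this one function so the whole policy can be
# captured and reviewed as text before it is loaded.
rule() { "$IPTABLES" "$@"; }

load_rules() {
    rule -F
    rule -X
    # Default-deny policies do the job of trailing "-A INPUT -j DROP" rules
    # and cannot be undone by a rule appended later.
    rule -P INPUT DROP
    rule -P FORWARD DROP
    rule -P OUTPUT DROP

    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    # Loopback addresses must never arrive on a real interface.
    rule -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    rule -A INPUT -m conntrack --ctstate INVALID -j DROP

    # The core of a stateful ruleset: replies are accepted only when the
    # connection tracker has seen the outbound request they belong to, so a
    # remote host gains nothing by choosing source port 80 or 53.
    rule -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Client traffic this host initiates: ssh, DNS, web, IMAPS, POP3S, NTP.
    for port in 22 53 80 443 993 995; do
        rule -A OUTPUT -o "$INTERFACE" -p tcp --dport "$port" \
             -m conntrack --ctstate NEW -j ACCEPT
    done
    for port in 53 123; do
        rule -A OUTPUT -o "$INTERFACE" -p udp --dport "$port" \
             -m conntrack --ctstate NEW -j ACCEPT
    done
    rule -A OUTPUT -o "$INTERFACE" -p icmp --icmp-type echo-request \
         -m conntrack --ctstate NEW -j ACCEPT

    # The only inbound service: ssh from the local subnet, with new
    # connections rate limited so a password-guessing run is slowed down.
    rule -A INPUT -i "$INTERFACE" -s "$LAN" -p tcp --dport 22 \
         -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 5 -j ACCEPT
    rule -A INPUT -i "$INTERFACE" -s "$LAN" -p icmp --icmp-type echo-request \
         -m limit --limit 1/s -j ACCEPT

    # Log (rate limited) whatever is about to fall through to the DROP policy.
    rule -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-in-drop: "
    rule -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-out-drop: "
}

# Dry run: print the policy as the iptables invocations it would make.
preview_rules() { ( IPTABLES=echo; load_rules ); }

# Number of iptables invocations in the policy, for a quick sanity check.
rule_count() { preview_rules | wc -l | tr -d ' '; }

if [ "${1:-}" = "--apply" ]; then
    load_rules
fi
```

Reading the preview output before loading is the check worth building a habit around: every ACCEPT should be either a NEW rule on OUTPUT or a LAN-scoped rule on INPUT, and there should be no `--sport` match anywhere. When a program stops working after loading, `dmesg | grep fw-` shows the exact packet that hit the policy.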
 
Old 07-12-2009, 08:35 PM   #13
micxz
Senior Member
 
Registered: Sep 2002
Location: CA
Distribution: openSuSE, Cent OS, Slackware
Posts: 1,131

Rep: Reputation: 75
http://oreilly.com/pub/h/45
 
Old 07-13-2009, 09:20 AM   #14
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,061
Blog Entries: 1

Rep: Reputation: 1374
Hi,

Quote:
Originally Posted by vik View Post
Here's one I came up with by tweaking the one over at linux.org tutorials...just set the variables at the top correctly, then delete any of the services that you don't need. As I'm adding out rules it is more secure, but also more likely to interfere with your programs.

Code:
[vik's script from post #12, quoted in full]
It would be nice if you placed the long listings in the vbcode tags, like I did in the quote of your post. If you use the vbcode tags the post will be cleaner, therefore easier to read. You can edit your post, then highlight the list and click code (#) or Quote (the balloon to the left of #).
 
Old 07-13-2009, 09:41 PM   #15
JosephS
Member
 
Registered: Jun 2007
Distribution: Debian Squeeze, CrunchBang Waldorf
Posts: 514

Original Poster
Rep: Reputation: 38
Thanks for the replies. I have some things I can study.
I have a couple more questions:

Quote:
vharishankar
My advice is, if you can manage it, avoid direct internet connection (i.e. your machine's IP is the remote IP) and always use a router or a firewall in-between.
If I use a firewall such as Iptables will that hide the IP of my machine?


Quote:
Mark Pettit
the above methods are so easy it would almost
be tragic to use a GUI. besides - you're using
slackware, so be prepared for a bit of command
line stuff. also, the configs will likely have to
be done as root - and i hope you don't run X
as root.
Why is it a problem to use a gui when running as root?

Is it better to run a firewall as a dedicated firewall like IPCop or
a router, rather than on the same computer or does it matter?

Thanks for the help.
 