LinuxQuestions.org
Old 09-09-2003, 02:43 PM   #1
BearClaw
Member
 
Registered: Jun 2003
Location: USA
Distribution: Slackware-Current
Posts: 90

Rep: Reputation: 15
My iptables/firewall setup for ppp--It may help someone.


First, I removed "ipchains" using 'pkgtool'. Then (as root) I entered these 14 commands:
#cd /etc/rc.d ; #touch rc.firewall (make the file).
1) root@BearClaw:/# iptables -P INPUT DROP
2) root@BearClaw:/# iptables -P OUTPUT ACCEPT
3) root@BearClaw:/# iptables -P FORWARD DROP
4) root@BearClaw:/# iptables -F INPUT
5) root@BearClaw:/# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
6) root@BearClaw:/# iptables -A INPUT -j REJECT
7) root@BearClaw:/# iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
8) root@BearClaw:/# iptables -A INPUT -p icmp -j ACCEPT
9) root@BearClaw:/# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
10) root@BearClaw:/# echo 1 > /proc/sys/net/ipv4/ip_forward
11) root@BearClaw:/# iptables-save > /etc/rc.d/rc.firewall

Load firewall-rules at boot time:
12) In: rc.local, I put this line: "iptables-restore < /etc/rc.d/rc.firewall"

13) #updatedb -e /mnt &

Here is my /etc/rc.d/rc.firewall :

# Generated by iptables-save v1.2.8 on Sat Aug 23 18:43:04 2003
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
COMMIT
# Completed on Sat Aug 23 18:43:04 2003

This setup, using a dial-up ppp connection works great for me. I tested it at the grc website and it yields 'True Stealth' results. I'm not sure if it would work for other types of connections.

I decided to post this in case it might help someone out.

Frank
 
Old 09-10-2003, 12:45 AM   #2
eric.r.turner
Member
 
Registered: Aug 2003
Location: Planet Earth
Distribution: Linux Mint Debian Edition (LMDE)
Posts: 215

Rep: Reputation: 31
Someone pointed out to me that you don't need to call rc.firewall in /etc/rc.d/rc.local because there's already a call to it in /etc/rc.d/rc.inet2. You're loading your firewall rules twice.
 
Old 09-10-2003, 03:54 PM   #3
BearClaw
Member
 
Registered: Jun 2003
Location: USA
Distribution: Slackware-Current
Posts: 90

Original Poster
Rep: Reputation: 15
ert: I wasn't aware of that, thanks for pointing that out. Anyway, the firewall is working as it should. I'll remove the line in /etc/rc.d/rc.local and see if it loads as you mentioned.

Thanks, Frank
 
Old 09-10-2003, 07:21 PM   #4
BearClaw
Member
 
Registered: Jun 2003
Location: USA
Distribution: Slackware-Current
Posts: 90

Original Poster
Rep: Reputation: 15
Hey:

I removed the line in /etc/rc.d/rc.local, rebooted, checked in at grc and the stealth analysis Failed!!! So...I changed it back the way it was and achieved a "True Stealth" rating.

The book from O'Reilly-"Linux Security Cookbook" said to put that call in rc.local...maybe my rc.inet2 file is not configured correctly; anyway it's working the way it is now. It ain't broke, so I'm not gonna try to fix it. (grin)

BC
 
Old 09-10-2003, 09:11 PM   #5
eric.r.turner
Member
 
Registered: Aug 2003
Location: Planet Earth
Distribution: Linux Mint Debian Edition (LMDE)
Posts: 215

Rep: Reputation: 31
Re: My iptables/firewall setup for ppp--It may help someone.

Quote:
Originally posted by BearClaw
1) root@BearClaw:/# iptables -P INPUT DROP
2) root@BearClaw:/# iptables -P OUTPUT ACCEPT
3) root@BearClaw:/# iptables -P FORWARD DROP
4) root@BearClaw:/# iptables -F INPUT
5) root@BearClaw:/# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
6) root@BearClaw:/# iptables -A INPUT -j REJECT
7) root@BearClaw:/# iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
8) root@BearClaw:/# iptables -A INPUT -p icmp -j ACCEPT
9) root@BearClaw:/# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
If I understand iptables correctly, none of your INPUT rules after line 6 will ever be reached since nothing can get past line 6. The order that you probably want is: 1, 2, 3, 4, 5, 7, 9, 8, 6. You need 9 before 8, otherwise 8 will allow all icmp packets in. Also, I don't think you need 7.

Am I missing something?
 
Old 09-10-2003, 09:13 PM   #6
eric.r.turner
Member
 
Registered: Aug 2003
Location: Planet Earth
Distribution: Linux Mint Debian Edition (LMDE)
Posts: 215

Rep: Reputation: 31
Quote:
Originally posted by BearClaw
Hey:

I removed the line in /etc/rc.d/rc.local, rebooted, checked in at grc and the stealth analysis Failed!!! So...I changed it back the way it was and achieved a "True Stealth" rating.

The book from O'Reilly-"Linux Security Cookbook" said to put that call in rc.local...maybe my rc.inet2 file is not configured correctly; anyway it's working the way it is now. It ain't broke, so I'm not gonna try to fix it. (grin)

BC
Please post your /etc/rc.d/rc.inet2
 
Old 09-10-2003, 10:23 PM   #7
BearClaw
Member
 
Registered: Jun 2003
Location: USA
Distribution: Slackware-Current
Posts: 90

Original Poster
Rep: Reputation: 15
Here is the relevant portion of the rc.inet2 file. I just followed the directions from the book and the firewall must be working as it should. The proof is already verified.

# If there is a firewall script, run it before enabling packet forwarding.
# See the HOWTOs on http://www.netfilter.org/ for documentation on
# setting up a firewall or NAT on Linux. In some cases this might need to
# be moved past the section below dealing with packet forwarding.
if [ -x /etc/rc.d/rc.firewall ]; then
/etc/rc.d/rc.firewall start
fi

BC
 
Old 09-11-2003, 04:55 AM   #8
Cerbere
Member
 
Registered: Dec 2002
Location: California
Distribution: Slackware & LFS
Posts: 799

Rep: Reputation: 33
The reason that /etc/rc.inet2 isn't setting your firewall rules is because you only have the iptables SETTINGS in /etc/rc.firewall, whereas it is expecting an executable list of COMMANDS.

In order for /etc/rc.inet2 to set up your firewall, you must make /etc/rc.firewall a script, with a shebang followed by the commands that you listed, then set /etc/rc.firewall as executable.

The command that you placed in rc.local restores the settings that you have listed in /etc/rc.firewall. This isn't strictly in line with slack configuration, but it'll work (as you already know).

Enjoy!
--- Cerbere
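Putting eric.r.turner's rule ordering (post #5) and Cerbere's point that rc.inet2 expects an executable script rather than iptables-save output (post #8) together, here is an added example rc.firewall written in the form rc.inet2 calls it; it is not any poster's file. It assumes iptables lives at /usr/sbin/iptables and uses a plain "-i lo" match for loopback instead of the 127.0.0.0/8 source/destination pair.

```shell
#!/bin/sh
# Constructed example rc.firewall, not BearClaw's file.
# rc.inet2 calls "/etc/rc.d/rc.firewall start", so an action argument selects what runs.
IPT=${IPT:-/usr/sbin/iptables}   # assumed path; adjust if iptables lives elsewhere

# Print the INPUT rules, one per line, in the order they must be appended:
# loopback and conntrack accepts first, the echo-request DROP before the blanket
# icmp ACCEPT, and the catch-all REJECT last so nothing below it is shadowed.
firewall_rules() {
    cat <<'EOF'
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT
EOF
}

# Succeed only if REJECT is the final rule and the echo-request DROP precedes the
# icmp ACCEPT; this is the ordering mistake eric.r.turner spotted in post #1.
check_order() {
    rules=$(firewall_rules)
    last=$(printf '%s\n' "$rules" | tail -n 1)
    drop=$(printf '%s\n' "$rules" | grep -n 'echo-request -j DROP' | cut -d: -f1)
    acc=$(printf '%s\n' "$rules" | grep -n 'icmp -j ACCEPT' | cut -d: -f1)
    [ "$last" = "-A INPUT -j REJECT" ] && [ "${drop:-0}" -lt "${acc:-0}" ]
}

fw_start() {
    check_order || { echo "rc.firewall: bad rule order, refusing to load" >&2; return 1; }
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    firewall_rules | while read -r rule; do
        $IPT $rule   # unquoted on purpose: each line is one argument list
    done
}

fw_stop() {
    $IPT -P INPUT ACCEPT
    $IPT -F INPUT
}

case "$1" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    status)  $IPT -L INPUT -n -v ;;
    check)   check_order && echo "rule order OK" ;;
esac
```

Save it as /etc/rc.d/rc.firewall, chmod 755 it, and the existing test in rc.inet2 picks it up at boot without the extra line in rc.local.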