Old 09-09-2006, 02:26 AM   #1
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,515

Rep: Reputation: 62
Need help tweaking rc.firewall from alien bobs site


Hi all,

I just went through Alien Bob's firewall builder, as I'm trying to learn iptables etc. and not have my hand held via other apps that are more GUI driven.

However, I cannot locate where in the rc.firewall I put the rules for samba/windows shares.

Would I just add this to the "Network File System" section:
Code:
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 631:631 -j ACCEPT
Also, I believe that I should probably also un-comment where 'netbios' packets are to be dropped, correct?

Lastly, I was wondering, there is a section on the script builder that lets you add in custom ports. The script only allows you to do one port for custom, tcp or udp. If I have more custom ports that I want configured, do I simply add them right there below that line?

Am I missing anything else? Thank you.
 
Old 09-09-2006, 07:35 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,790
Blog Entries: 1

Rep: Reputation: 414
I don't know if it helps (I'm not familiar with AlienBob's firewall), but here is how I allow Samba access on my LAN:

Code:
#Allow SAMBA from internal network only
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --dport netbios-ssn -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --dport microsoft-ds -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p udp --dport netbios-ns -j ACCEPT
As far as where it should go, you just need to make sure that there are no rules in front of it that would do something with SAMBA packets before they hit these rules.

The same would go for the custom ports. You just need to check if there is a rule in front of the rule for the custom port that would do something with the packet. Otherwise, you should be able to open as many custom ports as you like.
 
Old 09-09-2006, 10:36 AM   #3
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,313

Rep: Reputation: Disabled
Quote:
Originally Posted by Old_Fogie
Hi all,

I just went through Alien Bob's firewall builder, as I'm trying to learn iptables etc. and not have my hand held via other apps that are more GUI driven.
However, I cannot locate where in the rc.firewall I put the rules for samba/windows shares.
Would I just add this to the "Network File System" section:
Code:
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 631:631 -j ACCEPT
Well it is not my firewall :-) I only found it and modified it just a little so that it would apply to Slackware.

Actually, look for
Code:
# udp_inbound chain
and insert your line right after that. By the way, port 631 is the CUPS printing port; it has nothing to do with file servers... but I assume you were aware of that?

Quote:
Also, I believe that I should probably also un-comment where 'netbios' packets are to be dropped, correct?
If the firewalled box is to act as a Samba fileserver, yes.

Quote:
Lastly, I was wondering, there is a section on the script builder that let's you add in custom ports. The script only allows you to do one port for custom, tcp or udp. If I have more custom ports that I want configured, do I simply add them right there below that line?
Yes, if you want to add additional port ranges, you can copy and paste the relevant lines, and change the port number. The script generator does the basic work for you, after that it's all yours to adapt.

Eric
 
Old 09-09-2006, 04:23 PM   #4
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,515

Original Poster
Rep: Reputation: 62
Hi all,

Thank you for the replies.

Hangdog mentions that I should be sure that there are no 'rules' set up before my custom rules, so basically, if I understand this correctly, rules at the top of the rc.firewall file have more "priority", per se, than rules lower in the file? Correct?

@alien bob: regarding port 631, actually, I forgot that was printing and it is presently being dropped on that machine according to dmesg, though I didn't test printing yet. OK, I gotta set up my CUPS too then, np.
 
Old 09-09-2006, 08:24 PM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by Old_Fogie
Hangdog mentions that I should be sure that there are no 'rules' set up before my custom rules, so basically, if I understand this correctly, rules at the top of the rc.firewall file have more "priority", per se, than rules lower in the file?
it depends... you wanna focus on what the end-result in the actual chain is - not so much what you see in the script... rules in chains are interpreted from top to bottom... when you append (-A) a rule to a chain, it goes to the end of the chain... when you insert (-I) a rule, it goes to the top of the chain...

example #1:
Code:
iptables -A INPUT -s 192.168.100.22 -j ACCEPT

iptables -A INPUT -p TCP --dport 80 -j DROP
example #2:
Code:
iptables -A INPUT -s 192.168.100.22 -j ACCEPT

iptables -I INPUT -p TCP --dport 80 -j DROP
in example #1, 192.168.100.22 will be able to connect to port 80 on our box... in example #2, it will NOT - because the second rule was inserted and went to the top of the INPUT chain...

you *usually* won't see inserts (-I) in iptables scripts, as one could simply edit the appends to have the rules execute in the wanted order... however, inserts are VERY useful from the command-line, or from automated-response scripts... but i'm getting off-topic now - too much coffee... =/

Last edited by win32sux; 09-09-2006 at 08:32 PM.
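The ordering rule win32sux describes, as an added example that is not part of the thread: a small Python model of an iptables chain with append and insert, evaluated against the packet from the two examples above. The packet and the default DROP policy are constructed assumptions; no real iptables is involved.

```python
# Added example (not from the thread): a tiny model of how an iptables chain
# is evaluated, showing why append (-A) and insert (-I) give different results.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Rule:
    target: str                      # ACCEPT or DROP
    src: Optional[str] = None        # -s, e.g. "192.168.100.22"
    proto: Optional[str] = None      # -p, e.g. "tcp"
    dport: Optional[int] = None      # --dport, e.g. 80

    def matches(self, pkt: dict) -> bool:
        # Every criterion set on the rule must match; unset ones match anything.
        return ((self.src is None or pkt["src"] == self.src)
                and (self.proto is None or pkt["proto"] == self.proto)
                and (self.dport is None or pkt["dport"] == self.dport))

@dataclass
class Chain:
    policy: str = "DROP"             # assumed default verdict when nothing matches
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:   # iptables -A: goes to the end
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # iptables -I: goes to the top
        self.rules.insert(0, rule)

    def verdict(self, pkt: dict) -> str:
        # Rules are walked top to bottom; the first match decides.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        return self.policy

PKT = {"src": "192.168.100.22", "proto": "tcp", "dport": 80}  # constructed packet

def example1() -> str:
    chain = Chain()
    chain.append(Rule("ACCEPT", src="192.168.100.22"))
    chain.append(Rule("DROP", proto="tcp", dport=80))   # -A: lands below the ACCEPT
    return chain.verdict(PKT)

def example2() -> str:
    chain = Chain()
    chain.append(Rule("ACCEPT", src="192.168.100.22"))
    chain.insert(Rule("DROP", proto="tcp", dport=80))   # -I: lands above the ACCEPT
    return chain.verdict(PKT)
```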
 
Old 09-09-2006, 10:56 PM   #6
drkstr
Senior Member
 
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191

Rep: Reputation: 45
Hey Fogie!

Can I ask where you got the firewall builder script? I looked on Eric's page but didn't see it. I was hoping to pull some ideas from it. I'm about to start work on my own utility and wanted to brainstorm some ideas. (sorry if this is considered thread hi-jacking. I'm not really sure what the actual definition is).

Thanks!
...drkstr

Last edited by drkstr; 09-09-2006 at 11:03 PM.
 
Old 09-09-2006, 11:01 PM   #7
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,515

Original Poster
Rep: Reputation: 62
Hi drkstr

here is the link http://www.slackware.com/~alien/efg/

thanks for the info win32 much appreciated, that makes sense.
 
Old 09-09-2006, 11:39 PM   #8
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,515

Original Poster
Rep: Reputation: 62
hmmm...

I put this into /etc/rc.firewall:

$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 631:631 -j ACCEPT

But I keep getting this in my dmesg:
INPUT packet died: IN=eth1 OUT= MAC= SRC=192.168.XXX.XXX DST=192.168.XXX.255 LEN=195 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=175

which is obviously that PC broadcasting to others on my local LAN that I have a printer service on that PC on port 631, but it's still blocking it? Any thoughts? Thank you.
 
Old 09-10-2006, 03:02 AM   #9
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by Old_Fogie
hmmm...

I put this into /etc/rc.firewall:

$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 631:631 -j ACCEPT

But I keep getting this in my dmesg:
INPUT packet died: IN=eth1 OUT= MAC= SRC=192.168.XXX.XXX DST=192.168.XXX.255 LEN=195 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=175

which is obviously that PC broadcasting to others on my local LAN that I have a printer service on that PC on port 631, but it's still blocking it? Any thoughts? Thank you.
i'm not sure, but i would think you'd need a separate rule in order to accept broadcasts... BTW, it really isn't necessary to censor your internal IPs when you post...
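As an added diagnostic example, not from the thread: a parser for the netfilter log line Old_Fogie posted that pulls out the interface, protocol and port a rule would need to match, and flags the destination as a directed broadcast (the point win32sux raises). The filled-in 192.168.1.x addresses and the /24 prefix are assumptions.

```python
# Added example (not from the thread): parse the "INPUT packet died:" line
# posted above. The log line is a constructed copy with the censored octets
# filled in (192.168.1.x is an assumption).
import re

LOG = ("INPUT packet died: IN=eth1 OUT= MAC= SRC=192.168.1.10 DST=192.168.1.255 "
       "LEN=195 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=175")

def parse_netfilter_log(line: str) -> dict:
    """Split the key=value pairs printed by the iptables LOG target into a dict.
    LEN= appears twice (IP total length, then UDP length); the second copy is
    kept under a separate key so it is not silently overwritten."""
    fields = {}
    for key, value in re.findall(r"(\w+)=(\S*)", line):
        if key in fields:
            key = "L4_" + key
        fields[key] = value
    return fields

def is_broadcast(dst: str, prefix_len: int = 24) -> bool:
    """True if dst is the directed broadcast of its /prefix_len network
    (e.g. 192.168.1.255 on a /24 LAN). The /24 is an assumption."""
    octets = [int(o) for o in dst.split(".")]
    addr = sum(o << (8 * (3 - i)) for i, o in enumerate(octets))
    host_mask = (1 << (32 - prefix_len)) - 1
    return addr & host_mask == host_mask

def describe(line: str) -> dict:
    """Summarise what a rule would have to match (-i, -p, --dport) and whether
    the packet was a broadcast rather than unicast to this host."""
    f = parse_netfilter_log(line)
    return {
        "iface": f["IN"],
        "proto": f["PROTO"].lower(),
        "dport": int(f["DPT"]),
        "broadcast": is_broadcast(f["DST"]),
        # IP total length minus UDP length should be the 20-byte IPv4 header
        "ip_len_consistent": int(f["LEN"]) - int(f["L4_LEN"]) == 20,
    }
```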
 
Old 09-10-2006, 07:35 AM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,790
Blog Entries: 1

Rep: Reputation: 414
Quote:
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 631:631 -j ACCEPT
Could it be a syntax problem? I'm not sure you need the range specification if you are accepting at a single port (i.e. --destination-port 631 -j ACCEPT).
 
Old 09-10-2006, 05:32 PM   #11
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by Hangdog42
Could it be a syntax problem? I'm not sure you need the range specification if you are accepting at a single port (i.e. --destination-port 631 -j ACCEPT).
although that specification isn't necessary and looks sloppy, it seems like it would have no negative impact... i did this quick test to make sure:
Code:
win32sux@lizzard:~$ sudo iptables -N TEST
win32sux@lizzard:~$ sudo iptables -A TEST -p TCP --dport 555:555 -j ACCEPT
win32sux@lizzard:~$ sudo iptables -L -n -v | grep 555
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:555
Code:
win32sux@lizzard:~$ sudo iptables -A TEST -p TCP --dport 555:559 -j ACCEPT
win32sux@lizzard:~$ sudo iptables -L -n -v | grep 559
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:555:559
 
Old 10-10-2006, 02:41 AM   #12
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,515

Original Poster
Rep: Reputation: 62
Alien Bob,

I was just wondering, I should be ok to use the "easy firewall script" on your site for slack11? correct?
 
Old 10-10-2006, 02:55 AM   #13
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 5,313

Rep: Reputation: Disabled
It should just work - after all it is just a script of iptables commands that it produces. I guess if you start using IPV6, you'll need something else.

Eric
 
Old 10-10-2006, 08:36 AM   #14
Old_Fogie
Senior Member
 
Registered: Mar 2006
Distribution: SLACKWARE 4TW! =D
Posts: 1,515

Original Poster
Rep: Reputation: 62
Thank you for quick reply Bob, I'm going to give it a shot.

No IPV6 devices here, from the little I have read, I need to have hardware to support it, so shouldn't be an issue I suppose.

Though it does get modprobe'd, I might take that out of my loaded modules at boot time.

Thanks again.
 
Old 10-10-2006, 01:40 PM   #15
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Rep: Reputation: 534
I am not an iptables expert, but I think there are some potential conceptual errors in this thread.

If you trust all the boxes on your LAN, then all you need do is configure the firewall script builder at Eric's web site such that all LAN traffic is trusted. After you do that, you need not worry about specific rules for specific ports on the LAN side.

If you allow access to your LAN from outside the LAN, then usually you need to add additional rules for those ports. But the LAN interface and the internet interface are two different sets of rules. The port exceptions would be on the INET interface, not the LAN interface.

I use the same approach with my Windows firewall. I trust my LAN and allow all such traffic. The bulk of my rule set is concerned with blocking the parasites outside my LAN.

Take a closer look at the rules generated by the script builder at Eric's site, which basically is a modified version of the script builder found at http://easyfwgen.morizot.net/gen/. I believe Eric's version basically addresses path name issues unique to Slackware (such as the path to the iptables executable). However, the rule set generated by this online script builder should have references to both the LAN and internet (INET) interfaces. Within the LAN you do not (normally) need additional rules to pass specific ports because the LAN is trusted and all traffic is passed and forwarded. Only the INET interface needs special attention and only if allowing outside access to specific LAN ports.

I run Samba, SSH, VSFTP on my LAN and I have no rules addressing those specific ports on the LAN side. I only have the rules addressing the basic LAN interface and I accept all traffic on the LAN. Even on the LAN side, any port not shared through Samba or allowed by SSH is simply ignored and the firewall rules have no part in that process because the ports are not open. I do not have any special rules addressing CUPS (port 631) or Samba (ports 139, 445, etc.). On my gateway box, on the INET interface I have rules added such that with some simple variable modifications, I can grant external outside access to those services. For example, if I go on the road and I want SSH or FTP access to my LAN, I toggle those variables, restart my firewall script, and those ports then are accessible from the outside world. But these mods always affect only the INET interface, and not the LAN interface.

A key to using the online firewall script builder is understanding the difference between the two interfaces (LAN and INET). Although adding additional security at each workstation in a LAN with local iptables firewall rules is a good idea, the critical point is the box that provides gateway and NAT services between the LAN and the internet. That box, unlike others in the LAN, is unique because there are at least two interfaces. Most if not all the other boxes on the LAN have only one interface. For those boxes, using the online script builder is straightforward---simply build a rule set for one interface---and that interface is also the interface for the internet because to a LAN box, the LAN gateway is the internet.

In other words, for people with LANs, generate two sets of firewall rules. Build one rule set for the generic LAN boxes and one for the box that provides gateway and NAT services. For people using stand-alone boxes, generate only one rule set because the internet interface is the only interface needing rules. That interface might be a NIC, a phone modem, or ISDN. Simply select the appropriate device.

The best way to understand the online script builder is to generate three sets of rules: 1) for a stand-alone box, 2) for a LAN box, and 3) for a gateway box. Then use a file comparison tool (in KDE, Kompare is excellent) to study the differences. Again, I am not an iptables expert, but this approach is how I learned the unique differences among the different interfaces and needs.

Because I am not an iptables expert, I welcome any corrections to my post.
 
  

