Old 10-30-2005, 02:25 AM   #1
slazer
LQ Newbie
 
Registered: Oct 2005
Location: kuala lumpur, malaysia
Distribution: slackware, fedora
Posts: 26

Rep: Reputation: 15
rc.firewall didnt exist..


hi all,

i'm in slackware and still learning about this wonderful and adventurous OS, the best i've ever used right now... but what's confusing me are:

1. why is there no rc.firewall script in my rc.d directory? does it mean that i didn't install a firewall (iptables) on my pc? or should i create my own rc.firewall? but i don't quite know how, i just know basic commands in iptables. can anybody give me an example?

2. and furthermore, how do i configure my slack box to be a router and firewall so that my small home lan (consisting of 1 xp box and 1 fedora box) can access the internet through this slack box...

thanks in advance...

p/s: sorry for my english... not quite good..
 
Old 10-30-2005, 03:37 AM   #2
Yalla-One
Member
 
Registered: Oct 2004
Location: Norway
Distribution: Slackware, CentOS
Posts: 635

Rep: Reputation: 35
Hi Slazer,

Slackware currently doesn't come with a firewall script. My educated guess is that this is due to every user's needs being different.

I'm afraid I'm not enough of a firewall guru to give you a good answer to your 2nd question, but I recommend having a look at shorewall or Oskar Andreasson's iptables tutorial (Google is your friend), either for a quick start or to learn the full iptables syntax to build your own.

Additionally, I highly recommend that you have a look at alien bob's rc-script repository on www.slackware.com/~alien/ - pay special attention to the dhcpc scripts, which allow you to start the firewall immediately after dhcp has given you an IP address, and also allow you to pass the interface and ip address as parameters to the script.

If you want a starting point, I'll share mine here and then you can build on that to add routing functionality etc later:

Code:
#! /bin/sh
# /etc/rc.d/rc.firewall
# This script is used to bring up the various network interfaces.
#
# Parameters:
# rc.firewall start|restart|stop|block <interface-name>
#

IFNAME=$2
IPADDR=`ifconfig $IFNAME | sed -n 's/^.*inet addr.\([^ ]*\).*$/\1/p'`

firewall_start() {
  # Set kernel configuration parameters - safe for everyone
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
  echo 0 > /proc/sys/net/ipv4/conf/all/secure_redirects
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
  echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
  echo 0 > /proc/sys/net/ipv4/ip_forward
  #
  # Flush tables and set default policies
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP
  iptables -F
  iptables -X
  iptables -Z
  #
  # Drop known-bad traffic as early as possible
  iptables -A INPUT -p igmp -j DROP
  # 224.0.0.1 is the all-hosts multicast group (the original had the typo 244.0.0.1)
  iptables -A INPUT -s 224.0.0.1 -j DROP
  iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
  iptables -A INPUT -p icmp -f -j DROP
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  #
  # Drop the various xmastree scans
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  #
  # Drop spoofed traffic (appearing to come from myself but doesnt)
  iptables -A INPUT -i $IFNAME -s $IPADDR -j DROP
  #
  # Set up logic trees for blocking DNS not from ISP DNS
  for i in `cat /etc/resolv.conf | grep "^nameserver" | awk '{print $2}'`
  do
     iptables -A INPUT -p udp --dport 53 --sport 53 \
     -s $i -j ACCEPT
  done
  iptables -A INPUT -p udp --dport 53 --sport 53 \
     -j DROP
  #
  # Set up logic trees for allowing only legal DHCP
  for i in /etc/dhcpc/dhcpcd-*.info
  do
     iptables -A INPUT -p udp --sport 67 --dport 68 \
     -s  `grep DHCPSID $i | sed 's/DHCPSID=//g'` -j ACCEPT
  done
  iptables -A INPUT -p udp --sport 67 --dport 68 -j DROP
  #
  # SSH: stop the script kiddies - only one new connection each 30 seconds
  iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 30 -j DROP
  iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --set -j ACCEPT
  #
  # Peer-to-Peer
  iptables -A INPUT -p tcp --dport 4661:4662 -d $IPADDR -j ACCEPT
  iptables -A INPUT -p tcp --dport 4242:4242 -d $IPADDR -j ACCEPT
  #
  # Allow local traffic - other may want to leave this out! WARNING! MUST TRUST NETWORK
  iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
  #
  # This is for ICQ/AOL/MSN file transfers
  # Notice they're limited to port, protocol, and syn
  # (since we block state NEW ! --syn)
  iptables -A INPUT -p tcp --dport 5001:5100 \
     --syn -j ACCEPT
  iptables -A INPUT -p tcp --dport 6891:6900 \
     --syn -j ACCEPT
  #
  # Stateful inspection, just like the PIX
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -p tcp -m state \
     --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p udp -m state \
     --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p icmp -m state \
     --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type 8 -m limit \
     --limit 1/second -j ACCEPT
}

firewall_stop() {
  # Stopping firewall by opening all ports accepting all packets
  iptables -P INPUT ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -F
  iptables -X
  iptables -Z
}

firewall_block() {
  # Blocking ALL internet traffic by dropping all packets
  iptables -P INPUT DROP
  iptables -P OUTPUT DROP
  iptables -P FORWARD DROP
  iptables -F
  iptables -X
  iptables -Z
}

firewall_simple() {
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP
  iptables -F
  iptables -X
  iptables -Z
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -p igmp -j DROP
  iptables -A INPUT -p icmp -f -j DROP
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
  iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
}

firewall_restart() {
  firewall_block
  sleep 1
  firewall_start
}

case "$1" in
'start')
  echo "Starting Firewall ($IFNAME)..."
  firewall_start
  ;;
'stop')
  echo "Stopping Firewall ($IFNAME)..."
  firewall_stop
  ;;
'block')
  echo "BLOCKING FIREWALL ($IFNAME)..."
  firewall_block
  ;;
'restart')
  echo "Restarting Firewall ($IFNAME)..."
  firewall_restart
  ;;
*)
  echo "usage $0 start|stop|restart|block <ifname>"
esac
Hope this helps...
 
Old 10-30-2005, 04:12 AM   #3
slazer
LQ Newbie
 
Registered: Oct 2005
Location: kuala lumpur, malaysia
Distribution: slackware, fedora
Posts: 26

Original Poster
Rep: Reputation: 15
thanks Yalla-One... does that mean that i should write my own rc.firewall script in order to enable the firewall on my slack box? heh, i guess i have to find a default iptables setting (rc.firewall), and only then add my own rules to the chain.. do you have any example of a default rc.firewall script, or any link.. ermm.. ok.. i think i should find it myself from my friend here, missy google..

thanks again yalla-one!

p/s: i really like slackware.. look what she has done to me... making me search, ask, tweak, set and learn beautiful things by myself...
 
Old 10-30-2005, 11:34 AM   #4
Boow
Member
 
Registered: Feb 2004
Distribution: Slackware 10.2
Posts: 669

Rep: Reputation: 32
just download guarddog or any of the graphical frontends to iptables
 
Old 10-30-2005, 03:40 PM   #5
dennisk
Member
 
Registered: May 2004
Location: Southwestern USA
Distribution: CentOS
Posts: 279

Rep: Reputation: 30
If you'd like a ready to run rc.firewall you can use Brian's Ten Minute Firewall.

Dennisk
 
Old 10-30-2005, 07:43 PM   #6
Woodsman
Senior Member
 
Registered: Oct 2005
Distribution: Slackware 14.1
Posts: 3,482

Rep: Reputation: 534
In a related thought, every essay I've read about iptables and 'nix firewalls revolves around a network. Yet an iptables firewall is useful for a single station too. I'm running a firewall script from one of the several sites generating firewall scripts.

However, suppose one wants to plan ahead for a potential network. For example, I'm currently running only one box. Suppose I decide to add a second workstation. That second box, and my current box, will be primarily workstations and not dedicated router/gateways. But one of the boxes will provide NAT and a gateway to the web for the other box.

Thus, can one generate a NAT-based firewall script for a single station although that box is not (yet) networked? Seems to me that the idea should work just fine, because the additional differences in the rule set would be related to the NIC connected to the internal network and not the outbound NIC/modem. Can one use a NAT-gateway based script on a single station (presuming the box contains a NIC, even if not connected to anything)?
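Editor's added example (not code from any poster in this thread, nor from Slackware): the router/NAT part that post #1 asks about and that Woodsman's question above is about, written in the same style as the rc.firewall posted earlier. The interface names eth0 (internet side) and eth1 (LAN side) and the 192.168.1.0/24 range are assumed placeholders, overridable through the environment. The rules are generated as text by nat_rules so they can be reviewed with "show" before "apply" pipes them into sh as root; the only FORWARD traffic allowed is what the LAN itself initiates, plus the replies, and ip_forward is switched on last (the rc.firewall above sets it to 0, which is correct for a single station but must be 1 on a gateway).

```shell
#!/bin/sh
# Added example: NAT gateway rules for a Slackware box with two NICs.
# Assumed placeholder names; override with e.g. EXT_IF=ppp0 ./rc.nat show
EXT_IF="${EXT_IF:-eth0}"            # internet-facing interface (assumed)
INT_IF="${INT_IF:-eth1}"            # LAN-facing interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}" # private range behind the gateway (assumed)

# Emit the rule set for the given external NIC, internal NIC and LAN range.
# Printing instead of executing lets you inspect (or test) the rules first.
nat_rules() {
  ext="$1"; int="$2"; lan="$3"
  cat <<EOF
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
# Anti-spoofing: a packet claiming a LAN source must arrive on the LAN NIC
iptables -A FORWARD -i $ext -s $lan -j DROP
# Nothing leaves through the external NIC unless it really comes from the LAN range
iptables -A FORWARD -o $ext ! -s $lan -j DROP
# Replies to connections the LAN opened are allowed back in
iptables -A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only the LAN may open new connections towards the internet
iptables -A FORWARD -i $int -o $ext -s $lan -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Hide the LAN behind whatever address the external NIC has (works for dynamic IPs too)
iptables -t nat -A POSTROUTING -o $ext -s $lan -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# Undo: stop forwarding and drop the NAT entries again.
nat_rules_off() {
  cat <<EOF
echo 0 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -F
iptables -F FORWARD
iptables -P FORWARD DROP
EOF
}

case "${1:-}" in
'show')  nat_rules "$EXT_IF" "$INT_IF" "$LAN_NET" ;;
'apply') nat_rules "$EXT_IF" "$INT_IF" "$LAN_NET" | sh ;;
'off')   nat_rules_off | sh ;;
*)       echo "usage: $0 show|apply|off" >&2 ;;
esac
```

On a box where the LAN NIC is not plugged in yet, the rules that name it simply never match, so the same script can stay in place until the second machine arrives; the INPUT chain of the rc.firewall above still governs what the gateway itself accepts.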
 
Old 10-31-2005, 01:35 AM   #7
slazer
LQ Newbie
 
Registered: Oct 2005
Location: kuala lumpur, malaysia
Distribution: slackware, fedora
Posts: 26

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by Boow
just download guarddog or any of the graphical frontends to iptables
my slack box doesn't have any window manager.... not even X.. so.. the only choice is using a command-based pkg.. iptables
 