Slackware - This Forum is for the discussion of Slackware Linux.
I'm in Slackware and still learning about this wonderful and adventurous OS, the best I've ever used up to now... but what confuses me is:
1. Why is there no rc.firewall script in my rc.d directory? Does it mean that I didn't install a firewall (iptables) on my PC? Or should I create my own rc.firewall? But I don't quite know how; I only know basic iptables commands. Can anybody give me an example?
2. And furthermore, how do I configure my Slack box to be a router and firewall so that my small home LAN (consisting of one XP box and one Fedora box) can access the internet through this Slack box...
Slackware currently doesn't come with a firewall script. My educated guess is that this is due to every user's needs being different.
I'm afraid I'm not enough of a firewall guru to give you a good answer to your 2nd question, but I recommend having a look at Shorewall or Oskar Andreasson's iptables tutorial (Google is your friend) for either a quick start or learning the full iptables syntax to build your own.
Additionally, I highly recommend that you have a look at Alien Bob's rc-script repository on www.slackware.com/~alien/ - pay special attention to the dhcpc scripts, which allow you to start the firewall immediately after DHCP has given you an IP address, and also allow you to pass the interface and IP address as parameters to the script.
If you want a starting point, I'll share mine here and then you can build on that to add routing functionality etc later:
Code:
#!/bin/sh
# /etc/rc.d/rc.firewall
# This script sets up the iptables firewall for a single host.
#
# Parameters:
#   rc.firewall start|restart|stop|block <interface-name>
#
IFNAME="$2"

# Only look up the address when an interface was actually given; with an
# empty name ifconfig would list every interface and we would pick up the
# first address it happens to print.
IPADDR=""
if [ -n "$IFNAME" ]; then
    IPADDR=$(ifconfig "$IFNAME" | sed -n 's/^.*inet addr.\([^ ]*\).*$/\1/p')
fi

# start/restart need the interface name: the anti-spoofing rule below is
# built from it, and an empty variable would produce a broken iptables call.
require_ifname() {
    if [ -z "$IFNAME" ] || [ -z "$IPADDR" ]; then
        echo "$0: need an interface with an IPv4 address, e.g. $0 $1 eth0" >&2
        exit 1
    fi
}

firewall_start() {
    # Set kernel configuration parameters - safe for everyone
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/secure_redirects
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    echo 0 > /proc/sys/net/ipv4/ip_forward
    #
    # Flush tables and set default policies
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    iptables -F
    iptables -X
    iptables -Z
    #
    # Drop known-bad traffic as early as possible
    iptables -A INPUT -p igmp -j DROP
    # 224.0.0.1 is the all-hosts multicast group and is never a valid source
    iptables -A INPUT -s 224.0.0.1 -j DROP
    iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
    iptables -A INPUT -p icmp -f -j DROP
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    #
    # Drop the various xmastree scans
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    #
    # Drop spoofed traffic (appearing to come from myself but doesn't)
    iptables -A INPUT -i "$IFNAME" -s "$IPADDR" -j DROP
    #
    # Only accept DNS answers from the nameservers listed in /etc/resolv.conf
    for i in $(awk '/^nameserver/ { print $2 }' /etc/resolv.conf)
    do
        iptables -A INPUT -p udp --dport 53 --sport 53 \
            -s "$i" -j ACCEPT
    done
    iptables -A INPUT -p udp --dport 53 --sport 53 \
        -j DROP
    #
    # Only accept DHCP offers from the server that gave us our lease
    for i in /etc/dhcpc/dhcpcd-*.info
    do
        [ -f "$i" ] || continue    # glob did not match: no dhcpcd lease file
        server=$(sed -n 's/^DHCPSID=//p' "$i" | tr -d "'\"")
        [ -n "$server" ] && iptables -A INPUT -p udp --sport 67 --dport 68 \
            -s "$server" -j ACCEPT
    done
    iptables -A INPUT -p udp --sport 67 --dport 68 -j DROP
    #
    # SSH: stop the script kiddies - only one new connection each 30 seconds
    iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --update --seconds 30 -j DROP
    iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --set -j ACCEPT
    #
    # Peer-to-Peer
    iptables -A INPUT -p tcp --dport 4661:4662 -d "$IPADDR" -j ACCEPT
    iptables -A INPUT -p tcp --dport 4242 -d "$IPADDR" -j ACCEPT
    #
    # Allow local traffic - others may want to leave this out! WARNING! MUST TRUST NETWORK
    iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
    #
    # This is for ICQ/AOL/MSN file transfers
    # Notice they're limited to port, protocol, and syn
    # (since we block state NEW ! --syn)
    iptables -A INPUT -p tcp --dport 5001:5100 \
        --syn -j ACCEPT
    iptables -A INPUT -p tcp --dport 6891:6900 \
        --syn -j ACCEPT
    #
    # Stateful inspection, just like the PIX
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p tcp -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p udp -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p icmp -m state \
        --state ESTABLISHED,RELATED -j ACCEPT
    # Answer pings, but no faster than one per second
    iptables -A INPUT -p icmp --icmp-type 8 -m limit \
        --limit 1/second -j ACCEPT
}

firewall_stop() {
    # Stopping firewall by opening all ports, accepting all packets
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    iptables -X
    iptables -Z
}

firewall_block() {
    # Blocking ALL internet traffic by dropping all packets
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    iptables -F
    iptables -X
    iptables -Z
}

# Minimal alternative rule set (no DNS/DHCP/SSH/P2P rules). Not wired to a
# command below; call it from the case statement instead of firewall_start
# if you prefer it.
firewall_simple() {
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    iptables -F
    iptables -X
    iptables -Z
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p igmp -j DROP
    iptables -A INPUT -p icmp -f -j DROP
    iptables -A INPUT -m state --state INVALID -j DROP
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
}

firewall_restart() {
    # Close everything while the new rules are being loaded
    firewall_block
    sleep 1
    firewall_start
}

case "$1" in
    'start')
        require_ifname start
        echo "Starting Firewall ($IFNAME)..."
        firewall_start
        ;;
    'stop')
        echo "Stopping Firewall ($IFNAME)..."
        firewall_stop
        ;;
    'block')
        echo "BLOCKING FIREWALL ($IFNAME)..."
        firewall_block
        ;;
    'restart')
        require_ifname restart
        echo "Restarting Firewall ($IFNAME)..."
        firewall_restart
        ;;
    *)
        echo "usage: $0 start|stop|restart|block <ifname>"
        exit 1
        ;;
esac
Thanks Yalla-One... does that mean that I should write my own rc.firewall script in order to enable a firewall on my Slack box? Heh, I guess I have to find some default iptables settings (rc.firewall) first, and only then will I add my own rules to the chain.. do you have any example of a default rc.firewall script, or any link.. ermm.. ok.. I think I should find it myself from my friend here, Missy Google..
Thanks again Yalla-One!
P/S: I really like Slackware.. look what she has done to me... making me search, ask, tweak, set up and learn beautiful things by myself...
In a related thought, every essay I've read about iptables and 'nix firewalls revolves around a network. Yet an iptables firewall is useful for a single station too. I'm running a firewall script from one of the several sites generating firewall scripts.
However, suppose one wants to plan ahead for a potential network. For example, I'm currently running only one box. Suppose I decide to add a second workstation. That second box, and my current box, will be primarily workstations and not dedicated router/gateways. But one of the boxes will provide NAT and a gateway to the web for the other box.
Thus, can one generate a NAT-based firewall script for a single station although that box is not (yet) networked? Seems to me that the idea should work just fine, because the additional differences in the rule set would be related to the NIC connected to the internal network and not the outbound NIC/modem. Can one use a NAT-gateway based script on a single station (presuming the box contains a NIC, even if not connected to anything)?