LinuxQuestions.org
Slackware This Forum is for the discussion of Slackware Linux.

Old 06-04-2013, 12:05 PM   #1
Z038
Member
 
Registered: Jan 2006
Location: Dallas
Distribution: Slackware
Posts: 910

Rep: Reputation: 174
What are some good ways for handling iptables firewall at boot


My question is not about writing a firewall script or how to code the iptables rules, but about how to manage the firewall.

I've generally ignored iptables and just used the Slackware default because my home LAN is behind a router that firewalls everything coming in. Lately I've been setting up various servers that I want to access remotely over the internet, like ssh, openvpn, vsftpd, httpd, and sparkleshare. I soon started seeing intrusion attempts on well-known ports once I opened them up on my router. I installed fail2ban to deal with them.

My firewall is rudimentary. I created /etc/rc.d/rc.firewall and I invoke it from rc.local during boot. It only has a couple of iptables commands in it. Next I start fail2ban, which adds some additional iptables rules. Fail2ban adds and deletes more rules to ban or unban specific IP addresses as it monitors intrusions.

This is what I have now in rc.local:

Code:
# run the static firewall script; flush the tables first so its rules
# are not added a second time
if [ -x /etc/rc.d/rc.firewall ]; then
   iptables -F
   /etc/rc.d/rc.firewall
fi

# fail2ban then adds and removes its own rules on top of these
if [ -x /etc/rc.d/rc.fail2ban ]; then
   /etc/rc.d/rc.fail2ban start
fi
It's the dynamic nature of fail2ban that made me question best practices for managing the firewall. If it were completely static, I'd just code it in rc.firewall and start it during boot from rc.local. But when fail2ban is running, the firewall rules are modified dynamically.

I decided not to flush the iptables in rc.firewall so that it won't wipe out anything that fail2ban adds if I happen to update it and rerun it after fail2ban has started.

What I'd like to know is if this is a good way of handling the firewall, or if there are other practices I should consider.
 
Old 06-04-2013, 12:42 PM   #2
TracyTiger
Member
 
Registered: Apr 2011
Location: California, USA
Distribution: Slackware
Posts: 528

Rep: Reputation: 273
Quote:
Originally Posted by Z038
I created /etc/rc.d/rc.firewall and I invoke it from rc.local during boot.
I'm not familiar with fail2ban and where in the boot process it starts, but you may be running your firewall script twice at reboot unintentionally.

You don't mention which Slackware release you're using, but with recent releases of Slackware if the /etc/rc.d/rc.firewall script is executable then the /etc/rc.d/rc.inet2 script will execute it.

Your rc.local script is probably running the rc.firewall script a second time.

Note that the rc.inet2 script uses the argument start. You can just ignore that if you don't want to use start/stop/reset/... in your rc.firewall script.

Last edited by TracyTiger; 06-04-2013 at 12:46 PM.
 
1 members found this post helpful.
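Post #1 (fail2ban rewriting the rule set at run time, so rc.firewall must not flush everything) and post #2 (rc.inet2 already runs an executable rc.firewall with the argument start) together call for a script that is safe to run more than once. The following is an added example skeleton, not any poster's script; the chain name STATIC_IN, the port lists and the /usr/sbin/iptables path are assumptions, and it relies on iptables -C, available since iptables 1.4.11.

```shell
#!/bin/sh
# Example /etc/rc.d/rc.firewall skeleton (added example, not any poster's script).
# rc.inet2 runs an executable rc.firewall with the argument "start", so rc.local
# must not call it again. All static rules live in one private chain: "start"
# rebuilds only that chain, so re-running it never duplicates rules and never
# flushes what fail2ban has inserted into INPUT. Assumes iptables >= 1.4.11 (-C).

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"   # overridable for a dry run
CHAIN="${CHAIN:-STATIC_IN}"                  # assumed name of our chain
TCP_PORTS="${TCP_PORTS:-22 80}"              # placeholder: ssh, httpd
UDP_PORTS="${UDP_PORTS:-1194}"               # placeholder: openvpn
fw_start() {
    # Create the chain once; on every start flush and rebuild only its contents.
    $IPTABLES -n -L "$CHAIN" >/dev/null 2>&1 || $IPTABLES -N "$CHAIN"
    $IPTABLES -F "$CHAIN"
    $IPTABLES -A "$CHAIN" -i lo -j ACCEPT
    $IPTABLES -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    for p in $TCP_PORTS; do
        $IPTABLES -A "$CHAIN" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $UDP_PORTS; do
        $IPTABLES -A "$CHAIN" -p udp --dport "$p" -j ACCEPT
    done
    # Append the jump at the END of INPUT, and only if it is not already there
    # (-C). fail2ban inserts its ban chains at the top with -I, so its bans are
    # evaluated before our ACCEPTs even after this script is restarted.
    $IPTABLES -C INPUT -j "$CHAIN" 2>/dev/null || $IPTABLES -A INPUT -j "$CHAIN"
    $IPTABLES -P INPUT DROP   # traffic our chain does not ACCEPT ends here
}

fw_stop() {
    # Undo only what fw_start did; fail2ban's rules survive a firewall restart.
    $IPTABLES -P INPUT ACCEPT
    if $IPTABLES -C INPUT -j "$CHAIN" 2>/dev/null; then
        $IPTABLES -D INPUT -j "$CHAIN"
    fi
    if $IPTABLES -n -L "$CHAIN" >/dev/null 2>&1; then
        $IPTABLES -F "$CHAIN"
        $IPTABLES -X "$CHAIN"
    fi
}
# Dispatch only when an argument is given (rc.inet2 passes "start").
case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    status)  $IPTABLES -n -v -L "$CHAIN" ;;
    "")      ;;                      # run without arguments: define only
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Because only the private chain is flushed and the INPUT jump is checked with -C before it is added, running "rc.firewall start" a second time (or from both rc.inet2 and rc.local) leaves the rule set unchanged.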
Old 06-04-2013, 01:03 PM   #3
Z038
Member
 
Registered: Jan 2006
Location: Dallas
Distribution: Slackware
Posts: 910

Original Poster
Rep: Reputation: 174
I'm running Slackware64 14.0. Thanks for the info about rc.inet2, Tracy. Before I added the iptables -F command in rc.local, I was getting duplicate rules, so it looks like it was indeed running twice. I've commented it out in rc.local.

I'm starting fail2ban in rc.local, so it starts late in the init sequence. As far as I know, there isn't anything else that starts it automatically.

Last edited by Z038; 06-04-2013 at 01:09 PM.
 
Old 06-04-2013, 09:28 PM   #4
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,323
Blog Entries: 28

Rep: Reputation: 6142
I use the Project Files rc.firewall script. I configure it up, put in /etc/rc.d, and mark it as executable, and it just runs on boot.

I've been using it with Slackware for years, at least since v. 10.2.

Last edited by frankbell; 06-04-2013 at 09:31 PM.
 
Old 06-05-2013, 12:16 AM   #5
Z038
Member
 
Registered: Jan 2006
Location: Dallas
Distribution: Slackware
Posts: 910

Original Poster
Rep: Reputation: 174
It doesn't look like that is available anymore, Frank. When you click on the download links, you get a message on Sourceforge that says
Quote:
The "/OldFiles/rc.firewal..OldFiles/rc.firewall" file could not be found or is not available. Please select another file.
The project has no files.
 
Old 06-05-2013, 05:50 PM   #6
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,323
Blog Entries: 28

Rep: Reputation: 6142
Drat.

I know the first link I had archived had vanished. I can send you a copy of mine, with my configuration removed, if you wish to send me your email address via LQ email.

Maybe I'll put it up on my website.

Update:

What the heck. I went ahead and posted it.

http://www.pineviewfarm.net/weblog/p...rewall-script/

Last edited by frankbell; 06-05-2013 at 06:20 PM.
 
1 members found this post helpful.
Old 06-05-2013, 06:25 PM   #7
Z038
Member
 
Registered: Jan 2006
Location: Dallas
Distribution: Slackware
Posts: 910

Original Poster
Rep: Reputation: 174
Hey, that's great. Thanks for posting it, frank.
 
Old 06-05-2013, 07:45 PM   #8
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,323
Blog Entries: 28

Rep: Reputation: 6142
You are welcome.

So many friendly Linux users have helped me over the years. I'm just paying it forward and really glad to have an opportunity to do so.
 
Old 06-07-2013, 04:37 AM   #9
dive
Senior Member
 
Registered: Aug 2003
Location: UK
Distribution: Slackware
Posts: 3,467

Rep: Reputation: Disabled
I use alienBob's firewall generator, with a few modifications: http://connie.slackware.com/~alien/efg/
 
Old 06-07-2013, 09:18 AM   #10
Z038
Member
 
Registered: Jan 2006
Location: Dallas
Distribution: Slackware
Posts: 910

Original Poster
Rep: Reputation: 174
I looked at that a few years ago, dive. My systems don't fit the description in the help text of either a single system or a private network gateway, so it didn't seem applicable to me. I think, in general, it isn't applicable to systems behind a router appliance that serves as a gateway to the internet. Once you start forwarding ports to an internal system from the firewall in the gateway appliance, such as for internet-facing servers, you begin to resemble one of those descriptions.
 
Old 06-07-2013, 09:26 AM   #11
hitest
Guru
 
Registered: Mar 2004
Location: Canada
Distribution: Void, Debian, Slackware
Posts: 7,342

Rep: Reputation: 3746
Quote:
Originally Posted by dive
I use alienBob's firewall generator, with a few modifications: http://connie.slackware.com/~alien/efg/
I like and use Eric's EFG as well.
 
Old 06-07-2013, 11:18 AM   #12
Z038
Member
 
Registered: Jan 2006
Location: Dallas
Distribution: Slackware
Posts: 910

Original Poster
Rep: Reputation: 174
Quote:
Originally Posted by dive
I use alienBob's firewall generator, with a few modifications: http://connie.slackware.com/~alien/efg/
Quote:
Originally Posted by hitest
I like and use Eric's EFG as well.
As a matter of curiosity, do either of you have a configuration that resembles what Eric describes as "Single System" or "Gateway/Firewall"? And do you use the generated firewall on your home systems, or on non-residential business systems?

From the help text for the "Single System or Private Network Gateway" question:

Quote:
If your linux computer is also your workstation and is not connected to another network while you are connected to the Internet, select the Single System option.

If your linux computer connects a network of computers to the Internet, it is a gateway system.
Neither of those circumstances is very common in the US for residential ISP customers these days. I see that one of you is from the UK, and the other from Canada, so I'm curious if the norm is different where you reside. Here in the US, the usual case is that one or more computers in the home are connected to a dedicated router/gateway appliance (like a Netgear or D-Link or Linksys, etc., device), often supplied by the ISP, that provides a firewall, serves as the internet gateway, and usually offers a dhcp server for the local network, dns forwarding, and a wifi AP.

It has never seemed likely to me that a computer system on the small residential local LAN sitting behind one of those router/firewall/gateway appliances has much need of another firewall unless the system has internet-accessible servers running on it. The latter is true for me now, which is why I'm suddenly interested in my firewall configuration.

Last edited by Z038; 06-07-2013 at 11:19 AM.
 
Old 06-07-2013, 12:50 PM   #13
slac-in-the-box
Member
 
Registered: Mar 2010
Location: oregon
Distribution: slackware64-15.0 / slarm64-current
Posts: 780
Blog Entries: 1

Rep: Reputation: 432
I've been using Alien Bob's Firewall Generator too...

Suppose I'm just installing it on my laptop: I just use the "single system" configuration... this laptop roams around my home LAN using wifi, and thus it is behind the firewall on my home LAN's router...

My home LAN's router is just another slackware box, and on this one, I selected the "gateway" option.

Strictly, my laptop is already protected by the home LAN's firewall, so I don't really need a firewall on it when I'm home... but since I travel, and I don't know whether every hotel or coffee shop's wifi has a properly configured firewall, I keep the "single system" firewall on my laptop...

I also have an asterisk server behind the firewall on my LAN... this box has to receive requests from the external internet servers, such as my voip direct inward dial service provider--if someone calls one of my DID numbers, the service provider forwards the call to my asterisk box behind my LAN, which then routes the call based on what extension someone dialed... this setup happens over TCP port 5060, because it is using SIP, and so I have to create a rule in my gateway/router's firewall to forward all tcp traffic on port 5060 to my asterisk box...

Scrolling through the long firewall script generated by Alien's firewall generator, I found a section of user defined chains for Incoming TCP, Incoming UDP, and Outgoing TCP and Outgoing UDP... it is here that I added the rule for incoming tcp traffic on port 5060... of course I can do the same for other ports for other services... can make a rule for port 80 tcp to forward to local web server... etc., etc., etc... This is what you need to open for all the ports used for your remote services, httpd, sparkle share, etc... If it is just specific boxes out there that you are communicating with, then make your rules only allow incoming from those specific ip addresses, and this will limit the brute force attacks...

I think that Alien's EFG is pretty thorough... there are really only three situations: 1) totally unprotected (he doesn't give this option, cause you wouldn't be configuring a firewall if you wanted that)... but this is ok if you are already protected by your gateway's firewall; 2) a system that is not a gateway, but wants to filter ip traffic -- this is the single system option; and 3) a gateway... I can't think of a system that doesn't fall within these three categories...

Beware... I'm just a tinkering slacker and I don't know what I'm talking about.

Last edited by slac-in-the-box; 06-07-2013 at 12:56 PM.
 
2 members found this post helpful.
  

