LinuxQuestions.org
Old 12-10-2007, 02:27 PM   #1
Hacker X
Member
 
Registered: Jun 2006
Location: Urbana, Illinois, US
Distribution: Zenwalk, Vector
Posts: 76

Rep: Reputation: 15
Question Using iptables


The Packet Filtering HowTo
http://www.netfilter.org/documentati...OWTO.html#toc1

seems to say that all you need to do to use iptables is make an init script that sets up the tables in the kernel.

I have a personal pc with a dsl modem connected to the ethernet card.

Two questions:
1. Is that all there is to it, or is there anything else you have do to?
2. Is there some documentation on how to design good ip tables?

EDIT: I have the iptables tutorial, maybe that's enough. I'll post more specific questions if necessary.

Last edited by Hacker X; 12-10-2007 at 07:23 PM.
 
Old 12-10-2007, 07:18 PM   #2
ehawk
Senior Member
 
Registered: Jul 2003
Posts: 1,257

Rep: Reputation: 48
http://iptables-tutorial.frozentux.n...-tutorial.html
 
Old 12-10-2007, 10:26 PM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by Hacker X
seems to say that all you need to do to use iptables is make an init script that sets up the tables in the kernel.
There's basically two approaches. The first is to make a shell script with your iptables commands in it and set that script to execute at boot. The second approach is to execute your iptables commands (either at the command line or from a script), and then save the active configuration to a file, using the iptables-save command. This approach is used a lot on boxes in which the startup scripts are "factory set" to use iptables-restore to activate a saved configuration. Typically the file used for storing the config is /etc/sysconfig/iptables. If you use the first approach, make sure you can do it so that the iptables commands are executed prior to the network being activated, as otherwise there will be a small window of exposure when your firewall rules aren't active. Distros that use the second method already take this into consideration.
 
Old 12-11-2007, 02:27 PM   #4
Hacker X
Member
 
Registered: Jun 2006
Location: Urbana, Illinois, US
Distribution: Zenwalk, Vector
Posts: 76

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by ehawk
This tutorial is insanely long. The best news is that much of it seems unnecessary for a single home pc.

Quote:
Originally Posted by win32sux
There's basically two approaches. ... shell script ... iptables-save ...
Thanks, that's simple enough. So the answer to my first question is No?
I didn't know if there's some software to download, a bunch of config files to edit, or what.

Quote:
Distros that use the second method already take this into consideration.
My system has /usr/sbin/iptables-[save|restore], but that's all I know about it so far.

Last edited by Hacker X; 12-11-2007 at 03:13 PM.
 
Old 12-11-2007, 08:29 PM   #5
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by Hacker X
Thanks, that's simple enough. So the answer to my first question is No?
I didn't know if there's some software to download, a bunch of config files to edit, or what.
You're using Zenwalk right? IIRC, that's a distro based on Slackware. So if they kept the "Slackware way" intact, you basically just need to create a /etc/rc.d/rc.firewall file with your iptables commands in it. Patrick Volkerding (the Slackware creator/maintainer) has already designed the startup scripts such that rc.firewall is loaded at the proper time. So yeah, on Slackware-based distros you basically just stick your iptables script in /etc/rc.d/rc.firewall and you're done.

For a home PC, said script can be super simple, like say:
Code:
#!/bin/sh

# Default policy: drop anything that no later rule explicitly accepts
iptables -P INPUT DROP

# Flush any existing INPUT rules, so the script is safe to re-execute
iptables -F INPUT

# Accept replies to connections this host initiated
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Accept all loopback traffic
iptables -A INPUT -i lo -j ACCEPT
This extremely simple script would provide you with a full stealth firewall configuration.

EDIT: Remember to make the rc.firewall root-owned and executable.

Last edited by win32sux; 12-11-2007 at 11:34 PM. Reason: Added "-F" in case script is re-executed.
 
Old 12-12-2007, 12:14 AM   #6
Hacker X
Member
 
Registered: Jun 2006
Location: Urbana, Illinois, US
Distribution: Zenwalk, Vector
Posts: 76

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux
You're using Zenwalk right?
Yes.
Quote:
you basically just need to create a /etc/rc.d/rc.firewall file with your iptables commands in it.
In /etc, inittab calls rc.d/rc.M in multiuser mode, rc.M is already set up to call rc.netfilter if it's executable, and rc.netfilter has some calls to iptables and a function where I can put more. Do I need rc.firewall in addition to that, or is rc.netfilter some kind of substitute?

Quote:
For a home PC, said script can be super simple, like say:
Code:
#!/bin/sh
iptables -P INPUT DROP
iptables -F INPUT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
Thanks, I'll try that.

Quote:
This extremely simple script would provide you with a full stealth firewall configuration.
Good. Is there any reason I would want to allow forwarding?
This line is in rc.netfilter:
Code:
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
Old 12-12-2007, 01:19 AM   #7
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Quote:
Originally Posted by Hacker X
In /etc, inittab calls rc.d/rc.M in multiuser mode, rc.M is already set up to call rc.netfilter if it's executable, and rc.netfilter has some calls to iptables and a function where I can put more. Do I need rc.firewall in addition to that, or is rc.netfilter some kind of substitute?
Sounds like the Zenwalk developers decided to tweak the "Slackware way" a little bit. I would expect rc.netfilter to be their replacement, so you'd only need to use that. I only say this because it would be quite weird IMHO to have two different files for setting up the firewall rules. So yeah, just stick the rules in rc.netfilter. Then reboot and check that they became active by doing a:
Code:
iptables -nvL
Quote:
Good. Is there any reason I would want to allow forwarding?
This line is in rc.netfilter:
Code:
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
The only reason to have FORWARD rules is if you have forwarding enabled, which would only be necessary if your box is configured to act as a gateway for a LAN or something of that nature. You can check if forwarding is enabled by doing a:
Code:
cat /proc/sys/net/ipv4/ip_forward
If you get a zero as output, then forwarding is disabled - in which case any FORWARD rules will be pointless. So if you aren't a gateway, there's no need for any FORWARD rules.

BTW, can you post the contents of the default rc.netfilter file? I did a quick google and I got the impression it uses some sort of special layout, unlike rc.firewall.

EDIT: According to this post on the Zenwalk forums, you just need to use iptables-save to save the configuration to the /etc/netfilter/policy.netfilter file. The startup script will pick it up from there. I don't know if this is true, though. I downloaded the Zenwalk manual and searched through it but couldn't find anything about how Zenwalk wants firewall rules to be set. I think you should get much better support in the LQ Zenwalk forum, as this is extremely distro-specific. So I'm moving this thread over there, and leaving a permanent redirect here in Security.

Last edited by win32sux; 12-12-2007 at 01:41 AM.
 
Old 12-17-2007, 02:08 PM   #8
bioe007
Member
 
Registered: Apr 2006
Location: lynnwood, wa - usa
Distribution: archlinux
Posts: 654

Rep: Reputation: 30
@Hacker X, what version & edition of zenwalk are you running?

current is 4.8, snapshot is 5.0. but anyways, the 'stock' zenwalk init scripts include a firewall in /etc/rc.d/rc.inet1

if you want an rc.firewall script you can do so but have to modify /etc/rc.d/rc.inet1 to source rc.firewall

like this:
Code:
########################
# LOAD FIREWALL POLICY #
########################

load_netfilter(){
  if [ "${NETFILTER}" = "yes" ]; then
    if [ -e /etc/netfilter/policy.netfilter ]; then
      # Load the saved policy
      sh /etc/rc.d/rc.firewall restore
    else
      # No saved policy yet: start the firewall, then save its rules
      sh /etc/rc.d/rc.firewall
      sh /etc/rc.d/rc.firewall save
    fi
  else
    # Firewall switched off in the network settings: flush the rules
    sh /etc/rc.d/rc.firewall stop
  fi
}
this is how I do it. I have only been using zenwalk since 4.6, never seen an rc.netfilter file. Keeping the control by $NETFILTER variable allows you to switch it on/off from the settings manager network config gui.

I'm not an iptables guru though, I just use Alien Bob's easy firewall generator to create rc.firewall.

hth
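As an added example (not from this thread, from Zenwalk, or from Alien Bob's generator), here is a minimal /etc/rc.d/rc.firewall that fits both approaches win32sux describes in #3 and the sub-commands bioe007's load_netfilter() in #8 passes to it: a plain invocation or start applies the stealth rules from #5, save and restore persist and reload the live ruleset through iptables-save/iptables-restore using the /etc/netfilter/policy.netfilter file named in this thread, and stop flushes. The IPTABLES, IPTABLES_SAVE, IPTABLES_RESTORE and POLICY_FILE variables and the $0 guard at the end are this example's own assumptions, there so the functions can be exercised with stand-in commands; applying real rules still needs root.

```shell
#!/bin/sh
# Added example: a minimal /etc/rc.d/rc.firewall for a single home PC.
# Sub-commands: start (default), stop, save, restore. The variables below
# are assumptions that let the functions run against stand-in commands.
IPTABLES="${IPTABLES:-iptables}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
POLICY_FILE="${POLICY_FILE:-/etc/netfilter/policy.netfilter}"

# win32sux's stealth policy: drop everything inbound except replies to
# connections this host opened, plus loopback. -F first so re-running
# the script does not duplicate rules.
fw_start() {
    "$IPTABLES" -P INPUT DROP &&
    "$IPTABLES" -F INPUT &&
    "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT &&
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
}

# Open policy and an empty INPUT chain: no filtering at all.
fw_stop() {
    "$IPTABLES" -P INPUT ACCEPT && "$IPTABLES" -F INPUT
}

# Second approach from #3: persist the live ruleset so the boot script
# can restore it instead of re-running the commands.
fw_save() {
    mkdir -p "$(dirname "$POLICY_FILE")" && "$IPTABLES_SAVE" > "$POLICY_FILE"
}

fw_restore() {
    [ -r "$POLICY_FILE" ] && "$IPTABLES_RESTORE" < "$POLICY_FILE"
}

main() {
    case "${1:-start}" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        save)    fw_save ;;
        restore) fw_restore ;;
        *) echo "usage: $0 {start|stop|save|restore}" >&2; return 2 ;;
    esac
}

# Only dispatch when run as rc.firewall; under any other name the file just
# defines the functions (e.g. when sourced from rc.inet1 or from a test).
case "${0##*/}" in rc.firewall) main "$@" ;; esac
```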
 
Old 12-18-2007, 01:04 AM   #9
Hacker X
Member
 
Registered: Jun 2006
Location: Urbana, Illinois, US
Distribution: Zenwalk, Vector
Posts: 76

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by bioe007
@Hacker X, what version & edition of zenwalk are you running?
2.6. What's an edition, and how do you determine what it is?

Quote:
the 'stock' zenwalk init scripts include a firewall in /etc/rc.d/rc.inet1
I don't see anything in rc.inet1 except ifconfig and dhcp.
In 2.6, iptables is all in rc.netfilter, including all the rules that win32sux suggested.

Quote:
I have only been using zenwalk since 4.6, never seen an rc.netfilter file.
It's called in multiuser mode by rc.M if it's executable by root.
 
Old 12-19-2007, 12:32 PM   #10
bioe007
Member
 
Registered: Apr 2006
Location: lynnwood, wa - usa
Distribution: archlinux
Posts: 654

Rep: Reputation: 30
zw2.6 is pretty old stuff. sorry I wouldn't have the foggiest about what's on there..

there are four 'editions' of zenwalk : standard, core, live, and server. Whatever iso you have should be labeled as such, otw I have no idea where you'd find it. It's most likely something like standard, I don't know how many or if any of the other editions existed in 2.6.

Quote:
It's called in multiuser mode by rc.M if it's executable by root.
I see it now, but there is no actual rc.netfilter file ( anymore ?) at least not in 4.8, -current or snapshot. maybe a forgotten dinosaur, or a way to give users something similar to slackware's +x rc.firewall flexibility.
 