LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
#1  07-27-2004, 07:22 AM  hamish (Member; Edinburgh; Distribution: Server: Gentoo2004, Desktop: Ubuntu)
Basic iptable help


Hello.

I'm trying to get a firewall running on my desktop (which is inside my home LAN). The home LAN is run by a Linksys router.

I have been trying to get this set up for ages, but i'm still lost.

I just need my computer to
- ping out and back again (I had this working on the internal LAN, but I could not ping Google)
- access web pages etc.
- SSH in and out

Those are the 3 main things I need. I spent last night Googling, but everything is just so confusing.

I was wondering if anyone had a set of rules which are as simple as what I need (surely there must be lots of people with a simple set of firewall rules for their desktop) which they could post for me to have a look at.

Thanks in advance.

hamish
 
#2  07-27-2004, 07:35 AM  ToniT (Senior Member; Zurich, Switzerland; Debian/unstable)
Please be more specific. How are your wires connected? Do you have other computers you want to get connected to the internet? Do you want a firewall inside your LAN, or do you want it to be a barrier between the LAN and the internet? Do you get real IP addresses from your router; does it work as a DHCP server? Do you have enough real/served IP addresses, or do you have to NAT some connections?
 
#3  07-27-2004, 08:14 AM  hamish (Original Poster)
The internet comes into the Linksys router/modem/gateway (it does it all) and each of the other 3 computers in the flat is connected to the router.

IPs are static.

There is a firewall on the linksys router, but I want one on my Desktop to add another layer of protection.

I would just like to block the ports on my desktop which I do not use.

I have read about SNAT, NAT, POSTROUTING etc and I'm not quite sure what they are. I was under the impression that these were only used if the firewall was on a gateway computer. That is, these are options used to route one internet connection to other computers. Just like my Linksys thing does.

Thanks for your help and I hope this is useful.

Hamish
 
#4  07-27-2004, 10:32 AM  ToniT
Ok.

You are right: for the computer to work as a firewall for other computers, it has to be at the junction point of the network.

So, what you want is:
1. Send anything to other machines
2. Receive anything from others in case you have first initiated a connection (e.g. get a web page when you ask for one).
3. Get ping replies from others
4. Receive ping requests from others.
5. Receive SSH connection requests from others.
6. Allow the machine to connect to itself.
7. Block anything else coming from the net.


Next I'm going to assume that you have got the system working so that points 1-6 are working. Meaning that you have set up your routing so that you can access the internet, and only the firewall is missing.

Let's generate a script.
Code:
#!/bin/sh
#The first line is just a regular header for a script.

#I now assume that your network interface is named eth0.
#Change the following line to match your configuration.
IF_INET=eth0

#Next, clean everything, so old firewall configurations don't get in the way:
iptables --flush
iptables --table nat --flush
#Without arguments, --delete-chain deletes all the additional (user-defined) chains.
iptables --delete-chain
iptables --table nat --delete-chain

#Now do point 7, which disallows everything not explicitly allowed.
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT DROP

#But because of point 1, we want to allow ourselves to send anything.
#(this reverts the previous OUTPUT policy)
iptables --policy OUTPUT ACCEPT

#Points 2 and 3: connection tracking classifies the replies to connections this
#host opened (including the ICMP echo-reply to our own echo-request) as ESTABLISHED.
#This rule needs the state match (ipt_state module, CONFIG_IP_NF_MATCH_STATE) in the kernel.
iptables --append INPUT --in-interface $IF_INET -m state --state ESTABLISHED,RELATED -j ACCEPT

#Point 4:
iptables --append INPUT --in-interface $IF_INET -p icmp --icmp-type echo-request -j ACCEPT

#Point 5:
iptables --append INPUT --in-interface $IF_INET -p tcp --destination-port 22 -j ACCEPT


#Point 6:
iptables --append INPUT --in-interface lo --jump ACCEPT
That's about it.
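To see what that INPUT chain actually does with each kind of packet, here is an added example that models it in Python. It is not code from the post above and it is not iptables; it is a toy of the chain (default DROP policy, a small connection-tracking table, the four ACCEPT rules in order). The interface name, the addresses 192.168.1.10 / 192.168.1.20 / 203.0.113.10, the ports and the ICMP echo identifier are assumptions made for the example. The `state_match=False` switch models the situation where the `-m state` rule is absent (for instance because it failed to load): replies to connections the host opened, web, outgoing ssh and its own pings, are then dropped, while incoming ssh and incoming pings still work; `explicit_echo_reply=True` adds the workaround rule `-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT`.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    iface: str            # interface the packet arrives on: "eth0" or "lo"
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # TCP/UDP source port; for ICMP echo, the echo identifier
    dport: int = 0        # TCP/UDP destination port; unused for ICMP
    icmp_type: str = ""   # "echo-request" or "echo-reply" when proto == "icmp"


class Conntrack:
    """Toy connection table: remembers flows this host opened so that the reply
    direction can be classified ESTABLISHED, as the kernel's state match does."""

    def __init__(self):
        self.flows = set()

    def note_outbound(self, p):
        # ICMP echo is tracked by (src, dst, echo id); TCP/UDP by the 4-tuple.
        if p.proto == "icmp":
            self.flows.add(("icmp", p.src, p.dst, p.sport))
        else:
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))

    def state(self, p):
        # A reply has endpoints (and ports) swapped relative to the flow we opened;
        # an echo-reply carries the same echo id as the request.
        if p.proto == "icmp":
            reverse = ("icmp", p.dst, p.src, p.sport)
        else:
            reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if reverse in self.flows else "NEW"


def build_input_chain(if_inet="eth0", state_match=True, explicit_echo_reply=False):
    """The INPUT chain as an ordered list of (description, predicate, verdict).
    state_match=False leaves the '-m state' rule out entirely; explicit_echo_reply=True
    appends an 'icmp --icmp-type echo-reply -j ACCEPT' rule."""
    chain = []
    if state_match:
        chain.append((f"ESTABLISHED,RELATED in on {if_inet}",
                      lambda p, ct: p.iface == if_inet and ct.state(p) == "ESTABLISHED",
                      "ACCEPT"))
    chain.append((f"icmp echo-request in on {if_inet}",
                  lambda p, ct: p.iface == if_inet and p.proto == "icmp"
                  and p.icmp_type == "echo-request",
                  "ACCEPT"))
    if explicit_echo_reply:
        chain.append(("icmp echo-reply (any interface)",
                      lambda p, ct: p.proto == "icmp" and p.icmp_type == "echo-reply",
                      "ACCEPT"))
    chain.append((f"tcp dport 22 in on {if_inet}",
                  lambda p, ct: p.iface == if_inet and p.proto == "tcp" and p.dport == 22,
                  "ACCEPT"))
    chain.append(("loopback", lambda p, ct: p.iface == "lo", "ACCEPT"))
    return chain


def input_verdict(pkt, ct, chain, policy="DROP"):
    """First matching rule wins; a packet that matches nothing gets the chain policy."""
    for desc, match, verdict in chain:
        if match(pkt, ct):
            return verdict, desc
    return policy, "chain policy"


# Constructed addresses for the scenarios below (assumptions, not from the thread).
HOST, LAN_PEER, REMOTE = "192.168.1.10", "192.168.1.20", "203.0.113.10"


def reply_to_ping(state_match, explicit_echo_reply=False):
    """Host pings REMOTE (echo id 7): verdict on the echo-reply that comes back."""
    ct = Conntrack()
    chain = build_input_chain(state_match=state_match, explicit_echo_reply=explicit_echo_reply)
    ct.note_outbound(Pkt("eth0", "icmp", HOST, REMOTE, sport=7, icmp_type="echo-request"))
    reply = Pkt("eth0", "icmp", REMOTE, HOST, sport=7, icmp_type="echo-reply")
    return input_verdict(reply, ct, chain)[0]


def reply_to_web(state_match):
    """Host opens TCP to REMOTE:80 from port 40000: verdict on the first reply segment."""
    ct = Conntrack()
    chain = build_input_chain(state_match=state_match)
    ct.note_outbound(Pkt("eth0", "tcp", HOST, REMOTE, sport=40000, dport=80))
    return input_verdict(Pkt("eth0", "tcp", REMOTE, HOST, sport=80, dport=40000), ct, chain)[0]


def unsolicited(proto, dport, icmp_type="", iface="eth0"):
    """A packet nobody on this host asked for, sent by a LAN peer."""
    pkt = Pkt(iface, proto, LAN_PEER, HOST, sport=5555, dport=dport, icmp_type=icmp_type)
    return input_verdict(pkt, Conntrack(), build_input_chain())[0]


if __name__ == "__main__":
    print("ping reply, state match present:   ", reply_to_ping(True))
    print("ping reply, state match missing:   ", reply_to_ping(False))
    print("ping reply, explicit echo-reply:   ", reply_to_ping(False, explicit_echo_reply=True))
    print("web reply, state match missing:    ", reply_to_web(False))
    print("incoming ssh:", unsolicited("tcp", 22), "  incoming http:", unsolicited("tcp", 80))
    print("incoming ping:", unsolicited("icmp", 0, icmp_type="echo-request"))
```

The explicit echo-reply rule lets pings work without connection tracking, but it also lets anyone send unsolicited echo-replies through the firewall, and it does nothing for TCP: without the state rule, every reply to a web or outgoing ssh connection still hits the DROP policy.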
 
#5  07-27-2004, 10:48 AM  ppuru (Senior Member; Beautiful BC; RedHat & clones, Slackware, SuSE, OpenBSD)
You can do a

# netstat -plan

to get a list of ports that are open for traffic. Shut down the services you think you would not need.

For example, portmap, nfs, perhaps httpd.

You can also use TCP wrappers (/etc/hosts.allow and /etc/hosts.deny) to further restrict access to your system.
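As an added example (not ppuru's code), here is a small script that reads `netstat -plan` output and lists the services other hosts can actually reach: sockets bound to something other than 127.0.0.1 that are listening (TCP in LISTEN, or any bound UDP port), minus an allowlist of what you mean to expose. The sample output embedded below is constructed in net-tools format, not captured from any real host; the PIDs, program names and addresses are made up.

```python
import sys

# Constructed sample of `netstat -plan` (net-tools) output; PIDs and names are made up.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1234/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1300/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1401/sendmail
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1500/httpd
tcp        0      0 192.168.1.10:40000      203.0.113.10:80         ESTABLISHED 2000/firefox
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1234/portmap
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1700/named
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING     5678     1600/X              /tmp/.X11-unix/X0
"""


def parse_netstat(text):
    """One dict per TCP/UDP socket line. UDP lines have no State column, so the
    owning program is taken from the last field rather than a fixed column."""
    sockets = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        addr, port = f[3].rsplit(":", 1)          # handles "0.0.0.0:22" and ":::22"
        sockets.append({
            "proto": f[0].rstrip("6"),
            "addr": addr,
            "port": int(port),
            "state": f[5] if f[0].startswith("tcp") else "",
            "program": f[-1],                      # "PID/name", or "-" if not readable
        })
    return sockets


def is_loopback(addr):
    return addr.startswith("127.") or addr == "::1"


def reachable_listeners(sockets):
    """TCP sockets in LISTEN and every bound UDP socket, on a non-loopback address.
    UDP has no connection state: a bound UDP port is reachable as soon as it exists."""
    return [s for s in sockets
            if not is_loopback(s["addr"])
            and ((s["proto"] == "tcp" and s["state"] == "LISTEN") or s["proto"] == "udp")]


def exposed(text, allow=frozenset()):
    """(proto, port, program) for reachable listeners not on the allowlist: the
    services to shut down, or at least to leave out of the firewall's ACCEPT rules."""
    return sorted((s["proto"], s["port"], s["program"])
                  for s in reachable_listeners(parse_netstat(text))
                  if (s["proto"], s["port"]) not in allow)


if __name__ == "__main__":
    # Usage: netstat -plan | python3 netstat_audit.py   (uses SAMPLE when run from a tty)
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for proto, port, prog in exposed(text, allow={("tcp", 22)}):
        print(f"{proto}/{port:<5} {prog}")
```

Run it as root, otherwise netstat prints "-" instead of the PID/program for sockets owned by other users and you cannot tell which daemon to stop. A service that stays on the list is reachable from the LAN regardless of what the router does; the DROP policy in the script above hides it, shutting it down removes it.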
 
#6  07-28-2004, 02:17 AM  hamish (Original Poster)
Hey! Thanks for the set of rules. I tried them and unfortunately I can't ping, ssh or use the web.

I have to go to work now, but I will look into it this evening. Do you think there is any way that the firewall on the Linksys router could interfere with my iptables? That is, the reason they aren't working is because of the firewall on the router.

Thanks for all your help.

Hamish
 
#7  07-28-2004, 02:42 AM  ToniT
But you can ping, ssh and use the web before setting those firewall rules?
 
#8  07-28-2004, 04:44 AM  mobassir (Member; Pakistan; Redhat, SME)
Hello

I am also working on iptables and firewalls but still have not succeeded. I found these useful sites; visit them, they may help you.
Here you can generate your own scripts as you like.
1. Firewall script generator
http://easyfwgen.morizot.net/

2. Iptables script generator
http://iptables-script.dk/index1.php

Good luck
 
#9  07-28-2004, 05:16 AM  hamish (Original Poster)
Yes, I could ping/ssh/web before I enabled those rules. The strange thing is that I can't ping internally either. Therefore, I don't know if it could be the Linksys firewall which is the problem.

I will definitely check out that script when I get home tonight.

Hamish
 
#10  07-28-2004, 05:29 AM  Kess78 (Member; Switzerland; Debi@n, SuSE)
Aloha people....
If you want an iptables, ipfw, or whatever else firewall running on your Linux box, you don't have to learn how all these script commands work.
You can simply install a free builder for your rules. You can use a GUI to do that, setting up output, input, forward rules and NAT.
This free software is called Firewall Builder and can be downloaded from http://www.fwbuilder.org
Install it, open it, add your network components (PCs, routers, etc.), save your rules in an XML file, compile your rules and finally execute the automatically generated script located in the same directory as your XML config/design file.

It's very simple to use.
This would help you a lot; there's also a wizard to help you build your firewalling rules.

You can choose if you want to protect only your PC, or the PC and your internal net, or your PC, your internal net and your DMZ!
Try it, it's spectacular.
Bye Kess...
 
#11  07-28-2004, 05:42 AM  ppuru
Quote:
The strange thing is that I can't ping internally either. Therefore, I don't know if it could be the Linksys firewall which is the problem.
You can verify this by turning iptables off. Not sure what distro you are currently on.

RedHat -> as root, service iptables stop

Alternatively, the code below can clear your iptables rules.
Code:
# flush all rules, delete user-defined chains, zero the counters
iptables -F
iptables -X
iptables -Z
# the same for the nat table, if it is loaded
iptables -t nat -F
iptables -t nat -X

# and accept everything by default in all built-in chains
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Just a doubt .. hope you have applied the firewall to the correct interface. IF_INET in ToniT's script is set to eth0.
 
#12  07-28-2004, 06:51 AM  hamish (Original Poster)
Hey.

I have downloaded FWbuilder but haven't yet got to the point of installing it. I have the XML but haven't looked into turning it into a .sh to install it with.

Yeah, I'm definitely using the right interface.

I can ping everything fine when I turn off the iptables on my desktop.

I'm running Gentoo.

The thing is, the script which ToniT sent me seems reasonable. I can understand it all. This makes it even more frustrating when it doesn't work.

Thanks
Hamish
 
#13  07-30-2004, 02:17 AM  hamish (Original Poster)
Hey.

I have now managed to get ping replies working within my network, by adding:
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

to the rules.

One problem I get at the moment is that this line:
iptables --append INPUT --in-interface $IF_INET -m state --state ESTABLISHED,RELATED -j ACCEPT

gives the error "iptables: No chain/target/match by that name". I'm wondering if this has something to do with the problem.

I have verified that the firewall on my router is not the problem.

Thanks for all your help so far, guys. I feel that I'm very close to getting it working.
Hamish
 
#14  08-04-2004, 08:54 PM  ToniT
Do you have the ipt_state module available/loaded, or statically linked into your kernel?
(CONFIG_IP_NF_MATCH_STATE=m or y)
 
  

