LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 07-27-2004, 07:22 AM   #1
hamish
Member
 
Registered: Aug 2003
Location: Edinburgh
Distribution: Server: Gentoo2004; Desktop: Ubuntu
Posts: 720

Rep: Reputation: 30
Basic iptable help


Hello.

I'm trying to get a firewall running on my desktop (which is inside my home lan.) Home LAN is run by a Linksys Router.

I have been trying to get this set up for ages, but i'm still lost.

I just need my computer to
- ping out and back again (I had this working on internal lan, but I could not ping google)
- access web pages etc.
- SSH in and out

Those are the 3 main things I need. I spent last night Googling, but everything is just so confusing.

I was wondering if anyone had a set of rules which are as simple as what I need (surely there must be lots of people with a simple set of firewall rules for their desktop) which they could post for me to have a look at.

Thanks in advance.

hamish
 
Old 07-27-2004, 07:35 AM   #2
ToniT
Senior Member
 
Registered: Oct 2003
Location: Zurich, Switzerland
Distribution: Debian/unstable
Posts: 1,357

Rep: Reputation: 47
Please be more spesific. How are your wires connected? Do you have other computers you want to get connected to the internet? Do you want a firewall inside your lan or you you want it to be a barrier between lan and internet? Do you get real IP addresses from your router, does it work as a dhcp server? Do you have enough real/served IP addresses or do you have to NAT some connections?
 
Old 07-27-2004, 08:14 AM   #3
hamish
Member
 
Registered: Aug 2003
Location: Edinburgh
Distribution: Server: Gentoo2004; Desktop: Ubuntu
Posts: 720

Original Poster
Rep: Reputation: 30
The internet come into the Linksys router/modem/gateway (it does it all) and each of the other 3 computers in the flat are connected to the router.

IPs are static.

There is a firewall on the linksys router, but I want one on my Desktop to add another layer of protection.

I would just like to block the ports on my desktop which I do not use.

I have read about SNAT, NAT, POSTROUTING etc and I'm not quite sure what they are. I was under the impression that these were only used if the firewall was on a gateway computer. That is, these are options used to route one internet connection to other computers. Just like my Linksys thing does.

Thanks for your help and I hope this is useful.

Hamish
 
Old 07-27-2004, 10:32 AM   #4
ToniT
Senior Member
 
Registered: Oct 2003
Location: Zurich, Switzerland
Distribution: Debian/unstable
Posts: 1,357

Rep: Reputation: 47
Ok.

You are right, for the computer to work as a firewall for other computers, it has to be at the junction point of the network.

So, what you want to is:
1. Send anything to other machines
2. Recieve anything from others in case you have first initiated a connection (eg. get a web page when you ask for one).
3. Get ping replies from others
4. Recieve ping requests from others.
5. Recieve ssh connection requests from others.
6. Allow the machine to connect to itself.
7. Block anything else coming from the net.


Next I'm going to assume that you have got the system working so that points 1-6 are working. Meaning that you have setup your routing so, that you can access the internet, but only the firewall is missing.

Let's generate a script.
Code:
#!/bin/sh
#The first line is just a regular header for a script.

#I now assume that your network interface is named as eth0.
#Change the following line to match your configuration.
IF_INET=eth0

#Next,  clean everything, so old firewall confgurations don't get on the way:
iptables --flush
iptables --table nat --flush
#Without arguments, the --delete-chain deletes all the additional chains.
iptables --delete-chain

#Now do the point 7 that disallows everything not explicitly allowed.
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT DROP

#But because of point 1, we want to allow ourself to send anything.
#(this reverts the previous OUTPUT policy)
iptables --policy OUTPUT ACCEPT

#Point 2 and 3:
iptables --append INPUT --in-interface $IF_INET -m state --state ESTABLISHED,RELATED -j ACCEPT

#Point 4:
iptables --append INPUT --in-interface $IF_INET -p icmp --icmp-type echo-request -j ACCEPT

#Point 5:
iptables --append INPUT --in-interface $IF_INET -p tcp --destination-port 22 -j ACCEPT


#Point 6:
iptables --append INPUT --in-interface lo --jump ACCEPT
Thats about it.
 
Old 07-27-2004, 10:48 AM   #5
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
You can do a

#netstat -plan

to get a list of ports that are open for traffic. Shutdown the services you think you would not need.

For example, portmap, nfs perhaps httpd

You can also use tcpwrappers - /etc/hosts.allow and /etc/hosts.deny to further restrict access to your system.
 
Old 07-28-2004, 02:17 AM   #6
hamish
Member
 
Registered: Aug 2003
Location: Edinburgh
Distribution: Server: Gentoo2004; Desktop: Ubuntu
Posts: 720

Original Poster
Rep: Reputation: 30
Hey! Thanks for the set of rules. I tried them and unfortunately I can't ping, ssh or use the web.

I have to go to work now, but I will look into it this evening. Do you think there is any way that the firewall on the Linksys router could interfere with my iptables? That is, the reason they aren't working is because of the firewall on the router.

Thanks for all your help.

Hamish
 
Old 07-28-2004, 02:42 AM   #7
ToniT
Senior Member
 
Registered: Oct 2003
Location: Zurich, Switzerland
Distribution: Debian/unstable
Posts: 1,357

Rep: Reputation: 47
But you can ping, ssh and use the web before setting those firewall rules?
 
Old 07-28-2004, 04:44 AM   #8
mobassir
Member
 
Registered: Jul 2003
Location: Pakistan
Distribution: Redhat , SME
Posts: 346

Rep: Reputation: 30
Hello

I am also working on iptables and firwall but still not sueceeded , i find these usefull site , vists it may help u.
here u can genrate urs own scrpts as u like.
1-firewall script gerator
http://easyfwgen.morizot.net/

2-Iptables scripts genrator
http://iptables-script.dk/index1.php

GoodLuck
 
Old 07-28-2004, 05:16 AM   #9
hamish
Member
 
Registered: Aug 2003
Location: Edinburgh
Distribution: Server: Gentoo2004; Desktop: Ubuntu
Posts: 720

Original Poster
Rep: Reputation: 30
yes, I could ping/ssh/web before I enabled those rules. The strange thing is that I can't ping internally either. Therfore, I don't know if it could be the linksys firewall which is the problem.

I will definately check out that script when i get home tonight.

Hamish
 
Old 07-28-2004, 05:29 AM   #10
Kess78
Member
 
Registered: Jul 2004
Location: Switzerland
Distribution: Debi@n, SuSE
Posts: 36

Rep: Reputation: 15
Aloha people....
If you want an iptables or ipfw, or whatelse firewall running on your linux box you don't have to learn how all these script commands work.
You can simply install a free builder for your rules. You can use a GUI to do that, setting up output, input, forward rules and NAT.
This free software is called Firewall Builder and can be downloaded from http://www.fwbuilder.org
Install it, open it, add your network components (pc, routers, etc...), save your rules in an xml file, compile your rules and finally execute the automatically generated script located under the same directory of your xml config/design file.

It's very simple to use.
This would help you a lot, there's also a wizard to help you build your firewalling rules.

You can chose if you want to protect only your pc, or the pc and your internal net, or your pc, your internal net and your DMZ !!!!!
Try it, it's spectacular.
Bye Kess...
 
Old 07-28-2004, 05:42 AM   #11
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 50
Quote:
The strange thing is that I can't ping internally either. Therfore, I don't know if it could be the linksys firewall which is the problem.
You can verify this by turning iptables off. Not sure what distro you are currently on.

RedHat -> as root, service iptables stop

Alternateive the code below can clear your iptables rules.
Code:
iptables -F
iptables -X
iptables -Z

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
Just a doubt .. hope you have applied the firewall to the correct interface. IF_INET on TonIT script is set to eth0.
 
Old 07-28-2004, 06:51 AM   #12
hamish
Member
 
Registered: Aug 2003
Location: Edinburgh
Distribution: Server: Gentoo2004; Desktop: Ubuntu
Posts: 720

Original Poster
Rep: Reputation: 30
Hey.

I have downloaded FWbuilder but haven't yet got to the point of installing it. I have the XML but havn't looked into turning it into a .sh to install it with.

Yeah, i'm definatedly using the right interface.

I can ping everything fine when i turn of the iptables on my desktop.,

I'm running Gentoo.

The thing is, the script which TonIT sent me seems reasonable. I can understand it all. This makes it even more frustrating when it doesn't work.

Thanks
Hamish
 
Old 07-30-2004, 02:17 AM   #13
hamish
Member
 
Registered: Aug 2003
Location: Edinburgh
Distribution: Server: Gentoo2004; Desktop: Ubuntu
Posts: 720

Original Poster
Rep: Reputation: 30
Hey.

I have now managed to get ping replyies working within my network, by adding:
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

to the rules.

One problem i get at the moment is that this line:
iptables --append INPUT --in-interface $IF_INET -m state --state ESTABLISHED,RELATED -j ACCEPT

give the error "iptables: No chain/target/match by that name". I'm wondering if this has something to do with the problem.

I have verified that the firewall on my router is not the problem.

Thanks for all your help so far guys. I feel that I'm very close to getting it working
Hamish
 
Old 08-04-2004, 08:54 PM   #14
ToniT
Senior Member
 
Registered: Oct 2003
Location: Zurich, Switzerland
Distribution: Debian/unstable
Posts: 1,357

Rep: Reputation: 47
Do you have ipt_state module availabe/loaded, or statically linked to your kernel?
(CONFIG_IP_NF_MATCH_STATE=m or y)
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Basic IP and MAC spoofing Iptable rules? stjoan1 Linux - Security 3 11-13-2005 05:17 PM
iptable summerfish Linux - Networking 1 07-16-2004 02:28 AM
Basic networking IPTable Do I have to?? I canīt ping my machines jimdaworm Linux - Networking 18 11-29-2003 11:10 PM
iptable help Syntax Linux - General 1 12-29-2002 11:04 PM
I'm a BASIC chap, looking for some info on BASIC programming CragStar Programming 2 01-21-2001 09:19 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 01:37 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration