LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 05-07-2007, 06:18 AM   #1
soylentgreen
Member
 
Registered: Sep 2004
Location: old village
Distribution: android, BSD, CentOS, Ubuntu
Posts: 221

Rep: Reputation: 30
rc.firewall on slackware 11.0


I used to have a slackware 8+ machine that was solely used for a router/firewall box. It was a pentium pro180 and it finally died.

I had been using a (really bad) wireless router for my firewall/gateway for a while. It is now dying also cause it can't handle the traffic I'm putting through it. It did however have some very easy to use config. You could hit the address in a web page and change ports, forwarding, etc.

So now I have a slackware web server, teamspeak server and MUSH server that I added another NIC to and tried to park my old rc.firewall script on to it.

I put my firewall script and the errors below, but I have 2 questions.
1.) Is there an easier tool (with web interface) that I can manage my firewall/router settings?

2.) What is wrong with my firewall script? it used to work on the old box, the only thing i changed was the ##single rule for incoming web/ftp/teamspeak/mush stuff.

thanks for any help/suggestions.


rc.firewall
Code:
###############################################################################
### Variables
###############################################################################

IPT="/usr/sbin/iptables"
INET_IFACE="eth0"
LAN_IFACE="eth1"
LAN_IP="192.168.2.31"
LAN_NET="192.168.2.0/24"
LAN_BCAST="192.168.2.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"

################ modified ###########
#LOOPBACK="127.0.0.0/8"                 # Reserved loopback address range
#CLASS_A="10.0.0.0/8"                           # Class A private networks
#CLASS_B="172.16.0.0/12"                        # Class B private networks
#CLASS_C="192.168.0.0/16"                       # Class C private networks
#CLASS_D_MULTICAST="224.0.0.0/4"                # Class D multicast addresses
#CLASS_E_RESERVED_NET="240.0.0.0/5"             # Class E reserved addresses
#BROADCAST_SRC="0.0.0.0"                        # Broadcast source address
#BROADCAST_DEST="255.255.255.255"               # Broadcast destination address
#PRIVPORTS="0:1023"                             # Well known, privileged port range
#UNPRIVPORTS="1024:65535"                       # Unprivileged port range

###############################################################################
### Modules
###############################################################################

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ip_conntrack_irc


###############################################################################
### Kernel Parameters
###############################################################################

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians


###############################################################################
### Flush Chains and Set Policies
###############################################################################

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT


###############################################################################
### Create User Chains
###############################################################################

$IPT -N INPUT_INET2GATE
$IPT -N INPUT_LAN2GATE
$IPT -N FORWARD_INET2LAN
$IPT -N FORWARD_LAN2INET
$IPT -N BAD_PACKETS


###############################################################################
### INPUT
###############################################################################

$IPT -A INPUT -p ALL -m state --state INVALID -j DROP
$IPT -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -p ALL -j BAD_PACKETS
$IPT -A INPUT -p ALL -i $INET_IFACE -j INPUT_INET2GATE
$IPT -A INPUT -p ALL -i $LAN_IFACE -j INPUT_LAN2GATE
$IPT -A INPUT -p ALL -j LOG --log-prefix "INPUT DROP: "

###############################################################################
### FORWARD
###############################################################################

$IPT -A FORWARD -p ALL -m state --state INVALID -j DROP
$IPT -A FORWARD -p ALL -j BAD_PACKETS
$IPT -A FORWARD -p ALL -i $LAN_IFACE -o $INET_IFACE -j FORWARD_LAN2INET
$IPT -A FORWARD -p ALL -i $INET_IFACE -o $LAN_IFACE -j FORWARD_INET2LAN
$IPT -A FORWARD -p ALL -j LOG --log-prefix "FORWARD DROP: "
$IPT -A FORWARD_LAN2INET -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

###############################################################################
### OUTPUT
###############################################################################

$IPT -A OUTPUT -p ALL -m state --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -j LOG --log-prefix "OUTPUT DROP: "


#################
###  prerouting
################

##$IPT -A PREROUTING -p TCP -i $INET_IFACE --dport 6346 -j DNAT \
##--to-destination 192.168.0.58:6346

###############################################################################
### POSTROUTING
###############################################################################

$IPT -t nat -A POSTROUTING -p ALL -o $INET_IFACE -j MASQUERADE


###############################################################################
### INPUT_INET2GATE
###############################################################################

$IPT -A INPUT_INET2GATE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A INPUT_INET2GATE -p TCP --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT_INET2GATE -p ALL -j RETURN
#### rule for web/ftp/teamspeak/mush incoming
# a single rule to accept SYN Packets for multiple ports (up to 15)
$IPT -A INPUT_INET2GATE -j ACCEPT -p tcp --syn -m multiport --destination-ports 873,993,995,143,80,113,21,22,23,25,53,8767,7567



###############################################################################
### INPUT_LAN2GATE
###############################################################################

$IPT -A INPUT_LAN2GATE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT_LAN2GATE -p UDP --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p TCP --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE -p ALL -j RETURN


###############################################################################
### FORWARD_INET2LAN
###############################################################################

$IPT -A FORWARD_INET2LAN -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_INET2LAN -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET
###############################################################################

$IPT -A FORWARD_LAN2INET -p TCP --dport 443 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 21 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p TCP --dport 22 -m state --state NEW -j ACCEPT
#

$IPT -A FORWARD_LAN2INET -p TCP --dport 569 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN

###############################################################################
### BAD_PACKETS
###############################################################################

$IPT -A BAD_PACKETS -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A BAD_PACKETS -p ICMP --fragment -j DROP
$IPT -A BAD_PACKETS -p ALL -d 255.255.255.255 -j DROP
$IPT -A BAD_PACKETS -p ALL -d $LAN_BCAST -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE -s ! $LAN_NET -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE -s $LAN_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE -s $LO_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -i $INET_IFACE -s $LAN_NET -j DROP
$IPT -A BAD_PACKETS -p ALL -i $INET_IFACE -s $LO_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -j RETURN
errors:
Code:
: command not found 4:
: command not found 13:
: command not found 25:
: command not found 29:
modprobe: Can't locate module ip_tables
modprobe: Can't locate module ip_conntrack
modprobe: Can't locate module ip_nat_ftp
modprobe: Can't locate module ip_conntrack_ftp
: command not found 36:
: command not found 37:
: command not found 41:
: No such file or directoryoc/sys/net/ipv4/ip_forward
: No such file or directoryoc/sys/net/ipv4/tcp_syncookies
: No such file or directoryoc/sys/net/ipv4/tcp_timestamps
: No such file or directoryoc/sys/net/ipv4/conf/all/rp_filter
: No such file or directoryoc/sys/net/ipv4/icmp_echo_ignore_broadcasts
: No such file or directoryoc/sys/net/ipv4/conf/all/accept_source_route
: No such file or directoryoc/sys/net/ipv4/conf/all/secure_redirects
: No such file or directoryoc/sys/net/ipv4/conf/all/log_martians
: command not found 50:
: command not found 51:
: command not found 55:
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: command not found 67:
: command not found 68:
: command not found 72:
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: command not found 78:
./rc.firewall: line 81: ipchains: command not found
./rc.firewall: line 82: ipchains: command not found
./rc.firewall: line 83: ipchains: command not found
./rc.firewall: line 84: ipchains: command not found
: command not found 85:
: command not found 89:
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: No such file or directoryr/sbin/iptables
: command not found 97:
: command not found 101:
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: command not found 108:
: command not found 112:
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: command not found 118:
: command not found 119:
: command not found 123:
: command not found 126:
: command not found 130:
: No such file or directorysr/sbin/iptables
: command not found 132:
: command not found 133:
: command not found 137:
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: command not found 144:
: command not found 145:
: command not found 146:
: command not found 150:
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: command not found 156:
: command not found 157:
: command not found 161:
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: command not found 164:
: command not found 165:
: command not found 169:
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: command not found 180:
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: command not found 184:
: command not found 188:
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: No such file or directorysr/sbin/iptables
: command not found 199:
: command not found 200:
 
Old 05-07-2007, 06:37 AM   #2
Okie
Senior Member
 
Registered: Mar 2002
Location: Oklahoma
Posts: 1,154

Rep: Reputation: 187Reputation: 187
looks like your firewall script is not looking for iptables in the right place...

where iptables is installed is where the path in your script needs to point to...
 
Old 05-07-2007, 07:51 AM   #3
soylentgreen
Member
 
Registered: Sep 2004
Location: old village
Distribution: android, BSD, CentOS, Ubuntu
Posts: 221

Original Poster
Rep: Reputation: 30
I checked again (luckily i can SSH from work..)
but my iptables is in /usr/sbin/iptables

Quote:
:~$ /usr/sbin/iptables
iptables v1.3.5: no command specified
Try `iptables -h' or 'iptables --help' for more information.
im also not opposed (and would actually prefer) getting a web-admin interface/configurator for the firewall

any suggestions?
 
Old 05-07-2007, 10:07 AM   #4
Okie
Senior Member
 
Registered: Mar 2002
Location: Oklahoma
Posts: 1,154

Rep: Reputation: 187Reputation: 187
webmin is all i can think of at the moment, and i am not too sure about that, i do know webmin is kind of a "kitchen Sink" approach to web based admin tools (lots of plugins & extras) so it may have an iptables admin tool included...
 
Old 05-07-2007, 06:55 PM   #5
soylentgreen
Member
 
Registered: Sep 2004
Location: old village
Distribution: android, BSD, CentOS, Ubuntu
Posts: 221

Original Poster
Rep: Reputation: 30
well i visited alien bob's firewall determinator and got it up and running.
and a big thank you to TexMex cause he posted in this thread

im still having an issue with the port for teamspeak tho.

man i hate iptables! ))

oh well.. nothing good is ever easy right?

EDIT: RESOLVED!!!!!!
its a UDP port.. not a TCP port. (for teamspeak)

Last edited by soylentgreen; 05-07-2007 at 07:44 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
slackware 10 firewall skitzo2005 Slackware 2 07-09-2005 08:53 PM
Firewall in Slackware 10.0 nickbird Linux - Newbie 2 07-29-2004 04:52 PM
Firewall in Slackware 10.0 nickbird Linux - Newbie 4 07-23-2004 02:53 AM
The best firewall for Slackware? Smaugur [SWE] Linux - Security 5 03-31-2004 05:25 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 03:12 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration