LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-27-2003, 11:44 AM   #1
Smooth
Member
 
Registered: May 2003
Location: /home/melbourne
Distribution: RH 8.0
Posts: 39

Rep: Reputation: 15
Firewall setup


How to setup a firewall to deny or allow certain hosts to connect to my computer?
 
Old 05-27-2003, 11:46 AM   #2
manthram
Member
 
Registered: Feb 2002
Location: Fairfax, VA
Distribution: RedHat 8, Mandrake9.1, Slack9
Posts: 456

Rep: Reputation: 31
download fwbuilder

or guarddog

and set them up
 
Old 05-27-2003, 02:10 PM   #3
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Or use a pretty nailed down firewall written from scratch :-)
 
Old 05-28-2003, 12:21 AM   #4
yenonn
Member
 
Registered: Feb 2003
Location: Malaysia
Distribution: Redhat 8.0, 9, Slackware 9.1
Posts: 511

Rep: Reputation: 30
Hey, I installed Guarddog... then I saw the first message box pop up when I first ran it...
It says something like: Guarddog was unable to read the file at /etc/rc.firewall as being a Guarddog Firewall. This probably means that file is not actually a Guarddog firewall.... and bla bla bla.....
What does it mean???
 
Old 05-28-2003, 01:18 AM   #5
markus1982
Senior Member
 
Registered: Aug 2002
Location: Stuttgart (Germany)
Distribution: Debian/GNU Linux
Posts: 1,467

Rep: Reputation: 46
Does /etc/rc.firewall exist? Anyway, you can always choose to follow my path, which will work ...
 
Old 05-28-2003, 01:33 AM   #6
yenonn
Member
 
Registered: Feb 2003
Location: Malaysia
Distribution: Redhat 8.0, 9, Slackware 9.1
Posts: 511

Rep: Reputation: 30
Yes... the file exists... the file has 744 permissions. What do you mean by your path?? Please help

Last edited by yenonn; 05-28-2003 at 01:34 AM.
 
Old 06-01-2003, 10:51 AM   #7
pjcp64
Member
 
Registered: Dec 2002
Location: Omaha, NE
Distribution: Ubuntu Server and SuSE
Posts: 69

Rep: Reputation: 15
I've included a simple firewall script below. However, you should also consider the option of restricting IP addresses to specific services in the /etc/xinetd.d/ directory.

For more info on iptables, Oskar Andreasson has written excellent documentation on the use of iptables along with examples.
http://www.linuxsecurity.com/resourc...-tutorial.html


#!/bin/sh
# Simple host firewall as a Red Hat style init script: start|stop|restart
# This is the location of the iptables command
IPTABLES="/sbin/iptables"
#
# Red Hat's init helpers provide the "action" function used below; on other
# distributions the file does not exist, so fall back to a plain echo.
if [ -f /etc/rc.d/init.d/functions ]; then
    . /etc/rc.d/init.d/functions
else
    action() { echo "$1"; }
fi

case "$1" in
stop)
    action "Shutting down firewall:" echo
    # Flush every rule and open INPUT/OUTPUT again; forwarding stays off.
    $IPTABLES -F
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD DROP
    ;;
status)
    echo "Status is not supported for firewall"
    ;;
restart|reload)
    $0 stop
    $0 start
    ;;
start)
    action "Starting Firewall:" echo

    ################################################################
    # Insert modules - should be done automatically if needed
    dmesg -n 1   # lower the console log level so module load messages stay quiet
    /sbin/modprobe ip_tables
    /sbin/modprobe iptable_filter
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    dmesg -n 6
    #
    ## Flush everything, start from scratch
    #
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD

    # Kernel network hardening (originally tcp_syncookies and ip_dynaddr were 1)
    echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter            # reverse-path (anti-spoofing) check
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts   # don't answer broadcast pings
    echo 1 > /proc/sys/net/ipv4/ip_forward                    # only needed if this box routes for others
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies                # ride out SYN floods
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians         # log packets with impossible source addresses

    # You can change this value quite a bit. It's the range of user ports.
    echo "55000 65000" > /proc/sys/net/ipv4/ip_local_port_range

    #---------- Reduce DoS'ing ability by reducing timeouts
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
    echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
    echo 0 > /proc/sys/net/ipv4/tcp_sack

    #---------- iptables defaults to these if no matches are found below.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD DROP

    ##--------- Set basic rules
    #----------- Above list ripped from http://www.linux-mag.com/2000-01/bestdefense_02.html
    # The experimental "unclean" match was dropped from later kernels; if iptables
    # reports it as missing, delete the two unclean lines (keep the INVALID lines).
    $IPTABLES -A INPUT -m unclean -j DROP
    $IPTABLES -A INPUT -m state --state INVALID -j DROP

    $IPTABLES -A FORWARD -m unclean -j DROP
    $IPTABLES -A FORWARD -m state --state INVALID -j DROP

    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Allow replies to our own connections in (change eth0 to your external interface)
    $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    #----------------------------------------------------------------------
    # This is where you would start customizing your permissions.
    #----------------------------------------------------------------------

    # Disallow TELNET and log the attempt (add "-m limit --limit 5/min" to the
    # LOG rule if you don't want a port scan to fill your log).
    $IPTABLES -A INPUT -p tcp --dport 23 -j LOG --log-prefix "__TELNET__"
    $IPTABLES -A INPUT -p tcp --dport 23 -j DROP

    # Allow SSH for all ip addresses
    # $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

    # Allow SSH for a specific ip address
    # $IPTABLES -A INPUT -p tcp -s 10.50.1.99/32 --dport 22 -j ACCEPT

    # I'm sure you can throw ranges in there too.

    # The Red Hat specific parts (the init functions file and the action lines)
    # are handled at the top; nothing below depends on the distribution.
    ;;
*)
    echo "Usage: firewall (start|stop|restart)"
    exit 1
esac
exit 0
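The original question (allow or deny particular hosts) is the part the script above leaves commented out. Added example, not from the thread or its posters: a POSIX sh fragment that builds those rules from small allow/deny lists, validating each address before it reaches iptables and rate-limiting the log of denied hosts; the IPTABLES=echo preview, the list format and the sample addresses are my own constructions.

```shell
#!/bin/sh
# Added example (not from the thread): per-host allow/deny rules,
# generalising post #7's commented-out "allow SSH for one IP" line.
# Set IPTABLES=echo to preview the generated commands without root.
IPTABLES="${IPTABLES:-/sbin/iptables}"
# Accept only a dotted-quad IPv4 address with an optional /prefix. Entries
# come from a list, so anything else is rejected before it reaches iptables.
valid_cidr() {
    case "$1" in
        ''|*[!0-9./]*|.*|*.|/*|*/|*..*) return 1 ;;
    esac
    addr="${1%%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32      # bare address means /32
    case "$prefix" in *[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    set -- $(echo "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Log a few packets per minute from a denied host, then drop it; the
# limit stops a denied host from filling the log by flooding us.
deny_host() {
    valid_cidr "$1" || { echo "deny_host: bad address '$1'" >&2; return 1; }
    $IPTABLES -A INPUT -s "$1" -m limit --limit 5/min -j LOG --log-prefix "FW_DENY "
    $IPTABLES -A INPUT -s "$1" -j DROP
}

# Let one host or network reach one TCP port.
allow_host() {
    valid_cidr "$1" || { echo "allow_host: bad address '$1'" >&2; return 1; }
    $IPTABLES -A INPUT -p tcp -s "$1" --dport "$2" -j ACCEPT
}

# iptables uses first match, so the order is: replies to our own
# connections, then denies, then allows; the INPUT policy of DROP
# (as in the thread's script) catches everything else.
apply_lists() {
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for h in $DENY; do deny_host "$h" || return 1; done
    for e in $ALLOW; do allow_host "${e%:*}" "${e#*:}" || return 1; done
}
# Constructed sample lists: denies are "address", allows are "address:port".
DENY="203.0.113.0/24"
ALLOW="10.50.1.99/32:22 192.168.1.0/24:80"
```

Run it as root with the real iptables after the policy and loopback rules from the script above are in place, or with IPTABLES=echo to review what it would add.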
 
Old 06-01-2003, 10:56 AM   #8
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116
yenonn, that warning just means that you haven't run Guarddog on your machine before, and the firewall script isn't in the order that Guarddog would generate it. It'll only happen when you start Guarddog after making changes to your firewall without using Guarddog.
 
Old 06-04-2003, 07:19 PM   #9
yenonn
Member
 
Registered: Feb 2003
Location: Malaysia
Distribution: Redhat 8.0, 9, Slackware 9.1
Posts: 511

Rep: Reputation: 30
OK, I just found out that Guarddog can only perform IP filtering. What if I want Guarddog to perform IP routing for me...??
So, can I do it??? I really doubt it....
Guarddog is writing the iptables rules in the /etc/rc.firewall file...
How can that make things work??
I mean, somehow iptables should have a config file for the user to customize (I am not sure what the name of the file is, I am just making a wild guess). So, I am wondering how Guarddog can make iptables rules available?
Maybe I will look for the iptables tutorial, Oskar Andreasson's documentation. Actually, I hate reading.... reading just makes me sleepy.... especially Oskar's documentation, which is really bulky and seems so technical... so.... are there any other resources that give me a straightforward picture, at least a rough idea of what iptables can do....thanks....
 
Old 06-05-2003, 07:55 PM   #10
pjcp64
Member
 
Registered: Dec 2002
Location: Omaha, NE
Distribution: Ubuntu Server and SuSE
Posts: 69

Rep: Reputation: 15
The firewall is simply a script that you run. In the case of GuardDog ==> ./etc/rc.firewall
You can list the rules currently in use with ==> iptables -L
By "performing IP routing", are you referring to having a firewall that allows internal PCs to access the internet? If so, you can find some fine examples by searching for NAT, IP masquerading, or IP masking.
 
Old 03-04-2004, 09:03 PM   #11
Slycordinator
Member
 
Registered: Dec 2002
Location: Washington State
Posts: 30

Rep: Reputation: 15
Quote:
Originally posted by yenonn
OK, I just found out that Guarddog can only perform IP filtering. What if I want Guarddog to perform IP routing for me...??
Guarddog is a firewall only. According to the people that make the program, IP routing and masquerading aren't primarily security devices and are therefore not in the program.

But they provide a program called "Guidedog" for this (can't comment on it, as I've never used it).
http://www.simonzone.com/software/guidedog/

Quote:
So, can I do it??? I really doubt it....
Guarddog is writing the iptables rules in the /etc/rc.firewall file...
How can that make things work??
I mean, somehow iptables should have a config file for the user to customize (I am not sure what the name of the file is, I am just making a wild guess). So, I am wondering how Guarddog can make iptables rules available?
Maybe I will look for the iptables tutorial, Oskar Andreasson's documentation. Actually, I hate reading.... reading just makes me sleepy.... especially Oskar's documentation, which is really bulky and seems so technical... so.... are there any other resources that give me a straightforward picture, at least a rough idea of what iptables can do....thanks....
Assuming you've compiled your kernel with the correct modules for IP filtering and have installed iptables, the script that Guarddog writes should work.
 
  

