Old 03-04-2006, 08:05 AM   #1
playahater
LQ Newbie
 
Registered: Dec 2003
Location: underground
Posts: 4

Rep: Reputation: 0
help with firewall rules .. ipfilter<-->iptables


I have an Efficient Networks 5861 DSL Router with, as far as I know, IP Filter. I say "as far as I know" because I have read the iptables and ipfilter howtos and the syntax doesn't match either of them. I'm trying to configure only the firewall on that router and protect 3 computers in the LAN connected to it .. I have Gentoo on all machines in the LAN and my plan is not to set up any fw on them since the router has ipfilter.
I want as little traffic in and out as possible. Besides the standard/basic ports, I need P2P, chat, ssh, nfs and samba, but nfs and samba only in the LAN.
I found a little fw script which ipfilter uses as the default one and I have changed it to suit my needs.
Now .. I'm not sure if I did it right, so PLEASE, if anyone knows how to set this up or has any idea, help .. because this editing is pure logic ..
If there is any "faster"/"better" way for this script to function .. please share .. :lol:

Code:
# Maxsec Firewall script - 6/7/01
# For DSL router
# Allow protocols: HTTP, HTTPS, SMTP, POP3, SNTP, Telnet,
#                  DNS, FTP (passive), L2TP, IPSec, IKE

# Flush all existing filters
remote ipfilter flush input internet
remote ipfilter flush output internet
remote ipfilter flush transmit internet
remote ipfilter flush receive internet
eth ip filter flush input 0
eth ip filter flush output 0
eth ip filter flush transmit 0
eth ip filter flush receive 0

# No incoming connections
remote ipfilter append input drop -p tcp -tcp syn internet

# SSH
remote ipfilter append input accept -p tcp -sp 22 internet
remote ipfilter append output accept -p tcp -dp 22 internet

# TORRENT / DONKEY / OVERNET / KADEMLIA / FASTTRACK /
# GNUTELLA / GNUTELLA2 /
remote ipfilter append input accept -p tcp -sp 6881 internet
remote ipfilter append output accept -p tcp -dp 6881 internet
remote ipfilter append input accept -p tcp -sp 6882 internet
remote ipfilter append output accept -p tcp -dp 6882 internet
remote ipfilter append input accept -p tcp -sp 6883 internet
remote ipfilter append output accept -p tcp -dp 6883 internet
remote ipfilter append input accept -p tcp -sp 6884 internet
remote ipfilter append output accept -p tcp -dp 6884 internet
remote ipfilter append input accept -p tcp -sp 6885 internet
remote ipfilter append output accept -p tcp -dp 6885 internet
remote ipfilter append input accept -p tcp -sp 6886 internet
remote ipfilter append output accept -p tcp -dp 6886 internet
remote ipfilter append input accept -p tcp -sp 6887 internet
remote ipfilter append output accept -p tcp -dp 6887 internet
remote ipfilter append input accept -p tcp -sp 6888 internet
remote ipfilter append output accept -p tcp -dp 6888 internet
remote ipfilter append input accept -p tcp -sp 6889 internet
remote ipfilter append output accept -p tcp -dp 6889 internet
remote ipfilter append input accept -p tcp -sp 4662 internet
remote ipfilter append output accept -p tcp -dp 4662 internet
remote ipfilter append input accept -p tcp -sp 10124 internet
remote ipfilter append output accept -p tcp -dp 10124 internet
remote ipfilter append input accept -p tcp -sp 17626 internet
remote ipfilter append output accept -p tcp -dp 17626 internet
remote ipfilter append input accept -p tcp -sp 1214 internet
remote ipfilter append output accept -p tcp -dp 1214 internet
remote ipfilter append input accept -p tcp -sp 6346 internet
remote ipfilter append output accept -p tcp -dp 6346 internet
remote ipfilter append input accept -p tcp -sp 6347 internet
remote ipfilter append output accept -p tcp -dp 6347 internet


# Windows / Samba / NFS / PORTMAP
remote ipfilter append input accept -p tcp -sp 445 internet
remote ipfilter append output accept -p tcp -dp 445 internet
remote ipfilter append input accept -p tcp -sp 426 internet
remote ipfilter append output accept -p tcp -dp 426 internet
remote ipfilter append input accept -p tcp -sp 137 internet
remote ipfilter append output accept -p tcp -dp 137 internet
remote ipfilter append input accept -p tcp -sp 138 internet
remote ipfilter append output accept -p tcp -dp 138 internet
remote ipfilter append input accept -p tcp -sp 139 internet
remote ipfilter append output accept -p tcp -dp 139 internet
remote ipfilter append input accept -p tcp -sp 2049 internet
remote ipfilter append output accept -p tcp -dp 2049 internet

# ICQ / YAHOO / MSN / JABBER
remote ipfilter append input accept -p tcp -sp 5190 internet
remote ipfilter append output accept -p tcp -dp 5190 internet
remote ipfilter append input accept -p tcp -sp 5050 internet
remote ipfilter append output accept -p tcp -dp 5050 internet
remote ipfilter append input accept -p tcp -sp 1863 internet
remote ipfilter append output accept -p tcp -dp 1863 internet
remote ipfilter append input accept -p tcp -sp 5222 internet
remote ipfilter append output accept -p tcp -dp 5222 internet


# HTTP
remote ipfilter append input accept -p tcp -sp 80 internet
remote ipfilter append output accept -p tcp -dp 80 internet

# HTTPS (SSL)
remote ipfilter append input accept -p tcp -sp 443 internet
remote ipfilter append output accept -p tcp -dp 443 internet

# SMTP
remote ipfilter append input accept -p tcp -sp 25 internet
remote ipfilter append output accept -p tcp -dp 25 internet

# POP3
remote ipfilter append input accept -p tcp -sp 110 internet
remote ipfilter append output accept -p tcp -dp 110 internet

# SNTP
# - allow requests and responses to the router only
#
remote ipfilter append receive accept -p udp -dp 8123 -sp 123 internet
remote ipfilter append transmit accept -p udp -dp 123 -sp 8123 internet
remote ipfilter append input accept -p udp -sp 123 internet
remote ipfilter append output accept -p udp -dp 123 internet
eth ip filter append output drop -p udp -sp 123 0
eth ip filter append output drop -p udp -dp 123 0

# Telnet
remote ipfilter append input accept -p tcp -sp 23 internet
remote ipfilter append output accept -p tcp -dp 23 internet

# DNS
remote ipfilter append input accept -p udp -sp 53 internet
remote ipfilter append output accept -p udp -dp 53 internet

# FTP
remote ipfilter append input accept -p tcp -sp 20:21 internet
remote ipfilter append output accept -p tcp -dp 20:21 internet

# L2TP
# - allow requests and responses to the router only
#
remote ipfilter append input accept -p udp -sp 1701 internet
remote ipfilter append output accept -p udp -dp 1701 internet
eth ip filter append output drop -p udp -sp 1701 0
eth ip filter append output drop -p udp -dp 1701 0

# Allow IPSec, IKE packets
remote ipfilter append input accept -p udp -sp 500 -dp 500 internet
remote ipfilter append input accept -p 50 internet
remote ipfilter append input accept -p 51 internet
remote ipfilter append output accept -p udp -sp 500 -dp 500 internet
remote ipfilter append output accept -p 50 internet
remote ipfilter append output accept -p 51 internet

# Drop all other traffic not listed above
remote ipfilter append input drop internet
remote ipfilter append output drop internet

# Watch the results
remote ipfilter watch on internet

save
10x in advance

Cheers
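Added example, not part of the post and not the router's own tooling: a small first-match simulator for the "remote ipfilter append input ..." lines of the script above, useful for auditing what a stateless, source-port-based rule set actually admits. It assumes the router evaluates rules top to bottom with first match winning and that "-tcp syn" means a TCP connection-opening packet; the rule lines themselves are copied from the post.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# A subset of the "input" rules from the post, in the post's order.
INPUT_RULES = """
remote ipfilter append input drop -p tcp -tcp syn internet
remote ipfilter append input accept -p tcp -sp 22 internet
remote ipfilter append input accept -p tcp -sp 445 internet
remote ipfilter append input accept -p tcp -sp 20:21 internet
remote ipfilter append input accept -p udp -sp 53 internet
remote ipfilter append input drop internet
"""

def port_range(text: str) -> Tuple[int, int]:
    """'22' -> (22, 22); '20:21' -> (20, 21)."""
    lo, _, hi = text.partition(":")
    return int(lo), int(hi or lo)

@dataclass
class Rule:
    action: str
    proto: Optional[str] = None
    sp: Optional[Tuple[int, int]] = None
    dp: Optional[Tuple[int, int]] = None
    syn_only: bool = False   # assumption: "-tcp syn" matches only SYN packets

def parse(line: str) -> Rule:
    # Assumed layout: remote ipfilter append <chain> <action> [opts...] <iface>
    words = line.split()
    rule = Rule(action=words[4])
    opts = words[5:-1]
    for i, tok in enumerate(opts):
        if tok == "-p":
            rule.proto = opts[i + 1]
        elif tok == "-sp":
            rule.sp = port_range(opts[i + 1])
        elif tok == "-dp":
            rule.dp = port_range(opts[i + 1])
        elif tok == "-tcp" and opts[i + 1] == "syn":
            rule.syn_only = True
    return rule

def matches(r: Rule, proto: str, sp: int, dp: int, syn: bool) -> bool:
    if r.proto and r.proto != proto:
        return False
    if r.sp and not r.sp[0] <= sp <= r.sp[1]:
        return False
    if r.dp and not r.dp[0] <= dp <= r.dp[1]:
        return False
    return syn or not r.syn_only

RULES = [parse(l) for l in INPUT_RULES.strip().splitlines()]

def verdict(proto: str, sp: int, dp: int, syn: bool = False) -> str:
    """First matching rule decides; no match is treated as drop (assumption)."""
    for r in RULES:
        if matches(r, proto, sp, dp, syn):
            return r.action
    return "drop"
```

Running it shows the intended behaviour (an SSH server's reply from source port 22 is accepted, an inbound SYN to port 22 is dropped) and the weakness worth knowing about: any non-SYN packet whose source port happens to be 445 is accepted to any LAN port, because the rule keys on source port alone rather than on connection state.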
 
Old 03-05-2006, 04:00 AM   #2
gilead
Senior Member
 
Registered: Dec 2005
Location: Brisbane, Australia
Distribution: Slackware64 14.0
Posts: 4,141

Rep: Reputation: 168
It's not iptables syntax, I believe it's a proprietary syntax used by that router. There's a small howto at http://www.uk-bug.net/modules.php?op...ntpage&artid=9 but I haven't used it myself - I hope it helps.