Hi all,
I'm still trying to wade through this nightmarish documentation and figure out how to set up a firewall with iptables. I understand the syntax and how it all works - I just can't translate what I want to do into the relevant commands.
I have the most basic set up imaginable - a single pc connected to a cable modem via eth0, with no servers or anything running on it. All I want it to do is be secure as possible, but also to allow decent upload/download speeds with bittorrent. I've done a lot of reading around and I reckon that this should work:

But my upload/download speeds are very bad...I know there's been loads of threads on iptables, but can someone let me know if I'm on the right track in terms of having ports 6881-6889 accessible for bittorrent? Maybe I need to issue some more commands?
All help very appreciated!

what do you want to set "ipchains" or "iptables"?...
you are talking about iptables, but you wrote ipchain rules below...

I'm talking about iptables - I'm using kernel 2.6.5.
The output in the previous post was a result of 'iptables -nL' - I thought that might be more helpful at a glance, rather than just printing out the whole of iptables.rules

if this is the output of iptables -L, currently you're accepting all input and output, as I see it - same as having no firewall...

now...
I don't know how this software works, but if the only ports needed open are 6881 to 6889 your rules should look something like this:


iptables -A INPUT -p tcp -s 0/0 --dport 6881:6889 -j ACCEPT #accepting any TCP incoming connection with destination port (to your port) 6881 to 6889
iptables -A INPUT -p udp -s 0/0 --dport 6881:6889 -j ACCEPT #accepting any UDP incoming connection with destination port (to your port) 6881 to 6889

iptables -A OUTPUT -p tcp --sport 6881:6889 -d 0/0 -j ACCEPT #accepting any TCP outgoing connection with sourceport (from your port) 6881 to 6889
iptables -A OUTPUT -p udp --sport 6881:6889 -d 0/0 -j ACCEPT #accepting any UDP outgoing connection with sourceport (from your port) 6881 to 6889

iptables -A INPUT -j DROP #drops all forward
iptables -A OUTPUT -j DROP #drops any outgoing connection
iptables -A FORWARD -j DROP #drops any incomming connection


again - I don't know the exact requirements of your software...
ask if some declaration is not clear and meaningfull...

Thanks for your help THeHellsMaster, I'm almost there!
I set all the policies to DROP so I thought that would reject everything by default - which would be safer, wouldn't it?

I tried what you suggested but I had no luck, then it occurred to me that logically you would need to specify a SOURCE port on the INPUT chain, rather than a DESTINATION port. And similarly, you need to specify the DESTINATION port on the OUTPUT chain, and no the source port. Well, after trying that I can now get a good upload speed with my bittorrent client, which is what I wanted!

Just to confirm, as long as I have done
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
I am not letting anything in unless specified - correct?

Thanks again for your time and your help,
robot5x

I told you I don't know how the software works, but I taught about reversing the ports just after I send the post and I was about to tell you if no success, but you figured it by yourself... :-)
anyway...

do you understand why the rules are set in such manner?...
if "yes" - now you know how to set simple firewall rules...

on your question - yes...
just check the policies if they contain rules as I typed them...
if those are your last 'rows' in the firewall you're dropping everything with them so only the rules above them will let something pass and only if specified - I suppose you know how the firewall works and why this is so...
I can explain if you need it...

anyway - if there's something else you can always post me a message... :-)

have a nice day...

dude, you need to enable port forwarding to the range of ports that bit torrent uses, not just poke a hole for it to go trhough.

cant remember the syntax off the top of my head, google for it and it should be easy enough to find.

Hmm...ok...
so what is the technical difference between simply opening a port, and FORWARDING a port.
This is probably basic stuff, but those networking how-to's are a real headache
Is there some security issue with opening ports like this?

I'm nore sure why port forwarding is really nessessary.

If your eth0 is connected directly to your cable modem,
then your eth0 IP should be your actual internet IP address.
All packets coming into and out of your eth0 interface
will be filtered by your INPUT and OUTPUT chains.
If you had a server or router in between your cable modem
and host computer, then you could configure
port forwarding on that device, or better yet, allow
that traffic through, so your whole network can recieve it.

By adding the suggested rules, you open a range of ports,
allowing applications listening to that range to communicate.
In this case Bittorrent. As far as what ports
it uses, I'm not sure, but you may want to look into that. It's
possible that when someone connects to you, they use
the destination ports you expect, yet with completely different
source ports. So how would you communicate the other way?
Your rules would only allow one way
communcation, the direction depending on which rules you've
matched to which chain. A solution would be to log the traffic and
note the ports used, or to specify both directions in your rules.

As far as the clarification of port forwarding and FOWARD:

It is possible to enable forwarding of packets between
multiple devices, such as if you had two network cards,
and wanted to share an internet connction.

# echo "1" > /proc/sys/net/ipv4/ip_forward

This, in combination with iptables rules would allow you
to share a connection through MASQUERADING, or
even enable port forwarding rules. These could, for
instance, forward (send) all packets destined for
a certain port, to a certain computer. This is done
through SNAT rules in the PREROUTING chain of the
nat table (iptables -L -t nat)

Your FOWARD chain filters the packets that are forwarded,
for instance, eth0 to eth1. It is like your INPUT, OUTPUT
chains in that it is designed for accepting and rejecting packets
based on what you specify.

Hope this helps