LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-23-2003, 08:40 AM   #1
radix
Member
 
Registered: May 2002
Location: Okinawa, Japan
Distribution: Slackware 9, FreeBSD 5.1, Gentoo 1.4
Posts: 38

Rep: Reputation: 15
iptables script help


I'm asking this as a last resort. I'm looking for someone who would be willing to write me an iptables script for Slackware 9 on a 2.4.22 kernel w/ a static DSL connection. I need to have passive FTP enabled with primary connections on port 5150, also IRC with DCC send and chat available, all forwarded to a Win XP box behind the NAT. I've looked all over but I'm too stupid to understand 99% of the howtos for setting up iptables. If you could provide a link to a FAQ/howto that breaks it down to complete retard level, that would be appreciated also. Thanks
 
Old 09-23-2003, 09:10 AM   #2
tangle
Senior Member
 
Registered: Apr 2002
Location: Arbovale, WV
Distribution: Slackware
Posts: 1,761

Rep: Reputation: 78
Go to freshmeat and download arno-iptables. There is an easy-to-understand config script.
 
Old 09-23-2003, 07:35 PM   #3
yocompia
Member
 
Registered: Apr 2003
Location: Chicago, IL
Distribution: openbsd 3.6, slackware 10.0
Posts: 244

Rep: Reputation: 30
Isn't there documentation in Japanese for this already?

http://www.netfilter.org/documentati...ilter-faq.html

OK, maybe it's complicated, but here's how you start:

1) take a very basic firewall (I'll provide it and comment it)

2) look through each of the rules to understand how packets get through or get stopped (there aren't that many)

3) add rules as necessary, one at a time preferably

If you have further specific questions, ask after reading through this:

(all this goes where your usual firewall script goes)
#!/bin/sh
# begin radix's firewall script

# variable definitions

IPTABLES="/usr/sbin/iptables"
LOG_LEVEL="info"

# load appropriate modules to do the filtering (i've loaded a
# bunch, but you won't need all of them immediately)

/sbin/depmod -a

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_mac
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc


# /proc setup

# you'll need this if you have a network setup where
# more than one computer is "behind" the linux firewall
echo "1" > /proc/sys/net/ipv4/ip_forward

# flushing old rulesets (the nat table too: iptable_nat is loaded
# above, and a plain -F only touches the filter table)

$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X

# setting default policies for base chains

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP



##################
# rules for INPUT
##################

# accept inbound packets from the loopback (match on the interface,
# not on 127.0.0.1: packets sent to your own eth0 address also go
# over lo and carry that address as source, so a 127.0.0.1 match
# would drop them)
$IPTABLES -A INPUT -i lo -j ACCEPT

# this only allows established and related connections inbound
# from the interface eth0; this is to stop people from making
# NEW connections to your computer (that's GOOD)
$IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT


###################
# rules for OUTPUT
###################

# allow the loopback packets out (same interface match as above)
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# let all traffic that is not (!) INVALID out the interface eth0
$IPTABLES -A OUTPUT -p ALL -o eth0 -m state ! --state INVALID -j ACCEPT

(EOF)

From here add your own rules; it's not that hard :P.

cheers,
y-p
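What "add your own rules" means for radix's stated setup (passive FTP with control on port 5150 and IRC DCC, forwarded to an XP box behind NAT on a static DSL line), as an added example that is not part of yocompia's script or anything else posted in this thread. It assumes eth0 faces the DSL line, eth1 the LAN, 192.168.1.10 is the XP box and 203.0.113.5 stands in for the static public address; these are constructed placeholders, and the rules are meant to follow the base script's INPUT/OUTPUT rules.

```shell
#!/bin/sh
# Added example, not from this thread; addresses and interfaces are placeholders.
set -e
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
EXT_IF=eth0            # DSL side
INT_IF=eth1            # LAN side
EXT_IP=203.0.113.5     # static public address (placeholder)
LAN=192.168.1.0/24
XP_BOX=192.168.1.10    # the Windows XP box behind the NAT
FTP_PORT=5150

load_helpers() {
    # The 2.4 FTP helper only watches port 21 unless told otherwise; without
    # ports=5150 PASV data connections never become RELATED. If the base script
    # already loaded these modules without ports=, rmmod them first.
    $MODPROBE ip_conntrack_ftp ports=21,$FTP_PORT
    $MODPROBE ip_nat_ftp ports=21,$FTP_PORT
    # ip_nat_irc rewrites outgoing DCC offers to $EXT_IP and expects the
    # incoming DCC connection so it can be handed back to the XP box.
    $MODPROBE ip_conntrack_irc
    $MODPROBE ip_nat_irc
}
nat_rules() {
    $IPTABLES -t nat -F
    # Static address: SNAT instead of MASQUERADE, so the helpers always see
    # the real public address and connections survive an interface bounce.
    $IPTABLES -t nat -A POSTROUTING -o $EXT_IF -s $LAN -j SNAT --to-source $EXT_IP
    # Publish only the FTP control port; data ports are opened by the helper.
    $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport $FTP_PORT \
        -j DNAT --to-destination $XP_BOX
}
forward_rules() {
    # LAN may open new connections outward; the Internet only to the FTP port.
    $IPTABLES -A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -d $XP_BOX -p tcp --dport $FTP_PORT \
        -m state --state NEW -j ACCEPT
    # Passive FTP data and DCC connections arrive as RELATED via the helpers.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Log (rate-limited) what falls through to the base script's FORWARD DROP.
    $IPTABLES -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD DROP: "
}
apply_all() { load_helpers; nat_rules; forward_rules; }
# Default is a preview that prints the commands; pass --apply to run them as root.
case "${1:-}" in
    --apply) apply_all ;;
    *) IPTABLES=echo; MODPROBE=echo; apply_all ;;
esac
```

Run it once without arguments and read the printed rules against the base script before using --apply.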
 
Old 09-25-2003, 07:57 AM   #4
radix
Member
 
Registered: May 2002
Location: Okinawa, Japan
Distribution: Slackware 9, FreeBSD 5.1, Gentoo 1.4
Posts: 38

Original Poster
Rep: Reputation: 15
OK, any idea why these won't load? I got 1.2.8, installed it to the dir I built the kernel in, recompiled, but nothing.


#/sbin/modprobe ip_tables
#/sbin/modprobe ip_conntrack
#/sbin/modprobe iptable_filter
#/sbin/modprobe iptable_mangle
#/sbin/modprobe iptable_nat
#/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_limit
#/sbin/modprobe ipt_state
#/sbin/modprobe ipt_mac
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
 
Old 09-25-2003, 08:03 AM   #5
radix
Member
 
Registered: May 2002
Location: Okinawa, Japan
Distribution: Slackware 9, FreeBSD 5.1, Gentoo 1.4
Posts: 38

Original Poster
Rep: Reputation: 15
I found the modules under /lib/modules/2.4.22/build/net/ipv4/netfilter but it doesn't look like they got linked. Also, I think that the modules that are being loaded are coming from the 2.4.20 dir... How can I change that?
 
Old 09-25-2003, 02:45 PM   #6
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 47
Did you run make modules_install?

The directory /lib/modules/2.4.22/build/net/ipv4/netfilter is actually pointing back to your kernel source tree. If you do make modules_install the modules should be put in /lib/modules/2.4.22/kernel/net/ipv4/netfilter.
 
Old 09-25-2003, 02:48 PM   #7
/bin/bash
Senior Member
 
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802

Rep: Reputation: 47
As for your original question, go to www.linuxguruz.com/iptables and start downloading firewall scripts. There are a lot to choose from, and I'm sure one will work for you.
 