I have had a problem with my shorewall firewall in that I can't get access to the web unless I set shorewall to allow everything (no firewall).

The following script was supplied by a member called qwijibow to another user with the same problem and similar configuration but he didn't explain where the script is supposed to be placed on a mandrake 10 community setup.

# qwijibow code start:

# reset firewall
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

# allow loopback traffic
iptables -A INPUT -d lo -j ACCEPT

# un comment out if you want this machine to respond to pings
# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# allow established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# un-comment out to trust all pc's on your lan.
#iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT

# un comment out if this machine is a printer server, and you have NOT truested all machies on your lan
#iptables -A INPUT -p tcp --dport 631 -s 192.168.0.0/16 -j ACCEPT

# qwijibow code end

In my ignorance, I placed it in the shorewall start file as it states in that file that any commands that you want to be carried out after shorewall resets or starts should be in there. It did seem to work at first without booting the system and I thought everything was fixed but after a cold start it froze after going into KDE with just a mouse pointer.

I commented out my entries in the shorewall start file and rebooted and KDE started ok.

Can anyone tell me where a script like this is a) likely or b) supposed to go.

I won't hold anyone to ransom if it doesn't work as I'm prepared to experiment.

I would appreciate any help. Thanks





__________________
Registered Linux user #359285
http://counter.li.org/ qwijibow

This looks like a firewall script sometimes called rc.scripts
When you have a script like this you have an either or situation. You can either use this script or use shorewall. But not them togather, its possible to use them togather but the way that shorewall works it might cause conflicts with this script.

So the best thing to do if you want to use this script is put the whole script like it is just paste it into the rc.local file
Its the last file that loads your configs.
i believe it is located at
/etc/rc.d/rc.local or
/etc/init.d/rc.local or

Thank you very much ZATRIZ.

I did post this a while ago but didn't get any replies so did a bit of experimenting of my own. I saved the script as an executable file called mywall in the executables path. When I start the PC I login as root and execute mywall and then login again as my user name. Although it's a bit long winded It seems to work fine for blocking everything. No pings and all ports stealth.

I will however try what you have suggested so that the process can be automated.

I think that if Linux ensured that newbies, using a single PC, could get up and running with a secure connection to the internet immediately. Then things would be a lot simpler and newbies could start Googling for tips and tricks.

Setting up a firewall is not even easy for experienced users as the posts to these boards show.

Thank you again for taking the trouble to reply

you can even just type the location of the mywall in the rc.local file and that will work just as well.
like in the rc.local file type put
/home/mywall
if thats where it is and that will work fine

I don't know how well you know shell scripting but if you are interested, you can make a great firewall script that way. For example, my firewall script is 1347 lines. What I did was made a script that uses a configuration file to setup the firewall rules. Say I want to allow ssh connections... I just go to my 20 line configuration script and change "ALLOW_SSH=0" to "ALLOW_SSH=1" and restart my firewall script. I got the original script off of the internet (god bless the man who originally put in all the code) and tweeked it for my own computer. I was trying to find it again so I could give you the address but I was unable to locate it. Just an idea to give you some other options.

if you want to go that route then check out shorewall
i think the best firewall iptables ever made shorewall.

Thanks again for your suggestions.