LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-01-2005, 11:10 PM   #1
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Slackware 10.1 and iptables configuration help


OK, I read a whole bunch of documentation on iptables (through Google), and I get the idea of how to set the rules. My question is, how do I set up iptables on my Slackware 10.1 distro?

Is there a config file that I can edit? Where is it stored? How do I run iptables on startup, as I don't see any start-up scripts pertaining to it in the /etc/rc.d directory?

I ran iptables-save to save the current config, but I have no idea where it is stored so I can edit the contents.
 
Old 04-02-2005, 01:04 AM   #2
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,940

Unless and until someone more experienced comes along, I can give you some pointers to start, because I am setting up iptables on my Slack-10.1 box right now.

Easy Firewall Generator for IPTables will generate an rc.firewall script for you. Just select the options that apply to your system, press Generate Firewall!, and then save the page as a text file named rc.firewall.

After that you must put it in /etc/rc.d/, make it owned by root (chown root:root /etc/rc.d/rc.firewall), and give it the proper permissions (chmod 755 /etc/rc.d/rc.firewall).

For this script to run in Slackware, you'll have to edit the path. Where it says
Code:
# IPTables Location - adjust if needed

IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"
you'll need to change that to
Code:
# IPTables Location - adjust if needed

IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"
Then you can browse to Iptables Tutorial 1.1.19 and read that novel. That's what I'm doing, and it's a start.

I hope someone more knowledgeable will come add more to this so that we can learn...
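The procedure above (save the generated script, drop it in /etc/rc.d, root-owned, mode 755, fix the IPT paths) as one script. This is an added example, not code from the thread or from the Easy Firewall Generator. Instead of hand-editing the three IPT lines it derives the iptables directory from `command -v iptables`, installs the file, and then checks that every IPT/IPTS/IPTR line names a binary that actually exists on this box, which is exactly the failure the post warns about (the generator defaults to /sbin, Slackware ships iptables in /usr/sbin). Two facts worth having next to it: Slackware's rc.inet2 runs /etc/rc.d/rc.firewall (passing the argument start) if the file is executable, which is why no separate startup hook is needed, though you should confirm that in your own rc.inet2; and iptables-save, which post #1 asks about, writes the ruleset to standard output and stores nothing unless you redirect it to a file that iptables-restore can later load. The function names and the one-argument invocation at the bottom are mine.

```shell
#!/bin/sh
# Install a generated rc.firewall on Slackware (added example, not the thread's code).
# Usage as root:  sh install-rc.firewall.sh ./rc.firewall
# The functions can also be sourced and used one at a time.

# ipt_dir: directory holding the iptables binaries on this host (exit 1 if none).
ipt_dir() {
    p=$(command -v iptables 2>/dev/null) || return 1
    dirname "$p"
}

# fix_ipt_paths FILE DIR: rewrite the IPT/IPTS/IPTR lines the generator emits
# (they default to /sbin) so they point at DIR, e.g. /usr/sbin on Slackware.
fix_ipt_paths() {
    f=$1; d=$2
    sed -e "s|^IPT=\"[^\"]*/iptables\"|IPT=\"$d/iptables\"|" \
        -e "s|^IPTS=\"[^\"]*/iptables-save\"|IPTS=\"$d/iptables-save\"|" \
        -e "s|^IPTR=\"[^\"]*/iptables-restore\"|IPTR=\"$d/iptables-restore\"|" \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# install_rc_firewall SRC DEST: root:root, 0755, as post #2 says. Ownership is
# only set when running as root so the function can be exercised unprivileged.
install_rc_firewall() {
    src=$1; dest=$2
    if [ "$(id -u)" = 0 ]; then
        install -o root -g root -m 0755 "$src" "$dest"
    else
        install -m 0755 "$src" "$dest"
    fi
}

# check_rc_firewall FILE: is it executable, and does each IPT* variable name a
# binary that exists? Prints every problem found; returns 1 if there were any.
check_rc_firewall() {
    f=$1; ok=0
    [ -x "$f" ] || { echo "$f is not executable"; ok=1; }
    for v in IPT IPTS IPTR; do
        bin=$(sed -n "s/^$v=\"\(.*\)\"/\1/p" "$f")
        [ -x "$bin" ] || { echo "$v points at '$bin', which is not an executable"; ok=1; }
    done
    return $ok
}

# With a source file argument, do the whole job in one go.
if [ -n "${1:-}" ]; then
    d=$(ipt_dir) || { echo "iptables not found in PATH"; exit 1; }
    fix_ipt_paths "$1" "$d"
    install_rc_firewall "$1" /etc/rc.d/rc.firewall
    check_rc_firewall /etc/rc.d/rc.firewall
fi
```

Run the check again after every edit to the script: a typo in one of the three paths fails silently at boot, because rc.inet2 does not stop for a firewall script that could not find its binary, and you come up with no rules loaded and INPUT at ACCEPT.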
 
Old 04-02-2005, 02:08 AM   #3
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Nice, it works, thanks.
 
Old 04-26-2005, 07:55 AM   #4
geletine
Member
 
Registered: Apr 2005
Distribution: Slackware
Posts: 213
I am new to Slackware and iptables. I tried to use Firestarter with Xfce, but it never worked; I don't have the appropriate GNOME libraries, and I didn't have the option to install GNOME, as I am using a CD from a Linux magazine in England which only has Xfce. Anyway, I saw this post and I am asking: what does that script do?
Any help appreciated.
 
Old 04-26-2005, 03:14 PM   #5
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Quote:
Originally posted by geletine
I am new to Slackware and iptables. I tried to use Firestarter with Xfce, but it never worked; I don't have the appropriate GNOME libraries, and I didn't have the option to install GNOME, as I am using a CD from a Linux magazine in England which only has Xfce. Anyway, I saw this post and I am asking: what does that script do?
Any help appreciated.
Iptables is a firewall. This firewall controls what goes in and out with instructions (rules). Some people may find writing these rules 'manually' a bit cumbersome because of all the knowledge that is required to make these rules. What this script does is automatically generate rules for you, using a 'choosing scheme' of what interface you have, what services and servers you are running, and creates a table of rules, custom to your choosing.
 
Old 04-27-2005, 12:27 AM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally posted by houler
Iptables is a firewall.
actually, iptables is NOT a firewall... the linux firewall code is netfilter... iptables is simply the tool we use to configure the way netfilter behaves...

also, I'd like to point out that using these iptables script generators and stuff is convenient for the linux newcomer, and in fact, it can provide the linux newcomer with good material to study (by looking at the generated script), but anybody that is serious about linux system administration should really learn to write their own iptables scripts from scratch - it's actually quite easy once you get the hang of it...
 
Old 04-27-2005, 05:48 AM   #7
geletine
Member
 
Registered: Apr 2005
Distribution: Slackware
Posts: 213
Once I have inserted rc.firewall, is it all done? I am using DHCP to connect to the internet, which I heard needs to be set up differently.

Is the script very basic? What do you advise doing afterwards?
 
Old 04-27-2005, 06:19 AM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally posted by geletine
Once I have inserted rc.firewall, is it all done? I am using DHCP to connect to the internet, which I heard needs to be set up differently.

Is the script very basic? What do you advise doing afterwards?
are you already using dhcp successfully or are you asking how to set up dhcp also??

how many network interfaces do you have?? what are you trying to accomplish with your firewall??

PS: yes, on slackware you basically put all the firewall rules in /etc/rc.d/rc.firewall and they get executed every time you boot...


Last edited by win32sux; 04-27-2005 at 06:21 AM.
 
Old 04-27-2005, 07:22 AM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

if you have a single-interface slackware PC and what you want is basically protection from all the nasties crawling around the internet then something simple like this /etc/rc.d/rc.firewall can be enough for a lot of people:

Code:
#!/bin/sh

echo "0" > /proc/sys/net/ipv4/ip_forward

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT

/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
but it's a good idea to add some extra security measures into the mix:
Code:
#!/bin/sh

IPT="/usr/sbin/iptables"

echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

echo "So let it be written. So let it be done."
set that as your /etc/rc.d/rc.firewall on your single-interface slackware PC and you'll have a very powerful netfilter stealth firewall sitting between you and the bad guys...

just my two cents...


EDIT 1: removed modprobes for ip_nat_ftp and ip_nat_irc as we aren't doing any NAT...

EDIT 2: removed FORWARD rule as we aren't doing any forwarding, hehe...



Last edited by win32sux; 04-28-2005 at 03:27 PM.
 
Old 04-27-2005, 09:33 PM   #10
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Quote:
Originally posted by win32sux
actually, iptables is NOT a firewall... the linux firewall code is netfilter... iptables is simply the tool we use to configure the way netfilter behaves...

also, I'd like to point out that using these iptables script generators and stuff is convenient for the linux newcomer, and in fact, it can provide the linux newcomer with good material to study (by looking at the generated script), but anybody that is serious about linux system administration should really learn to write their own iptables scripts from scratch - it's actually quite easy once you get the hang of it...
Thanks for the correction. Always learn something new everyday.
 
Old 04-27-2005, 10:00 PM   #11
houler
Member
 
Registered: Mar 2005
Distribution: Slackware 10.1, Kernel 2.6.14.4 (custom)
Posts: 166

Original Poster
Quote:
Originally posted by win32sux
actually, iptables is NOT a firewall... the linux firewall code is netfilter... iptables is simply the tool we use to configure the way netfilter behaves...

also, I'd like to point out that using these iptables script generators and stuff is convenient for the linux newcomer, and in fact, it can provide the linux newcomer with good material to study (by looking at the generated script), but anybody that is serious about linux system administration should really learn to write their own iptables scripts from scratch - it's actually quite easy once you get the hang of it...
Ok, what if one knows how to write their own iptables scripts, but doesn't know what to filter against?

(eg. block icmp [smurf attacks, dos, and the like])

is there like a website or something to show what one should filter against? inc. examples and explanations (why)


Quote:
Originally posted by win32sux
if you have a single-interface slackware PC and what you want is basically protection from all the nasties crawling around the internet then something simple like this /etc/rc.d/rc.firewall can be enough for a lot of people:

Code:
#!/bin/sh

echo "0" > /proc/sys/net/ipv4/ip_forward

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT

/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc
but it's a good idea to add some extra security measures into the mix:
Code:
#!/bin/sh

IPT="/usr/sbin/iptables"

echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc

echo "So let it be written. So let it be done."
set that as your /etc/rc.d/rc.firewall on your single-interface slackware PC and you'll have a very powerful netfilter stealth firewall sitting between you and the bad guys...

just my two cents...
Nice. What does all that do? You probably don't want to explain all that. link?

Last edited by houler; 04-27-2005 at 10:10 PM.
 
Old 04-28-2005, 04:21 AM   #12
geletine
Member
 
Registered: Apr 2005
Distribution: Slackware
Posts: 213
houler quote
"Ok, what if one knows how to write their own iptables scripts, but doesn't know what to filter against?

(eg. block icmp [smurf attacks, dos, and the like])

is there like a website or something to show what one should filter against? inc. examples and explanations (why)"

That's what I don't understand.

Sorry, I have DHCP running successfully.

Thanks for the advice.
 
Old 04-28-2005, 06:55 AM   #13
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally posted by houler
Ok, what if one knows how to write their own iptables scripts, but doesn't know what to filter against?

(eg. block icmp [smurf attacks, dos, and the like])

is there like a website or something to show what one should filter against? inc. examples and explanations (why)
usually one doesn't start writing a firewall script with rules that filter out certain things... one starts by setting a policy that filters EVERYTHING first... once everything is filtered, one begins to add rules allowing the things one wants/needs...

there's certain iptables rules which can be useful to check for weird packets, though... if you search this site you will find plenty of those... but they tend to be more useful to someone running servers... for example the ubiquitous "new not syn" rule... someone using a home pc which is completely stealthed won't have much use for a lot of those rules, and will meet most of their needs by setting a few kernel parameters (as is done in the first section of the script i provided)...

you can find plenty of example scripts (with comments) here:

http://www.linuxguruz.com/iptables


Last edited by win32sux; 04-28-2005 at 02:42 PM.
 
Old 04-28-2005, 02:27 PM   #14
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally posted by houler
Nice. What does all that do?
i've added some comments to the script, here you go:
Code:
#!/bin/sh

IPT="/usr/sbin/iptables"

# Let's make sure forwarding is DISABLED:
echo "0" > /proc/sys/net/ipv4/ip_forward

# Let's enable SYN cookies (to protect against SYN floods):
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

# Let's disable TCP timestamps to reduce the TCP stack workload:
echo "0" > /proc/sys/net/ipv4/tcp_timestamps

# Let's enable reverse path filtering for anti-spoofing:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

# Let's ignore PINGs which have been BROADCAST:
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Let's disable source routed packets as they are ridiculous:
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

# Let's allow redirects from trusted gateways only:
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects

# Let's log any UFOs which are spotted:
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# Let's flush-out all the chains in our tables:
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

# Let's delete every non-builtin chain in our tables:
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

# Let's set our INPUT policy to DROP:
$IPT -P INPUT DROP

# Let's set our OUTPUT policy to ACCEPT, because we can
# appreciate this kinda flexibility on a Home PC:
$IPT -P OUTPUT ACCEPT

# Let's accept incoming packets which belong to connections
# that have ALREADY been initiated:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Let's allow all packets initiating new connections LOCALLY:
$IPT -A INPUT -i lo -m state --state NEW -j ACCEPT

# Let's log every packet that reaches this rule, right before
# it hits our INPUT policy and gets a DROP:
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "

# Let's load the module allowing Connection Tracking for FTP:
/sbin/modprobe ip_conntrack_ftp

# Let's load the module allowing Connection Tracking for IRC:
/sbin/modprobe ip_conntrack_irc

# No rc.firewall script is complete without the ubiquitous echo:
echo "So let it be written. So let it be done."

Last edited by win32sux; 04-28-2005 at 03:20 PM.
 
Old 04-29-2005, 01:50 AM   #15
Poetics
Senior Member
 
Registered: Jun 2003
Location: California
Distribution: Slackware
Posts: 1,181

That was very useful, especially for those of us just now venturing into the world of iptables and added network security.

Question though. "# Let's delete every non-builtin chain in our tables:"

Care to elaborate on the difference between "builtin" and "non-builtin" chains?

Last edited by Poetics; 04-29-2005 at 01:52 AM.
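An added example, not the script win32sux posted in #9/#14 and not an answer written in anyone's voice here, that serves two passages: the single-interface rc.firewall itself, and Poetics' question in #15 about builtin versus non-builtin chains. It keeps the default-DROP design of the posted script and adds what a practitioner would want on top of it: an explicit FORWARD policy (policies exist only on the builtin chains INPUT, FORWARD and OUTPUT), a user-defined chain created with -N, which is the kind of chain -X deletes, a rate-limited LOG so that an attacker cannot fill /var/log by flooding you, the INVALID and "new not syn" drops mentioned in #13, and a dry-run mode that prints the iptables commands instead of running them. Assumptions, all mine: iptables lives in /usr/sbin as on Slackware, the host has one interface and forwards nothing, the kernel is 2.6-era (ip_conntrack_* helper module names), and rc.inet2 invokes the script with the argument start.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall for a single-interface Slackware host (added example).
#   rc.firewall start    apply the ruleset (what Slackware's rc.inet2 passes)
#   rc.firewall stop     flush everything and set all policies to ACCEPT (opens the host!)
#   rc.firewall status   show the live ruleset with packet counters
#   rc.firewall          no argument: print the commands it would run, change nothing

IPT="${IPT:-/usr/sbin/iptables}"   # Slackware keeps iptables here, not in /sbin
DRY_RUN=0

# ipt: run one iptables command, or in dry-run mode print it (quoting args with spaces).
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s' "$IPT"
        for a in "$@"; do
            case "$a" in *\ *) printf " '%s'" "$a" ;; *) printf ' %s' "$a" ;; esac
        done
        printf '\n'
    else
        "$IPT" "$@"
    fi
}

# sysctl_set KEY VALUE: write /proc/sys/net/ipv4/KEY, dry-run aware.
sysctl_set() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo %s > /proc/sys/net/ipv4/%s\n' "$2" "$1"
    else
        echo "$2" > "/proc/sys/net/ipv4/$1"
    fi
}

kernel_hardening() {
    sysctl_set ip_forward 0                     # this box is not a router
    sysctl_set tcp_syncookies 1                 # survive SYN floods
    sysctl_set conf/all/rp_filter 1             # drop packets with spoofed source addresses
    sysctl_set icmp_echo_ignore_broadcasts 1    # never answer broadcast pings (smurf amplifier)
    sysctl_set conf/all/accept_source_route 0
    sysctl_set conf/all/accept_redirects 0      # one gateway, so ICMP redirects are never legitimate
    sysctl_set conf/all/log_martians 1
    # tcp_timestamps is left at the kernel default on purpose: turning it off breaks
    # PAWS protection and saves practically nothing.
}

build_rules() {
    # Clean slate first, so running the script twice does not stack duplicate rules.
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done

    # Policies exist only on the builtin chains (INPUT/FORWARD/OUTPUT in filter).
    # Set all three: a FORWARD policy is cheap insurance even with ip_forward=0.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # A user-defined (non-builtin) chain, created with -N and removed by -X above:
    # log at most 5 lines a minute so a flood cannot fill /var/log, then drop.
    ipt -N LOGDROP
    ipt -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "INPUT DROP: " --log-level 4
    ipt -A LOGDROP -j DROP

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot classify, and TCP packets that claim to open a
    # connection without SYN (the "new not syn" rule the thread mentions):
    ipt -A INPUT -m state --state INVALID -j LOGDROP
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j LOGDROP
    # Services you deliberately expose go here, before the final catch-all, e.g.:
    # ipt -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -j LOGDROP
}

load_helpers() {
    # Connection-tracking helpers so active FTP and IRC DCC data connections
    # match the ESTABLISHED,RELATED rule (nf_conntrack_ftp/_irc on newer kernels).
    for m in ip_conntrack_ftp ip_conntrack_irc; do
        if [ "$DRY_RUN" = 1 ]; then echo "/sbin/modprobe $m"; else /sbin/modprobe "$m"; fi
    done
}

# render: the complete command list as text, for review before you apply it.
render() { DRY_RUN=1; kernel_hardening; build_rules; load_helpers; DRY_RUN=0; }

case "${1:-}" in
    start)  kernel_hardening; build_rules; load_helpers ;;
    stop)   for t in filter nat mangle; do ipt -t "$t" -F; ipt -t "$t" -X; done
            ipt -P INPUT ACCEPT; ipt -P FORWARD ACCEPT; ipt -P OUTPUT ACCEPT ;;
    status) "$IPT" -L -n -v ;;
    *)      render ;;
esac
```

Run it with no argument first and read the printed commands; then `rc.firewall start` as root and `rc.firewall status` to see counters climbing on the rules you expect. Note that `stop` deliberately leaves the host wide open, as the Slackware convention for rc scripts expects, so do not use it as a way to "reset" a running machine on an untrusted network.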
 
  


All times are GMT -5.
