Slackware: This forum is for the discussion of Slackware Linux.
I have to admit, I have some reading to do here. I have used a fairly strict iptables configuration in /etc/rc.local and hosts* policies by default without much understanding. I recently switched from a dial-up ISP to a cable modem and I had to disable my iptables to get this working, but I left my hosts* files alone. I'd appreciate a critique and some good cable modem iptables rules. My PC does not act like a server in any capacity. I did of course enable dhcpcd for the cable modem. I suspect iptables is messing up ports 67/68, which I believe DHCP uses.
Thanks!
********************************
Here's my /etc/hosts information:
# For loopbacking.
127.0.0.1 localhost
127.0.0.1 bairco.bairco.org bairco
# End of hosts.
********************************
Here's my /etc/hosts.allow information:
ALL: bairco, localhost
********************************
Here's my /etc/hosts.deny information:
ALL: ALL
********************************
Here's my iptables setup from /etc/rc.local
# **** iptables setup begin *****
## Clean and flush all chains to an empty state.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
## Set the default policies of the built-in chains. If no match for any of
## the rules below, these will be the defaults that iptables uses
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
## Setup masquerade: (could use this once LAN is established)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
## Insert connection-tracking modules (not needed if built into kernel)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
## New Chain: dlog, Drop and Log (log before drop!)
iptables -N dlog
iptables -A dlog -m limit --limit 15/minute -j LOG --log-prefix="iptables: " --log-tcp-options --log-ip-options
iptables -A dlog -j DROP
## New Chain: block, create chain which blocks new connections, except if
## coming from inside
iptables -N block
iptables -A block -m state --state INVALID -j dlog
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j dlog
## Jump to the block chain from INPUT and FORWARD chains
iptables -A INPUT -j block
iptables -A FORWARD -j block
# **** iptables setup end *****
I can't really help with the specifics, maybe try the security forum. However, I believe that rc.local is not the correct place for an iptables firewall. You should put it in /etc/rc.d/rc.firewall, which you need to create.
Having looked at your firewall (and not being experienced), have you got loopback allowed? [iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT] This line might be it, and if it is, you might need to change it. 'ppp0' is probably for a dial-up. If, for example, you're now using ethernet, you might need to change the interface to 'eth0'.
Duh! I missed the ppp0. For now, I've changed that to eth0 and all the old rules are "working" as they did. I'd still be interested in a critique/recommendation(s).
Besides what simcox said about having it in a different rc.* file, if it works, it works.
That's the best thing about Slack/linux ... Configure it til it breaks, then back off a smidge
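As an added example (not code from the thread), here is the kind of /etc/rc.d/rc.firewall a single cable-modem host like this one could use, built from the posted rules. It assumes the cable modem is on eth0 (the WAN), that there is no LAN behind the box yet (so the MASQUERADE rule is left out and FORWARD stays DROP), and that the host runs no services. It differs from the posted script in three security-relevant ways: the WAN interface is a variable rather than hard-coded, because with `-i ! ppp0` on a host whose real uplink is eth0 the block chain accepts every NEW inbound connection on eth0 and the firewall is effectively open; loopback is accepted explicitly instead of as "anything that is not the WAN"; and DHCP client replies on the WAN (UDP server port 67 to client port 68) are accepted explicitly, since broadcast OFFER/ACK replies do not match the conntrack entry of the request. It uses the current `! -i` and `-m conntrack --ctstate` syntax in place of `-i !` and `-m state`. By default it only prints the rules (a dry run, so it can be reviewed without root); FW_APPLY=1 loads them, and `stop` flushes back to accept-all.

```shell
#!/bin/sh
# Example /etc/rc.d/rc.firewall for a single Slackware host on a cable modem.
# Added example, not the poster's script. Assumptions: the cable modem is on
# eth0 (WAN), there is no LAN behind this box, and the host runs no services.

WAN="${WAN:-eth0}"          # uplink interface; the posted script hard-coded ppp0
IPT="${IPT:-iptables}"

# Dry run unless FW_APPLY=1: print each iptables command instead of loading it,
# so the rule set can be reviewed (or tested) without root. Quoting is lost in
# the printed form; that only affects the LOG prefix's trailing space.
run() {
    if [ "${FW_APPLY:-0}" = 1 ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

# Flush every table and remove user-defined chains, as the posted script does.
flush_all() {
    for t in filter nat mangle; do
        run -t "$t" -F
        run -t "$t" -X
    done
}

firewall_rules() {
    flush_all

    # Default policies: unsolicited inbound and all forwarding are dropped,
    # outbound is allowed. No MASQUERADE: this host does not route for a LAN.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT

    # Loopback, accepted by name. The posted rule accepted NEW traffic on every
    # interface except ppp0, which also admits everything on eth0 when ppp0 is
    # not the real uplink; an explicit lo rule removes that dependency.
    run -A INPUT -i lo -j ACCEPT

    # Log-then-drop chain, rate limited so a port scan cannot flood the log.
    run -N dlog
    run -A dlog -m limit --limit 15/minute -j LOG --log-prefix "iptables: " --log-tcp-options --log-ip-options
    run -A dlog -j DROP

    # Packets conntrack cannot classify (bad flags, out-of-window) go first.
    run -A INPUT -m conntrack --ctstate INVALID -j dlog

    # Replies to connections this host opened (plus FTP/IRC data channels when
    # the matching conntrack helper modules, as in the posted modprobes, are loaded).
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # DHCP client on the WAN: replies come from server port 67 to client port 68.
    # Broadcast OFFER/ACK replies do not match the conntrack entry created by
    # the request, so they would otherwise fall through to the log-and-drop rule.
    run -A INPUT -i "$WAN" -p udp --sport 67 --dport 68 -j ACCEPT

    # Optional: answer pings (rate limited) so path problems can be diagnosed.
    run -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -m limit --limit 4/second -j ACCEPT

    # Everything else inbound or forwarded is logged and dropped.
    run -A INPUT -j dlog
    run -A FORWARD -j dlog
}

# "stop": flush everything and fall back to accept-all, like a fresh kernel.
firewall_open() {
    flush_all
    run -P INPUT ACCEPT
    run -P FORWARD ACCEPT
    run -P OUTPUT ACCEPT
}

case "${1:-start}" in
    stop) firewall_open ;;
    *)    firewall_rules ;;
esac
```

As simcox's reply says, this belongs in /etc/rc.d/rc.firewall rather than rc.local; make it executable and Slackware's rc.inet2 runs it with `start` at boot. Review the dry-run output first (`sh rc.firewall`), then load with `FW_APPLY=1 sh rc.firewall start`, and check with `iptables -L -v -n` that the lo and DHCP rules sit above the final log-and-drop rule.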