LinuxQuestions.org

Slackware forum: Looking for iptables script (https://www.linuxquestions.org/questions/slackware-14/looking-for-iptables-script-739478/)

JosephS 07-11-2009 08:49 PM

Looking for iptables script
 
Using Slackware 12.2
Can someone point me to a script for iptables?
I'm new to networking and firewalls.
Is there a gui that would be helpful?
I have a computer with a broadband connection to the internet.
I use the computer for personal use.

Thanks.

Bruce Hill 07-11-2009 09:26 PM

Check out Alien Bob's idea.

allend 07-12-2009 02:26 AM

There is a script supplied in /etc/ppp/firewall-standalone that can be copied to /etc/rc.d/rc.firewall and made executable so that it runs automatically at boot. Change the EXTIF to suit your network connection.
The script is very simple; it just blocks all incoming connection attempts, but it sounds like it would suit your needs at this time.

speck 07-12-2009 02:40 AM

I've used Arno's script over the last few years and it's probably the easiest way (I think it's even easier than using a GUI) to setup a firewall. The script is well documented and constantly updated.

Mark Pettit 07-12-2009 06:43 AM

Quote:

Can someone point me to a script for iptables?
someone mentioned arno's - that's good.
i use firehol - also very easy to setup.

Quote:

I'm new to networking and firewalls.
firewalls are not for the faint-hearted if you want to do it yourself. using any of the above methods will be quite easy.

Quote:

Is there a gui that would be helpful?
the above methods are so easy it would almost be tragic to use a GUI. besides - you're using slackware, so be prepared for a bit of command line stuff. also, the configs will likely have to be done as root - and i hope you don't run X as root.

Quote:

I have a computer with a broadband connection to the internet.
then you will definitely want a firewall. altho' many times the router can do that for you. if your needs are simple (ie fetch http, mail etc) then that will be enough. if you want to download torrents or provide some services (web,mail,(s)ftp,ssh etc) outwards, then you will need a firewall (and maybe a bridged router).

onebuck 07-12-2009 08:05 AM

Hi,

'Iptables Tutorial 1.2.2' would be a good place to get a tutorial.

The above link and others are available from 'Slackware-Links'. More than just Slackware® links!

dugan 07-12-2009 10:05 AM

Here are some interesting and relevant tutorials:
http://linuxgazette.net/103/odonovan.html
http://security.maruhn.com/

Two other iptables firewalls I've heard of are Shorewall and SlackFire. I've never used them though.
http://www.shorewall.net/
http://slackfire.berlios.de/

vharishankar 07-12-2009 10:10 AM

If you're using a router, it acts as a firewall basically - blocks all outgoing connections until you manually enable port-forwarding and forward a local port to the gateway. So in most cases you will not need a firewall. Of course, if your computer IP is directly exposed to the internet (i.e. a normal modem) or you need to block a lot of incoming traffic as well as outgoing traffic, you will need a strong and possibly restrictive firewall.

If you're using KDE, guarddog is what I found to be most intuitive from the point of view of commonly used services/ports for incoming and outgoing network traffic.

http://www.simonzone.com/software/guarddog/

My advice is, if you can manage it, avoid a direct internet connection (i.e. your machine's IP is the remote IP) and always use a router or a firewall in between.

onebuck 07-12-2009 10:55 AM

Hi,

Customizing a router firewall is not feasible. So additional firewall(s) will aid you in establishing a secure environment.

vharishankar 07-12-2009 11:03 AM

Quote:

Originally Posted by onebuck (Post 3605188)
Hi,

Customizing a router firewall is not feasible. So additional firewall(s) will aid you in establishing a secure environment.

Yes, but for 99% of desktop use, where you're not even running additional services, it is secure for most of us.

Of course, if you're paranoid, you can implement a stricter firewall rule, but ultimately I believe in a reasonable amount of protection, but also convenience. There should be a balance between the two.

Using a strict firewall often will prevent you from using VoIP chat (like SIP) and also many multi-player games which a lot of people play. Debugging the firewall rule in such cases can be frustrating sometimes, especially if the ports used by the games are not standard or keep changing dynamically.

My advice is yes, use a firewall by all means. But learn what it does and how it works, not merely implement a rule blindly because a script automatically generates one for you.

onebuck 07-12-2009 03:47 PM

Hi,

When I'm paranoid then off to the 'dmz'.

vik 07-12-2009 07:50 PM

here's mine...
 
Here's one I came up with by tweaking the one over at linux.org tutorials...just set the variables at the top correctly, then delete any of the services that you don't need. As I'm adding out rules it is more secure, but also more likely to interfere with your programs.

#!/bin/sh
# first, load module that helps with ftp
/sbin/modprobe ip_conntrack_ftp

IPTABLES=/sbin/iptables
INTERFACE=eth0
MY_IP=x.x.x.x
MY_NETWORK=x.x.x.0

# start by flushing the rules
$IPTABLES -F
# delete any user-created chains
$IPTABLES -X

## allow packets coming from/going to the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# block spoofing-packet coming in to my machine where source is 127.0.0.1 and
# not loopback interface.
# (the negation goes before the option; current iptables rejects the old "-i ! lo" form)
$IPTABLES -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
# block spoofing-packet coming in to my machine with my IP
# (would use loopback with IP of 127.0.0.1, not actual IP)
$IPTABLES -A INPUT -s $MY_IP -j DROP

# stop bad packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP

# NMAP FIN/URG/PSH
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# stop Xmas Tree type scanning
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# stop null scanning
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# stop sync flood
$IPTABLES -N SYNFLOOD
$IPTABLES -A SYNFLOOD -p tcp --syn -m limit --limit 1/s -j RETURN
$IPTABLES -A SYNFLOOD -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp -m state --state NEW -j SYNFLOOD
# stop ping flood attack
$IPTABLES -N PING
$IPTABLES -A PING -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
$IPTABLES -A PING -p icmp -j REJECT
$IPTABLES -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j PING

#################################
## What we allow
#################################

# http
$IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 80 -j ACCEPT

# https
$IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 443 -j ACCEPT

# dns client
$IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT

# ftp, ftps (989:990 is FTP over TLS; sftp runs inside ssh on port 22 and needs no extra rule)
$IPTABLES -A INPUT -p tcp --sport 20:21 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 20:21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 989:990 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 989:990 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 20:21 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 989:990 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 989:990 -j ACCEPT
$IPTABLES -A INPUT -m helper --helper ftp -j ACCEPT
$IPTABLES -A OUTPUT -m helper --helper ftp -j ACCEPT

# pop2, pop3, secure pop3
## NOT TESTED ##
$IPTABLES -A INPUT -p tcp --sport 109:110 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 109:110 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 995 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 995 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 109:110 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 109:110 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 995 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 995 -j ACCEPT

# imap2, imap3, secure imap
## NOT TESTED ##
$IPTABLES -A INPUT -p tcp --sport 143 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 143 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 220 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 220 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 993 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 993 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 143 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 143 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 220 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 220 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 993 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 993 -j ACCEPT

# dhcp (only send/receive packets to/from my subnet)
## NOT TESTED ##
$IPTABLES -A INPUT -p udp --sport 67:68 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 67:68 -d $MY_NETWORK/16 -j ACCEPT

# nfs (only send/receive packets to/from my subnet)
## NOT TESTED ##
$IPTABLES -A INPUT -p tcp --sport 2049 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 2049 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 2049 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 2049 -d $MY_NETWORK/16 -j ACCEPT

# ntp (network time protocol)
## NOT TESTED ##
$IPTABLES -A INPUT -p tcp --sport 123 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 123 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 123 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT

# ssh (only send/receive packets to/from my subnet)
$IPTABLES -A INPUT -p tcp --sport 22 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 22 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 22 -d $MY_NETWORK/16 -j ACCEPT

# ping (only send/receive packets to/from my subnet)
$IPTABLES -A INPUT -p icmp -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -d $MY_NETWORK/16 -j ACCEPT

# cups (internet printing protocol, line printer)
# (only send/receive packets to/from my subnet)
$IPTABLES -A INPUT -p tcp --sport 515 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 631 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 631 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 515 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 631 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 631 -d $MY_NETWORK/16 -j ACCEPT

# samba with netbios (only send/receive packets to/from my subnet)
## NOT TESTED ##
$IPTABLES -A INPUT -p tcp --sport 137:139 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 137:139 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 137:139 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 137:139 -d $MY_NETWORK/16 -j ACCEPT

# mysql (only send/receive packets to/from my subnet)
$IPTABLES -A INPUT -p tcp --sport 3306 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 3306 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 3306 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 3306 -d $MY_NETWORK/16 -j ACCEPT

# block all incoming/outgoing that don't match rules above. must be last
# rule, or overrides other rules and blocks everything.
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j DROP
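The accept rules in the script above match return traffic by source port (`--sport 80 -j ACCEPT` on INPUT, and the same for 443, 53, the mail ports and so on), with no state check. Any remote host that simply sends from port 80 therefore passes the INPUT chain no matter which local port it is aimed at, and the final DROP never sees the packet; the "/16" on MY_NETWORK has the same effect for anything inside a /16 around your subnet. The stateful alternative is to let connection tracking decide what is a reply. The following is an added example, written for this thread; it is not vik's script and not anything shipped with Slackware. It keeps the same shape (flush, loopback, anti-spoofing, rate-limited ICMP and ssh, default drop) but accepts inbound packets only when they belong to a connection this host opened, and adds a small audit function that counts source-port-only accepts in a saved script. LAN, OUT_TCP and OUT_UDP are placeholders to edit; running it with `show` (or `IPTABLES=echo`) prints the rules instead of loading them, and saving it as /etc/rc.d/rc.firewall and making it executable starts it at boot, as allend described. On newer iptables, `-m state --state` is an alias for `-m conntrack --ctstate` and behaves the same.

```sh
#!/bin/sh
# Added example (not vik's script, not part of Slackware): a stateful
# single-host ruleset plus an audit helper for the --sport-only pattern.
# Placeholders to edit: LAN, OUT_TCP, OUT_UDP.

IPTABLES=${IPTABLES:-/sbin/iptables}
LAN=${LAN:-192.168.1.0/24}           # assumption: your local subnet
OUT_TCP="53 80 443"                  # outbound client protocols this host may start
OUT_UDP="53 123"

rules() {
    # start clean, and make DROP the default policy for every chain so
    # nothing is accepted by accident if a later rule is removed
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP

    # loopback is always fine
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # anti-spoofing: 127/8 must never arrive on a real interface
    $IPTABLES -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP

    # packets that belong to no known connection (bad flags, stray ACKs)
    $IPTABLES -A INPUT -m state --state INVALID -j DROP

    # the key difference from source-port matching: replies are recognised
    # by connection tracking, so a remote host cannot get in just by
    # choosing a friendly source port. RELATED covers ftp data channels
    # when the ftp conntrack helper module is loaded.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # new outbound connections, only to the listed client ports
    for port in $OUT_TCP; do
        $IPTABLES -A OUTPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    for port in $OUT_UDP; do
        $IPTABLES -A OUTPUT -p udp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # new inbound ssh from the LAN only, rate-limited to blunt brute force
    $IPTABLES -A INPUT -p tcp --dport 22 -s "$LAN" -m state --state NEW \
        -m limit --limit 3/minute --limit-burst 5 -j ACCEPT

    # echo requests from the LAN, rate-limited; replies to our own pings
    # already pass as ESTABLISHED
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -s "$LAN" \
        -m limit --limit 1/second -j ACCEPT

    # log (rate-limited) what the policy is about to drop, for troubleshooting
    $IPTABLES -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "FW-IN-DROP: "
    $IPTABLES -A OUTPUT -m limit --limit 5/minute -j LOG --log-prefix "FW-OUT-DROP: "
}

# audit_sport_accepts FILE: count ACCEPT rules in a saved iptables script
# that match on --sport without any --state match, i.e. the pattern that
# lets a remote host in by picking its source port. Prints the count.
audit_sport_accepts() {
    grep -- '--sport' "$1" | grep -- '-j ACCEPT' | grep -vc -- '--state' || true
}

case "${1:-}" in
    apply) rules ;;                          # load the rules (needs root)
    show)  IPTABLES=echo; rules ;;           # print the rules without loading them
    audit) audit_sport_accepts "$2" ;;       # e.g. ./rc.firewall audit /etc/rc.d/rc.firewall.old
esac
```

Run `./rc.firewall show` first and read the output; then `./rc.firewall apply` as root. Running the audit against the script posted above reports every one of its source-port accepts, while running it against this file reports none.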

micxz 07-12-2009 08:35 PM

http://oreilly.com/pub/h/45

onebuck 07-13-2009 09:20 AM

Hi,

Quote:

Originally Posted by vik (Post 3605524)
Here's one I came up with by tweaking the one over at linux.org tutorials...just set the variables at the top correctly, then delete any of the services that you don't need. As I'm adding out rules it is more secure, but also more likely to interfere with your programs.

Code:

[vik's script, quoted in full; see the post above]

It would be nice if you place the long listings in the vbcode tags. Like I did in the quote of your post. If you use the vbcode tags the post will be cleaner therefore easier to read. You can edit your post then highlight the list, click code(#) or Quote(balloon to the left of #).

JosephS 07-13-2009 09:41 PM

Thanks for the replies. I have some things I can study.
I have a couple more questions:

Quote:

hs123
My advice is, if you can manage it, avoid a direct internet connection (i.e. your machine's IP is the remote IP) and always use a router or a firewall in between.
If I use a firewall such as Iptables will that hide the IP of my machine?


Quote:

Mark Pettit
the above methods are so easy it would almost be tragic to use a GUI. besides - you're using slackware, so be prepared for a bit of command line stuff. also, the configs will likely have to be done as root - and i hope you don't run X as root.
Why is it a problem to use a gui when running as root?

Is it better to run a firewall as a dedicated firewall like IPCop or
a router, rather than on the same computer or does it matter?

Thanks for the help.

micxz 07-13-2009 10:24 PM

Quote:

Originally Posted by JosephS (Post 3606728)
If I use a firewall such as Iptables will that hide the IP of my machine?

There is no way to hide the IP of your machine. Unless you're using a proxy, you can hide your IP from, say, websites or other servers, depending on what the proxy supports. But as soon as you directly connect to any service it is impossible to hide your IP.

Quote:

Originally Posted by JosephS (Post 3606728)
Why is it a problem to use a gui when running as root?

Because you always want to be careful what commands you are running as root. And GUIs don't let you see exactly what you're doing. And one wrong slip of the mouse or simple mistake can cause major damage to your system.

And for your last Q: you can route traffic with iptables, so in a sense you can set up a firewall as your router.

