Looking for iptables script
Using Slackware 12.2
Can someone point me to a script for iptables? I'm new to networking and firewalls. Is there a gui that would be helpful? I have a computer with a broadband connection to the internet. I use the computer for personal use. Thanks. |
Check out Alien Bob's idea. |
There is a script supplied in /etc/ppp/firewall-standalone that can be copied to /etc/rc.d/rc.firewall and made executable so that it runs automatically at boot. Change the EXTIF to suit your network connection.
The script is very simple, it just blocks all incoming connection attempts, but sounds like it would suit your needs at this time. |
I've used Arno's script over the last few years and it's probably the easiest way (I think it's even easier than using a GUI) to set up a firewall. The script is well documented and constantly updated. |
i use firehol - also very easy to set up.
you want to do it yourself. using any of the above methods will be quite easy.
be tragic to use a GUI. besides - you're using slackware, so be prepared for a bit of command line stuff. also, the configs will likely have to be done as root - and i hope you don't run X as root.
times the router can do that for you. if your needs are simple (ie fetch http, mail etc) then that will be enough. if you want to download torrents or provide some services (web,mail,(s)ftp,ssh etc) outwards, then you will need a firewall (and maybe a bridged router). |
Hi,
'Iptables Tutorial 1.2.2' would be a good place to get a tutorial. The above link and others are available from 'Slackware-Links'. More than just Slackware® links! |
Here are some interesting and relevant tutorials:
http://linuxgazette.net/103/odonovan.html
http://security.maruhn.com/
Two other iptables firewalls I've heard of are Shorewall and SlackFire. I've never used them though.
http://www.shorewall.net/
http://slackfire.berlios.de/ |
If you're using a router, it acts as a firewall basically - blocks all outgoing connections until you manually enable port-forwarding and forward a local port to the gateway. So in most cases you will not need a firewall. Of course, if your computer IP is directly exposed to the internet (i.e. a normal modem) or you need to block a lot of incoming traffic as well as outgoing traffic, you will need a strong and possibly restrictive firewall.
If you're using KDE, guarddog is what I found to be most intuitive from the point of view of commonly used services/ports for incoming and outgoing network traffic. http://www.simonzone.com/software/guarddog/
My advice is, if you can manage it, avoid a direct internet connection (i.e. your machine's IP is the remote IP) and always use a router or a firewall in between. |
Hi,
Customizing a router firewall is not feasible. So additional firewall(s) will aid you in establishing a secure environment. |
Of course, if you're paranoid, you can implement a stricter firewall rule, but ultimately I believe in a reasonable amount of protection, but also convenience. There should be a balance between the two. Using a strict firewall often will prevent you from using VoIP chat (like SIP) and also many multi-player games which a lot of people play. Debugging the firewall rule in such cases can be frustrating sometimes, especially if the ports used by the games are not standard or keep changing dynamically. My advice is yes, use a firewall by all means. But learn what it does and how it works, not merely implement a rule blindly because a script automatically generates one for you. |
Hi,
When I'm paranoid then off to the 'dmz'. |
here's mine...
Here's one I came up with by tweaking the one over at linux.org tutorials...just set the variables at the top correctly, then delete any of the services that you don't need. As I'm adding out rules it is more secure, but also more likely to interfere with your programs.
#!/bin/sh
# first, load module that helps with ftp
/sbin/modprobe ip_conntrack_ftp

IPTABLES=/sbin/iptables
INTERFACE=eth0
MY_IP=x.x.x.x
MY_NETWORK=x.x.x.0   # the /16 mask used with it below must match your subnet

# start by flushing the rules
$IPTABLES -F
# delete any user-created chains
$IPTABLES -X

## allow packets coming from/going to the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# block spoofed packets coming in to my machine where source is 127.0.0.1 and
# not loopback interface.
$IPTABLES -A INPUT -s 127.0.0.0/8 ! -i lo -j DROP
# block spoofed packets coming in to my machine with my IP
# (would use loopback with IP of 127.0.0.1, not actual IP)
$IPTABLES -A INPUT -s $MY_IP -j DROP

# stop bad packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP
# NMAP FIN/URG/PSH
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# stop Xmas Tree type scanning
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
# stop null scanning
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags ALL NONE -j DROP
# SYN/RST
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN
$IPTABLES -A INPUT -i $INTERFACE -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# stop syn flood (note: only 1 new TCP connection per second is accepted)
$IPTABLES -N SYNFLOOD
$IPTABLES -A SYNFLOOD -p tcp --syn -m limit --limit 1/s -j RETURN
$IPTABLES -A SYNFLOOD -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp -m state --state NEW -j SYNFLOOD

# stop ping flood attack
$IPTABLES -N PING
$IPTABLES -A PING -p icmp --icmp-type echo-request -m limit --limit 1/second -j RETURN
$IPTABLES -A PING -p icmp -j REJECT
$IPTABLES -I INPUT -p icmp --icmp-type echo-request -m state --state NEW -j PING

#################################
## What we allow
#################################
# NOTE: the INPUT rules below match on source port only, with no connection
# state, so any inbound packet whose source port is e.g. 80 is accepted.

# http
$IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 80 -j ACCEPT

# https
$IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 443 -j ACCEPT

# dns client
$IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT

# ftp (20:21) and ftps (989:990)
$IPTABLES -A INPUT -p tcp --sport 20:21 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 20:21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 989:990 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 989:990 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 20:21 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 989:990 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 989:990 -j ACCEPT
$IPTABLES -A INPUT -m helper --helper ftp -j ACCEPT
$IPTABLES -A OUTPUT -m helper --helper ftp -j ACCEPT

# pop2, pop3, secure pop3
## NOT TESTED ##
$IPTABLES -A INPUT -p tcp --sport 109:110 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 109:110 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 995 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 995 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 109:110 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 109:110 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 995 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 995 -j ACCEPT

# imap2, imap3, secure imap
## NOT TESTED ##
$IPTABLES -A INPUT -p tcp --sport 143 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 143 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 220 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 220 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 993 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 993 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 143 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 143 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 220 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 220 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 993 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 993 -j ACCEPT

# dhcp (only send/receive packets to/from my subnet)
## NOT TESTED ##
$IPTABLES -A INPUT -p udp --sport 67:68 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 67:68 -d $MY_NETWORK/16 -j ACCEPT

# nfs (only send/receive packets to/from my subnet)
## NOT TESTED ##
$IPTABLES -A INPUT -p tcp --sport 2049 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 2049 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 2049 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 2049 -d $MY_NETWORK/16 -j ACCEPT

# ntp (network time protocol)
## NOT TESTED ##
$IPTABLES -A INPUT -p tcp --sport 123 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 123 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 123 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 123 -j ACCEPT

# ssh (only send/receive packets to/from my subnet)
$IPTABLES -A INPUT -p tcp --sport 22 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 22 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 22 -d $MY_NETWORK/16 -j ACCEPT

# ping (only send/receive packets to/from my subnet)
$IPTABLES -A INPUT -p icmp -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -d $MY_NETWORK/16 -j ACCEPT

# cups (internet printing protocol, line printer)
# (only send/receive packets to/from my subnet)
$IPTABLES -A INPUT -p tcp --sport 515 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p tcp --sport 631 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 631 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 515 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 631 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 631 -d $MY_NETWORK/16 -j ACCEPT

# samba with netbios (only send/receive packets to/from my subnet)
## NOT TESTED ##
$IPTABLES -A INPUT -p tcp --sport 137:139 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 137:139 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 137:139 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 137:139 -d $MY_NETWORK/16 -j ACCEPT

# mysql (only send/receive packets to/from my subnet)
$IPTABLES -A INPUT -p tcp --sport 3306 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 3306 -s $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 3306 -d $MY_NETWORK/16 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 3306 -d $MY_NETWORK/16 -j ACCEPT

# block all incoming/outgoing that don't match rules above. must be last
# rule, or overrides other rules and blocks everything.
$IPTABLES -A INPUT -j DROP
$IPTABLES -A OUTPUT -j DROP |
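The script above accepts any inbound packet whose source port matches a service (80, 443, 53 ...), whether or not this host ever talked to that peer. A stateful version, added here as an example and not part of the thread, keeps the same shape but only admits replies to connections this host opened (the state match the posted script already uses for INVALID). It assumes eth0 as the external interface and a constructed 192.168.1.0/24 LAN; without an argument it only prints the rules, and as root `apply` loads them.

```shell
#!/bin/sh
# Added example, not the thread's script: stateful host firewall.
# Replies are accepted by connection state, never by source port.
IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-eth0}             # external interface (INTERFACE in the posted script)
LAN=${LAN:-192.168.1.0/24}       # constructed sample subnet; set it to your own
DRY_RUN=${DRY_RUN:-1}            # 1 = print rules only; "apply" argument sets 0
# Wrapper: prints the rule in dry-run mode, otherwise executes it.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else "$IPTABLES" "$@"; fi
}
# proto/port pairs this host may open as a client; replies return via state.
client_ports() {
    echo "tcp 80 tcp 443 udp 53 tcp 53 udp 123 tcp 21 tcp 993 tcp 995"
}
load_rules() {
    ipt -F
    ipt -X
    # default-deny policies replace the posted script's trailing "-j DROP" rules
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP        # loopback spoofing
    ipt -A INPUT -m state --state INVALID -j DROP
    # the key change: inbound traffic is matched by connection state
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    set -- $(client_ports)
    while [ $# -ge 2 ]; do
        ipt -A OUTPUT -o "$EXTIF" -p "$1" --dport "$2" -m state --state NEW -j ACCEPT
        shift 2
    done
    # LAN-only: outbound ssh to the local subnet, rate-limited inbound ping from it
    ipt -A OUTPUT -o "$EXTIF" -d "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$EXTIF" -s "$LAN" -p icmp --icmp-type echo-request \
        -m limit --limit 1/s -j ACCEPT
    # log (rate-limited) what the INPUT policy is about to drop, for later review
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
}
# "apply" loads the rules for real; the ftp helper makes the data channel RELATED
if [ "$1" = apply ]; then DRY_RUN=0; /sbin/modprobe nf_conntrack_ftp; fi
load_rules
```

Run it without arguments first and read the printed rules; the RELATED state is what lets active/passive FTP data connections through once the helper module is loaded.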
Thanks for the replies. I have some things I can study.
I have a couple more questions:
Is it better to run a firewall as a dedicated firewall like IPCop or a router, rather than on the same computer, or does it matter? Thanks for the help. |
And your last Q: you can route traffic with iptables, so in a sense you can set up a firewall as your router. |