SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
#!/bin/bash
# These two rules set the default policies, i.e. what to do if a
# packet doesn't match any other rule, to drop any packet coming
# into (INPUT) or routing through (FORWARD) the box.
iptables -P INPUT DROP
iptables -P FORWARD DROP
# These rules are added (-A) to the INPUT chain. They allow packets
# from any previously established connections and accept anything
# from the loopback interface.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
# Below rule is needed ONLY if you want to have ssh connections.
# Comment this line if you do NOT want to use ssh connections.
# This rule added to the INPUT chain accepts any ssh connections.
# Change ethx to reflect your network setup, i.e. use the name
# of the device that connects to the Internet (e.g. eth0).
iptables -A INPUT -p tcp --dport 22 -i ethx -j ACCEPT
(Honestly, I can't understand this script.)
Is it really necessary for a newly intalled slackware to have this firewall script?
In the commented part, you can read exactly what the rules do. It's a very well documented script, so read the comments and you understand what it does.
For security reasons, it is advisable to have a script like this one, to prevent unwanted connections from the outside world to services you have running locally and listening on ports. (httpd, cups, samba are some things that come to mind as services that one may commonly find running)
For more information on iptables: man iptables
In essence, it is a firewall that builds a wall on your network device(s) with "peekholes" for the ports that you open up. As far as I know, you can't do content scanning / validation. (if anyone knows about such setups, I'd be interested to see how ISA servers can easily be replaced ;-)
bad day to post that considering slackware.com's dns is up the swanny.
Here's the one I've been using for a while now:
Code:
#!/bin/sh
IPT='/usr/sbin/iptables'
MODPROBE="/sbin/modprobe"
########################################################################
# Load FTP connection tracking helper modules
# (needed for proper operation of ftp client connections)
$MODPROBE nf_conntrack
$MODPROBE nf_conntrack_ftp
########################################################################
# Set default policies for packets that get to the end of a chain
# without matching a rule.
# DROP packets on reaching end of INPUT, FORWARD and OUTPUT chain
# (a.k.a "Better safe than sorry" mode)
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
# These next ones aren't strictly necessary as we're not using these
# chains, but setting them to a known state is never a bad idea.
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT
########################################################################
# Flush any existing rules and chains
#
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw
########################################################################
# Now insert our own ruleset
#
# INPUT CHAIN
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# Example of opening up ports to new incoming connections
# $IPT -A INPUT -p tcp -i eth0 -m multiport --dports 21,22,25,80,443 \
# --syn -m state --state NEW -j ACCEPT
# OUTPUT CHAIN
$IPT -A OUTPUT -j ACCEPT
########################################################################
Robby's firewall scripts are pretty awesome! He provides enough scripts to at least get you going regardless of your set up. They are very easy to follow too!
Is it really necessary for a newly intalled slackware to have this firewall script?
Depends. If you are behind a router, I'd say not really.
The only time I would enable the firewall would be a computer; I want to isolate on my LAN, running in the DMZ, running open ports, or direct (ISP box) connection to the Internet.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
