Ubuntu: This forum is for the discussion of Ubuntu Linux.
iptables
Hi all
Anyone who has used iptables with Ubuntu care to point me to an easy-to-understand tutorial, please?
I've tried and tried, but I can't get the hang of the major tutorials out there.
I have a script and I'm wondering whether this will run on Ubuntu 6.0.6-1.
As you can see this was created some time ago for me; I haven't used it since, but now it's time to try to work it out. Anyone care to teach me or point me to a very basic tutorial, please?
Code:
*mangle
:PREROUTING ACCEPT [1:576]
:INPUT ACCEPT [1:576]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [2:1152]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [6:3456]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Generated by iptables-save v1.2.9 on Tue Sep 21 12:29:55 2004
*mangle
:PREROUTING ACCEPT [1644:139895]
:INPUT ACCEPT [1644:139895]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1533:369026]
:POSTROUTING ACCEPT [1532:368906]
COMMIT
# Completed on Tue Sep 21 12:29:55 2004
# Generated by iptables-save v1.2.9 on Tue Sep 21 12:29:55 2004
*nat
:PREROUTING ACCEPT [25:3104]
:POSTROUTING ACCEPT [11:736]
:OUTPUT ACCEPT [11:736]
COMMIT
# Completed on Tue Sep 21 12:29:55 2004
# Generated by iptables-save v1.2.9 on Tue Sep 21 12:29:55 2004
*filter
# Default policies: anything not explicitly accepted below is dropped.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [1:120]
:REJECT-PKT - [0:0]
# Blacklisted source addresses.
-A INPUT -s 83.132.97.14 -j DROP
-A INPUT -s 81.199.85.110 -j DROP
-A INPUT -s 218.16.120.80 -j DROP
-A INPUT -s 210.59.228.94 -j DROP
-A INPUT -s 219.153.0.218 -j DROP
-A INPUT -s 63.93.95.121 -j DROP
-A INPUT -s 203.134.154.2 -j DROP
-A INPUT -s 67.52.65.10 -j DROP
# Loopback is trusted; 127/8 addresses arriving on any other interface are spoofed.
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -j DROP
-A INPUT -d 127.0.0.0/255.0.0.0 -j DROP
# A new TCP connection must begin with a bare SYN.
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
# Replies belonging to connections this host already has.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Ping (echo request) and the published services; MySQL is commented out.
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# Everything else is answered with an explicit reject (see REJECT-PKT below).
-A INPUT -j REJECT-PKT
# OUTPUT policy is DROP, so only packets from these source ranges may leave.
-A OUTPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT
-A OUTPUT -s 10.0.0.0/255.0.0.0 -j ACCEPT
-A OUTPUT -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A REJECT-PKT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A REJECT-PKT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Tue Sep 21 12:29:55 2004
iptables can be a bit confusing. I recommend you investigate firestarter which is a GUI setup for iptables. The firestarter daemon must be run with each boot but the GUI portion only need be run when you want to look at the logs.
Original Poster
Quote:
Originally Posted by fragos
iptables can be a bit confusing. I recommend you investigate firestarter which is a GUI setup for iptables. The firestarter daemon must be run with each boot but the GUI portion only need be run when you want to look at the logs.
Thanks for the tip, but I run a command-line server,
building as we speak.
Any other ideas? I remember using a firewall before on a Fedora system by running the command redhat-config-firewall, I think it was; is there anything like that around?
Or can I load that script I have and save it? The only problem is, if I stuff up, how can I reset iptables? I have the same network as before; it hasn't changed that much.
Original Poster
When adding pre-up iptables-restore < /etc/iptables.up.rules
to the /etc/network/interfaces script
I get heaps of startup errors.
Why is this so?
I saved a file /etc/iptables.up.rules with my new rules:
Code:
# Generated by iptables-save v1.3.3 on Sat Jun 23 14:26:42 2007
*filter
:INPUT ACCEPT [955:73113]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [739:286876]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Sat Jun 23 14:26:42 2007
and I also saved a copy called /etc/iptables.test.rules
Code:
# Generated by iptables-save v1.3.3 on Sat Jun 23 14:10:10 2007
*filter
:INPUT ACCEPT [865:64590]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [525:201202]
COMMIT
# Completed on Sat Jun 23 14:10:10 2007
Ports found to be STEALTH were: 21, 23, 135, 139, 254, 255, 445, 593
Other than what is listed above, all ports are CLOSED.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
But when I use nmap and scan the server PC, which is on my network, it shows me this:
Quote:
When I ran /etc/init.d/firewall stop:
Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-24 14:22 WST
Interesting ports on rockinghamgateway.com (192.168.1.4):
Not shown: 1687 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
993/tcp open imaps
995/tcp open pop3s
3306/tcp open mysql
Nmap finished: 1 IP address (1 host up) scanned in 0.235 seconds
When I ran /etc/init.d/firewall restart:
Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-24 14:23 WST
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap finished: 1 IP address (0 hosts up) scanned in 4.007 seconds
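A small simulator, added here as an example and not part of the thread, that walks the INPUT chain of an iptables-save dump for a new TCP connection and reports which of the ports nmap found open with the firewall stopped would still be reachable once the rules are loaded. The rule text and port list are copied from the posts above; the simulator only understands the match options used in the saved file and refuses rules with `!` negation rather than misjudging them.

```python
# Constructed from the thread: the /etc/iptables.up.rules file (counters zeroed).
UP_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
COMMIT
"""
# The /etc/iptables.test.rules file from the thread: ACCEPT policies and no rules.
TEST_RULES = "*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n"
# TCP ports nmap reported open on 192.168.1.4 with /etc/init.d/firewall stopped.
OPEN_WITH_FIREWALL_DOWN = [22, 25, 53, 80, 110, 143, 443, 993, 995, 3306]

def parse_filter(text):
    """Return (chain policies, -A rules as token lists) for the *filter table."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"): continue  # iptables-restore skips comments
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]  # ":INPUT ACCEPT [pkts:bytes]"
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A "):
            rules.append(line.split())
    return policies, rules

def verdict_for_new_tcp(policies, rules, port, iface="eth0"):
    """First matching INPUT rule wins for a NEW TCP SYN to dport arriving on iface."""
    for r in rules:
        if "!" in r: raise ValueError("negated match not supported: " + " ".join(r))
        if r[1] != "INPUT": continue
        opt = dict(zip(r[2::2], r[3::2]))  # "-i eth0 -p tcp ..." -> {"-i": "eth0", ...}
        if opt.get("-i", iface) != iface: continue            # wrong interface
        if opt.get("-p", "tcp") != "tcp": continue            # not a TCP rule
        if opt.get("--dport", str(port)) != str(port): continue
        if "NEW" not in opt.get("--state", "NEW").split(","): continue
        return opt["-j"]                                      # terminal target
    return policies.get("INPUT", "ACCEPT")  # fell off the chain: default policy applies

def reachable_ports(text, open_ports, iface="eth0"):
    policies, rules = parse_filter(text)
    return [p for p in open_ports if verdict_for_new_tcp(policies, rules, p, iface) == "ACCEPT"]
```

With iptables.up.rules loaded only 22 and 80 stay reachable from eth0, while iptables.test.rules leaves every port nmap listed open. The same walk explains the second nmap run: nothing in the file accepts ICMP, so the ping probe hits the final DROP and nmap reports the host down.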