Ubuntu: This forum is for the discussion of Ubuntu Linux.
~# cat /etc/firewall.bash
#!/bin/bash
# No spoofing
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > "$filtre"   # quote the path so the loop is safe with unusual file names
done
fi
# No icmp
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#load some modules you may need
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe iptable_filter
modprobe iptable_nat
# Remove all rules and chains
iptables -F
iptables -X
# first set the default behaviour => accept connections
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Create 2 chains, it allows to write a clean script
iptables -N FIREWALL
iptables -N TRUSTED
iptables -A INPUT -s 83.132.97.14 -j DROP
iptables -A INPUT -s 81.199.85.110 -j DROP
iptables -A INPUT -s 218.16.120.80 -j DROP
iptables -A INPUT -s 210.59.228.94 -j DROP
iptables -A INPUT -s 219.153.0.218 -j DROP
iptables -A INPUT -s 63.93.95.121 -j DROP
iptables -A INPUT -s 203.134.154.2 -j DROP
iptables -A INPUT -s 67.52.65.10 -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/255.0.0.0 -j DROP
iptables -A INPUT -d 127.0.0.0/255.0.0.0 -j DROP
iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
I want to be able to open up ports 25 and 110 on my router, but block all access from the outside apart from my local network. Can this be done?
I still want to be able to send and receive from the outside though. I hope that makes sense.
Your post above is ambiguous; is your router a hardware router (like a Linksys WRT54G) or are you using your Linux computer (that you're trying to develop a firewall for) as a router for the rest of your "localnetwork"? Are the other computers on your "localnetwork" connected to the Linux computer, or to a hardware router?
I will assume that you have your Linux computer attached to a hardware router, and that you are forwarding ports 25 and 110 from your router to the Linux computer. You want to block all other access. I will also assume that you don't need NAT masquerading (i.e. Internet sharing). If that's all you want, here is a simple iptables script (written for a Debian or Ubuntu based system):
Delete (after backing up, if you want) any firewall scripts you have done so far. Now, open a terminal and enter sudo gedit /etc/init.d/firewall. (If you don't have gedit, use any other text editor that you prefer). Cut and paste the following:
Code:
#!/bin/sh
# /etc/init.d/firewall
# from http://wiki.linuxquestions.org/wiki/A_basic_firewall_configuration_suitable_for_a_workstation
set -e
iptables="/sbin/iptables"
modprobe="/sbin/modprobe"
load () {
    echo "Loading kernel modules..."
    $modprobe ip_tables
    $modprobe ip_conntrack
    $modprobe iptable_filter
    $modprobe ipt_state
    $modprobe iptable_nat
    echo "Kernel modules loaded."
    echo "Loading rules..."
    $iptables -P FORWARD DROP
    $iptables -P INPUT DROP
    # open some ports
    $iptables -A INPUT -p tcp -m tcp --destination-port 25 -j ACCEPT
    $iptables -A INPUT -p tcp -m tcp --destination-port 110 -j ACCEPT
    # block out other access
    $iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
    $iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
    # defaults
    $iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
    $iptables -A INPUT -s 127.0.0.1 -j ACCEPT
    echo "Rules loaded."
}
flush () {
    echo "Flushing rules..."
    $iptables -P FORWARD ACCEPT
    $iptables -F INPUT
    $iptables -F FORWARD    # flush FORWARD too, or its rule is appended again on every restart
    $iptables -P INPUT ACCEPT
    echo "Rules flushed."
}
case "$1" in
    start|restart)
        flush
        load
        ;;
    stop)
        flush
        ;;
    *)
        echo "usage: start|stop|restart."
        ;;
esac
exit 0
Save and exit the text editor. In the terminal, enter sudo chmod +x /etc/init.d/firewall && sudo update-rc.d firewall defaults.
To start the firewall script manually, open a terminal and enter sudo /etc/init.d/firewall start; to stop it, enter sudo /etc/init.d/firewall stop; if you edit it and want to reload it, enter sudo /etc/init.d/firewall restart.
To remove the firewall from your start-up scripts, enter sudo update-rc.d firewall remove.
Quote:
Your post above is ambiguous; is your router a hardware router (like a Linksys WRT54G) or are you using your Linux computer (that you're trying to develop a firewall for) as a router for the rest of your "localnetwork"? Are the other computers on your "localnetwork" connected to the Linux computer, or to a hardware router?
No, I have a NB1300 Plus 4-port router; the rest of my computers (kids' PCs) are connected to the router, not my Linux box.
Quote:
I will assume that you have your Linux computer attached to a hardware router, and that you are forwarding ports 25 and 110 from your router to the Linux computer.
Yes, that's correct.
Quote:
You want to block all other access.
Yes, I want to be able to send and receive mail from local and the outside, but block all other access from the outside unless I give access, say like a brother connecting, if that makes sense.
Quote:
I will also assume that you don't need NAT masquerading (ie Internet sharing).
I can edit the hosts file on each PC to view my domain, but no one else connects to the server for ssh, only email, if that makes sense.
Please excuse me, I'm quite new to all the terms, but I'm slowly getting the hang of things.
Blocking incoming SMTP traffic is the norm because of people using your mail server to send SPAM. Blocking incoming POP traffic would be a bit unusual for an enterprise or a family with any members that travel.
You don't need to open ports 25 and 110 just to send and retrieve email. You would only need to open these ports if you were actually running a mail server from your Linux box. From your posts, it doesn't seem like you are doing this.
Leaving these ports open, when they are not needed, presents a security risk to you (especially port 25). I recommend that you keep them closed, and do not open them on your router, either.
Therefore, in the firewall script that I provided for you above, remove or comment out the lines for ports 25 and 110.
If you want to ssh into your Linux box, the default ssh port is 22. You would need to open port 22 on your Linux box; in the firewall script, simply add the line
Now having said this, you can also pick a different port for ssh traffic; I've done this myself, because I was getting a lot of automated botnet traffic trying to brute-force ssh logins on port 22. If you decide on a different port for ssh, just add it to your /etc/ssh/sshd_config file and restart your ssh server (see the comments in the sshd_config file for details).
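The two answers above converge on one design for a single-NIC Linux box behind a home router: default deny, loopback and established traffic allowed, ssh reachable only from the local network, and 25/110 opened only if a mail server really runs on the box. The script below is an added example that puts that design into a reviewable form; it is not the thread's /etc/init.d/firewall script and not the LinuxQuestions wiki's code. The LAN subnet 192.168.1.0/24, the ssh port 22, the iptables path and the function names gen_rules, accept_rules_for and apply_rules are constructed assumptions for this example; adjust the first three to your network. The generator prints the iptables commands instead of running them, so the ruleset can be read (or tested) without root, and only --apply feeds it to a shell.

```shell
#!/bin/sh
# Added example, not the thread's script: build a ruleset for a single-NIC
# Linux box behind a home router, admitting NEW connections only from the
# LAN subnet. The values below are constructed assumptions; change them.
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # the subnet the router hands out
SSH_PORT="${SSH_PORT:-22}"             # keep in step with Port in sshd_config
IPT="${IPT:-/sbin/iptables}"

# gen_rules [with_mail]: print one iptables command per line, executing
# nothing, so the ruleset can be reviewed or tested without root.
# Pass 1 as the argument only if a mail server actually runs on this box.
gen_rules() {
    with_mail="${1:-0}"
    # open the policies while rebuilding so an existing ssh session survives
    echo "$IPT -P INPUT ACCEPT"
    echo "$IPT -P FORWARD ACCEPT"
    echo "$IPT -F INPUT"
    echo "$IPT -F FORWARD"
    # loopback first: local daemons talking to each other must never be dropped
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    # a 127/8 source arriving on any other interface is spoofed
    echo "$IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP"
    # replies to connections this box opened, then anything conntrack cannot place
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A INPUT -m state --state INVALID -j DROP"
    # ssh from the LAN only; a connection the router forwards in from the
    # Internet normally keeps its public source address, so it does not match
    echo "$IPT -A INPUT -p tcp --dport $SSH_PORT -s $LAN_NET -m state --state NEW -j ACCEPT"
    if [ "$with_mail" = 1 ]; then
        for port in 25 110; do
            echo "$IPT -A INPUT -p tcp --dport $port -s $LAN_NET -m state --state NEW -j ACCEPT"
        done
    fi
    # log what is about to be refused, rate limited so a scan cannot fill the disk
    echo "$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'FW-DROP: '"
    # default deny goes last, once the accept rules are in place
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
}

# accept_rules_for PORT [with_mail]: number of LAN-only ACCEPT rules for that
# port; 1 means reachable from the LAN only, 0 means the port stays closed.
accept_rules_for() {
    gen_rules "${2:-0}" | grep -c -- "--dport $1 .*-s $LAN_NET .*-j ACCEPT" || true
}

# apply_rules [with_mail]: run the generated commands (needs root)
apply_rules() {
    gen_rules "${1:-0}" | sh -e
}

case "${1:-}" in
    --apply) apply_rules "${2:-0}" ;;
    *)       gen_rules "${2:-0}" ;;
esac
```

Run it without arguments to read the ruleset it would install, then sudo sh firewall-lan.sh --apply (or --apply 1 if the box really serves mail) to load it, and iptables -L INPUT -n -v to confirm the counters move on the rules you expect. Because the LAN-only match is on the source address, the kids' PCs behind the same router can still reach ssh while a port the router forwards from the Internet is refused and logged.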