LinuxQuestions.org
Old 06-24-2007, 07:54 PM   #16
tommytomato
Member
 
Registered: Nov 2003
Location: Narrogin Western Australia
Distribution: GUI Ubuntu 14.0.4 - Server Ubuntu 14.04.5 LTS
Posts: 963

Original Poster
Rep: Reputation: 32

Quote:
Originally Posted by spurious
Quote:
Originally Posted by tommytomato
Can anyone please tell me why I get this error

Code:
/etc/init.d/firewall restart
Removing all iptables rules:  [End of flush]
Iptables rules creation: iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
iptables: Invalid argument
Please post your firewall iptables script.
here it is

Code:
~# cat /etc/firewall.bash
#!/bin/bash

# No spoofing: enable reverse-path filtering on every interface
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > $filtre
    done
fi

# No icmp: the box will not answer ping (unicast or broadcast)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# load some modules you may need
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe iptable_filter
modprobe iptable_nat

# Remove all rules and chains
iptables -F
iptables -X

# first set the default behaviour => accept connections
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Create 2 chains, it allows to write a clean script
# (neither chain is referenced by any rule below)
iptables -N FIREWALL
iptables -N TRUSTED

# Blacklist of individual hosts
iptables -A INPUT -s 83.132.97.14 -j DROP
iptables -A INPUT -s 81.199.85.110 -j DROP
iptables -A INPUT -s 218.16.120.80 -j DROP
iptables -A INPUT -s 210.59.228.94 -j DROP
iptables -A INPUT -s 219.153.0.218 -j DROP
iptables -A INPUT -s 63.93.95.121 -j DROP
iptables -A INPUT -s 203.134.154.2 -j DROP
iptables -A INPUT -s 67.52.65.10 -j DROP

# Loopback is trusted; loopback addresses on any other interface are spoofed
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/255.0.0.0 -j DROP
iptables -A INPUT -d 127.0.0.0/255.0.0.0 -j DROP

# New TCP connections must start with a bare SYN
iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

# Services reachable from anywhere: ssh, smtp, http, pop3
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
I want to be able to open up ports 25 and 110 on my router, but block all access from the outside apart from my local network, can this be done?

I still want to be able to send and receive from the outside though, I hope that makes sense.

TT
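The four bare "iptables: Invalid argument" lines in the error above come from a script that runs dozens of rules but never says which one was rejected. The helper below is an added example, not code from the thread: it runs an iptables script one rule at a time through the binary named in IPTABLES and reports the line number, the rule and the captured error for each rejected rule instead of stopping at the first one. It assumes one rule per line, each starting with "iptables", as in the script above; the IPTABLES override exists so the runner can be tried against a stub before it is run as root.

```shell
#!/bin/sh
# rule_runner.sh: run an iptables script one rule at a time and report which
# lines fail. Added example for this thread, not part of either script above.
# Every rule is executed through $IPTABLES (default /sbin/iptables) so the
# runner can be exercised with a stub binary before running it for real.

IPTABLES="${IPTABLES:-/sbin/iptables}"

# run_rules FILE: execute every line of FILE that begins with "iptables",
# individually, and keep going after a failure. Prints
#   line N: <rule>
#       <stderr of iptables>
# for each rejected rule, then "failed: K of M rules". Returns 1 if any failed.
# Assumption: one rule per line, no shell quoting inside the rule (true of the
# scripts in this thread); the arguments are word-split before the call.
run_rules() {
    file="$1"
    total=0
    failed=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # drop leading whitespace, then skip blanks, comments and non-rule lines
        rule="${line#"${line%%[![:space:]]*}"}"
        case "$rule" in
            iptables\ *) ;;
            *) continue ;;
        esac
        total=$((total + 1))
        args="${rule#iptables }"
        # capture stderr only; stdout of iptables is noise for this purpose
        # shellcheck disable=SC2086
        if err=$($IPTABLES $args 2>&1 >/dev/null); then
            :
        else
            failed=$((failed + 1))
            printf 'line %d: %s\n    %s\n' "$lineno" "$rule" "$err"
        fi
    done < "$file"
    printf 'failed: %d of %d rules\n' "$failed" "$total"
    [ "$failed" -eq 0 ]
}

# usage: sudo sh rule_runner.sh /etc/firewall.bash
if [ -n "${1-}" ]; then
    run_rules "$1"
fi
```

Run it as root against the script that produced the error and the offending rules are named; the same "Invalid argument" with a working rule syntax usually points at an iptables binary built for a different kernel or a match module (here "-m state") that the running kernel does not provide, which "iptables -V", "uname -r" and "lsmod" will confirm.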
 
Old 06-26-2007, 10:28 PM   #17
spurious
Member
 
Registered: Apr 2003
Location: Vancouver, BC
Distribution: Slackware, Ubuntu
Posts: 558

Rep: Reputation: 31
Quote:
I want to be able to open up ports 25 and 110 on my router, but block all access from the outside apart from my local network, can this be done?

I still want to be able to send and receive from the outside though, I hope that makes sense.
Your post above is ambiguous; is your router a hardware router (like a Linksys WRT54G) or are you using your Linux computer (that you're trying to develop a firewall for) as a router for the rest of your "localnetwork"? Are the other computers on your "localnetwork" connected to the Linux computer, or to a hardware router?

I will assume that you have your Linux computer attached to a hardware router, and that you are forwarding ports 25 and 110 from your router to the Linux computer. You want to block all other access. I will also assume that you don't need NAT masquerading (i.e. Internet sharing). If that's all you want, here is a simple iptables script (written for a Debian or Ubuntu based system):

Delete (after backing up, if you want) any firewall scripts you have done so far. Now, open a terminal and enter sudo gedit /etc/init.d/firewall. (If you don't have gedit, use any other text editor that you prefer). Cut and paste the following:

Code:
#!/bin/sh
# /etc/init.d/firewall
# from http://wiki.linuxquestions.org/wiki/A_basic_firewall_configuration_suitable_for_a_workstation

# abort on the first failing command so a rejected rule is not silently skipped
set -e

iptables="/sbin/iptables"
modprobe="/sbin/modprobe"

load () {

 echo "Loading kernel modules..."
 # 2.6-era module names; newer kernels call these nf_conntrack and xt_state
 # and load them on demand, and with set -e a failing modprobe stops the
 # script before any rule is installed
 $modprobe ip_tables
 $modprobe ip_conntrack
 $modprobe iptable_filter
 $modprobe ipt_state
 $modprobe iptable_nat
 echo "Kernel modules loaded."

 echo "Loading rules..."
 # default policies: anything no rule below accepts is dropped
 $iptables -P FORWARD DROP
 $iptables -P INPUT DROP

 # open some ports (remove these two lines if no mail server runs on this box)
 $iptables -A INPUT -p tcp -m tcp --destination-port 25 -j ACCEPT
 $iptables -A INPUT -p tcp -m tcp --destination-port 110 -j ACCEPT

 # block out other access: new or invalid connections arriving on eth0
 $iptables -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
 $iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

 # defaults: replies to connections this box started, and loopback traffic
 $iptables -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
 $iptables -A INPUT -s 127.0.0.1 -j ACCEPT

 echo "Rules loaded."

}

flush () {

 echo "Flushing rules..."
 # flush FORWARD as well as INPUT, otherwise every restart appends another
 # copy of the FORWARD rule
 $iptables -P FORWARD ACCEPT
 $iptables -F FORWARD
 $iptables -F INPUT
 $iptables -P INPUT ACCEPT
 echo "Rules flushed."

}

case "$1" in

 start|restart)
   flush
   load
   ;;
 stop)
   flush
   ;;
 *)
   echo "usage: start|stop|restart."
   ;;

esac
exit 0
Save and exit the text editor. In the terminal, enter sudo chmod +x /etc/init.d/firewall && sudo update-rc.d firewall defaults.

To start the firewall script manually, open a terminal and enter sudo /etc/init.d/firewall start; to stop it, enter sudo /etc/init.d/firewall stop; if you edit it and want to reload it, enter sudo /etc/init.d/firewall restart.

To remove the firewall from your start-up scripts, enter sudo update-rc.d firewall remove

Hope this helps.
 
Old 06-27-2007, 05:20 AM   #18
tommytomato
Member
 
Registered: Nov 2003
Location: Narrogin Western Australia
Distribution: GUI Ubuntu 14.0.4 - Server Ubuntu 14.04.5 LTS
Posts: 963

Original Poster
Rep: Reputation: 32
Quote:
Your post above is ambiguous; is your router a hardware router (like a Linksys WRT54G) or are you using your Linux computer (that you're trying to develop a firewall for) as a router for the rest of your "localnetwork"? Are the other computers on your "localnetwork" connected to the Linux computer, or to a hardware router?
No, I have an NB1300 Plus 4-port router; the rest of my computers (kids' PCs) are connected to the router, not my Linux box.

Quote:
I will assume that you have your Linux computer attached to a hardware router, and that you are forwarding ports 25 and 110 from your router to the Linux computer.
Yes, that's correct.

Quote:
You want to block all other access.
Yes, I want to be able to send and receive mail from local and the outside, but block all other access from the outside unless I give access, say like a brother connecting, if that makes sense.

Quote:
I will also assume that you don't need NAT masquerading (ie Internet sharing).
I can edit the hosts file on each PC to view my domain, but no one else connects to the server for ssh, only email, if that makes sense.

Please excuse me, I'm quite new to all the terms, but I'm slowly getting the hang of things.

TT
 
Old 06-27-2007, 02:53 PM   #19
fragos
Senior Member
 
Registered: May 2004
Location: Fresno CA USA
Distribution: Ubuntu 10.10
Posts: 1,466

Rep: Reputation: 51
Blocking incoming SMTP traffic is the norm because of people using your mail server to send SPAM. Blocking incoming POP traffic would be a bit unusual for an enterprise or a family with any members that travel.
 
Old 06-30-2007, 02:40 PM   #20
spurious
Member
 
Registered: Apr 2003
Location: Vancouver, BC
Distribution: Slackware, Ubuntu
Posts: 558

Rep: Reputation: 31
Quote:
Originally Posted by tommytomato
No, I have an NB1300 Plus 4-port router; the rest of my computers (kids' PCs) are connected to the router, not my Linux box.

Yes, that's correct.

Yes, I want to be able to send and receive mail from local and the outside, but block all other access from the outside unless I give access, say like a brother connecting, if that makes sense.

I can edit the hosts file on each PC to view my domain, but no one else connects to the server for ssh, only email, if that makes sense.

Please excuse me, I'm quite new to all the terms, but I'm slowly getting the hang of things.

TT
You don't need to open ports 25 and 110 just to send and retrieve email. You would only need to open these ports if you were actually running a mail server from your Linux box. From your posts, it doesn't seem like you are doing this.

Leaving these ports open, when they are not needed, presents a security risk to you (especially port 25). I recommend that you keep them closed, and do not open them on your router, either.

Therefore, in the firewall script that I provided for you above, remove or comment out the lines for ports 25 and 110.

If you want to ssh into your Linux box, the default ssh port is 22. You would need to open port 22 on your Linux box; in the firewall script, simply add the line

$iptables -A INPUT -p tcp -m tcp --destination-port 22 -j ACCEPT

under the ##### Ports ###### section.

Now having said this, you can also pick a different port for ssh traffic; I've done this myself, because I was getting a lot of automated botnet traffic trying to bruteforce ssh login attempts on port 22. If you decide on a different port for ssh, just add it to your /etc/ssh/sshd_config file and restart your ssh server (see the comments in the sshd_config file for details).
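Pulling together the script in post #17 and the advice in this post (keep 25 and 110 closed unless a mail server actually runs on the box, open ssh, expect brute-force noise on port 22), here is an added example of how the same firewall can be written today. It is not spurious's script and not from the thread. It assumes the LAN behind the NB1300 is 192.168.1.0/24 and that iptables-restore and the conntrack and recent matches are available; the address range and the port lists are assumptions to adjust. The ruleset is generated as one iptables-save text and loaded atomically, ssh is accepted only from the LAN and throttled per source, and the mail ports stay closed unless PUBLIC_TCP lists them.

```shell
#!/bin/sh
# gen_firewall.sh: generate and atomically load the filter policy for one
# Linux box behind a NAT router, no internet sharing. Added example for this
# thread, not the script from post #17. LAN_NET and the port lists are
# assumptions; change them before use.
#
#   sh gen_firewall.sh show          print the ruleset for review
#   sudo sh gen_firewall.sh apply    load it with iptables-restore

LAN_NET="${LAN_NET-192.168.1.0/24}"   # assumed: the LAN behind the NB1300
LAN_TCP="${LAN_TCP-22}"               # TCP ports reachable from the LAN only
PUBLIC_TCP="${PUBLIC_TCP-}"           # TCP ports reachable from anywhere, e.g. "25 110"
SSH_PORT="${SSH_PORT-22}"             # port sshd listens on, for the throttle

# build_rules: write the whole ruleset in iptables-save format to stdout.
# Order matters: loopback and existing connections first, invalid packets
# dropped, then the per-port accepts; everything else hits the DROP policy.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # ssh throttle: the 5th new connection from one source within 60 s is
    # dropped; this applies to LAN sources too, which is deliberate
    printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -m recent --name ssh --set\n' "$SSH_PORT"
    printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP\n' "$SSH_PORT"
    # services for the LAN only
    for p in $LAN_TCP; do
        printf -- '-A INPUT -s %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$LAN_NET" "$p"
    done
    # services for everyone (empty by default, so 25 and 110 stay closed)
    for p in $PUBLIC_TCP; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    # stay pingable from the LAN only
    printf -- '-A INPUT -s %s -p icmp --icmp-type echo-request -j ACCEPT\n' "$LAN_NET"
    echo COMMIT
}

# apply_rules: load the set atomically (needs root). iptables-restore rejects
# the whole set if any line is bad, so a typo cannot leave the box
# half-configured the way a line-by-line script can.
apply_rules() {
    build_rules | iptables-restore
}

case "${1-}" in
    show)  build_rules ;;
    apply) apply_rules ;;
esac
```

To open the mail ports for a real mail server, run it as PUBLIC_TCP="25 110" sh gen_firewall.sh apply; if sshd is moved off port 22 as suggested above, set SSH_PORT and LAN_TCP to the new port. Persist the result with iptables-save into /etc/iptables/rules.v4 (the iptables-persistent package reloads it at boot), and keep a second session open while applying, since a mistake in LAN_NET locks out ssh until the rules are reloaded at the console.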
 