LinuxQuestions.org


Hacker X 12-10-2007 02:27 PM

Using iptables
 
The Packet Filtering HowTo
http://www.netfilter.org/documentati...OWTO.html#toc1

seems to say that all you need to do to use iptables is make an init script that sets up the tables in the kernel.

I have a personal pc with a dsl modem connected to the ethernet card.

Two questions:
1. Is that all there is to it, or is there anything else you have to do?
2. Is there some documentation on how to design good ip tables?

EDIT: I have the iptables tutorial, maybe that's enough. I'll post more specific questions if necessary.

ehawk 12-10-2007 07:18 PM

http://iptables-tutorial.frozentux.n...-tutorial.html

win32sux 12-10-2007 10:26 PM

Quote:

Originally Posted by Hacker X (Post 2986304)
seems to say that all you need to do to use iptables is make an init script that sets up the tables in the kernel.

There's basically two approaches. The first is to make a shell script with your iptables commands in it and set that script to execute at boot. The second approach is to execute your iptables commands (either at the command line or from a script), and then save the active configuration to a file, using the iptables-save command. This approach is used a lot on boxes in which the startup scripts are "factory set" to use iptables-restore to activate a saved configuration. Typically the file used for storing the config is /etc/sysconfig/iptables. If you use the first approach, make sure you can do it so that the iptables commands are executed prior to the network being activated, as otherwise there will be a small window of exposure when your firewall rules aren't active. Distros that use the second method already take this into consideration.

Hacker X 12-11-2007 02:27 PM

Quote:

Originally Posted by ehawk (Post 2986590)

This tutorial is insanely long. The best news is that much of it seems unnecessary for a single home pc.

Quote:

Originally Posted by win32sux (Post 2986713)
There's basically two approaches. ... shell script ... iptables-save ...

Thanks, that's simple enough. So the answer to my first question is No?
I didn't know if there's some software to download, a bunch of config files to edit, or what.

Quote:

Distros that use the second method already take this into consideration.
My system has /usr/sbin/iptables-[save|restore], but that's all I know about it so far.

win32sux 12-11-2007 08:29 PM

Quote:

Originally Posted by Hacker X (Post 2987458)
Thanks, that's simple enough. So the answer to my first question is No?
I didn't know if there's some software to download, a bunch of config files to edit, or what.

You're using Zenwalk right? IIRC, that's a distro based on Slackware. So if they kept the "Slackware way" intact, you basically just need to create a /etc/rc.d/rc.firewall file with your iptables commands in it. Patrick Volkerding (the Slackware creator/maintainer) has already designed the startup scripts such that rc.firewall is loaded at the proper time. So yeah, on Slackware-based distros you basically just stick your iptables script in /etc/rc.d/rc.firewall and you're done.

For a home PC, said script can be super simple, like say:
Code:

#!/bin/sh
iptables -P INPUT DROP
iptables -F INPUT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

This extremely simple script would provide you with a full stealth firewall configuration.

EDIT: Remember to make the rc.firewall root-owned and executable.

Hacker X 12-12-2007 12:14 AM

Quote:

Originally Posted by win32sux (Post 2987783)
You're using Zenwalk right?

Yes.
Quote:

you basically just need to create a /etc/rc.d/rc.firewall file with your iptables commands in it.
In /etc, inittab calls rc.d/rc.M in multiuser mode, rc.M is already set up to call rc.netfilter if it's executable, and rc.netfilter has some calls to iptables and a function where I can put more. Do I need rc.firewall in addition to that, or is rc.netfilter some kind of substitute?

Quote:

For a home PC, said script can be super simple, like say:
Code:

#!/bin/sh
iptables -P INPUT DROP
iptables -F INPUT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT


Thanks, I'll try that.

Quote:

This extremely simple script would provide you with a full stealth firewall configuration.
Good. Is there any reason I would want to allow forwarding?
This line is in rc.netfilter:
Code:

iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

win32sux 12-12-2007 01:19 AM

Quote:

Originally Posted by Hacker X (Post 2987918)
In /etc, inittab calls rc.d/rc.M in multiuser mode, rc.M is already set up to call rc.netfilter if it's executable, and rc.netfilter has some calls to iptables and a function where I can put more. Do I need rc.firewall in addition to that, or is rc.netfilter some kind of substitute?

Sounds like the Zenwalk developers decided to tweak the "Slackware way" a little bit. I would expect rc.netfilter to be their replacement, so you'd only need to use that. I only say this because it would be quite weird IMHO to have two different files for setting up the firewall rules. So yeah, just stick the rules in rc.netfilter. Then reboot and check that they became active by doing a:
Code:

iptables -nvL

Quote:

Good. Is there any reason I would want to allow forwarding?
This line is in rc.netfilter:
Code:

iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

The only reason to have FORWARD rules is if you have forwarding enabled, which would only be necessary if your box is configured to act as a gateway for a LAN or something of that nature. You can check if forwarding is enabled by doing a:
Code:

cat /proc/sys/net/ipv4/ip_forward

If you get a zero as output, then forwarding is disabled - in which case any FORWARD rules will be pointless. So if you aren't a gateway, there's no need for any FORWARD rules.

BTW, can you post the contents of the default rc.netfilter file? I did a quick google and I got the impression it uses some sort of special layout, unlike rc.firewall.

EDIT: According to this post on the Zenwalk forums, you just need to use iptables-save to save the configuration to the /etc/netfilter/policy.netfilter file. The startup script will pick it up from there. I don't know if this is true, though. I downloaded the Zenwalk manual and searched through it but couldn't find anything about how Zenwalk wants firewall rules to be set. I think you should get much better support in the LQ Zenwalk forum, as this is extremely distro-specific. So I'm moving this thread over there, and leaving a permanent redirect here in Security.
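The two checks win32sux suggests (look at `iptables -nvL` after the reboot, and look at ip_forward to see whether FORWARD rules matter at all) can be turned into a small audit. The script below is an added example, not code from the thread or from Zenwalk: it parses the text of `iptables -nvL` and the ip_forward value, both passed in as arguments, so it can be run against captured output without root. The two listings embedded in it are constructed to look like a box running win32sux's rc.firewall and a box running only the shipped FORWARD rule; the function names are my own.

```shell
#!/bin/sh
# Post-reboot firewall audit for a single home PC (added example).
# Inputs: the text of `iptables -nvL` and the value of
# /proc/sys/net/ipv4/ip_forward, both given as arguments.

# Print the default policy of CHAIN ("Chain INPUT (policy DROP ...)").
chain_policy() {
    printf '%s\n' "$1" | awk -v c="$2" '$1 == "Chain" && $2 == c { print $4 }'
}

# Count rule lines in CHAIN; rule lines start with the pkts counter (12, 12K, ...).
chain_rule_count() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "Chain"                      { cur = $2; next }
        cur == c && $1 ~ /^[0-9]+[KMG]?$/  { n++ }
        END                                { print n + 0 }'
}

# Print 1 if CHAIN has an ACCEPT rule whose "in" interface is lo, else 0.
has_loopback_accept() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "Chain"                              { cur = $2; next }
        cur == c && $3 == "ACCEPT" && $6 == "lo"   { found = 1 }
        END                                        { print found + 0 }'
}

# Print 1 if CHAIN has an ACCEPT rule matching ESTABLISHED state, else 0.
has_state_accept() {
    printf '%s\n' "$1" | awk -v c="$2" '
        $1 == "Chain"                                  { cur = $2; next }
        cur == c && $3 == "ACCEPT" && /ESTABLISHED/    { found = 1 }
        END                                            { print found + 0 }'
}

# audit_firewall LISTING IP_FORWARD: one finding per line; returns 1 if any.
audit_firewall() {
    listing=$1; ip_forward=$2; rc=0
    if [ "$(chain_policy "$listing" INPUT)" != "DROP" ]; then
        echo "INPUT policy is not DROP: unsolicited inbound packets are accepted"; rc=1
    fi
    if [ "$(has_loopback_accept "$listing" INPUT)" -ne 1 ]; then
        echo "no ACCEPT rule for lo: local services talking to 127.0.0.1 will break"; rc=1
    fi
    if [ "$(has_state_accept "$listing" INPUT)" -ne 1 ]; then
        echo "no RELATED,ESTABLISHED rule in INPUT: replies to your own connections are dropped"; rc=1
    fi
    fwd_rules=$(chain_rule_count "$listing" FORWARD)
    if [ "$ip_forward" -eq 0 ] && [ "$fwd_rules" -gt 0 ]; then
        echo "FORWARD has $fwd_rules rule(s) but ip_forward=0: they are never consulted"; rc=1
    fi
    if [ "$ip_forward" -ne 0 ] && [ "$(chain_policy "$listing" FORWARD)" != "DROP" ]; then
        echo "forwarding is enabled and FORWARD policy is not DROP"; rc=1
    fi
    return $rc
}

# Constructed sample: what `iptables -nvL` shows after win32sux's rc.firewall.
SAMPLE_STEALTH=$(cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
)

# Constructed sample: only the shipped FORWARD rule, INPUT wide open.
SAMPLE_SHIPPED=$(cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
)

# Run against the live box (needs root) with: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_firewall "$(iptables -nvL)" "$(cat /proc/sys/net/ipv4/ip_forward)"
fi
```

Against the first sample with ip_forward=0 the audit prints nothing and returns 0; against the second it reports four findings, the last being the "pointless" FORWARD rule win32sux describes.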

bioe007 12-17-2007 02:08 PM

@Hacker X, what version & edition of zenwalk are you running?

current is 4.8, snapshot is 5.0. but anyways, the 'stock' zenwalk init scripts include a firewall in /etc/rc.d/rc.inet1

if you want an rc.firewall script you can do so but have to modify /etc/rc.d/rc.inet1 to source rc.firewall

like this:
Code:

########################
# LOAD FIREWALL POLICY #
########################

load_netfilter(){
    if [ "${NETFILTER}" = "yes" ]; then
        ## Load the saved policy
        if [ -e /etc/netfilter/policy.netfilter ]; then
            sh /etc/rc.d/rc.firewall restore
        # start firewall
        else
            sh /etc/rc.d/rc.firewall
            sh /etc/rc.d/rc.firewall save
        fi
    # flush
    else
        sh /etc/rc.d/rc.firewall stop
    fi
}

this is how I do it. I have only been using zenwalk since 4.6, never seen an rc.netfilter file. Keeping the control by $NETFILTER variable allows you to switch it on/off from the settings manager network config gui.

I'm not an iptables guru though, I just use Alien Bob's easy firewall generator to create rc.firewall.

hth
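bioe007's load_netfilter() hook expects /etc/rc.d/rc.firewall to understand the `restore`, `save` and `stop` arguments (and to start the firewall when called with none), while win32sux's four-line script above only ever starts it. The script below, an added example that is neither Zenwalk's, Slackware's nor the thread's own code, combines the two: it applies the same stateful default-deny rule set and adds the subcommands the hook calls. It assumes the policy file path from the thread, /etc/netfilter/policy.netfilter, and the binary locations are overridable through environment variables so the rule set can be dry-run with IPTABLES=echo without root.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall for a single home PC (added example).
# Subcommands: start (default) | stop | save | restore, matching the
# calls made by the load_netfilter() hook in rc.inet1.
# Paths below are assumptions; override them via the environment.

IPTABLES=${IPTABLES:-/usr/sbin/iptables}
IPTABLES_SAVE=${IPTABLES_SAVE:-/usr/sbin/iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-/usr/sbin/iptables-restore}
POLICY_FILE=${POLICY_FILE:-/etc/netfilter/policy.netfilter}

# Default-deny inbound; allow loopback and replies to our own connections.
fw_start() {
    # Policies first, so nothing gets in while the chains are being rebuilt.
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP        # not a gateway, so nothing is forwarded
    "$IPTABLES" -P OUTPUT ACCEPT
    "$IPTABLES" -F INPUT
    "$IPTABLES" -F FORWARD
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Packets the conntrack state machine cannot place in any flow.
    "$IPTABLES" -A INPUT -m state --state INVALID -j DROP
}

# Open everything up (what the NETFILTER=no branch of the hook wants).
fw_stop() {
    "$IPTABLES" -P INPUT ACCEPT
    "$IPTABLES" -P FORWARD ACCEPT
    "$IPTABLES" -P OUTPUT ACCEPT
    "$IPTABLES" -F
}

# Persist the active rule set so the next boot can restore it directly.
fw_save() {
    "$IPTABLES_SAVE" > "$POLICY_FILE"
}

# Reload the persisted rule set atomically.
fw_restore() {
    "$IPTABLES_RESTORE" < "$POLICY_FILE"
}

fw_main() {
    case "${1:-start}" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        save)    fw_save ;;
        restore) fw_restore ;;
        *)       echo "usage: $0 {start|stop|save|restore}" >&2; return 2 ;;
    esac
}

# Dispatch only when invoked as rc.firewall, so the functions can also be
# sourced (for example to dry-run them with IPTABLES=echo).
case "$0" in
    *rc.firewall*) fw_main "$@" ;;
esac
```

Keep the file root-owned and executable, as win32sux notes; with the hook in place, `NETFILTER=yes` in the network settings makes boot restore the saved policy if one exists, and otherwise start the firewall and save it.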

Hacker X 12-18-2007 01:04 AM

Quote:

Originally Posted by bioe007 (Post 2993749)
@Hacker X, what version & edition of zenwalk are you running?

2.6. What's an edition, and how do you determine what it is?

Quote:

the 'stock' zenwalk init scripts include a firewall in /etc/rc.d/rc.inet1
I don't see anything in rc.inet1 except ifconfig and dhcp.
In 2.6, iptables is all in rc.netfilter, including all the rules that win32sux suggested.

Quote:

I have only been using zenwalk since 4.6, never seen an rc.netfilter file.
It's called in multiuser mode by rc.M if it's executable by root.

bioe007 12-19-2007 12:32 PM

zw2.6 is pretty old stuff. Sorry, I wouldn't have the foggiest about what's on there...

there are four 'editions' of zenwalk: standard, core, live, and server. Whatever iso you have should be labeled as such, otw I have no idea where you'd find it. It's most likely something like standard, I don't know how many or if any of the other editions existed in 2.6.

Quote:

It's called in multiuser mode by rc.M if it's executable by root.
I see it now, but there is no actual rc.netfilter file (anymore?), at least not in 4.8, -current or snapshot. Maybe a forgotten dinosaur, or a way to give users something similar to slackware's +x rc.firewall flexibility.
