You have a typo or syntax error somewhere in firewall.bash.
Code:
#!/bin/bash

# No spoofing
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > $filtre
    done
fi

# No icmp
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# load some modules you may need
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack_irc
modprobe ip_conntrack_ftp

# Remove all rules and chains
iptables -F
iptables -X

# first set the default behaviour => accept connections
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Create 2 chains, it allows to write a clean script
iptables -N FIREWALL
iptables -N TRUSTED

# Allow ESTABLISHED and RELATED incoming connection
iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow loopback traffic
iptables -A FIREWALL -i lo -j ACCEPT

# Send all package to the TRUSTED chain
iptables -A FIREWALL -j TRUSTED

# DROP all other packets
iptables -A FIREWALL -j DROP

# Send all INPUT packets to the FIREWALL chain
iptables -A INPUT -j FIREWALL

# DROP all forward packets, we don't share internet connection in this example
iptables -A FORWARD -j DROP

# Allow IRC
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 6667 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 6667 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m tcp --sport 133 -j ACCEPT # identification port
iptables -A OUTPUT -o eth0 -p udp -m tcp --dport 133 -j ACCEPT # identification port
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow bittorrent
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 6881:6889 -j ACCEPT

# End message
echo " [End iptables rules setting]"
Internets //<http://www.stevey.eu>
Advice given with no warranty implied. Results are the users own responsibility.
Paragraphs, spelling, and grammar. All very useful, please use them. It makes reading much easier.
Disable the PC Speaker!
You can first start by deleting all OUTPUT lines, which are useless since OUTPUT packets are not dropped by default in this config.
Then replace all INPUT chain rules at the end of the file by TRUSTED chain rules. As in the script I provide, new rules must be added TO the TRUSTED chain, since INPUT packets are all sent through the FIREWALL chain and then finally to the TRUSTED chain, which is where your custom rules are meant to go.
Finally, I'm not sure if comments at the end of a line work or not; I guess yes, but just in case put them on a dedicated line.
The examples and the script are 2 different things. The examples have the sole purpose of making you understand how iptables works.
In the script I provide, I have already chosen a layout for the script, so if you want to use it and tweak it you must respect the layout put in place. In the script I give, the INPUT chain is not supposed to be handled directly, as I send all INPUT packets through the FIREWALL chain, which applies the rules that will allow you almost all you need; then all the remaining packets (not allowed yet) are sent to the TRUSTED chain to see if one rule of the TRUSTED chain can allow them; if not, they are finally DROPped at the end of the FIREWALL chain.
This is why in my script all custom rules MUST be added to the TRUSTED chain at the end of the file.
INPUT => FIREWALL => TRUSTED => if not allowed via previous chains then DROP
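The INPUT => FIREWALL => TRUSTED => DROP layout described in the post above, written out as an added example; this is not the thread's script or the tutorial's own code. It assumes eth0 as the interface and the bittorrent port range 6881:6889 from the script posted earlier; the DRY_RUN switch and the dead_input_rules helper are additions here, so the rule list can be inspected without root and without touching the running firewall.

```bash
#!/bin/bash
# Added example (not the thread's script): INPUT => FIREWALL => TRUSTED => DROP.
# Interface name and bittorrent port range are assumptions taken from the thread.
# Set DRY_RUN=1 to print the iptables commands instead of applying them.

IFACE="${IFACE:-eth0}"

# Wrapper: print the command in dry-run mode, otherwise run the real iptables.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_firewall() {
    # Start from a clean table. The INPUT policy can stay ACCEPT because every
    # INPUT packet is sent through FIREWALL, whose last rule is an explicit DROP.
    ipt -F
    ipt -X
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD ACCEPT

    ipt -N FIREWALL
    ipt -N TRUSTED

    # FIREWALL: replies to connections we opened, loopback, then hand off to
    # TRUSTED, and drop whatever TRUSTED did not accept.
    ipt -A FIREWALL -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FIREWALL -i lo -j ACCEPT
    ipt -A FIREWALL -j TRUSTED
    ipt -A FIREWALL -j DROP

    # All INPUT traffic goes through FIREWALL. Any rule appended to INPUT after
    # this line is never reached, which is why custom rules belong in TRUSTED.
    ipt -A INPUT -j FIREWALL

    # No forwarding in this layout.
    ipt -A FORWARD -j DROP

    # Custom rules: TRUSTED is the only chain consulted for new inbound connections.
    # Outgoing IRC/FTP need no INPUT rules: OUTPUT is ACCEPT and replies match
    # ESTABLISHED,RELATED in FIREWALL.
    ipt -A TRUSTED -i "$IFACE" -p tcp -m tcp --dport 6881:6889 -j ACCEPT
}

# Lint helper: read a list of iptables commands (e.g. dry-run output) on stdin
# and print every rule appended to INPUT after the jump to FIREWALL. Such rules
# are dead code: FIREWALL ends in DROP, so INPUT never evaluates past the jump.
dead_input_rules() {
    awk '
        /^iptables -A INPUT -j FIREWALL$/ { seen = 1; next }
        seen && /^iptables -A INPUT / { print }
    '
}

# Stand-alone use: `DRY_RUN=1 ./fw.sh apply` prints the rules, `./fw.sh apply` loads them.
if [ "${1:-}" = "apply" ]; then
    apply_firewall
fi
```

Run `DRY_RUN=1 ./fw.sh apply | ./fw.sh` style checks by piping the printed rule list into `dead_input_rules`: an empty result means every custom rule sits in TRUSTED; any line printed is a rule that was appended to INPUT after the jump and will never match, which is exactly the mistake the post above warns about.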
No
You are a bit misleading, because everything in what you posted made me think that you were using the script you posted in post #252, and now you are telling me that you are not using this one but the default one.
I'm completely lost, sorry; I don't understand what script you are using.
I copied and pasted the script from your advanced tutorial but am having trouble with the bittorrent download client. Everything else works fine, but the client will just sit there stalled until I stop the firewall.
Not quite sure where to look?
Hey, I get this:
root@kubuntu:~# sudo /etc/init.d/firewall start
sudo: /etc/init.d/firewall: command not found
What did I do wrong?
Very nice post, gotta try this one out.
I'll be back with the results...
*hoping not to run into any problems