
Thread: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

  1. #31
    Join Date
    Jul 2006
    Location
    Cheshire, UK
    Beans
    91
    Distro
    Ubuntu 6.10 Edgy

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Quote Originally Posted by Roque
    This is the script I am running: it's the same you posted but with eth0 replaced with ppp0.
    Code:
    #!/bin/bash
    
    # No spoofing: enable reverse-path filtering on every interface
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
        for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
        do
            echo 1 > "$filtre"
        done
    fi
    
    # No ICMP echo (ping) replies
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    
    # Load some modules you may need
    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe iptable_filter
    modprobe iptable_nat
    
    # Remove all rules and chains
    iptables -F
    iptables -X
    
    # First set the default behaviour => accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    
    # Create 2 chains; this allows writing a clean script
    iptables -N FIREWALL
    iptables -N TRUSTED
    
    # Allow ESTABLISHED and RELATED incoming connections
    iptables -A FIREWALL -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Send all packets to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED
    # DROP all other packets
    iptables -A FIREWALL -j DROP
    
    # Send all INPUT packets to the FIREWALL chain
    iptables -A INPUT -j FIREWALL
    # DROP all forwarded packets, we don't share the internet connection in this example
    iptables -A FORWARD -j DROP
    
    # Allow https
    iptables -A TRUSTED -i ppp0 -p udp -m udp --sport 443 -j ACCEPT
    iptables -A TRUSTED -i ppp0 -p tcp -m tcp --sport 443 -j ACCEPT
    
    # Allow amule
    iptables -A TRUSTED -i ppp0 -p udp -m udp --dport 5349 -j ACCEPT
    iptables -A TRUSTED -i ppp0 -p udp -m udp --dport 5351 -j ACCEPT
    iptables -A TRUSTED -i ppp0 -p tcp -m tcp --dport 5348 -j ACCEPT
    
    # Allow IRC IDENT & DCC
    iptables -A TRUSTED -i ppp0 -p tcp -m tcp --sport 6667 -j ACCEPT
    iptables -A TRUSTED -i ppp0 -p tcp -m tcp --sport 113 -j ACCEPT
    
    # Allow bittorrent
    iptables -A TRUSTED -i ppp0 -p tcp -m tcp --dport 6881:6889 -j ACCEPT
    
    # End message
    echo " [End iptables rules setting]"
    How can I use your script? Do I download it and then run it or something?

  2. #32
    Join Date
    Apr 2006
    Location
    Chicago
    Beans
    1,405
    Distro
    Ubuntu Intrepid Ibex (testing)

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Can I use a different port for bittorrent, like 16881:16889?
    I ask because I read that some ISPs will limit download rates on the default bittorrent ports.

  3. #33
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Yes, you can do that, it should work without any problems.

  4. #34
    Join Date
    Apr 2006
    Location
    Chicago
    Beans
    1,405
    Distro
    Ubuntu Intrepid Ibex (testing)

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    One more thing: how do I forward my UDP port for "listening" (Azureus DHT)?
    This is what I added to the script:

    Code:
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 6881:6889 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 6881:6889 -j ACCEPT

  5. #35
    Join Date
    May 2006
    Beans
    97

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    You only need 1 TCP port for Azureus to work. A port range or UDP is not needed. Recommended by the Azureus team is any port above 50000.

    example:

    Code:
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 55555 -j ACCEPT

  6. #36
    Join Date
    Apr 2006
    Location
    Chicago
    Beans
    1,405
    Distro
    Ubuntu Intrepid Ibex (testing)

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Quote Originally Posted by dolby
    You only need 1 TCP port for Azureus to work. A port range or UDP is not needed. Recommended by the Azureus team is any port above 50000.

    example:

    Code:
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 55555 -j ACCEPT
    Right, but for DHT I need UDP, which I got working.

  7. #37
    Join Date
    Feb 2005
    Location
    EU
    Beans
    549
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Thanks!

    It's often much easier to work with conf files (or scripts in this case) than clicking through GUIs like Firestarter!

    Your explanation of iptables rules is very good, and it was very easy to set up a home network and allow the services on my server (http, ftp).

    Great work! +++

    One question: My server (runs dnsmasq for DHCP IP address assignment & ipmasq) connects via eth0 to the world; the hub for my home network (with some Windows & Ubuntu clients connected) is on eth1.

    This is my firewall.bash script. As you can see I had to modify it a bit. In particular I commented out the
    Code:
    # Allow ESTABLISHED and RELATED incoming connections
    #iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Send all packets to the TRUSTED chain
    #iptables -A FIREWALL -j TRUSTED
    # DROP all other packets
    #iptables -A FIREWALL -j DROP
    part. As I understand it this is OK with my further settings, but due to the fact that I was running a "hardware" firewall till now, I'm not sure if this might represent a security risk to my network. Could you please share your thoughts about my rules?

    Thanks in advance!

    complete firewall.bash

  8. #38
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    If you have a hardware firewall, an additional software firewall is not really needed IMO.
    About your script, the rules about the TRUSTED chain are useless because you send nothing to the TRUSTED chain.
    In my script example I send all the INPUT packets to the FIREWALL chain, then all the FIREWALL chain packets to the TRUSTED chain.
    In your case you don't use any sub-chain, therefore just use the INPUT chain directly:
    Code:
    iptables -A INPUT -i eth0 -p udp -m udp --sport 443 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -m tcp --sport 443 -j ACCEPT
    
    # Allow amule
    iptables -A INPUT -i eth0 -p udp -m udp --dport 5349 -j ACCEPT
    iptables -A INPUT -i eth0 -p udp -m udp --dport 5351 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -m tcp --dport 5348 -j ACCEPT
    
    # Allow IRC IDENT & DCC
    iptables -A INPUT -i eth0 -p tcp -m tcp --sport 6667 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -m tcp --sport 113 -j ACCEPT
    
    # Allow bittorrent
    iptables -A INPUT -i eth0 -p tcp -m tcp --dport 6881:6889 -j ACCEPT
    
    # Webmin
    iptables -A INPUT -i eth0 -p tcp -m tcp --sport 10000 -j ACCEPT
    Your OUTPUT rules are useless too because the default behaviour specified by "iptables -P OUTPUT ACCEPT" allows all the OUTPUT packets.

    Filtering the OUTPUT packets is not really needed; most firewalls (especially under Windows) only filter incoming packets.

    Except for that, all sounds good.
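    The point above about rules sitting in a TRUSTED chain that nothing jumps to is easy to check mechanically; the script below is an added example, not code from the thread or from the HOWTO's author. SAMPLE_SCRIPT is a constructed cut-down of the posted layout with the FIREWALL -> TRUSTED jump commented out, and the second check (ACCEPT rules keyed only on --sport, which the ESTABLISHED,RELATED rule already makes unnecessary) is an extra caveat added here, not something raised in the thread.

```python
import shlex

# Constructed sample, not the poster's firewall.bash: the HOWTO's chain layout with
# the "iptables -A FIREWALL -j TRUSTED" jump commented out, as described in #37.
SAMPLE_SCRIPT = """
iptables -P INPUT ACCEPT
iptables -N FIREWALL
iptables -N TRUSTED
iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FIREWALL -j TRUSTED
iptables -A INPUT -j FIREWALL
iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 6881:6889 -j ACCEPT
"""

BUILTIN = {"INPUT", "OUTPUT", "FORWARD"}
TERMINAL = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}  # targets that are not chains

def parse_appends(script):
    """Yield (chain, argv) for every uncommented 'iptables -A <chain> ...' line."""
    for raw in script.splitlines():
        argv = shlex.split(raw.split("#", 1)[0])
        if len(argv) > 2 and argv[0] == "iptables" and "-A" in argv:
            yield argv[argv.index("-A") + 1], argv

def _opt(argv, flag):
    return argv[argv.index(flag) + 1] if flag in argv else None

def unreachable_chains(script):
    """User chains holding rules that no -j path from a built-in chain reaches."""
    rules = list(parse_appends(script))
    jumps = {}
    for chain, argv in rules:
        target = _opt(argv, "-j")
        if target and target not in TERMINAL:
            jumps.setdefault(chain, set()).add(target)
    reachable, work = set(BUILTIN), list(BUILTIN)   # walk the jump graph
    while work:
        for target in jumps.get(work.pop(), ()):
            if target not in reachable:
                reachable.add(target)
                work.append(target)
    return sorted({chain for chain, _ in rules} - reachable)

def sport_only_accepts(script):
    """ACCEPT rules keyed only on --sport: the remote host picks its own source port,
    and replies to outgoing connections are already covered by ESTABLISHED,RELATED."""
    return [" ".join(argv) for _, argv in parse_appends(script)
            if _opt(argv, "-j") == "ACCEPT" and "--sport" in argv
            and "--dport" not in argv and "--state" not in argv]
```

    Running the two checks over the poster's real firewall.bash would list TRUSTED as unreachable until the "-j TRUSTED" jump is restored (or the rules moved to INPUT as suggested above).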

  9. #39
    Join Date
    Jul 2005
    Location
    Greece
    Beans
    60
    Distro
    Ubuntu

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Because I have trouble with Firestarter and NetworkManager, I want to ask a question before I go with your script.

    I want to make it work with both eth0 (ethernet) and eth1 (wireless) without having to modify it.

    Can I just add the same rules for eth0 and eth1 in the same file?
    Will there be any problem when I go from ethernet to wireless? (NM does this automatically when you plug or unplug an ethernet cable.)

  10. #40
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Yes, you shouldn't have any problems. To make the rules work for both eth0 and eth1, just remove all the "-i eth0" options; the rules will then be applied on all the network controllers you have.
