
Thread: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

  1. #71
    Join Date: Oct 2006 | Location: Wisconsin | Beans: 455 | Distro: Kubuntu

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    I fixed the problem. All this hair pulling and it turned out to be the smallest discrepancy (which probably amounts to a lot...)

    The line I had previously:
    iptables -A TRUSTED -i eth1 -p tcp -m tcp --sport 2234:2239 -j ACCEPT

    The change that made it work:
    iptables -A TRUSTED -i eth1 -p tcp -m tcp --dport 2234:2239 -j ACCEPT

    I changed sport to dport

    and now it works. Who'da thunk it.

    Can someone give a description as to the diff between the two?

  2. #72
    Join Date: May 2005 | Beans: 91

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    ahem...

    can anybody adapt the script for me to block ALL incoming services but imap?

  3. #73
    Join Date: Oct 2006 | Location: Wisconsin | Beans: 455 | Distro: Kubuntu

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    And one final question. How does the script work out with MoBlock, which also plays with IPTables?

  4. #74
    Join Date: Oct 2006 | Location: Wisconsin | Beans: 455 | Distro: Kubuntu

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Quote Originally Posted by pau:
    ahem...

    can anybody adapt the script for me to block ALL incoming services but imap?
    I think this should work for you:
    Code:
    #!/bin/bash
    
    # No spoofing
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
    echo 1 > "$filtre"
    done
    fi 
    
    # No icmp
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    
    #load some modules you may need
    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe iptable_filter
    modprobe iptable_nat 
    
    # Remove all rules and chains
    iptables -F
    iptables -X
    
    # first set the default behaviour => accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    
    # Create 2 chains, it allows to write a clean script
    iptables -N FIREWALL
    iptables -N TRUSTED
    
    # Allow ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow loopback traffic
    iptables -A FIREWALL -i lo -j ACCEPT
    # Send all package to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED
    # DROP all other packets
    iptables -A FIREWALL -j DROP
    
    # Send all INPUT packets to the FIREWALL chain
    iptables -A INPUT -j FIREWALL
    # DROP all forward packets, we don't share internet connection in this example
    iptables -A FORWARD -j DROP
    
    # Allow incoming IMAP. The IMAP server listens on local port 143, so the rule
    # must match the destination port; "--sport 143" would match the remote port
    # instead (the same sport/dport mix-up as in post #71). IMAP is TCP only, so
    # no UDP rule is needed.
    iptables -A TRUSTED -i eth1 -p tcp -m tcp --dport 143 -j ACCEPT
    
    # End message
    echo " [End iptables rules setting]"
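
Added example, not from the thread or from the HOWTO script: a small Python model of the FIREWALL/TRUSTED chains used in posts #71 and #74. It shows why a `--sport` rule does not admit a new incoming connection to a local service while `--dport` does, why return traffic is covered by the ESTABLISHED,RELATED rule either way, and what a `--sport` rule matches instead. All packets and port numbers are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    sport: int   # remote (source) port; a connecting client normally uses an ephemeral one
    dport: int   # local (destination) port, i.e. the service being exposed
    state: str   # conntrack state: "NEW", "ESTABLISHED" or "RELATED"

@dataclass(frozen=True)
class Rule:
    proto: str
    field: str   # "sport" (--sport) or "dport" (--dport)
    lo: int
    hi: int      # inclusive port range, like "--dport 2234:2239"

    def matches(self, pkt: Packet) -> bool:
        port = getattr(pkt, self.field)
        return pkt.proto == self.proto and self.lo <= port <= self.hi

def firewall(pkt: Packet, trusted: list) -> str:
    """Model of the thread's FIREWALL chain: ESTABLISHED,RELATED is accepted first,
    then the TRUSTED rules are tried in order, and everything else is dropped."""
    if pkt.state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    for rule in trusted:
        if rule.matches(pkt):
            return "ACCEPT"
    return "DROP"

# The two rule sets from post #71 (the service listens locally on 2234-2239).
SPORT_RULES = [Rule("tcp", "sport", 2234, 2239)]   # the line that did not work
DPORT_RULES = [Rule("tcp", "dport", 2234, 2239)]   # the line that fixed it

# Constructed sample packets as seen on the INPUT path.
INCOMING_SYN = Packet("tcp", sport=51234, dport=2234, state="NEW")           # client -> our service
RETURN_TRAFFIC = Packet("tcp", sport=2234, dport=51234, state="ESTABLISHED")  # reply to our own outbound connection
# A --sport rule matches on the remote port only: any remote host sending from
# source port 2234 matches it no matter which local port the packet is aimed at.
STRAY = Packet("tcp", sport=2234, dport=22, state="NEW")

def verdicts(pkt: Packet) -> dict:
    """Verdict for the same packet under the --sport and the --dport rule sets."""
    return {"sport": firewall(pkt, SPORT_RULES), "dport": firewall(pkt, DPORT_RULES)}
```

The same model explains the IMAP line in post #74: a client's first packet to local port 143 is state NEW with an ephemeral source port, so only a `--dport 143` rule accepts it.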

  5. #75
    Join Date: Jun 2005 | Location: France | Beans: 7,100 | Distro: Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Quote Originally Posted by marx2k:
    And one final question. How does the script work out with MoBlock, which also plays with IPTables?
    Hum, it is a bad idea to use 2 different scripts to set your iptables firewall. I advise you to choose the one you prefer and use only this one.

  6. #76
    Join Date: Oct 2006 | Location: Wisconsin | Beans: 455 | Distro: Kubuntu

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Quote Originally Posted by frodon:
    Hum, it is a bad idea to use 2 different scripts to set your iptables firewall. I advise you to choose the one you prefer and use only this one.
    Well, the problem is that one script lets me set my firewall up easily (this one) and one keeps the MPAA/RIAA off my back by blocking selected IPs downloaded through a daily list ( http://moblock-deb.sourceforge.net/ )

    I'm just wondering if MoBlock would be putting an added layer of protection by filtering IPs on top of this script or if it would completely break this script.

    I will try to install it on Monday and see how it goes. If anything, I can always remove it and restart this script and it will re-lay-down the correct iptables for me.

  7. #77
    Join Date: Jun 2005 | Location: France | Beans: 7,100 | Distro: Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Ha ok, if it does only IP blocking I think there's no problem to use both, so I would say that you shouldn't get any problems.

  8. #78
    Join Date: Oct 2006 | Location: Wisconsin | Beans: 455 | Distro: Kubuntu

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    I will give it a shot and report back because if it actually doesn't interfere, that'd be great since I find this script amazingly useful (actually, a lot more useful and configurable in less time than firestarter, and I don't need another program to take up memory space when using this).

  9. #79
    Join Date: Oct 2006 | Location: Wisconsin | Beans: 455 | Distro: Kubuntu

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Ok so it seems like they play well together if you start moblock AFTER the firewall script.

    Here is IPTables after the firewall script...
    Code:
    marx2k@Commodore-64:~/source/nicotine+$ sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    FIREWALL   all  --  anywhere             anywhere            
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    DROP       all  --  anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FIREWALL (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    ACCEPT     all  --  anywhere             anywhere            
    TRUSTED    all  --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            
    
    Chain TRUSTED (1 references)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:2234:2239 
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:64738:64739 
    ACCEPT     udp  --  anywhere             anywhere            udp dpts:64738:64739 
    ACCEPT     udp  --  anywhere             anywhere            udp spt:https 
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https
    And here it is after moblock is run...
    Code:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    MOBLOCK_IN  all  --  anywhere             anywhere            state NEW 
    FIREWALL   all  --  anywhere             anywhere            
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    MOBLOCK_FW  all  --  anywhere             anywhere            state NEW 
    DROP       all  --  anywhere             anywhere            
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    MOBLOCK_OUT  all  --  anywhere             anywhere            state NEW 
    
    Chain FIREWALL (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
    ACCEPT     all  --  anywhere             anywhere            
    TRUSTED    all  --  anywhere             anywhere            
    DROP       all  --  anywhere             anywhere            
    
    Chain MOBLOCK_FW (1 references)
    target     prot opt source               destination         
    NFQUEUE    all  --  anywhere             anywhere            NFQUEUE num 0
    
    Chain MOBLOCK_IN (1 references)
    target     prot opt source               destination         
    
    ACCEPT     all  --  anywhere             qb-in-f109.google.com 
    NFQUEUE    all  --  anywhere             anywhere            NFQUEUE num 0
    
    Chain MOBLOCK_OUT (1 references)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             199.203.34.59       
    ACCEPT     all  --  anywhere             198.150.221.249     
    ACCEPT     all  --  anywhere             198.150.221.250     
    ACCEPT     all  --  anywhere             qb-in-f109.google.com 
    ACCEPT     all  --  anywhere             tricia.gtlib.gatech.edu 
    ACCEPT     all  --  anywhere             mail.charter.net    
    ACCEPT     all  --  anywhere             69.28.186.121       
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
    NFQUEUE    all  --  anywhere             anywhere            NFQUEUE num 0
    
    Chain TRUSTED (1 references)
    target     prot opt source               destination         
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:2234:2239 
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:64738:64739 
    ACCEPT     udp  --  anywhere             anywhere            udp dpts:64738:64739 
    ACCEPT     udp  --  anywhere             anywhere            udp spt:https 
    ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https
    So it looks like they are playing well together!

    Now the only thing I'm wondering, with this setup: although I want traffic to come through on ports 64738, 64739... (and it is coming through now) ...will it still filter through moblock? I think it will. What do you, the reader, think?
    Last edited by marx2k; January 24th, 2007 at 06:53 PM. Reason: Messed up editing

  10. #80
    Join Date: Dec 2005 | Beans: 30

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Hi!

    I got the advice from another thread that I should post here about my iptables problems. So instead of retyping it all, here is the post; feel free to answer here or in the other post.

    http://www.ubuntuforums.org/showthread.php?p=2059884

    Would really appreciate all the help I can get.
