Page 5 of 29
Results 41 to 50 of 286

Thread: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

  1. #41
    Join Date
    Jul 2005
    Location
    Greece
    Beans
    60
    Distro
    Ubuntu

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Quote Originally Posted by frodon View Post
    Yes, you shouldn't have any problems. To make the rules work for both eth0 and eth1, just remove all the "-i eth0" options; the rules will then be applied on all the network controllers you have.

    Thanks for the lightning-fast answer.

    Merci beaucoup

  2. #42
    Join Date
    Jul 2005
    Location
    Greece
    Beans
    60
    Distro
    Ubuntu

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    OK, it worked.

    It only needed the loopback added in the firewall bash script;

    without it, it was stopping when it was trying to start GNOME.

    Thanks again,

    excellent HOWTO.

  3. #43
    Join Date
    Feb 2005
    Location
    EU
    Beans
    549
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Quote Originally Posted by frodon View Post
    If you have a hardware firewall an additional software firewall is not really needed IMO.
    About your script, the rules about the TRUSTED chain are useless because you send nothing to the TRUSTED chain.

    Thanks for the tips & your help!

    cheers

    mtron

  4. #44
    Join Date
    Aug 2006
    Beans
    1

    Thumbs up Re: HOWTO: Set a custom firewall (iptables) and Tips

    I have deployed my firewall following your instructions, and it works very well, thx!!!

  5. #45
    Join Date
    Aug 2005
    Beans
    1

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Well,
    sorry about the English, but I'm from Brazil.
    I have 2 things to ask:
    1) I used your script and did all the things,
    but when I logged into GNOME it just crashed; it doesn't enter GNOME at all.
    Why? Does anyone else have this problem?

    2) I have an eth0 interface where my ppp0 connection arrives,
    and I have an eth1 interface plugged into the hub, for sharing my ppp0 connection.
    I managed to share the connection, but when I used your script it just stopped sharing. What can I do to continue sharing my ppp0 connection but still have this nice firewall you built?

    Thanks for any help you can give me.

  6. #46
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    1) If you have problems, add the loopback access:
    Code:
    # Allow ESTABLISHED and RELATED incoming connections
    iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow loopback access
    iptables -A FIREWALL -i lo -j ACCEPT
    # Send all packets to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED
    # DROP all other packets
    iptables -A FIREWALL -j DROP
    2) My script prevents all FORWARD packets, which explains why your connection sharing doesn't work anymore.
    Just remove this line to leave all the FORWARD packets as they were before:
    Code:
    iptables -A FORWARD -j DROP
    If you trust your network on eth1 (I guess it's a local network), there's no need to apply the rules on eth1 in my opinion.

  7. #47
    Join Date
    Apr 2006
    Location
    Thimphu, Bhutan (Himalaya)
    Beans
    2
    Distro
    Ubuntu Breezy 5.10

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    I'm struggling with my firewall, though I'm using my own script. I originally made it for use with DHCP on a PPP interface and static addresses on an internal wireless LAN. Later, we moved to a static address from the ISP on an ethernet connection and it was fine. But then I upgraded to Dapper and everything went Windowsy.

    Dapper is known for not handling static IP for wireless routers, so now I have to use DHCP on the LAN, but then my firewall doesn't pass the traffic through. So I have to switch back to static after making the wireless connection and run my firewall manually. Then it all works, but next time I boot up, I'm in static, so I have to go through the whole process again.

    How can I get it to pass traffic from DHCP addresses on the LAN side to a static address on the ISP side? And why does it matter that it's DHCP on the LAN side?

    Code:
    #!/bin/sh
    #Firewall for home network
    
    #configuration
    INET_IP="202.89.26.82"
    INET_IF="eth0"
    INET_BCAST="202.89.26.255"
    
    LAN_IP="192.168.0.29"
    LAN_IF="eth1"
    LAN_BCAST="192.168.0.255"
    
    SELF_IP="127.0.0.1"
    SELF_IF="lo"
    SELF_BCAST="127.0.0.255"
    
    IPTABLES="/sbin/iptables"
    MOD="/sbin/modprobe"
    
    #flush tables
    $IPTABLES --flush
    $IPTABLES -t nat --flush
    $IPTABLES --delete-chain
    $IPTABLES -t nat --delete-chain
    
    #modules
    $MOD ipt_LOG
    $MOD ipt_REJECT
    $MOD ipt_MASQUERADE
    $MOD ip_conntrack_amanda
    $MOD ip_conntrack_irc
    $MOD ip_conntrack_ftp
    $MOD ip_conntrack_tftp
    $MOD ip_nat_amanda
    $MOD ip_nat_irc
    $MOD ip_nat_ftp
    $MOD ip_nat_tftp
    $MOD ip_nat_snmp_basic
    $MOD iptable_nat
    
    #default policies (all ACCEPT here, so packets that only hit the LOG rules below are still accepted)
    $IPTABLES -t filter -P INPUT ACCEPT
    $IPTABLES -t filter -P OUTPUT ACCEPT
    $IPTABLES -t filter -P FORWARD ACCEPT
    $IPTABLES -t nat -P PREROUTING ACCEPT
    $IPTABLES -t nat -P OUTPUT ACCEPT
    $IPTABLES -t nat -P POSTROUTING ACCEPT
    $IPTABLES -t mangle -P PREROUTING ACCEPT
    $IPTABLES -t mangle -P INPUT ACCEPT
    $IPTABLES -t mangle -P FORWARD ACCEPT
    $IPTABLES -t mangle -P OUTPUT ACCEPT
    $IPTABLES -t mangle -P POSTROUTING ACCEPT
    
    #INPUT FILTER
    #allow all packets from local addresses to pass
    $IPTABLES -t filter -A INPUT -i $SELF_IF -j ACCEPT
    $IPTABLES -t filter -A INPUT -i $LAN_IF -j ACCEPT
    
    #allow established and related packets from internet
    $IPTABLES -t filter -A INPUT -i $INET_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    #allow trace-route returns (ICMP TTL=0)
    $IPTABLES -t filter -A INPUT -i $INET_IF -p ICMP --icmp-type 11 -j ACCEPT
    
    #log all other packets
    $IPTABLES -t filter -A INPUT -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
    
    #FORWARD FILTER
    #forward all packets from local addresses
    $IPTABLES -t filter -A FORWARD -i $SELF_IF -j ACCEPT #not sure if this is necessary
    $IPTABLES -t filter -A FORWARD -i $LAN_IF -j ACCEPT
    
    #accept the return packets
    $IPTABLES -t filter -A FORWARD -i $INET_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    #log all other packets
    $IPTABLES -t filter -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died:"
    
    #OUTPUT FILTER
    #send all packets from local addresses
    $IPTABLES -t filter -A OUTPUT -s $SELF_IP -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -s $LAN_IP -j ACCEPT
    $IPTABLES -t filter -A OUTPUT -s $INET_IP -j ACCEPT # is this safe? it should already be filtered on INPUT, right?
    
    #log all other packets
    $IPTABLES -t filter -A OUTPUT -m limit --limit 3/minute --limit-burst 3 \
    -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died:"
    
    #DHCP ADDRESS TRANSLATION
    #use masquerading to allow many PCs to access the ISP with one dynamic IP address
    $IPTABLES -t nat -A POSTROUTING -o $INET_IF -j MASQUERADE
    
    #what's the command for a static ISP address?
    #$IPTABLES -t nat -A POSTROUTING -s 192.168.0.0 -j SNAT -o eth0 --to-source $INET_IP  I've tried this, but it doesn't work.  why?
    #(without a mask, "-s 192.168.0.0" matches only that single host; the whole LAN is 192.168.0.0/24)
    
    #enable packet forwarding by kernel
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr

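Added example, not frodon's script nor the poster's, covering two points raised above: frodon's note in #46 that dropping FORWARD outright breaks connection sharing, and the SNAT rule in the script in #47 that never matched the LAN. The rules are emitted through an `IPTABLES` variable that defaults to a print-only function, so the script runs without touching the kernel; the static address 203.0.113.5 is a constructed documentation value.

```shell
#!/bin/sh
# Dry-run by default: rules are printed instead of applied.
# Run as root with IPTABLES=/sbin/iptables to apply them for real.
emit() { printf '%s\n' "$*"; }
IPTABLES="${IPTABLES:-emit}"

# Stateful forwarding between the LAN (eth1) and the Internet (eth0):
# only the LAN may open new connections outward, the Internet side may
# only send replies. This keeps sharing working without either a blanket
# "-A FORWARD -j DROP" or a blanket "-i $LAN_IF -j ACCEPT".
forward_rules() {
    lan_if="$1"; inet_if="$2"
    $IPTABLES -A FORWARD -i "$lan_if" -o "$inet_if" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$inet_if" -o "$lan_if" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -j DROP
}

# Source NAT for the shared connection: MASQUERADE when the ISP address is
# dynamic, SNAT --to-source when it is static. The LAN must be given with
# its mask: "-s 192.168.0.0" alone matches the single host 192.168.0.0,
# which is why a rule written that way translates nothing.
nat_rule() {
    mode="$1"; lan_net="$2"; inet_if="$3"; inet_ip="$4"
    case "$lan_net" in
        */*) ;;
        *) echo "nat_rule: $lan_net needs a mask, e.g. ${lan_net}/24" >&2; return 1 ;;
    esac
    case "$mode" in
        dynamic) $IPTABLES -t nat -A POSTROUTING -s "$lan_net" -o "$inet_if" -j MASQUERADE ;;
        static)  $IPTABLES -t nat -A POSTROUTING -s "$lan_net" -o "$inet_if" -j SNAT --to-source "$inet_ip" ;;
        *) echo "nat_rule: mode must be static or dynamic" >&2; return 1 ;;
    esac
}

# Interfaces from the thread; the static ISP address is a constructed example.
forward_rules eth1 eth0
nat_rule static 192.168.0.0/24 eth0 203.0.113.5
```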
  8. #48
    Join Date
    Nov 2005
    Location
    Oz
    Beans
    4,405

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    Thanks Frodon, great HowTo, quick & easy to follow, & works perfectly!

    I've just started using BitTorrent, so I thought that perhaps now was a good time to secure my system.

    I used your HowTo from the following link:

    http://doc.gwos.org/index.php/IptablesFirewall

    & tested it at Shields Up! Faultless results on all tests.

    The Sygate tests rejected my OS, so they must have recently changed their ways?

  9. #49
    Join Date
    Jun 2006
    Beans
    90

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    I would like to know how to add tor and privoxy, so they will work with the firewall. They run perfectly without the firewall but with it they don't work at all and time out.

  10. #50
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    I don't use these apps, but I guess you could find useful information on how to use them with a firewall on their websites.
    I guess they should use some specific ports; by the way, did you enable the loopback access?
    If not, add this line in your script with the other rules for the FIREWALL chain:
    Code:
    iptables -A FIREWALL -i lo -j ACCEPT
