Page 3 of 7
Results 21 to 30 of 69

Thread: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

  1. #21
    Join Date
    Dec 2006
    Beans
    5

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Hello,
    I want to ask if this script can be used with two interfaces, eth0 internet and another one eth1 LAN, so that from eth1 other hosts in the LAN can
    browse the internet and use P2P programs.

    Thanks in advance and keep on going helping other people with your knowledge.
    Thanks again.

  2. #22
    Join Date
    Nov 2008
    Beans
    3

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Actually this is a mighty good proposal my friend.
    Two interfaces is what I also need; I have been messing with it for 2 days now, the way of the noob is heavy.

    So far I have tried to add
    Code:
    iptables -A FORWARD -o eth1 -i eth0 -j ACCEPT 
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 
    echo 1 > /proc/sys/net/ipv4/ip_forward 
    iptables -A FORWARD -j DROP
    as well as
    Code:
    iptables -A FIREWALL -o eth1 -i eth0 -j ACCEPT 
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 
    echo 1 > /proc/sys/net/ipv4/ip_forward 
    iptables -A FIREWALL -j DROP
    Well, forwarding goes through, but any other rule such as the http allow and others don't apply.
    Code:
    root@triber:~# /etc/init.d/firewall status
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  192.168.0.0/24       anywhere            state NEW
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination
    MASQUERADE  all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    So if the OP or iptables gurus could find time to respond, me and many others would really appreciate it.

  3. #23
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    The best in this case, if you don't want to forward everything, is to add a FORWARD rule for each kind of traffic you want to forward and then DROP the rest, instead of forwarding everything with your first forward rule.
    Handling forward rules separately looks cleaner IMO, as your firewall and what you forward are 2 different things.

    For example, if you want to forward web:
    Code:
    # LAN (eth1) -> internet (eth0), web only; replies come back via an ESTABLISHED,RELATED rule
    iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT

  4. #24
    Join Date
    Nov 2008
    Beans
    3

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Thanks for the quick reply Frodon, will try it today

  5. #25
    Join Date
    Nov 2008
    Beans
    3

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Hello, I've found this to be wonderful, I understand chains now and how they work..

    I only have one question, for example what do NEW, ESTABLISHED, RELATED actually mean, or should I ask how are they handled..

    iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 51000 -j ACCEPT


    For example, the FIREWALL chain allows all connections that are established and related under TRUSTED. TRUSTED then allows all TCP connections on this port..

    What I don't understand is how people can still upload from me, that is, they connect to me; shouldn't I add NEW as well, or is a torrent connection actually RELATED, and if so, what does that mean? Or do torrents, since I need to establish connections with other people with the same file as well, go under ESTABLISHED so they get through?

    And I would also like to know what this -m tcp means.. Does maybe this -m tcp tell it to allow all NEW, RELATED AND ESTABLISHED connections?


    I would like to know when to add this NEW parameter ... Is NEW meant for things like -> if an unknown IP connects to your service, and then enters username/password, and if successful, it is ESTABLISHED?


    EDIT: For example I didn't allow input http on port 80.. So how come I can browse? I receive input from the page as well.. Or does that mean since I asked for a page, like Google, I connected and that connection became established, so it gets through? Or do things like browsing go under OUT only, and since I allow all I can send requests and receive data no problem?
    Last edited by Samurai-; November 14th, 2008 at 10:19 PM.

  6. #26
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Simple, any connection you open yourself (e.g. web browser) is allowed thanks to the established and related rules.

    Never wondered why you can browse the internet behind a NAT router without redirecting port 80 to your computer?
    It's the same principle here: browsing a site you open a connection on port 80 and then receive an answer from the website, and in the frame you receive you have in the header all the info telling that the frame is the answer to your request. Once this is done you have an ESTABLISHED connection; RELATED connections are connections that may need to be opened from your established connection.

    As a general rule you never need to accept input connections except if you are running a service, because in this case your computer receives an unknown frame and it is the service that provides the answer to this request made by a remote computer (e.g. you run a web server).

  7. #27
    Join Date
    Nov 2008
    Beans
    3

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Quote Originally Posted by frodon
    Simple, any connection you open yourself (e.g. web browser) is allowed thanks to the established and related rules.

    Never wondered why you can browse the internet behind a NAT router without redirecting port 80 to your computer?
    It's the same principle here: browsing a site you open a connection on port 80 and then receive an answer from the website, and in the frame you receive you have in the header all the info telling that the frame is the answer to your request. Once this is done you have an ESTABLISHED connection; RELATED connections are connections that may need to be opened from your established connection.

    As a general rule you never need to accept input connections except if you are running a service, because in this case your computer receives an unknown frame and it is the service that provides the answer to this request made by a remote computer (e.g. you run a web server).
    Holy ****, fast answer..

    Thanks, yeah, I have just been reading this page, which might help others who don't understand..

    http://www.kalamazoolinux.org/presen...conntrack.html

    I understand now perfectly and I agree with
    As a general rule you never need to accept input connections except if you are running a service, because in this case your computer receives an unknown frame and it is the service that provides the answer to this request made by a remote computer (e.g. you run a web server).
    One thing left:

    iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 51000 -j ACCEPT


    What does that -m tcp mean.. it's not under man iptables :/



    EDIT:

    For example, if I have an SSHD server up on port 4444, and would like to connect from some other machine through SSH to my machine, if I put this

    iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 4444 -m state --state NEW -j ACCEPT


    Would that allow incoming connections?

    Or would it be blocked here already, since it's not established :\

    iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    If so, how do I need to write it if I wish to have SSHD connectable from outside?
    Last edited by Samurai-; November 14th, 2008 at 11:05 PM.

  8. #28
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    It's the mangle table of netfilter (netfilter is the firewall embedded in the kernel, iptables being the tool to configure it); I'm not an expert on this part.
    But in some way it's like defining the protocol used, if that could help you to understand.

  9. #29
    Join Date
    Nov 2008
    Beans
    3

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    Quote Originally Posted by Samurai-


    EDIT:

    For example, if I have an SSHD server up on port 4444, and would like to connect from some other machine through SSH to my machine, if I put this

    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 4444 -m state --state NEW -j ACCEPT


    Would that allow incoming connections?

    Or would it be blocked here already, since it's not established :\

    iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    If so, how do I need to write it if I wish to have SSHD connectable from outside?
    Ok, I think that things would go like this:

    It would check chain INPUT and would say it won't go through, then it would check input on local and it's not right, then it would check the TRUSTED chain and since there is NEW specified there on -i, it should allow the connection, right?

    It wouldn't be dropped...


    EDIT: Yeah, I talk to myself, I understand now how this thing works. I only started on iptables today, yesterday I didn't even know what it is.. The only thing I'll need to test is if I need to add -m -> NEW or if I can just accept connections to that port and all are NEW by default..

    Anyway, great work here..
    Last edited by Samurai-; November 15th, 2008 at 12:03 AM.
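The three questions running through posts #23, #26 and #29 (per-service FORWARD rules instead of forwarding everything, why a browser's replies pass an ESTABLISHED,RELATED rule without any port being opened, and why an inbound SSH connection needs its own NEW rule) can be seen in a small model of how netfilter walks a chain. The block below is an added example, not code from the thread or from any poster: it implements a toy first-match chain walk with a conntrack-like flow table that labels packets NEW or ESTABLISHED. The interface names, addresses, ports and rules are constructed for illustration (RELATED, which conntrack helpers assign to flows such as FTP data channels, is not modelled), and the `Firewall`, `Rule` and `Packet` names are this example's own.

```python
# Added example, not from the thread: a toy model of how netfilter walks the
# INPUT and FORWARD chains and how the state match (conntrack) decides whether
# a packet is NEW or ESTABLISHED. Interface names, addresses and ports are
# constructed for illustration; RELATED (helper-tracked flows such as FTP data)
# is not modelled.
from dataclasses import dataclass
from typing import Optional, FrozenSet

@dataclass(frozen=True)
class Packet:
    in_if: Optional[str]    # interface the packet arrived on (None = locally generated)
    out_if: Optional[str]   # interface it leaves on (None = delivered to this host)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    target: str                               # ACCEPT or DROP
    in_if: Optional[str] = None               # -i
    out_if: Optional[str] = None              # -o
    proto: Optional[str] = None               # -p
    dport: Optional[int] = None               # --dport
    states: Optional[FrozenSet[str]] = None   # -m state --state

class Firewall:
    def __init__(self):
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}
        self.conntrack = set()   # confirmed flows as (proto, src, sport, dst, dport)

    def append(self, chain, rule):
        self.chains[chain].append(rule)

    def state_of(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # A packet belonging to a flow already seen in either direction is ESTABLISHED
        return "ESTABLISHED" if fwd in self.conntrack or rev in self.conntrack else "NEW"

    @staticmethod
    def matches(rule, pkt, state):
        return ((rule.in_if is None or rule.in_if == pkt.in_if)
                and (rule.out_if is None or rule.out_if == pkt.out_if)
                and (rule.proto is None or rule.proto == pkt.proto)
                and (rule.dport is None or rule.dport == pkt.dport)
                and (rule.states is None or state in rule.states))

    def process(self, pkt):
        """Return (chain, state, verdict); the first matching rule wins, else the chain policy."""
        if pkt.in_if and pkt.out_if:
            chain = "FORWARD"
        elif pkt.in_if:
            chain = "INPUT"
        else:
            chain = "OUTPUT"
        state = self.state_of(pkt)
        verdict = self.policy[chain]
        for rule in self.chains[chain]:
            if self.matches(rule, pkt, state):
                verdict = rule.target
                break
        if verdict == "ACCEPT" and state == "NEW":
            # conntrack confirms the flow once its first packet is accepted
            self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return chain, state, verdict

def build_firewall():
    fw = Firewall()
    # iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw.append("INPUT", Rule("ACCEPT", in_if="eth0", states=frozenset({"ESTABLISHED", "RELATED"})))
    # iptables -A INPUT -i eth0 -p tcp --dport 4444 -m state --state NEW -j ACCEPT   (sshd)
    fw.append("INPUT", Rule("ACCEPT", in_if="eth0", proto="tcp", dport=4444, states=frozenset({"NEW"})))
    # iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT   (LAN may browse the web)
    fw.append("FORWARD", Rule("ACCEPT", in_if="eth1", out_if="eth0", proto="tcp", dport=80))
    # iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT   (replies back to the LAN)
    fw.append("FORWARD", Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})))
    return fw

def run_scenarios():
    fw = build_firewall()
    me, lan_host, web, peer = "203.0.113.5", "192.168.0.10", "198.51.100.7", "198.51.100.9"
    results = {}
    # 1. My browser opens a connection: OUTPUT accepts it and conntrack records the flow,
    #    so the server's reply arriving on eth0 is ESTABLISHED and passes INPUT.
    fw.process(Packet(None, "eth0", "tcp", me, 40000, web, 80))
    results["web_reply"] = fw.process(Packet("eth0", None, "tcp", web, 80, me, 40000))
    # 2. Unsolicited connection to port 51000: NEW, no rule matches, INPUT policy DROP.
    results["unsolicited"] = fw.process(Packet("eth0", None, "tcp", peer, 50123, me, 51000))
    # 3. Unsolicited connection to sshd on 4444: NEW, but explicitly accepted.
    results["ssh_new"] = fw.process(Packet("eth0", None, "tcp", peer, 50124, me, 4444))
    # 4. A LAN host browses: forwarded out eth0, the reply is forwarded back as ESTABLISHED.
    results["lan_web"] = fw.process(Packet("eth1", "eth0", "tcp", lan_host, 50000, web, 80))
    results["lan_web_reply"] = fw.process(Packet("eth0", "eth1", "tcp", web, 80, lan_host, 50000))
    # 5. A LAN host tries HTTPS: no per-service FORWARD rule, policy DROP.
    results["lan_https"] = fw.process(Packet("eth1", "eth0", "tcp", lan_host, 50001, web, 443))
    return results

if __name__ == "__main__":
    for name, (chain, state, verdict) in run_scenarios().items():
        print(f"{name:14s} {chain:8s} {state:12s} {verdict}")
```

Scenario 2 versus 3 is the answer to the SSH question: the ESTABLISHED,RELATED rule never matches the first packet of an inbound connection, so a service you run needs a rule that accepts NEW packets to its port (a rule with no `--state` at all would also match them, since the state match is simply absent). Scenario 5 shows frodon's point about forwarding: with a per-service rule plus an ESTABLISHED,RELATED rule, the LAN gets web replies back but cannot open anything you have not listed.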

  10. #30
    Join Date
    Feb 2006
    Beans
    330
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Advanced user only]

    So I'm trying to configure a system to accept connections from my laptop's wireless connection. The problem is that my IP is constantly changing, so it's not just a matter of allowing that IP to connect. I have no way of getting a fixed IP (university network), so I had hoped to find another way to do this. I thought I could allow/deny by MAC address, and tried this command:
    Code:
    iptables -A INPUT --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
    I get this error: iptables v1.3.8: Unknown arg `--mac-source'

    Any suggestions on how I can do this?

    Thanks
