Re: HOWTO: Set a custom firewall (iptables) and Tips
Quote:
Originally Posted by
marx2k
Now the only thing I'm wondering, with this setup... is that although I want traffic to come through on ports 64738, 64739... (and it is coming through now) ...will it still filter through moblock? I think it will. What do you, the reader, think?
It depends on how moblock filters; if it filters on an IP basis then opening ports won't modify the moblock filtering.
Re: HOWTO: Set a custom firewall (iptables) and Tips
Quote:
Originally Posted by
SundaY82
Hi!
I got the advice from another thread that I should post here about my iptables problems. So instead of retyping it all, here is the post; feel free to answer here or in the other post.
http://www.ubuntuforums.org/showthread.php?p=2059884
Would really appreciate all the help I can get.
Your forwarding problem is not clear to me, and you don't give the whole script you use.
About forwarding udp and tcp, as far as I know there's no other solution than writing a line for each protocol.
Re: HOWTO: Set a custom firewall (iptables) and Tips
Hello, this is a great tool! I send people to it all the time from IRC.
Here's a question that I figured I'd find answered in these last 9 pages, but did not: How do I allow SSH in?
As it is, on my ssh server, /etc/firewall.bash is just like in the example, but I have added this line between the sections labeled "# Allow https" and "# Allow amule".
Code:
# Allow SSH
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
I've found a few resources from Google about configuring iptables for SSH, but I get confused because I don't fully understand about chains and how they're used in this script.
I know the problem is somewhere in /etc/firewall.bash, because when I stop the firewall by typing "sudo /etc/init.d/firewall stop", I can SSH into the machine.
Can anyone tell me how to get SSH working?
Thank you!
Re: HOWTO: Set a custom firewall (iptables) and Tips
Be careful: ssh uses both tcp and udp, so you need to add a line for the udp protocol on port 22. So add the following line and tell me if it works now; if not, I'll search a little bit:
Code:
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 22 -j ACCEPT
Re: HOWTO: Set a custom firewall (iptables) and Tips
Frodon,
Thanks for the reply.
I added that line and it still doesn't work.
iptables -L shows both of those entries under the TRUSTED chain, if that helps.
I've also noticed that my http server (thttpd, on the same machine) is no longer accessible, so I added port 80 in another two entries, one for tcp and one for udp, but it's still not working, either. But it, too, works fine when the script is stopped.
I've been decoding this script using the iptables man page (I'm not fluent in iptable speak yet) and it all seems to _me_ like it should work! If you do have any further suggestions, I'll much appreciate them :)
-ADAM
Re: HOWTO: Set a custom firewall (iptables) and Tips
Hi, I have installed a DC client, Linux DC++ version 0.674, and when I want to connect to a hub with it, I don't connect directly to the internet, but I use a passive connection, due to the fact that my internet comes through my roommate's computer (who has shared his internet connection with me). Because of this I cannot set Linux DC to use certain ports, so I don't think I can set the ports for this program through the iptables. Tried with firestarter and guarddog, but haven't succeeded...:(....The thing is that Linux DC connects to the hub, but when somebody tries to get something from me, the application shuts down my internet connection and I have to reboot again and again and again....Can anyone help me with this, 'cause I'm a little lost...:(
Re: HOWTO: Set a custom firewall (iptables) and Tips
Quote:
Originally Posted by
adamonline
Frodon,
Thanks for the reply.
I added that line and it still doesn't work.
iptables -L shows both of those entries under the TRUSTED chain, if that helps.
I've also noticed that my http server (thttpd, on the same machine) is no longer accessible, so I added port 80 in another two entries, one for tcp and one for udp, but it's still not working, either. But it, too, works fine when the script is stopped.
I've been decoding this script using the iptables man page (I'm not fluent in iptable speak yet) and it all seems to _me_ like it should work! If you do have any further suggestions, I'll much appreciate them :)
-ADAM
Yes, it should work. Replace the --dport option by --sport just to see if that is the issue, but it should have worked like that, even for your http server.
Paste your whole firewall script here; I'll have a look at it and see if it misses something from what I know.
Re: HOWTO: Set a custom firewall (iptables) and Tips
Quote:
Originally Posted by
frodon
Yes, it should work. Replace the --dport option by --sport just to see if that is the issue, but it should have worked like that, even for your http server.
Paste your whole firewall script here; I'll have a look at it and see if it misses something from what I know.
Here's the script:
Code:
#!/bin/bash
# No spoofing
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > $filtre
    done
fi
# No icmp
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#load some modules you may need
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe iptable_filter
modprobe iptable_nat
# Remove all rules and chains
iptables -F
iptables -X
# first set the default behaviour => accept connections
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Create 2 chains, it allows to write a clean script
iptables -N FIREWALL
iptables -N TRUSTED
# Allow ESTABLISHED and RELATED incoming connection
iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# I added this for debugging purposes, don't know entirely what it means though...
iptables -A FIREWALL -i eth0 -m state --state NEW,INVALID -j ACCEPT
# Allow loopback traffic
iptables -A FIREWALL -i lo -j ACCEPT
# Send all package to the TRUSTED chain
iptables -A FIREWALL -j TRUSTED
# DROP all other packets
iptables -A FIREWALL -j DROP
# Send all INPUT packets to the FIREWALL chain
iptables -A INPUT -j FIREWALL
# DROP all forward packets, we don't share internet connection in this example
iptables -A FORWARD -j DROP
# Allow https
iptables -A TRUSTED -i eth0 -p udp -m udp --sport 443 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 443 -j ACCEPT
# Allow SSH # I added this, and...
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 22 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m udp --sport 22 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 22 -j ACCEPT
# Allow amule
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 5349 -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 5351 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 5348 -j ACCEPT
# Allow IRC IDENT & DCC
iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 6667 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 113 -j ACCEPT
# Allow bittorrent
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 6881:6889 -j ACCEPT
# Allow httpd # ...I added this...
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 80 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m udp --sport 80 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT
# End message
echo " [End iptables rules setting]"
I added a few things, as you can see. Accepting NEW and INVALID packets (for debugging purposes), allowing ssh port 22, and allowing http port 80; both udp and tcp, and both sport and dport.
I am using the default ports for both the http and ssh daemons.
Any thoughts, Frodon? And thanks again :D
EDIT: apt-get update didn't work either! But it did when I disabled the firewall. That's weird; it works fine on THIS computer and I have the same script, but without the changes you see here.
Here's the output of iptables -L:
Code:
Chain FIREWALL (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state INVALID,NEW
ACCEPT all -- anywhere anywhere
TRUSTED all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
FIREWALL all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain TRUSTED (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp spt:https
ACCEPT tcp -- anywhere anywhere tcp spt:https
ACCEPT udp -- anywhere anywhere udp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp spt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:5349
ACCEPT udp -- anywhere anywhere udp dpt:5351
ACCEPT tcp -- anywhere anywhere tcp dpt:5348
ACCEPT tcp -- anywhere anywhere tcp spt:ircd
ACCEPT tcp -- anywhere anywhere tcp spt:auth
ACCEPT tcp -- anywhere anywhere tcp dpts:6881:6889
ACCEPT udp -- anywhere anywhere udp dpt:www
ACCEPT tcp -- anywhere anywhere tcp dpt:www
ACCEPT udp -- anywhere anywhere udp spt:www
ACCEPT tcp -- anywhere anywhere tcp spt:www
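Reading an `iptables -L` listing by eye is error-prone, and plain `-L` hides the `-i`/`-o` interface columns (use `iptables -L -v` to see them), which is why the loopback rule in the FIREWALL chain above appears as an unconditional accept. The following audit script is an added example, not code from this thread or from the guide it discusses: it reads a plain `iptables -L` listing and reports rules that accept everything before the TRUSTED chain is consulted, rules that accept packets in INVALID state, and built-in chains left with policy ACCEPT. The embedded sample listing is constructed from the one posted above; on a live system pipe `iptables -L` into `audit_listing` instead.

```bash
#!/bin/sh
# Added example (not from the thread): audit a plain `iptables -L` listing
# for rules that make later rules unreachable or that accept INVALID state.
# Assumes plain `iptables -L` column layout (target prot opt source destination ...),
# not the wider `-L -v` layout.

# Constructed sample, modelled on the listing posted in the thread.
SAMPLE='Chain FIREWALL (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state INVALID,NEW
ACCEPT all -- anywhere anywhere
TRUSTED all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
FIREWALL all -- anywhere anywhere
Chain TRUSTED (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh'

# audit_listing: reads a listing on stdin and prints one finding per line:
#   CATCHALL <chain> <rule#>  ACCEPT all anywhere->anywhere with no match text;
#                             a bare "-i lo" rule looks like this under plain -L,
#                             so confirm with -L -v before trusting the listing
#   INVALID  <chain> <rule#>  ACCEPT rule whose state list includes INVALID
#   DEFAULT  <chain>          built-in chain whose policy is ACCEPT
audit_listing() {
  awk '
    /^Chain / {
      chain = $2; n = 0
      if ($3 == "(policy" && $4 == "ACCEPT)") print "DEFAULT " chain
      next
    }
    /^target / { next }        # column header line
    NF == 0 { next }           # blank separator line
    {
      n++                      # rule number within the current chain
      if ($1 != "ACCEPT") next
      if ($2 == "all" && $4 == "anywhere" && $5 == "anywhere" && NF == 5)
        print "CATCHALL " chain " " n
      if ($0 ~ /state [A-Z,]*INVALID/) print "INVALID " chain " " n
    }
  '
}

# audit_sample: run the audit over the constructed listing above.
audit_sample() { printf '%s\n' "$SAMPLE" | audit_listing; }

audit_sample
```

Run against the listing above it reports the NEW,INVALID rule (rule 2 of FIREWALL) and the apparent catch-all (rule 3), plus INPUT's ACCEPT policy. With the NEW,INVALID rule in place on eth0, every packet arriving on that interface is accepted before the TRUSTED chain or the final DROP is ever reached, so the rules added to TRUSTED cannot be what decides whether SSH or HTTP gets through.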
Re: HOWTO: Set a custom firewall (iptables) and Tips
Quote:
Originally Posted by
dustman
Hi, I have installed a DC client, Linux DC++ version 0.674, and when I want to connect to a hub with it, I don't connect directly to the internet, but I use a passive connection, due to the fact that my internet comes through my roommate's computer (who has shared his internet connection with me). Because of this I cannot set Linux DC to use certain ports, so I don't think I can set the ports for this program through the iptables. Tried with firestarter and guarddog, but haven't succeeded...:(....The thing is that Linux DC connects to the hub, but when somebody tries to get something from me, the application shuts down my internet connection and I have to reboot again and again and again....Can anyone help me with this, 'cause I'm a little lost...:(
Hi Dustman,
I don't know if I can help you too greatly since I'm not familiar with DC. It sounds to me though that your internet packets have to go through your roommate's firewall before they even get to your firewall. So (I THINK) you could open all ports on your firewall and still not get anything that can't get through his. He can open the ports that you need to receive on _his_ firewall, and in theory, you could then access those ports. If he doesn't want to leave that port open on his computer, he can set it so the port gets forwarded to your computer. If he's using Windows, I don't know how that could be done. If he's using Linux, well, I'll do the best I can with my limited understanding:
If he's using Linux AND this script, he would have to change the line that blocks port forwarding from iptables -A FORWARD -j DROP to iptables -A FORWARD -j ACCEPT and add a block like this in the area just before "# End message":
Code:
# Allow DC
# These will allow all traffic to your computer on the specified port
# (inbound from the internet on eth0, heading out to your machine on eth1)
iptables -A TRUSTED -i eth0 -o eth1 -p udp -m udp --sport <port#> -j ACCEPT
iptables -A TRUSTED -i eth0 -o eth1 -p tcp -m tcp --sport <port#> -j ACCEPT
iptables -A TRUSTED -i eth0 -o eth1 -p udp -m udp --dport <port#> -j ACCEPT
iptables -A TRUSTED -i eth0 -o eth1 -p tcp -m tcp --dport <port#> -j ACCEPT
This assumes his eth0 faces the internet, and his eth1 faces your computer. It's a gross method, as it probably opens more ports on more protocols than needed, but it might work. I believe that it will only allow the packets to go through that port that are en route to your machine, due to the "-o eth1", so he should still be secured on that port. As an added boost to his security, he can specify that only things en-route to your ip are accepted on those protocols and ports, by adding the parameter -d your.ip.addy.here. If he's just using Linux without this script, he should replace all the TRUSTED in the above code block with FORWARD and enter the lines one by one at the command line.
Again, I would like to stress that I know just enough to be dangerous and can't even get my own problem fixed :D But I've been doing a helluva lot of research on iptables and that is the best advice I can give; hopefully it will make a good starting point and if anything's incorrect there somebody can chime in.
If possible, you can try disabling his firewall for a short period and seeing if you can then receive packets on the port you need. If so, then you know his firewall is stopping the packets from even reaching your firewall :)
As for why your internet connection stops and you have to restart... Well, that sounds unrelated to this script. It could be a bug in Linux DC; something that doesn't handle closed ports well. I don't know, that's the part I can't help with ;)
Good luck!
-ADAM
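The post above opens the gateway's FORWARD chain wholesale and then accepts a port by source or destination on both protocols. A narrower way to pass one port through a Linux gateway to a machine behind it is to DNAT that port in the nat table and accept only that flow (plus replies) in FORWARD, leaving the FORWARD policy at DROP. The script below is an added example, not the thread's or the guide's own code; it assumes a WAN interface eth0, a LAN interface eth1, an inside host 192.168.1.10 and TCP/UDP port 4000, all of which are constructed placeholders to be replaced. It prints the rules it would apply unless invoked with `apply`, so it can be reviewed without root.

```bash
#!/bin/sh
# Added example (not from the thread): forward one port through a Linux
# gateway to a host behind it, with a dry-run mode for review.
# Assumed placeholders: WAN=eth0, LAN=eth1, INSIDE=192.168.1.10, PORT=4000.
WAN=eth0
LAN=eth1
INSIDE=192.168.1.10
PORT=4000

# ipt: run iptables, or just print the command when DRY_RUN=1.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

# forward_port PROTO: rewrite the WAN-side destination to INSIDE and allow
# only new connections to that host and port through FORWARD.
forward_port() {
  proto=$1
  ipt -t nat -A PREROUTING -i "$WAN" -p "$proto" --dport "$PORT" \
      -j DNAT --to-destination "$INSIDE:$PORT"
  ipt -A FORWARD -i "$WAN" -o "$LAN" -p "$proto" -d "$INSIDE" --dport "$PORT" \
      -m state --state NEW -j ACCEPT
}

# gateway_rules: the complete FORWARD/NAT rule set for the gateway.
gateway_rules() {
  ipt -P FORWARD DROP                                    # default: forward nothing
  ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT           # LAN hosts may go out
  forward_port tcp
  forward_port udp
  ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE      # hide LAN behind WAN address
}

# count_rules: number of rules the set contains (computed in dry-run mode).
count_rules() { (DRY_RUN=1; gateway_rules) | wc -l | tr -d ' '; }

case "${1:-}" in
  apply)
    echo 1 > /proc/sys/net/ipv4/ip_forward   # routing must be on for FORWARD to see traffic
    gateway_rules
    ;;
  *)
    (DRY_RUN=1; gateway_rules)
    ;;
esac
```

Because the DNAT rule runs before routing, the FORWARD rule can match on the inside host's address rather than on the gateway's, so only traffic bound for that one host and port is let in; the gateway's own services on that port stay covered by its INPUT rules. Run `sh forward.sh` to preview, `sudo sh forward.sh apply` to install.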
Re: HOWTO: Set a custom firewall (iptables) and Tips
This guide was very helpful. I got everything up and running in just a few minutes and it works very well.
Thanks so much for writing this! :D
Quote:
Originally Posted by
frodon
It should be easier to read the guide on the UDSF:
http://doc.gwos.org/index.php/IptablesFirewall
3.1-The firewall script
This example will fit the needs of most users; it blocks all incoming and forward traffic and allows: web browsers, https, amule, bittorrent, ftp, gaim, IRC, mail protocols (smtp, pop, imap).
Blocking outgoing access is not needed (incoming is enough).
* We create 2 chains: the first is called FIREWALL and the second is called TRUSTED.
FIREWALL chain: this chain will allow related and established incoming connections (eth0 interface), then send all other packets to the TRUSTED chain and DROP all the rest. We will send all INPUT packets to this chain.
TRUSTED chain: in this chain you will add all the ports you may need to open, depending on what you use on your computer.
Now create the firewall script:
Code:
sudo gedit /etc/firewall.bash
Minor correction:
I would use gksudo for graphical editors:
Code:
gksudo gedit /etc/firewall.bash
I know it likely won't harm anything to use sudo, but it's just in the interest of being consistent: terminal commands use sudo; graphical programs use gksudo.
See http://www.psychocats.net/ubuntu/graphicalsudo