Hello, this is a great tool! I send people to it all the time from IRC.
Here's a question that I figured I'd find answered in these last 9 pages, but did not: How do I allow SSH in?
As it is, on my ssh server, /etc/firewall.bash is just like in the example, but I have added this line between the sections labeled "# Allow https" and "# Allow amule".
I've found a few resources from Google about configuring iptables for SSH, but I get confused because I don't fully understand chains and how they're used in this script.
Code:
# Allow SSH
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
I know the problem is somewhere in /etc/firewall.bash, because when I stop the firewall by typing "sudo /etc/init.d/firewall stop", I can SSH into the machine.
Can anyone tell me how to get SSH working?
Be careful, ssh uses both tcp and udp, so you need to add a line for the udp protocol on port 22. So add the following line and tell me if it works now; if not, I'll search a little bit:
Code:
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 22 -j ACCEPT
Thanks for the reply.
I added that line and it still doesn't work.
iptables -L shows both of those entries under the TRUSTED chain, if that helps.
I've also noticed that my http server (thttpd, on the same machine) is no longer accessible, so I added port 80 in another two entries, one for tcp and one for udp, but it's still not working, either. But it, too, works fine when the script is stopped.
I've been decoding this script using the iptables man page (I'm not fluent in iptables speak yet) and it all seems to _me_ like it should work! If you do have any further suggestions, I'll much appreciate them.
Hi, I have installed a DC client, Linux DC++ version 0.674, and when I want to connect to a hub with it, I don't connect directly to the internet, but I use a passive connection, due to the fact that my internet comes through my roommate's computer (who has shared his internet connection with me). Because of this I cannot set Linux DC to use certain ports, so I don't think I can set the ports for this program through iptables. Tried with firestarter and guarddog, but haven't succeeded... The thing is that Linux DC connects to the hub, but when somebody tries to get something from me, the application shuts down my internet connection and I have to reboot again and again and again... Can anyone help me with this, cause I'm a little lost...
Last edited by frodon; January 28th, 2007 at 04:28 PM.
I added a few things, as you can see. Accepting NEW and INVALID packets (for debugging purposes), allowing ssh port 22, and allowing http port 80; both udp and tcp, and both sport and dport.
Code:
#!/bin/bash

# No spoofing
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > $filtre
    done
fi

# No icmp
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Load some modules you may need
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe iptable_filter
modprobe iptable_nat

# Remove all rules and chains
iptables -F
iptables -X

# First set the default behaviour => accept connections
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Create 2 chains, it allows us to write a clean script
iptables -N FIREWALL
iptables -N TRUSTED

# Allow ESTABLISHED and RELATED incoming connections
iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# I added this for debugging purposes, don't know entirely what it means though...
iptables -A FIREWALL -i eth0 -m state --state NEW,INVALID -j ACCEPT

# Allow loopback traffic
iptables -A FIREWALL -i lo -j ACCEPT

# Send all packets to the TRUSTED chain
iptables -A FIREWALL -j TRUSTED

# DROP all other packets
iptables -A FIREWALL -j DROP

# Send all INPUT packets to the FIREWALL chain
iptables -A INPUT -j FIREWALL

# DROP all forwarded packets, we don't share an internet connection in this example
iptables -A FORWARD -j DROP

# Allow https
iptables -A TRUSTED -i eth0 -p udp -m udp --sport 443 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 443 -j ACCEPT

# Allow SSH
# I added this, and...
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 22 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m udp --sport 22 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 22 -j ACCEPT

# Allow amule
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 5349 -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 5351 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 5348 -j ACCEPT

# Allow IRC IDENT & DCC
iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 6667 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 113 -j ACCEPT

# Allow bittorrent
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 6881:6889 -j ACCEPT

# Allow httpd
# ...I added this...
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 80 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m udp --sport 80 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT

# End message
echo " [End iptables rules setting]"
I am using the default ports for both the http and ssh daemons.
Any thoughts, Frodon? And thanks again
EDIT: apt-get update didn't work, either! But did when I disabled the firewall. That's weird, it works fine on THIS computer and I have the same script, but without the changes you see here.
Here's the output of iptables -L:
Code:
Chain FIREWALL (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state INVALID,NEW
ACCEPT     all  --  anywhere             anywhere
TRUSTED    all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
FIREWALL   all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain TRUSTED (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp spt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:https
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp spt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5349
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5351
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5348
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ircd
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:auth
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:6881:6889
ACCEPT     udp  --  anywhere             anywhere             udp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     udp  --  anywhere             anywhere             udp spt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:www
Last edited by adamonline; January 29th, 2007 at 12:22 AM. Reason: Added more info.
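An added example from the editor, not the thread's script and not the guide's: the shape of an INPUT policy that admits inbound SSH and HTTP and keeps everything else closed, written so the rules are emitted for review before anything is applied as root. Two points it encodes that the posts above do not: ssh is TCP only, so udp/22 rules buy nothing; and an ACCEPT keyed on `--sport` (the "Allow https" lines) admits any remote host that chooses 443 as its source port, while genuine replies are already covered by the ESTABLISHED,RELATED rule. The interface name eth0, sshd on 22/tcp and the web server on 80/tcp are assumptions. Note that every `-i eth0` rule is a silent no-match if the Internet-facing interface has another name, and the trailing DROP then takes all traffic; the script as posted accepts every connection state on eth0 before TRUSTED is consulted, so the interface name is the first thing to verify.

```bash
#!/bin/bash
# Added example, not the thread's script. Assumptions: Internet-facing
# interface eth0, sshd on 22/tcp, httpd on 80/tcp. Override via environment.
WAN_IF="${WAN_IF:-eth0}"
SSH_PORT="${SSH_PORT:-22}"
HTTP_PORT="${HTTP_PORT:-80}"

# Emit the INPUT rule set, one iptables command per line, in apply order.
# Policy ACCEPT is set before the flush and DROP only after the ESTABLISHED
# rule exists, so an admin's own ssh session survives a reload.
# SSH is TCP only; no udp/22 rule is needed. Nothing is keyed on --sport.
firewall_rules() {
  cat <<EOF
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport $HTTP_PORT -m state --state NEW -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Does the interface the rules key on exist on this host? A wrong name makes
# every "-i $WAN_IF" rule a no-match and the DROP policy eats all traffic.
iface_exists() {
  [ -e "/sys/class/net/$1" ]
}

# Lint a rule list on stdin: print ACCEPT rules that match only a source
# port with no --state qualifier. The remote end picks its source port, so
# such a rule is an open door, not a reply filter.
lint_sport_accepts() {
  grep -E -e '--sport[[:space:]]+[0-9]+' | grep -E -e '-j[[:space:]]+ACCEPT' | grep -E -v -e '--state' || true
}

# Constructed sample in the style of the thread's script, for the lint check.
sample_rules() {
  printf '%s\n' \
    'iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 443 -j ACCEPT' \
    'iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT' \
    'iptables -A INPUT -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT'
}

# "show" prints the rules for review; "apply" runs them (root required);
# "lint" reads a rule file on stdin, e.g. lint < /etc/firewall.bash.
case "${1:-}" in
  show)  firewall_rules ;;
  apply) firewall_rules | sh -e ;;
  lint)  lint_sport_accepts ;;
esac
```

Run `bash firewall.sh show` and check the emitted lines before `sudo bash firewall.sh apply`; `bash firewall.sh lint < /etc/firewall.bash` flags the source-port ACCEPTs in an existing script.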
I don't know if I can help you too greatly since I'm not familiar with DC. It sounds to me, though, that your internet packets have to go through your roommate's firewall before they even get to your firewall. So (I THINK) you could open all ports on your firewall and still not get anything that can't get through his. He can open the ports that you need to receive on _his_ firewall, and in theory you could then access those ports. If he doesn't want to leave that port open on his computer, he can set it so the port gets forwarded to your computer. If he's using Windows, I don't know how that could be done. If he's using Linux, well, I'll do the best I can with my limited understanding:
If he's using Linux AND this script, he would have to change the line that blocks port forwarding from "iptables -A FORWARD -j DROP" to "iptables -A FORWARD -j ACCEPT" and add a block like this in the area just before "# End message":
Code:
# Allow DC
# These will allow all traffic to your computer on the specified port
# Note: -o is only accepted in the FORWARD and OUTPUT chains; TRUSTED is
# reached from INPUT, so iptables rejects these lines there. Put them in
# FORWARD instead (see below).
iptables -A TRUSTED -i eth0 -o eth1 -p udp -m udp --sport <port#> -j ACCEPT
iptables -A TRUSTED -i eth0 -o eth1 -p tcp -m tcp --sport <port#> -j ACCEPT
iptables -A TRUSTED -i eth0 -o eth1 -p udp -m udp --dport <port#> -j ACCEPT
iptables -A TRUSTED -i eth0 -o eth1 -p tcp -m tcp --dport <port#> -j ACCEPT
This assumes his eth0 faces the internet, and his eth1 faces your computer. It's a gross method, as it probably opens more ports on more protocols than needed, but it might work. I believe that it will only allow the packets through that port that are en route to your machine, due to the "-o eth1", so he should still be secured on that port. As an added boost to his security, he can specify that only things en route to your IP are accepted on those protocols and ports, by adding the parameter -d your.ip.addy.here. If he's just using Linux without this script, he should replace all the TRUSTED in the above code block with FORWARD and enter the lines one by one at the command line.
Again, I would like to stress that I know just enough to be dangerous and can't even get my own problem fixed. But I've been doing a helluva lot of research on iptables and that is the best advice I can give; hopefully it will make a good starting point, and if anything's incorrect there somebody can chime in.
If possible, you can try disabling his firewall for a short period and seeing if you can then receive packets on the port you need. If so, then you know his firewall is stopping the packets from even reaching your firewall.
As for why your internet connection stops and you have to restart... Well, that sounds unrelated to this script. It could be a bug in Linux DC; something that doesn't handle closed ports well. I don't know, that's the part I can't help with.
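An added example from the editor, not code from the thread: on the roommate's box, traffic destined for another host never traverses INPUT, so the FIREWALL and TRUSTED chains above never see it. A port forward needs a DNAT rule in the nat table's PREROUTING chain to rewrite the destination, an ACCEPT in the filter table's FORWARD chain (the only chain besides OUTPUT where `-o` is valid), and ip_forward enabled. eth0 facing the Internet, eth1 facing the LAN, the LAN address and the port are all placeholders passed in as parameters. The FORWARD rules are inserted with `-I` so they land above the guide's `iptables -A FORWARD -j DROP`; appending with `-A` would put them below the DROP where they can never match.

```bash
#!/bin/bash
# Added example, not from the thread. Assumptions: eth0 faces the Internet,
# eth1 faces the LAN host; the LAN address and port are parameters.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"

# Validate a TCP/UDP port number (1-65535); non-zero exit otherwise.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Emit the commands that forward one port to a LAN host:
#   port_forward_rules <lan_ip> <port>
# DNAT in nat/PREROUTING rewrites the destination; the filter decision is
# made in FORWARD, scoped to the inbound interface, outbound interface,
# LAN address and port so only that host on that port is reachable.
# -I FORWARD 1 places each rule above an existing "-A FORWARD -j DROP".
port_forward_rules() {
  lan_ip=$1 port=$2
  valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $port -j DNAT --to-destination $lan_ip:$port
iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport $port -j DNAT --to-destination $lan_ip:$port
iptables -I FORWARD 1 -i $WAN_IF -o $LAN_IF -d $lan_ip -p tcp --dport $port -m state --state NEW -j ACCEPT
iptables -I FORWARD 1 -i $WAN_IF -o $LAN_IF -d $lan_ip -p udp --dport $port -j ACCEPT
iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# "show <lan_ip> <port>" prints the commands; "apply <lan_ip> <port>" runs
# them (root required).
case "${1:-}" in
  show)  port_forward_rules "$2" "$3" ;;
  apply) port_forward_rules "$2" "$3" | sh -e ;;
esac
```

`bash forward.sh show 192.168.0.2 4112` prints the six commands for review; replies to the forwarded connection return through the ESTABLISHED,RELATED rule, which ends up first in FORWARD because it is inserted last.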
This guide was very helpful. I got everything up and running in just a few minutes and it works very well.
Thanks so much for writing this!
I would use gksudo for graphical editors:
Code:
gksudo gedit /etc/firewall.bash
I know it likely won't harm anything to use sudo, but it's just in the interest of being consistent: terminal commands use sudo; graphical programs use gksudo.