Page 3 of 29, results 21 to 30 of 286

Thread: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

  1. #21
    Join Date
    May 2006
    Beans
    97

    Re: HOWTO: Set a custom firewall (iptables) and Tips

I have copied the firewall from here.

Edit: but I got the same results when I used the one from USFC.

Here is the exact script:
    Last edited by dolby; July 27th, 2006 at 02:43 PM.

  2. #22
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

I just tested the script given in the guide again, and the result on the Sygate site is all ports BLOCKED.

    I wonder what would make the difference for you.

  3. #23
    Join Date
    May 2006
    Beans
    97

    Re: HOWTO: Set a custom firewall (iptables) and Tips

Did you run the quick scan? What about the trojan ports? Did they turn up as stealthed?

  4. #24
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

All ports BLOCKED with the quick scan and the example I gave.

When you do a "sudo iptables -L", do you see all the rules?

  5. #25
    Join Date
    May 2006
    Beans
    97

    Re: HOWTO: Set a custom firewall (iptables) and Tips

As far as I can tell, yes I do.

  6. #26
    Join Date
    Jul 2006
    Beans
    103

    Re: HOWTO: Set a custom firewall (iptables) and Tips

This is the script I am running: it's the same one you posted, but with eth0 replaced by ppp0.
Code:
#!/bin/bash
# Run as root: it writes to /proc/sys and calls iptables.
# ppp0 is the PPP link that carries the internet connection on this machine.

# No spoofing: enable reverse-path filtering on every interface
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > "$filtre"
    done
fi

# No icmp: ignore echo requests (ping), including broadcast pings
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# load some modules you may need
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe iptable_filter
modprobe iptable_nat

# Remove all rules and chains
iptables -F
iptables -X

# first set the default behaviour => accept connections
# (INPUT is handed to FIREWALL below, which ends in an unconditional DROP,
# so these policies only apply to packets that never reach a terminating rule)
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

# Create 2 chains; this keeps the script clean
iptables -N FIREWALL
iptables -N TRUSTED

# Allow ESTABLISHED and RELATED incoming packets (replies to connections we started)
iptables -A FIREWALL -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE: nothing in this script accepts loopback (-i lo) traffic, so local
# services that talk to 127.0.0.1 fall through to the DROP below.
# Send all packets to the TRUSTED chain
iptables -A FIREWALL -j TRUSTED
# DROP all other packets (silently: no RST is sent, which is what a scanner reports as stealth/BLOCKED)
iptables -A FIREWALL -j DROP

# Send all INPUT packets to the FIREWALL chain
iptables -A INPUT -j FIREWALL
# DROP all forwarded packets, we don't share the internet connection in this example
iptables -A FORWARD -j DROP

# Allow https
# (these match the remote *source* port, so any host sending from port 443 can
# reach any local port; the ESTABLISHED rule above already covers the replies to
# our own HTTPS connections)
iptables -A TRUSTED -i ppp0 -p udp -m udp --sport 443 -j ACCEPT
iptables -A TRUSTED -i ppp0 -p tcp -m tcp --sport 443 -j ACCEPT

# Allow amule (incoming connections to aMule's listening ports)
iptables -A TRUSTED -i ppp0 -p udp -m udp --dport 5349 -j ACCEPT
iptables -A TRUSTED -i ppp0 -p udp -m udp --dport 5351 -j ACCEPT
iptables -A TRUSTED -i ppp0 -p tcp -m tcp --dport 5348 -j ACCEPT

# Allow IRC IDENT & DCC (again matched on the remote source port)
iptables -A TRUSTED -i ppp0 -p tcp -m tcp --sport 6667 -j ACCEPT
iptables -A TRUSTED -i ppp0 -p tcp -m tcp --sport 113 -j ACCEPT

# Allow bittorrent (incoming connections to the client's listening port range)
iptables -A TRUSTED -i ppp0 -p tcp -m tcp --dport 6881:6889 -j ACCEPT

# End message
echo " [End iptables rules setting]"

  7. #27
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

dolby & Roque, the only thing IMO that could make the difference is the device you use as network controller; for me it's eth0. If you put something wrong there, the rules may be applied to a network controller which doesn't handle your internet connection.
If you want to be sure, you can remove all the "-i eth0" options; thus the rules will be applied to all the network controllers you have.

  8. #28
    Join Date
    Jul 2006
    Beans
    103

    Re: HOWTO: Set a custom firewall (iptables) and Tips

    frodon,

Sorry for the delay. I did as you said and removed all the -i eth0 entries, but Sygate keeps reporting CLOSED instead of BLOCKED in the stealth test.

    Confusing stuff.

  9. #29
    Join Date
    Jul 2006
    Beans
    11

    Re: HOWTO: Set a custom firewall (iptables) and Tips

Hi,
can we merge two different rulesets?

Like this:

iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 22 -s 10.11.1.87 -j ACCEPT


Here is what I am trying to do:
1. if the source port is 22
2. and the source IP is 10.11.1.87

anything else will be dropped by the script.


Thanks in advance.

  10. #30
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips

Huh, that's a good question!

I never did that; however, you should write it like this:
Code:
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 22 -s 10.11.1.87 -j ACCEPT
Note that I changed sport to dport.
    Last edited by frodon; August 1st, 2006 at 03:46 PM.
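The two questions in posts #27 and #30 (does a rule bound to the wrong interface change what a scanner sees, and do `--dport 22` and `-s 10.11.1.87` in one rule combine as an AND) can both be answered by walking the chains the way the kernel does. The following is an added example, not code from the thread or from the guide: a small evaluator for the `iptables-save` form of the rules, using only the Python standard library. The ruleset is the script from post #26 transcribed as posted (so it has no loopback rule); the combined rule is frodon's from post #30; the function names (`parse_rules`, `walk`, `input_verdict`, `packet`), the scanner address 203.0.113.5 and the port numbers in the probes are assumptions made here. Only the matches the script uses are modelled (`-i`, `-p`, `-s`, `--dport`, `--sport`, `-m state --state`).

```python
import ipaddress
import shlex

# Ruleset of the script in post #26, transcribed into iptables-save syntax.
# Reproduced as posted: note that nothing accepts loopback (-i lo) traffic.
RULES_FROM_THREAD = """
-A INPUT -j FIREWALL
-A FORWARD -j DROP
-A FIREWALL -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FIREWALL -j TRUSTED
-A FIREWALL -j DROP
-A TRUSTED -i ppp0 -p udp -m udp --sport 443 -j ACCEPT
-A TRUSTED -i ppp0 -p tcp -m tcp --sport 443 -j ACCEPT
-A TRUSTED -i ppp0 -p udp -m udp --dport 5349 -j ACCEPT
-A TRUSTED -i ppp0 -p udp -m udp --dport 5351 -j ACCEPT
-A TRUSTED -i ppp0 -p tcp -m tcp --dport 5348 -j ACCEPT
-A TRUSTED -i ppp0 -p tcp -m tcp --sport 6667 -j ACCEPT
-A TRUSTED -i ppp0 -p tcp -m tcp --sport 113 -j ACCEPT
-A TRUSTED -i ppp0 -p tcp -m tcp --dport 6881:6889 -j ACCEPT
"""

# The combined rule from post #30: every match on the line must hold (logical AND).
SSH_FROM_ONE_HOST = "-A TRUSTED -i eth0 -p tcp -m tcp --dport 22 -s 10.11.1.87 -j ACCEPT\n"

# Chain policies set by the script with `iptables -P ... ACCEPT`.
POLICIES = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"}

SUPPORTED = ("-i", "-p", "-s", "--dport", "--sport", "--state", "-j")


def parse_rules(text):
    """Return {chain: [rule, ...]} in file order; a rule is a dict option -> value."""
    chains = {}
    for line in text.strip().splitlines():
        toks = shlex.split(line)
        if not toks or toks[0] != "-A":
            continue
        rule, it = {}, iter(toks[2:])
        for tok in it:
            if tok == "-m":            # match-extension name (tcp/udp/state): nothing to keep
                next(it)
            elif tok in SUPPORTED:
                rule[tok] = next(it)
            else:
                raise ValueError("unsupported option %r in %r" % (tok, line))
        chains.setdefault(toks[1], []).append(rule)
    return chains


def _port_in(spec, port):
    """True if port lies in 'N' or in the range 'LO:HI'."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule, pkt):
    """Every option present in the rule must match the packet (AND semantics)."""
    if "-i" in rule and rule["-i"] != pkt["iface"]:
        return False
    if "-p" in rule and rule["-p"] != pkt["proto"]:
        return False
    if "-s" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["-s"], strict=False):
        return False
    if "--dport" in rule and not _port_in(rule["--dport"], pkt["dport"]):
        return False
    if "--sport" in rule and not _port_in(rule["--sport"], pkt["sport"]):
        return False
    if "--state" in rule and pkt["state"] not in rule["--state"].split(","):
        return False
    return True


def walk(chains, chain, pkt, depth=0):
    """Evaluate a chain top to bottom; return a verdict, or None if it falls through."""
    if depth > 16:
        raise RuntimeError("chain jump loop at %s" % chain)
    for rule in chains.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        target = rule.get("-j")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        if target is not None:                      # jump into a user-defined chain
            sub = walk(chains, target, pkt, depth + 1)
            if sub is not None:
                return sub
    return None


def input_verdict(rules_text, pkt):
    """Verdict for a locally delivered packet: INPUT chain, then the INPUT policy."""
    v = walk(parse_rules(rules_text), "INPUT", pkt)
    return v if v is not None else POLICIES["INPUT"]


def packet(iface="ppp0", proto="tcp", dport=80, sport=40000, src="203.0.113.5", state="NEW"):
    """Constructed packet; the defaults model an external scanner's SYN (conntrack state NEW)."""
    return dict(iface=iface, proto=proto, dport=dport, sport=sport, src=src, state=state)


if __name__ == "__main__":
    merged = RULES_FROM_THREAD + SSH_FROM_ONE_HOST
    cases = [
        ("bittorrent SYN on ppp0", RULES_FROM_THREAD, packet(dport=6881)),
        ("ssh SYN on ppp0", RULES_FROM_THREAD, packet(dport=22)),
        ("bittorrent SYN on eth0 (rules say ppp0)", RULES_FROM_THREAD, packet(iface="eth0", dport=6881)),
        ("local service over loopback", RULES_FROM_THREAD, packet(iface="lo", src="127.0.0.1", dport=631)),
        ("ssh from 10.11.1.87 on eth0", merged, packet(iface="eth0", dport=22, src="10.11.1.87")),
        ("ssh from 10.11.1.88 on eth0", merged, packet(iface="eth0", dport=22, src="10.11.1.88")),
    ]
    for label, rules, pkt in cases:
        print("%-42s -> %s" % (label, input_verdict(rules, pkt)))
```

Three things fall out of running it. The combined rule accepts port 22 only when the source is 10.11.1.87 and the packet arrives on eth0; any other source, or the same source on ppp0, falls through to the DROP at the end of FIREWALL. A probe that arrives on an interface the rules do not name is dropped as well, because that final `-j DROP` carries no `-i`. And loopback traffic is dropped too, so a `-i lo -j ACCEPT` rule ahead of the DROP is needed if local services are to reach each other. A scanner reports a port as CLOSED when a TCP RST comes back; a ruleset whose last word is DROP sends nothing, which is what the Sygate test labels BLOCKED.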

