Re: iptables downloaded, set-up info


Subject: Re: iptables downloaded, set-up info
From: Åke Svensson (aakesve@algonet.se)
Date: Mon Mar 04 2002 - 21:18:38 MST


Hi Ralph!

Iptables-1.2.5 should be fairly easy to install. Take a look inside the
INSTALL file after you've unpacked the tarball; it says:

1) Next, make the package.
        % make KERNEL_DIR=<<where-your-kernel-is>>

2) Finally, you need to install the shared libraries, and the binary:
        # make install KERNEL_DIR=<<where-your-kernel-is>>

I used '/boot' for the above and it worked. I didn't go for the experimental
'patch-o-matic' things which needed a kernel compile.

You must also make sure that the old ipchains isn't active because you
can't have both ipchains and iptables active at the same time. Try
'chkconfig --del ipchains'

Then try this: load the NAT module (this pulls in all the others):
       modprobe iptable_nat
This can be put into your '/etc/rc.d/rc.local'.

Check the modules with 'lsmod'; it could look something like this:

Module                  Size  Used by
....
iptable_filter          2080   0  (autoclean) (unused)
ipt_REJECT              3760   0  (unused)
ipt_MASQUERADE          2368   1
iptable_nat            24480   0  [ipt_MASQUERADE]
ip_conntrack           25648   1  [ipt_MASQUERADE iptable_nat]
ip_tables              16272   6  [iptable_filter ipt_REJECT ipt_MASQUERADE iptable_nat]
....

For permanent iptables service try 'chkconfig --level 235 iptables on'.
'235' are the runlevels.

Then you're all set for doing firewalling/gatewaying and some routing as well.
I think it's great! (check the modules though, I'm not sure of their
dependencies)

Here's a simple example (unfortunately I don't remember where I got it):
iptables:

"Deny a specific host:
iptables -I INPUT -s XXX.XXX.XXX.XXX -j DROP

Block ports by adding the following firewall rules:

* Allow loopback access. This rule must come before the rules denying port
access!!
iptables -A INPUT -i lo -p all -j ACCEPT   - This rule is essential if you want
your own computer to be able to access itself through the loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP        - Block NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP        - Block NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP   - Block X-Windows

iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP        - Block X-Windows font server
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP         - Block printer port
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP         - Block printer port
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP         - Block Sun rpc/NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP         - Block Sun rpc/NFS
iptables -A INPUT -p all -s localhost -i eth0 -j DROP              - Deny outside packets
from the internet which claim to be from your loopback interface.

These rules may be executed on their own to protect your system while
attached to the internet or they may be appended to the end of the iptables
gateway NAT scripts above."

The way I do it is to have a script called 'firewall' in '/sbin' where I put
all iptables rules and then I call upon it from '/etc/rc.d/rc.local'

There's an excellent tutorial by Oskar Andreasson; try this at Google
"iptables oskar andreasson" or just 'iptables firewall'

Regards,

Ake Svensson

>
> Greetings, I am just trying to get a good firewall set-up. I do not need to
> offer any online services, I read email and surf, so I need outgoing access but
> no incoming. (I also upload files via ftp and ssh to another server.) My
> distro is Yellow Dog Linux kernel 2.4.10-12a. I have downloaded
> iptables-1.2.5, from http://netfilter.samba.org/downloads.html#1.2.5 and read
> the README INSTALL file, which for my limited knowledge is not especially
> helpful.
>
> I understand that my kernel has been compiled to run iptables (it has the
> necessary modules) so I just need the package, which I just downloaded.
>
> Can anyone guide me through how to do this? (i.e. install iptables and get a
> basic set-up)?
>
> thank you for your time.
>

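A ruleset for Ralph's stated case (outgoing access only, no services offered), written as an added example; it is not part of Åke's message or of the rules he quotes. It uses the same block-list as the quoted rules (NFS 2049, sunrpc 111, lpd 515, X11 6000-6009, X font server 7100) but puts them behind a default-DROP INPUT policy with a stateful accept for replies, which is what "outgoing but no incoming" actually needs. The script emits iptables-restore(8) input instead of calling iptables once per rule, so the loopback-first ordering and the anti-spoof rule can be checked before anything is loaded into the kernel. Assumptions: the Internet-facing interface is eth0 (override with IFACE=...), ip_conntrack and ipt_REJECT are loaded as in the lsmod listing above (they provide '-m state' and 'REJECT --reject-with tcp-reset'), and the function and variable names (build_rules, loopback_is_first, rule_count, BLOCK_TCP, BLOCK_UDP) are this example's own, not from any iptables tool.

```shell
#!/bin/sh
# Workstation ruleset generator (added example, not from the original post).
# Produces iptables-restore(8) input on stdout; "apply" loads it (needs root).

IFACE="${IFACE:-eth0}"   # assumption: the Internet-facing interface

# Services from the quoted block-list.  111 = sunrpc/portmapper, 515 = lpd,
# 2049 = nfs, 6000-6009 = X11 displays, 7100 = X font server.
BLOCK_TCP="111 515 2049 6000:6009 7100"
BLOCK_UDP="111 515 2049"

build_rules() {
    iface="${1:-$IFACE}"
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # default deny: this host offers no services
    echo ':FORWARD DROP [0:0]'    # not a gateway
    echo ':OUTPUT ACCEPT [0:0]'   # mail, web, ftp, ssh out are all allowed
    # Loopback FIRST.  A DROP that matches before this rule cuts the host
    # off from its own services (X, the resolver, local mail delivery).
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    # Anti-spoofing: the whole 127/8 block must never arrive from outside.
    echo "-A INPUT -i $iface -s 127.0.0.0/8 -j DROP"
    # Explicit drops for the local services.  Redundant under a DROP policy,
    # but they keep protecting the host if someone later sets INPUT to ACCEPT.
    for p in $BLOCK_TCP; do
        echo "-A INPUT -i $iface -p tcp --dport $p -j DROP"
    done
    for p in $BLOCK_UDP; do
        echo "-A INPUT -i $iface -p udp --dport $p -j DROP"
    done
    # Replies to connections this host opened (ip_conntrack provides this).
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Unsolicited TCP connection attempts get a RST so the peer fails fast
    # instead of timing out; anything else falls through to the DROP policy.
    echo '-A INPUT -p tcp --syn -j REJECT --reject-with tcp-reset'
    echo 'COMMIT'
}

# Sanity check for the ordering caveat from the quoted rules: returns 0 only
# if the first rule appended to INPUT is the loopback ACCEPT.
loopback_is_first() {
    first=$(build_rules "$1" | grep '^-A INPUT' | head -n 1)
    [ "$first" = '-A INPUT -i lo -j ACCEPT' ]
}

# Number of -A rules in the generated set (13 for the lists above).
rule_count() {
    build_rules "$1" | grep -c '^-A '
}

case "${1:-}" in
    apply)
        loopback_is_first "$IFACE" || { echo 'loopback rule not first' >&2; exit 1; }
        build_rules "$IFACE" | iptables-restore ;;   # replaces the filter table
    *)
        build_rules "$IFACE" ;;
esac
```

Run it without arguments to inspect the ruleset, and 'IFACE=ppp0 sh firewall apply' as root to load it; iptables-restore replaces the whole filter table atomically, so there is no window with half a ruleset loaded. Called from '/etc/rc.d/rc.local' as Åke describes, it runs once per boot after the modules have been loaded.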


This archive was generated by hypermail 2a24 : Mon Mar 04 2002 - 22:36:46 MST