Re: iptables firewall script for linux



On Thu, 9 Nov 2006, in the Usenet newsgroup comp.security.firewalls, in article
<ej03mj$6ib$1@xxxxxxxxxxxxxxxxx>, John F wrote:

> Had been using an ipchains firewall script, which you can see as
> firewall.sh inside the tarball
> www.forkosh.com/ipchains-firewall-1.7.3.tar.gz
> (can't find it on web anymore),
> but trying to run ipchains under the new kernel emitted message,
> "ipchains: Incompatible with this kernel".

IPCHAINS is rather old. Most people have been using iptables since it was
introduced about six years ago. It's much more versatile.

> So I'm looking for an iptables firewall bash script kind of like the
> above. This is for a workstation, not server, so it should pretty
> much deny everyone everything.

Why not start out by running 'netstat -tupan' and determining why any
port is shown as LISTENING. As it's not a server, the only thing that
should be open is port 113, and that ONLY if you have determined that
you need 'auth' or 'identd' to respond to queries from hosts you are
connecting to. This means /etc/inetd.conf probably has no line
uncommented (all should begin with a '#' character). Then look at your
startup scripts and see that no unwanted daemons are being started
there.

You _may_ want to allow SSH in - but at the very least you should tightly
restrict what addresses are allowed to connect. As port 22 is targeted by
skript kiddiez and worms, consider moving your daemon to a different port
number. Some would call it security by obscurity, but all it's doing is
avoiding nuisance from the totally clueless.

> And it should also be plug-and-play foolproof (that would be me).
> Google shows lots of relevant stuff, but I don't know enough to separate
> the wheat from the chaff.

What's wrong with reading the HOWTOs? While some are a bit old, you
could start with:

708351 Nov 14 2005 IP-Masquerade-HOWTO
17605 Jul 21 2004 Masquerading-Simple-HOWTO
155096 Jan 23 2004 Security-HOWTO
278012 Jul 23 2002 Security-Quickstart-HOWTO

and Rusty Russell's (the guy responsible for the firewall code itself as
well as the tools like IPCHAINS and iptables that control it) fine
documentation at http://www.iptables.org/documentation/HOWTO/
Masquerading is almost certainly unwanted, but those two HOWTOs are
included for their basic firewall concepts. Your firewall should be no
more than about a half dozen lines - basically

/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
/sbin/iptables -F
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

The first three set defaults. The -F flushes any _other_ rules. The
next one allows traffic on the loopback interface, while the last allows
_responses_ to traffic you initiate. No big deal. See the HOWTOs mentioned
above, and the man page for any additional help.

Old guy
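The six-line rule set in the reply above, wrapped into a small script as an added example (not code from the original post or from either poster). It keeps the reply's rules verbatim, adds the one inbound rule the reply says you _may_ want (SSH, restricted to a single source address), and logs what the DROP policy discards at a limited rate so you can see the nuisance traffic without filling the log. The variable names IPT, SSH_PORT and SSH_ALLOW_FROM and the functions gen_rules, check_rules and apply_rules are assumptions of this example; 192.0.2.10 is a constructed sample address from the RFC 5737 documentation range, not a real host.

```shell
#!/bin/sh
# Added example, not from the original post: a workstation firewall script
# built around the six rules in the reply. IPT, SSH_PORT and SSH_ALLOW_FROM
# are assumed settings; 192.0.2.10 is a constructed sample address (RFC 5737
# documentation range), not a real host.
IPT=${IPT:-/sbin/iptables}
SSH_PORT=${SSH_PORT:-22}                       # change if you move sshd off port 22
SSH_ALLOW_FROM=${SSH_ALLOW_FROM:-192.0.2.10}   # the only address allowed to open SSH

# Emit the rule set, one iptables command per line. Keeping generation
# separate from loading lets you review (or diff) the rules without root.
gen_rules() {
    cat <<EOF
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -F
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp -s $SSH_ALLOW_FROM --dport $SSH_PORT -m state --state NEW -j ACCEPT
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level 4
EOF
}

# Sanity checks on the generated rules before anything touches the kernel:
# the default policies come first and INPUT is dropped by default, loopback
# and established traffic are accepted, and the SSH rule carries a source
# address (an unrestricted SSH rule is the mistake this guards against).
check_rules() {
    rules=$(gen_rules)
    echo "$rules" | head -n 3 | grep -q -- '-P INPUT DROP'          || return 1
    echo "$rules" | grep -q -- '-i lo -j ACCEPT'                    || return 1
    echo "$rules" | grep -q -- '--state ESTABLISHED,RELATED'        || return 1
    echo "$rules" | grep -- "--dport $SSH_PORT" | grep -q -- '-s '  || return 1
    return 0
}

# Load the rules into the kernel. Requires root; refuses outright rather
# than failing halfway through and leaving a partial rule set behind.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must be root" >&2; return 1; }
    check_rules || { echo "apply_rules: rule set failed sanity check" >&2; return 1; }
    gen_rules | sh -e
}

case "${1:-show}" in
    show)  gen_rules ;;
    apply) apply_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it as `sh fw.sh show` to print the rules for review, and `sh fw.sh apply` as root to load them. The order matters as the reply explains: policies first, then -F so a re-run starts clean, then the two ACCEPT rules, then the restricted SSH rule, and the LOG rule last so it only sees packets nothing else accepted.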
