Simple Iptables (was Re: firestarter start failure?)

Peter Garrett peter.garrett at optusnet.com.au
Tue Jun 24 08:05:48 UTC 2008


On Mon, 23 Jun 2008 20:33:30 -0700
NoOp <glgxg at sbcglobal.net> wrote:

>   The problem with not having the GUI/Applet running, is that FS doesn't
> automatically wake up and tell you that it has just blocked a Samba
> request from one of your local machines etc, you need the GUI/Applet
> running for this. So the user blissfully goes on and can't figure out
> why Samba (for example) is not working; it's only after you turn on the
> GUI/Applet that you find out that Samba requests from your other
> machine were blocked by FS & all this time you've been blaming your
> Samba config files...

I know this isn't the "user friendly" GUI way, but doing a "tail
-f /var/log/syslog" for example will show firewall hits.

I used Firestarter for a couple of years, but then my network became
slightly more complex (only slightly - I added wireless and therefore
had two interfaces on my laptop, eth0 and eth1). Firestarter had a lot
of trouble with this...

I bit the bullet and read a bit about iptables. It turned out that a
very simple iptables script did everything needed, in conjunction with
making my router assign addresses by MAC. Essentially, for most home
users, it's just a matter of something on the lines of

iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

I have since added some refinements, but those three lines stop incoming
requests and allow outgoing, loopback and connections that I instigate.

If you have, for example, a trusted IP from which you want to connect
with ssh, you add a line like

iptables -A INPUT -m state --state NEW -s <IP number here> -p tcp --dport 22 -j ACCEPT

(that's one line of course - ignore wrap)

For logging you can add at the bottom of the script:

iptables -A INPUT -m limit --limit 1/sec -j LOG --log-prefix "iptables DENIED: " --log-level 7

.. and so on.

For the local network you can use either MAC or IP ranges to allow all
local LAN connections.

The script can be put anywhere you wish, and run either on connection
or at start-up depending on needs. It's a good idea to clear all
policies and chains at the *top* of the script before the lines I gave
above, as well. This makes sure that any "stale" rules are cleared
before the script runs.

iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

I named the script "iptables.up" , but obviously you can call it
anything you prefer.

As far as I can see, the many lines that Firestarter generates are
largely unnecessary for most purposes, although the nice little GUI is
informative, admittedly.

I also have "turn the firewall off" script that looks like this:

#!/bin/bash

# This can live in /etc/iptables.down or /usr/local/bin if you prefer
#Do something sane when the interfaces come down
#just "iptables -F" won't remove the default INPUT DROP policy
#This script gets called as post-down in /etc/network/interfaces
#You can call it manually to turn the firewall off at any time, of course

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#clear the table's rules so we don't get an endless
#accumulation each time iptables.up runs

iptables -F

Observant readers will notice that this does the same as the clearing
lines in the "up" script :) Belt and braces...

-- 
Peter Garrett <peter.garrett at optusnet.com.au>
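The "up" and "down" scripts from the mail combined into one file, as an added example rather than Peter's own script. The trusted SSH host, the LAN subnet and the IPT variable (so the rules can be previewed with IPT=echo without touching the kernel) are assumptions not in the original.

```shell
#!/bin/sh
# Added example, not the original poster's script. The trusted SSH peer
# (203.0.113.10) and the LAN range (192.168.1.0/24) are placeholders;
# set IPT=echo to preview the rules instead of loading them.
set -eu

IPT="${IPT:-iptables}"
TRUSTED_SSH="${TRUSTED_SSH:-203.0.113.10}"   # placeholder trusted host
LAN="${LAN:-192.168.1.0/24}"                 # placeholder local subnet

# Return the firewall to a permissive state and remove every rule.
# "iptables -F" on its own leaves the INPUT DROP policy in place, so the
# policies are reset first (this is the mail's iptables.down).
firewall_down() {
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -F
}

# Load the minimal ruleset from the mail (iptables.up). Order matters:
# every ACCEPT rule must precede the LOG rule, and whatever reaches the
# end of the chain is dropped by the INPUT policy, after being logged.
firewall_up() {
    firewall_down                                # clear stale rules first
    "$IPT" -P INPUT DROP
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m state --state NEW -s "$TRUSTED_SSH" -p tcp --dport 22 -j ACCEPT
    "$IPT" -A INPUT -m state --state NEW -s "$LAN" -j ACCEPT
    "$IPT" -A INPUT -m limit --limit 1/sec -j LOG \
        --log-prefix "iptables DENIED: " --log-level 7
}

# Usage: ./iptables.sh up | down    (IPT=echo ./iptables.sh up for a dry run)
case "${1:-}" in
    up)   firewall_up ;;
    down) firewall_down ;;
esac
```

Run it as post-up/post-down from /etc/network/interfaces or by hand; with INPUT set to DROP, the LOG line at the bottom is what makes the hits appear in syslog.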