# IPtables files to get up a quick firewall HOW TO

## penguinlnx

Here are a couple of iptables/firewall scripts I was given by jtshaw. His website seems temporarily unreachable so I have posted them here, along with his notes. iptables is not automatically included in many installations. Don't forget to either emerge iptables from a command line, or select it from the Porthole/Portage GUI and emerge it. *from console wrote:*

> # emerge iptables <enter>

Normally iptables is automatically placed in /sbin. If you change this, update jts-firewall accordingly as well.

To get these files simply grab the text off the screen and paste into your text editor, then save each as a file with the appropriate name. (Don't add the .txt extension to the file.) Put jts-firewall in your /sbin directory. Make sure you make it executable by root. Right-click on the file and select 'properties'. Then click on the permissions tab and allow 'execute'. Do this for both files. Edit the jts-firewall script as needed. I have a bunch of rules commented out for allowing connections on different ports so you can see examples of how things are done.

*jts-firewall wrote:*

> #!/bin/sh
> 
> #IPTABLES=/sbin/iptables is where  iptables files are normally placed. Change as needed:
> 
> IPTABLES=/sbin/iptables
> ...

Put firewall-init in your /etc/init.d folder; again, make sure you make it executable by root. Right-click on the file and select 'properties'. Then click on the permissions tab and allow 'execute'. Do this for both files. Adding firewall-init to your initscripts will get your firewall up and running on each boot. To do this, drop into a command line and execute the following line:

 *Quote:*   

> # rc-update add firewall-init default <enter>

*firewall-init wrote:*

> #!/sbin/runscript
> 
> # Copyright 1999-2004 Gentoo Foundation
> # Distributed under the terms of the GNU General Public License v2
> 
> # $Header: /var/cvsroot/gentoo-x86/app-admin/bastille/files/bastille-2.1.1-firewall.init,v 1.2 2004/07/14 21:09:15 agriffis Exp $
> ...

To make sure your firewall is working and your computer is in 'stealth' mode, you can go to one of the test sites, like GRC.COM, and see if your ports are properly closed.

Last edited by penguinlnx on Sun May 01, 2005 11:10 am; edited 5 times in total

----------

## wjholden

Thanks! Put this in your signature or something; iptables is a bitch to work with so this will save myself, among others, lots of time. If jtshaw reads this, thank you!

----------

## penguinlnx

No Sweat!  I was so pleased when JtShaw showed me how to do a firewall in 5 minutes, that I just had to post and share this.

I have put a link to it in my signature as you suggested...but I don't know how to give it a title...

----------

## wjholden

Just put tags around it like this: [url=http://whatever]name[/url]

----------

## penguinlnx

I hope an Admin looks at this, and can make it into a sticky!

----------

## Digital Storm

Thanks!  :Very Happy: 

I've been wandering back and forth between iptables gui setups but they all seem confusing to me...After reading this simple script it looks great and should be easy to tailor to my needs...

It makes iptables easier to understand as well, all the other scripts are great but I find them long and complicated...

----------

## niuck

I generally try to avoid posting my problems to the forum and try to solve it myself. But this time I'm stuck. I just can't figure out how to modify the script to fit my network. :Sad:

The network looks like this:

Internet (static IP) -- Gentoo-Router -- Switch -- Gentoo-box (rsync, ircd)

The Gentoo router is connected directly to the internet with a static IP. The router has dhcpd and dnsmasq installed. Behind the router I have another Gentoo box that I want to run different services on: ircd, rsync server, etc. I also have a wireless AP connected to the switch that one client is connected to.

In my router, eth0 is the LAN and eth1 the WAN (Internet).

I'm really new to this and I have tried to read the manuals etc. But apparently my brain can't take it all in. :Very Happy:

Help is _very_ appreciated. Thanks.

Last edited by niuck on Sat Feb 17, 2007 11:32 pm; edited 1 time in total

----------

## someguy

nice

----------

## zooz_pxp

I've tried iptables for so long and this is the only thread that got me up and running. Thanks. Really.

----------

## MrUlterior

That script is too simplistic. It sets no default DROP policy on INPUT, OUTPUT & FORWARD, and it doesn't handle OUTPUT & FORWARD at all, not to mention masquerading, S/DNAT, etc.

Note:

*Quote:*

> 21.6.1 Firewalls Can Be Dangerous
> 
> We started the chapter by pointing out that a firewall is not a panacea. We will conclude the chapter by making the point again: firewalls can be a big help in ensuring the security of your network; however, a misconfigured firewall, or a firewall with poor per-host controls, may actually be worse than no firewall at all. With no firewall in place, you will at least be more concerned about host security and monitoring. Unfortunately, at many sites, management may be lulled into believing that their systems are secure after they have paid for the installation of a significant firewall - especially if they are only exposed to the advertising hype of the vendor and consultants.
> ...


*Quote:*

> While stateful inspection firewalls are the most secure, they are also rather complex and the most likely to be misconfigured. Whichever firewall type you choose, keep in mind that a misconfigured firewall can in some ways be worse than no firewall at all, because it lends the dangerous impression of security while providing little or none.
> 
> -Robert G. Ferrell


My advice is that if you're not prepared to read the iptables man page, which contains everything you need to know to implement a PROPER firewall, then rather use an out-of-the-box solution like guarddog, firestarter, shorewall etc. Using something like the script in the OP leads to delusions of security; it is about as efficient as the default FW in winxp sp2.

----------
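As an added example, not jts-firewall and not code posted by anyone in this thread, here is a script that generates a ruleset covering the points MrUlterior raises (default DROP policy on INPUT, OUTPUT and FORWARD, explicit FORWARD handling, MASQUERADE and a DNAT) for the router layout niuck describes (eth0 = LAN, eth1 = WAN). The LAN subnet 192.168.1.0/24, the internal host 192.168.1.10 and the choice to publish only rsync (TCP 873) are constructed assumptions for the example. The rules are emitted in `iptables-restore` format so they can be read and checked as a whole before anything is loaded.

```sh
#!/bin/sh
# Added example: stateful router ruleset generated in iptables-restore format.
# Assumptions (constructed for this example): eth0 = LAN, eth1 = WAN,
# LAN subnet 192.168.1.0/24, internal host 192.168.1.10 runs rsync on 873.
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
RSYNC_HOST="${RSYNC_HOST:-192.168.1.10}"

# Print the complete ruleset. Default policy is DROP on all three built-in
# filter chains, so anything not explicitly allowed below is discarded.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Masquerade LAN traffic leaving the WAN interface
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
# Forward the one published service (rsync) to the internal host
-A PREROUTING -i $WAN_IF -p tcp --dport 873 -j DNAT --to-destination $RSYNC_HOST:873
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback, established sessions, and nothing the tracker considers invalid
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Router services reachable from the LAN only: DHCP, DNS (dnsmasq), SSH
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
# Anything else arriving from the WAN is logged (rate-limited) and then hits the DROP policy
-A INPUT -i $WAN_IF -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
# Forwarding: LAN out, replies back, plus new connections to the single DNAT'd service
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $RSYNC_HOST --dport 873 -m state --state NEW -j ACCEPT
# The router's own outbound traffic: DNS, HTTP/HTTPS (emerge), NTP, ICMP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -p udp --dport 123 -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Number of built-in chains whose default policy is DROP (expected: 3).
count_drop_policies() {
    gen_rules | grep -c '^:[A-Z]* DROP'
}

# Sanity check before loading: every *table has a COMMIT, and every rule
# jumps to a target we deliberately use (a typo here would be rejected by
# iptables-restore anyway, but it is cheaper to catch it while reviewing).
check_rules() {
    tables=$(gen_rules | grep -c '^\*')
    commits=$(gen_rules | grep -c '^COMMIT$')
    [ "$tables" -eq "$commits" ] || return 1
    gen_rules | grep '^-A' | grep -Ev -- '-j (ACCEPT|DROP|LOG|MASQUERADE|DNAT)( |$)' && return 1
    return 0
}

case "${1:-}" in
    --apply) check_rules && gen_rules | iptables-restore ;;   # needs root
    *)       gen_rules ;;                                     # review only
esac
```

Run it without arguments to print the ruleset for review, and with `--apply` as root to load it atomically through `iptables-restore` (so a half-applied state never exists). Because OUTPUT defaults to DROP, add any further ports the router itself needs before applying on a machine you reach over the network, and keep a console session open while you test.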

