# trying to get a firewall going

## sideburn-auto

hello, 

I've been trying to understand iptables without much luck. So far, I'm thinking this is what needs to be done:

deny all outgoing and incoming traffic except stuff that is needed.  

Now the problem is, I don't know how to allow ping and DNS etc. to work after I've denied this.

I also need to enable other computers on the network to connect to the internet. 

What I really need is a doc for stupid people, this is doing my head in  :Smile: 

----------

## sideburn-auto

OK, just found out DNS uses port 53.

----------

## craftyc

I think firestarter is what you want. It is available at http://firestarter.sourceforge.net

Hope this helps

----------

## Rylan

Check out the Gentoo security guide, it has a script you can tweak.  It has a few worthless rules though.

To give you a jumpstart though, iptables is stateful, meaning these rules: 

```
/sbin/iptables -P INPUT DROP
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```

will take care of letting traffic back in that you have requested, but nothing else.  

-P for "default policy for this table"

-A for "append this rule to this table"

INPUT for "all incoming packets"

To setup NAT for your other boxes something like this should work: 

```
/sbin/iptables -t nat -A POSTROUTING -o $EXT_INTERFACE -j MASQUERADE
```

where $EXT_INTERFACE is eth0 or eth1 (whichever is connected to the external network).  

Also make sure ip forwarding is enabled by checking the value of /proc/sys/net/ipv4/ip_forward

```
echo "1" > /proc/sys/net/ipv4/ip_forward
```

 will turn it on.

And finally you want to make sure you can ssh into your box right?

```
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```

-A "appends" a rule to the bottom of the INPUT table, -p for "Protocol" (udp/tcp/icmp), --dport for "destination port" (22 is what sshd listens on), -j for "jump to this rule/target/table" (or something like that).

----------

## Cr0t

```
# load the conntrack/NAT helpers so FTP and IRC DCC data connections are
# tracked as RELATED (2.4-era module names)
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_ftp
modprobe ip_nat_irc

# start from an empty filter table (policies are left as they were)
iptables -F

# loopback and the internal interface eth0 are trusted completely
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT

# clamp the TCP MSS on forwarded connections (helps on PPPoE links where
# path MTU discovery is broken)
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# replies to connections this box opened itself
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 

# services reachable from anywhere: ftp and ssh
iptables -A INPUT -p tcp --syn --destination-port 21 -j ACCEPT
iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
# smtp only from the 192.168.2.0/24 LAN on eth0
iptables -A INPUT -p tcp -s 192.168.2.0/255.255.255.0 -i eth0 --syn --destination-port 25 -j ACCEPT 
# http from anywhere
iptables -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
# netbios session service only from the LAN on eth0
iptables -A INPUT -p tcp -s 192.168.2.0/255.255.255.0 -i eth0 --syn --destination-port 139 -j ACCEPT

# every other new TCP connection attempt is dropped; non-TCP traffic still
# falls through to the (unchanged) INPUT policy
iptables -A INPUT -p tcp --syn -j DROP
```

I guess this is easy to understand.... (my RuleZ)

----------

## sideburn-auto

Thanks for the replies people, much appreciated. 

I seem to have a working firewall now, although I'm not too sure if it's all correct. I hope you don't mind me pasting it here ...

```
#!/bin/sh

IPTABLES=/sbin/iptables

# current address of the PPP link (captured for reference, not used by the rules below)
EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
EXTIF="ppp0"
INTIF="eth0"
DNS1=213.120.62.99
DNS2=213.120.62.100

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# clear any existing rules
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# delete all user-specified chains
$IPTABLES -X

# reset all IPTABLES counters
$IPTABLES -Z

# set the default rules
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD ACCEPT

# Allow unlimited traffic on the loopback interface.
$IPTABLES -A INPUT  -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# allow everything from local network (and answers back to it, since OUTPUT defaults to DROP)
$IPTABLES -A INPUT  -i $INTIF -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -j ACCEPT

#
# enable nat
#
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

#
# dns
#
# Only the outbound direction may open (NEW) a connection; the replies come back
# as ESTABLISHED (conntrack tracks UDP as well as TCP). Accepting NEW on
# --sport 53 inbound would let any Internet host reach any local port simply
# by sending from source port 53.
$IPTABLES -A INPUT   -i $EXTIF -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT  -o $EXTIF -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -o $EXTIF -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow UDP packets to DNS servers from client.
$IPTABLES -A INPUT   -i $EXTIF -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT  -o $EXTIF -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -o $EXTIF -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

#
# www
#
$IPTABLES -A INPUT  -p tcp --sport http  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport http  -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT  -p tcp --sport https -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport https -m state --state NEW,ESTABLISHED -j ACCEPT

# allow irc traffic
$IPTABLES -A INPUT  -p tcp --sport 6667 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT

#
# allow netbios traffic for internal network only
#
#netbios-ns      137/tcp                         # NETBIOS Name Service
#netbios-ns      137/udp
#netbios-dgm     138/tcp                         # NETBIOS Datagram Service
#netbios-dgm     138/udp
#netbios-ssn     139/tcp                         # NETBIOS session service
#netbios-ssn     139/udp
# no rules for $EXTIF here: NetBIOS must not be reachable from the Internet
$IPTABLES -A INPUT   -i $INTIF -p tcp --sport 137:139 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT  -o $INTIF -p tcp --dport 137:139 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -o $INTIF -p tcp --dport 137:139 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT   -i $INTIF -p udp --sport 135:139 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT  -o $INTIF -p udp --dport 135:139 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -o $INTIF -p udp --dport 135:139 -m state --state NEW,ESTABLISHED -j ACCEPT

#
# icmp - only allow incoming icmp packets if one was sent out
#
$IPTABLES -A INPUT  -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#
# ftp (audiogalaxy uses port 21 as well)
#
$IPTABLES -A INPUT  -i $EXTIF -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# active-mode data connections arrive from port 20 as RELATED (needs ip_conntrack_ftp loaded)
$IPTABLES -A INPUT  -i $EXTIF -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT

#
# audiogalaxy
#
$IPTABLES -A INPUT  -i $EXTIF -p tcp --sport 40000:65535 -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --dport 40000:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
```

Phew, been reading guides all day, I'll be glad when it's finished =)

Thanks again for the replies.

----------

## klieber

 *sideburn-auto wrote:*   

> I seem to have a working firewall now, although I'm not too sure if it's all correct. I hope you don't mind me pasting it here ...

 

Wow -- that's quite a mouthful... :Smile: 

Not sure if you realized this, but you can condense 90% of those rules into just one rule:

```
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 
```

That rule will allow any outbound traffic that you initiate, from any port.   You can use that instead of establishing separate rules for audiogalaxy, icq, etc.  It will not allow any inbound traffic that does not originate from your network.  (though you can add separate rules for that if you need it)  So, this rule will allow outbound DNS queries, HTTP requests, FTP transfers, etc. all to work just fine. Unless there's a reason you want to disable certain outbound ports, this might be an easier, more manageable solution.

Also, looking through the rest of your script, it looks like there's a lot of unnecessary stuff in there.   For example, the following:

```
# clear any existing rules 
$IPTABLES -P INPUT ACCEPT 
$IPTABLES -F INPUT  
$IPTABLES -P OUTPUT ACCEPT 
$IPTABLES -F OUTPUT 
$IPTABLES -P FORWARD DROP 
$IPTABLES -F FORWARD  
$IPTABLES -t nat -F 
```

can be condensed into just:

```
# clear any existing rules 
$IPTABLES --flush INPUT
$IPTABLES --flush OUTPUT
$IPTABLES --flush FORWARD
```

(not sure about the last one dealing with NAT, tho)

If you haven't seen this site already, it's a great resource for iptables firewall scripts.

--kurt

----------
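Putting Rylan's pieces (default DROP, the ESTABLISHED,RELATED rule, MASQUERADE, ip_forward, an ssh rule) together with klieber's point that one state rule covers every reply, here is a complete gateway script as an added example; it is not code from any post in this thread. It also answers the original question about ping and DNS: outbound queries leave under the OUTPUT policy and their answers match the ESTABLISHED rule, and echo-request is accepted explicitly. The interface names, the LAN range and the DRY_RUN/preview switch are assumptions for the example; with `DRY_RUN=1` it only prints the iptables commands, otherwise it must run as root. It spells the state match as `-m conntrack --ctstate`, the current form of `-m state --state`.

```shell
#!/bin/sh
# Added example: minimal stateful NAT gateway built from the thread's rules.
# Assumed placeholders: EXT_IF, INT_IF, LAN_NET. DRY_RUN=1 prints commands
# instead of executing them, so the script can be reviewed without root.
set -u

EXT_IF="${EXT_IF:-ppp0}"              # interface facing the Internet (assumed)
INT_IF="${INT_IF:-eth0}"              # interface facing the LAN (assumed)
LAN_NET="${LAN_NET:-192.168.2.0/24}"  # LAN range allowed to use the gateway (assumed)
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

apply_firewall() {
    # Open the policies before flushing so a reload over ssh cannot lock you out.
    for chain in INPUT OUTPUT FORWARD; do run iptables -P "$chain" ACCEPT; done
    run iptables -F
    run iptables -X
    run iptables -t nat -F
    run iptables -t mangle -F

    # Default deny for inbound and forwarded traffic. This host's own outbound
    # traffic is allowed, so DNS queries, HTTP, ping etc. leave freely and their
    # replies match the ESTABLISHED rule below (conntrack tracks UDP and ICMP too).
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    run iptables -A INPUT -i lo -j ACCEPT
    # Packets conntrack cannot classify (bad flags, out-of-window) go first.
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Replies to anything this host initiated, plus RELATED traffic such as
    # ICMP errors or FTP data connections (with the ftp helper loaded).
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Answer ping; other ICMP types only arrive as RELATED via the rule above.
    run iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # ssh from the LAN side only; drop the -i to reach it from outside.
    run iptables -A INPUT -i "$INT_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Log a sample of what the INPUT policy is about to drop.
    run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "

    # Forwarding: the LAN may open connections towards the Internet, the
    # return path is whatever conntrack already knows about.
    run iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # MSS clamping for PPPoE-style links where path MTU discovery fails.
    run iptables -t mangle -A FORWARD -o "$EXT_IF" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    # NAT: rewrite LAN source addresses to whatever $EXT_IF currently holds.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$EXT_IF" -j MASQUERADE
    run sysctl -w net.ipv4.ip_forward=1
}

# usage: sh gateway.sh preview   (print the commands)
#        sh gateway.sh apply     (as root, install the rules)
case "${1:-}" in
    apply)   apply_firewall ;;
    preview) DRY_RUN=1 apply_firewall ;;
esac
```

The only rule that accepts NEW connections from the outside is the optional ssh one, so there is no per-application list to maintain: each client program simply opens its connection and the replies are matched by state. Source-port rules like `--sport 53` with state NEW are never needed and, on the INPUT chain, amount to an open door for anyone who sends from that port.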

## Trumpcard

Go to www.freshmeat.net and look up monmotha's firewall script. 

It's a really nice, easily configurable iptables firewall script...

----------

## Crg

 *sideburn-auto wrote:*   

> Also, looking through the rest of your script, it looks like there's a lot of unnecessary stuff in there.   For example, the following:
> 
> ```
> # clear any existing rules 
> 
> ...

 

That's not correct.  

The first script != the second.

The first one is setting default policies, then flushing.

The second one just flushes the default chains.

----------

## klieber

 *Crg wrote:*   

> That's not correct. 

 

Yes it is, in fact, correct.  

Please look at the original script again a little more carefully.  Perhaps you missed it the first time around.  sideburn-auto declares the default policies twice.  

--kurt

----------

## Crg

 *klieber wrote:*   

> 
> 
> Yes it is, in fact, correct.  
> 
> Please look at the original script again a little more carefully.  Perhaps you missed it the first time around.  sideburn-auto declares the default policies twice.  
> ...

 

I didn't look very hard at the original script.  It was too early in the morning  :Smile: 

The flushing rules

```
$IPTABLES -F INPUT 
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD 
```

can be condensed to this

```
$IPTABLES -F
```

----------
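One thing the flush discussion above leaves implicit: `iptables -F` removes the rules but leaves the chain policies as they are, so if the policies are already DROP the box is completely closed until the new rules are in, which is why sideburn-auto's script sets the policies to ACCEPT before flushing. Over an ssh session that ordering is what keeps you connected. The script below is an added example (not from any post here) that wraps a reload in that order and additionally arms a rollback timer; RULES, BACKUP and GRACE are assumed placeholders, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: reload a firewall without locking yourself out remotely.
# Assumptions: RULES is your own rule script (hypothetical path), BACKUP and
# GRACE are placeholders; iptables-save/iptables-restore are available.
set -u

RULES="${RULES:-/etc/firewall.sh}"          # script that installs the new rules (assumed)
BACKUP="${BACKUP:-/run/iptables.rollback}"  # snapshot of the rules currently loaded
GRACE="${GRACE:-120}"                       # seconds before the snapshot is restored
DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Step 1: open the default policies, then flush. A bare "iptables -F" with
# DROP policies in force leaves no ACCEPT rule at all and cuts the ssh
# session on the spot; with ACCEPT policies the box is briefly open instead,
# which is the lesser evil for the few milliseconds the reload takes.
reset_open() {
    for chain in INPUT OUTPUT FORWARD; do run iptables -P "$chain" ACCEPT; done
    run iptables -F
    run iptables -X
    run iptables -Z
    run iptables -t nat -F
}

# Step 2: snapshot the working ruleset, arm the rollback, load the new one.
reload_with_rollback() {
    run sh -c "iptables-save > '$BACKUP'"
    # Background timer: restores the snapshot unless confirm_rules kills it first.
    run sh -c "(sleep $GRACE && iptables-restore < '$BACKUP') & echo \$! > '$BACKUP.pid'"
    reset_open
    run sh "$RULES"
    echo "new rules loaded; run confirm_rules within ${GRACE}s or they roll back"
}

# Step 3: the session survived, so disarm the timer and keep the new rules.
confirm_rules() {
    run kill "$(cat "$BACKUP.pid")"
    run rm -f "$BACKUP.pid" "$BACKUP"
}

# usage: DRY_RUN=1 sh reload.sh          (print what would happen)
#        sh reload.sh && sh -c '. ./reload.sh; confirm_rules'   (as root)
case "${1:-}" in
    reload)  reload_with_rollback ;;
    confirm) confirm_rules ;;
esac
```

The snapshot is taken before anything is touched, so whatever the new script does, including a typo that makes it exit halfway, the previous working state comes back after the grace period unless you explicitly confirm.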

## faithfull

 *craftyc wrote:*   

> I think firestarter is what you want. It is available at http://firestarter.sourceforge.net
> 
> Hope this helps

 

emerge net-misc/firestarter  :Idea: 

----------

## therobot

Do you need GNOME to run firestarter? I use fluxbox, and it fails when I try to compile it....

----------

## sulu

It doesn't compile on my system either. Maybe the ebuild does not check the installed GNOME version properly. And emerge -p does not report any special dependencies.

```
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I/usr/include -I/usr/include/gnome-1.0 -DNEED_GNOMESUPPORT_H -I/usr/lib/gnome-libs/include -I/usr/include/glib-1.2 -I/usr/lib/glib/include -I/usr/include/orbit-1.0 -I/usr/include/gtk-1.2 -I/usr/X11R6/include      -DG_LOG_DOMAIN=\"Firestarter\" -DGNOMELOCALEDIR=\""/usr/share/locale"\"      -I../intl -I../intl      -DFIRESTARTER_RULES_DIR=\"/etc\"        -I-I/usr/include/glib-1.2 -I/usr/lib/glib/include -I/usr/include/orbit-1.0    -march=i686 -O3 -pipe -Wall -Wunused  -c logread.c
firestarter.c:423: parse error before `*'
....
!!! ERROR: The ebuild did not complete successfully.
!!! Function src_compile, Line -85, Exitcode 2
!!! emake failed
```

A lot of other warnings and errors pop up.

It seems to me that the GNOME headers used at compile time don't match the source code.

The headers are present in /usr/include/gnome* but they may refer to a different GNOME version.

Sulu

----------

## kkj

Got almost the same error  :Sad: 

```
make[3]: *** [firestarter.o] Error 1
make[3]: Leaving directory `/var/tmp/portage/firestarter-0.8.2/work/firestarter-0.8.2/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/var/tmp/portage/firestarter-0.8.2/work/firestarter-0.8.2/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/firestarter-0.8.2/work/firestarter-0.8.2'
make: *** [all-recursive-am] Error 2
!!! ERROR: The ebuild did not complete successfully.
!!! Function src_compile, Line -131, Exitcode 2
!!! emake failed
!!! emerge aborting on  /usr/portage/net-misc/firestarter/firestarter-0.8.2.ebuild .
```

----------

