# [SOLVED] Can you check these rules?

## OtonVM

I hope someone will be able to clarify this mystery for me... As a complete noob in iptables and firewall rules I emerged KMyFirewall to configure my protections. I like it very much because it does not try to make you feel like an idiot either way; it allows you a lot of control over the rules without popping out every sec. or asking for a degree in programming languages. Anyway, I followed the initial wizard reading the comments and all and then started to define the rules manually. That's what I have now:

```
gentoo otonvm # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 5/min burst 5
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             localhost
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:49154 dpt:49154
ACCEPT     udp  --  anywhere             anywhere            udp spt:49155 dpt:49155
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:4662
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4672
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4665
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:6891 dpt:6891
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:pop3 dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:smtp dpt:smtp
LOG        all  --  anywhere             anywhere            limit: avg 1/sec burst 5 LOG level warning prefix `KMF: '

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

As you can see, I have a direct connection to the net (pppoe) with no router or anything and I use it for browsing, amule and bittorrent (port 49154). The mystery is this: when I put the input chain policy to DROP, I can connect to edk2 servers, kad (but needs some time), but amule gets very slow. Same goes with torrents: it connects but downloads are slow and Ktorrent stays stalled for a long time (and Azureus shows a blue smiley). When I set it to ACCEPT, I can't connect to an edk2 server, but kad goes up immediately, torrents connect fast and download fast (Azureus goes green), but I can't check my Gmail account or connect to any https pages (like themes for firefox).

I checked my net with Shields Up: on DROP all ports are Stealth (green), on ACCEPT all are Closed (blue), except those on which some program is running (if I use KTorrent at the time, the 49154 port is open).

It may be that I'm lazy but it gets me puzzled too. WTF?? How can I optimize my firewall?

Tnx in advance for any answer...

Last edited by OtonVM on Tue Mar 21, 2006 8:50 pm; edited 1 time in total

----------

## Keiko

Hia,

I configured iptables manually, for the first time, but my script is fairly in-depth; anyway I think I'm experiencing a similar problem.

When I'm using bittorrent, it can take forever to connect and to have a download begin, and when it does, it seems far slower than it should be, usually around the 10k mark. So far I've left it, not wanting to accept my config could be screwing my downloads, but it's a pain having to wait for any reasonably sized downloads to download at such high speeds. Bittorrent always displays the NAT'd error now too, even though it's set up with forwarding and works... it's a pain.

Keiko.

----------

## playahater

Well .. concerning p2p .. hmm .. I did this ..

Amule .. port 4662 opened

Gnutella .. port 6346 opened

Bittorrent .. port 6881 opened

even though bittorrent "thinks it needs" ports from 6881 to 6889 .. I have allowed only one and it is working ..

btw I have allowed udp only for bittorrent

p2p is flying ..

----------

## Keiko

Hia, perhaps that was my boob; I opened up a port range, and an additional announce port, but I believe I only did tcp.

I reckon a suitable course of action for me would then be to set up forwarding for udp as well, for the same ports, and if it improves, see if I can drop tcp.

Thanks, Keiko.

----------

## OtonVM

Hmmm, yeah, that's basically what I did too... amule ports are open and bt too... But are they? I mean, what is right; ACCEPT or what? Oh, and I almost forgot: what is the difference between source and destination in tcp/udp ports?

----------

## Gentree

http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TCPMATCHES
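The source/destination port question above is exactly what the original `iptables -L` listing trips over: every rule of the form `spt:443 dpt:443` requires the remote side to use port 443 as its *source* port as well, while real clients pick a random ephemeral source port, so such a rule almost never matches and the packet falls through to the LOG rule and the DROP policy. The lint below, an added example (not part of the thread, not KMyFirewall code), parses a listing in the `iptables -L` format copied from the first post and flags INPUT rules that pin the source port, then reports which ports are actually reachable from the net; `Rule`, `parse_listing`, `lint_source_port_rules` and `inbound_ports` are names chosen here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the `iptables -L` listing posted at the top of this thread.
LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 5/min burst 5
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             localhost
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:49154 dpt:49154
ACCEPT     udp  --  anywhere             anywhere            udp spt:49155 dpt:49155
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:4662
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4672
ACCEPT     udp  --  anywhere             anywhere            udp dpt:4665
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:6891 dpt:6891
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:https dpt:https
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ftp-data dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:pop3 dpt:pop3
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:smtp dpt:smtp
LOG        all  --  anywhere             anywhere            limit: avg 1/sec burst 5 LOG level warning prefix `KMF: '

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""


@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    src: str
    dst: str
    sport: Optional[str]   # value after "spt:" if the rule matches a source port
    dport: Optional[str]   # value after "dpt:" if the rule matches a destination port
    extra: str             # remaining match text, e.g. "state RELATED,ESTABLISHED"


_SPT = re.compile(r"\bspt:(\S+)")
_DPT = re.compile(r"\bdpt:(\S+)")


def parse_listing(text: str) -> List[Rule]:
    """Parse `iptables -L` output (plain, without -n/-v) into Rule objects."""
    rules: List[Rule] = []
    chain = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):          # "Chain INPUT (policy DROP)"
            chain = line.split()[1]
            continue
        if line.startswith("target "):         # column header line
            continue
        parts = line.split(None, 5)            # target prot opt source destination [matches]
        target, proto, _opt, src, dst = parts[:5]
        extra = parts[5] if len(parts) > 5 else ""
        spt = _SPT.search(extra)
        dpt = _DPT.search(extra)
        rules.append(Rule(chain, target, proto, src, dst,
                          spt.group(1) if spt else None,
                          dpt.group(1) if dpt else None, extra))
    return rules


def lint_source_port_rules(rules: List[Rule]) -> List[Tuple[Rule, str]]:
    """Flag INPUT rules that constrain the remote source port.

    A connecting client chooses an ephemeral source port, so a rule demanding
    spt == dpt only matches when both ends happen to use the same port; in
    practice it never fires and the packet hits the chain policy instead."""
    findings: List[Tuple[Rule, str]] = []
    for r in rules:
        if r.chain != "INPUT" or r.sport is None:
            continue
        if r.sport == r.dport:
            msg = (f"{r.proto} rule requires spt == dpt == {r.dport}; clients use ephemeral "
                   f"source ports, so this rarely matches. Match --dport {r.dport} only.")
        else:
            msg = f"{r.proto} rule pins source port {r.sport}; prefer --dport plus conntrack."
        findings.append((r, msg))
    return findings


def inbound_ports(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(proto, dport) pairs opened by an INPUT ACCEPT rule with no source-port constraint."""
    return [(r.proto, r.dport) for r in rules
            if r.chain == "INPUT" and r.target == "ACCEPT"
            and r.dport is not None and r.sport is None]


if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    for rule, msg in lint_source_port_rules(parsed):
        print(f"[WARN] {rule.extra!r}: {msg}")
    print("inbound ports actually reachable:", inbound_ports(parsed))
```

Run against the listing from the first post, the lint flags all eight `spt:X dpt:X` rules and reports that only 4662/tcp, 4672/udp and 4665/udp are genuinely reachable, which matches the behaviour described (https and mail only work once the DROP policy is no longer in the way, while the plain `dpt:` amule rules work under either policy).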

----------

## OtonVM

Wow, nice one! I tried some googling of course, but this document is great. As soon as I finish my exams, I'll read it through. Stays in my bookmarks for now.

Tnx!

----------

## OtonVM

Some time ago I posted for help, because my firewall caused me problems. I was given a link that helped a lot. Now everything works and I want to post my settings.

Old post: https://forums.gentoo.org/viewtopic-t-444868.html

I switched to Shorewall, because I got wiser by all the problems; which is great, but shouldn't be so. Linux gets WAY too complicated for a mediocre computer user upon entering such details.

Anyway, that's what I "edited" (tnx to this forum for giving me advice -- much copy-paste going on here):

/etc/shorewall/interfaces:

```
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
#
net      ppp0           -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

/etc/shorewall/policy:

```
###############################################################################
#SOURCE      DEST      POLICY      LOG      LIMIT:BURST
#                                  LEVEL
$FW             net             ACCEPT
net             all             DROP            info
#
# THE FOLLOWING POLICY MUST BE LAST
#
all      all      REJECT      info
```

/etc/shorewall/rules (this is the interesting part):

```
#############################################################################################################
#ACTION   SOURCE      DEST      PROTO   DEST   SOURCE      ORIGINAL   RATE      USER/
#                                       PORT   PORT(S)     DEST       LIMIT     GROUP
#SECTION ESTABLISHED
#SECTION RELATED
ACCEPT   fw             net             tcp     80 #http
ACCEPT   fw             net             udp     80 #http
ACCEPT   fw             net             tcp     443 #https
ACCEPT   fw             net             udp     443 #https
ACCEPT   fw             net             tcp     21 #ftp
ACCEPT   fw             net             tcp     53 #DNS
ACCEPT   fw             net             udp     53 #DNS
ACCEPT   fw             net             tcp     110 #unsecure Pop3
ACCEPT   fw             net             tcp     995 #Secure Pop3
ACCEPT   fw             net             tcp     873 #rsync
ACCEPT   fw             net             tcp     25 #unsecure SMTP
ACCEPT   fw             net             tcp     465 #SMTP over SSL
#######-----------------------P2P-------------------------------------------------
ACCEPT    fw      net      tcp   49154 #bittorrent
ACCEPT    net      fw      tcp   49154 #bittorrent
ACCEPT    fw      net      udp   49154 #bittorrent
ACCEPT    net      fw      udp   49154 #bittorrent
ACCEPT    fw      net      udp   49155 #bittorrent
ACCEPT    net      fw      udp   49155 #bittorrent
ACCEPT    fw      net      tcp   49155 #bittorrent
ACCEPT    net      fw      tcp   49155 #bittorrent
ACCEPT   fw         net        tcp     6880:6999
ACCEPT   net        fw         tcp     6880:6999
ACCEPT   fw             net             tcp     4661 #for amule
ACCEPT   net            fw              tcp     4661 #for amule
ACCEPT   fw             net             tcp     4662 #for amule
ACCEPT   net            fw              tcp     4662 #for amule
ACCEPT   fw             net             udp     4665 #for amule
ACCEPT   fw             net             udp     4672 #for amule
ACCEPT   fw             net             tcp     4711 #for amule
#######---------------------------------------------------------------------------
```

and

/etc/shorewall/zones:

```
###############################################################################
#ZONE   TYPE      OPTIONS      IN         OUT
#                              OPTIONS    OPTIONS
fw   firewall
net   ipv4
```

I have no idea if this is the best solution possible, but at least it works. And learning from noob to this level is a great achievement, at least for me.

Byebye!

----------

## pjp

Merged previous to the linked thread.

----------

