# Monmotha iptables script?

## FINITE

I was just wondering if I needed to add the DNS addresses of my ISP if they are assigned dynamically. Otherwise I didn't see anything else that might need to be changed for DHCP. Could be wrong, probably am, let me know if anything else needs to be changed for DHCP.

I think the most important question is where do I put this file? Do I have to chmod +x it to make it executable or anything? Does it go in my /etc directory? After copying it to a text file I tried to click that file to open it and nothing happens, what's up with that? Did I run the script by clicking it? I named the file iptables-script, does that matter? Probably forgetting several things here that I should be asking but as always any and all help is greatly appreciated. Thanks.

----------

## lx

I hacked my ADSL modem to be a firewall so no iptables for me, but I can remember that before the hack I needed to add my DNS (static) IP (UDP) in the iptables. Maybe it's possible to use dynamic DNS (by using a script) but I don't know; I thought the smoothwall firewall provided dynamic DNS, but I haven't used that package.

----------

## kerframil

Sorry, I don't use iptables for my firewall but I can tell you the necessary rule schematics for DNS and DHCP to work, if that helps. For DNS:

> Allow all outgoing UDP packets from this host to any host on port 53 (stateful)

If you are using NAT to share the internet connection between other computers then consider "this host" in the above rule to mean "any host on my subnet".

For DHCP to work, I believe you will need a rule like this:

> Allow all outgoing UDP packets from this host to (any host|DHCP server) on port 67 (stateful)

For security purposes, you should probably set the above rule to allow only outgoing to your DHCP server's IP address (ask your ISP, or run a packet sniffer or check from the firewall log), rather than any host. If DHCP doesn't work then try making the above rule non-stateful then having an additional rule like this:

> Allow all incoming UDP packets to this host from (any host|DHCP server) to my port 68 (non-stateful).

Provided these two rules are effectively in place, then everything should be fine.

I would recommend fwbuilder for people who are looking for an easier way to create rules without having to get messy with iptables command syntax.
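The two schematics above written out as iptables commands, as an added example that is not part of kerframil's post or of the Monmotha script. It assumes a hypothetical internet-facing interface eth0 and a NATed LAN 192.168.1.0/24 (both overridable through the environment, as is the optional DHCP server address), and by default runs the rules through echo so they can be reviewed without root; set IPT=iptables to install them. The DHCP reply rule is left non-stateful, as the post suggests, because the client's first exchange is a broadcast from 0.0.0.0 that connection tracking cannot pair with the server's answer.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Monmotha script:
# kerframil's DNS and DHCP rule schematics as iptables commands.
# Assumed (hypothetical) defaults: internet interface eth0, NATed LAN
# 192.168.1.0/24, no fixed DHCP server. Override via the environment.
# IPT defaults to "echo iptables" so the rules are printed, not applied;
# run as root with IPT=iptables to install them.
IPT="${IPT:-echo iptables}"
INET_IFACE="${INET_IFACE:-eth0}"
LAN="${LAN:-192.168.1.0/24}"
DHCP_SERVER="${DHCP_SERVER:-}"   # e.g. your ISP's server, to tighten the reply rule

# Stateful DNS. $1 = "host" (queries from this machine: OUTPUT/INPUT) or
# "nat" (queries from the LAN behind NAT: both directions traverse FORWARD);
# $2 = the LAN subnet, used only in nat mode.
dns_rules() {
    case "$1" in
        nat) ochain=FORWARD; ichain=FORWARD; smatch="-s $2"; dmatch="-d $2" ;;
        *)   ochain=OUTPUT;  ichain=INPUT;   smatch="";      dmatch="" ;;
    esac
    # outgoing UDP/53: NEW opens the conntrack entry, ESTABLISHED covers retries
    $IPT -A "$ochain" -p udp $smatch --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    # replies are accepted only for queries conntrack has seen go out
    $IPT -A "$ichain" -p udp $dmatch --sport 53 -m state --state ESTABLISHED -j ACCEPT
}

# DHCP for this host's own lease on interface $1. The client sends UDP 68 -> 67
# (from 0.0.0.0 to 255.255.255.255 before it has an address); the server answers
# 67 -> 68. The reply rule is deliberately non-stateful: conntrack cannot pair a
# broadcast OFFER with a DISCOVER sent from 0.0.0.0. $2 = server address, or
# empty to accept replies from any server (looser, but needed if it is unknown).
dhcp_rules() {
    iface="$1"; srvmatch=""
    if [ -n "$2" ]; then srvmatch="-s $2"; fi
    $IPT -A OUTPUT -o "$iface" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$iface" -p udp $srvmatch --sport 67 --dport 68 -j ACCEPT
}

# Emits (or installs) the complete set: DNS for the gateway itself, DNS for
# the NATed LAN, DHCP on the internet-facing interface.
build_ruleset() {
    dns_rules host
    dns_rules nat "$LAN"
    dhcp_rules "$INET_IFACE" "$DHCP_SERVER"
}

build_ruleset
```

These rules only add accepts; they assume the chains they are appended to end in a restrictive policy or a final DROP/REJECT rule, otherwise they change nothing. The `-m state` restriction on the DNS reply is the point of "(stateful)" in the post: a rule that only matches `--sport 53` admits any UDP packet from any host that chooses source port 53. One caveat for DHCP: the common Linux clients (dhclient, dhcpcd) send and receive the initial broadcast exchange through packet sockets, which iptables does not see, so a lease may be obtained even with these rules absent; the rules still govern unicast renewals, which go through the normal IP stack.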

----------

## Radar

*FINITE wrote:*

> I think the most important question is where do I put this file? Do I have to chmod +x it to make it executable or anything? Does it go in my /etc directory? After copying it to a text file I tried to click that file to open it and nothing happens, what's up with that? Did I run the script by clicking it? I named the file iptables-script, does that matter? Probably forgetting several things here that I should be asking but as always any and all help is greatly appreciated. Thanks.

Here's what I did. I named my script rc.firewall-2.3.8-pre3 and chmod'd it as you said to make it executable. Move the file to /etc/init.d and do a /etc/init.d/rc.firewall-2.3.8-pre3 to make sure you can execute it. Then edit /etc/conf.d/local.start adding /etc/init.d/rc.firewall-2.3.8-pre3 to the end of the file.  Now motha firewall should run at startup.

----------

## therobot

I tried doing what you said, but it comes up with all these errors about /usr/local/sbin/iptables not existing.

I'm not really sure what that means, nor how to fix it....

does anybody have any suggestions?

thanks.

----------

## fbleagh

I think i see the problem

do a 'whereis iptables'

and you should see

iptables: /sbin/iptables /lib/iptables /usr/man/man8/iptables.8.gz /usr/share/man/man8/iptables.8.gz

that will show you where the iptables file is sitting

in this case /sbin/iptables

so just change the script to look for /sbin/iptables instead of /usr/local/sbin/iptables

have fun

----------

## therobot

ok, that worked a bit, but I'm still having a little trouble getting this working. I compiled the iptables stuff into my kernel, but when I try to run this script, this is what I get:

```
bash-2.05a# /etc/init.d/firewall.first
/etc/init.d/firewall.first: !/bin/sh: No such file or directory
Loading iptables firewall:
Checking IP Forwarding...enabled.
Checking IP SynCookies...support not found, but that's OK.
Flush: INPUT OUTPUT1 FORWARD modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
PREROUTING1 modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
OUTPUT2 modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
POSTROUTING modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
PREROUTING2 modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `mangle': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
OUTPUT3
Creating chains: INETIN INETOUT
Default Policies: INPUT:ACCEPT OUTPUT:ACCEPT FORWARD:DROP
Local Traffic Rules: 192.168.0.0/24:ACCEPT 192.168.1.0/24:ACCEPT
Setting up NAT: modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
192.168.0.0/24:MASQUERADE modprobe: Can't locate module ip_tables
iptables v1.2.6a: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
192.168.1.0/24:MASQUERADE
Setting up INET chains: INETIN INETOUT
Flood Protection: iptables: No chain/target/match by that name
ICMP-PING
Allowing ICMP in...done
Denying hosts:
TCP Input Allow: iptables: No chain/target/match by that name
21 iptables: No chain/target/match by that name
22 iptables: No chain/target/match by that name
25 iptables: No chain/target/match by that name
80 iptables: No chain/target/match by that name
110 iptables: No chain/target/match by that name
443 iptables: No chain/target/match by that name
3333 iptables: No chain/target/match by that name
6667
UDP Input Allow: 6112 6119 4000
DNS Servers: 209.153.4.130 209.153.4.150
Accounting for SSH...SSH1
AUTH accepts: 207.69.200.132 216.32.132.250 206.132.27.156 209.81.232.66 207.45.69.69 216.80.83.185 212.158.123.66
Allowing established outbound connections back in...iptables: No chain/target/match by that name
done
Setting up INET Policies: iptables: No chain/target/match by that name
INETIN:REJECT INETOUT:ACCEPT
Done loading the firewall!
```

sorry it's so long, I just don't really know what to do...

thanks

----------

## sulu

Hmmm

Does your script start with

#!/bin/sh

or with

!/bin/sh

The latter would be wrong.

It seems that your kernel is missing ip_tables.

Try

/sbin/modprobe ip_tables

If it reports an error you have to go through your kernel setup (/usr/src/linux/.config) and check that in the netfilter section

```
#
#   IP: Netfilter Configuration
#
....
CONFIG_IP_NF_IPTABLES=m
....
```

ip_tables will be compiled as a module (you may also compile it into the kernel). After doing this most of the errors should not appear any more.

----------

## therobot

yep, earlier I went back through my module, and figured out that there was one thing that I missed, so I recompiled my module.... now, I get this upon running it.

```
bash-2.05a# /etc/init.d/firewall.first
Loading iptables firewall:
Checking IP Forwarding...enabled.
Checking IP SynCookies...support not found, but that's OK.
Flush: INPUT OUTPUT1 FORWARD PREROUTING1 OUTPUT2 POSTROUTING PREROUTING2 OUTPUT3
Creating chains: INETIN INETOUT
Default Policies: INPUT:ACCEPT OUTPUT:ACCEPT FORWARD:DROP
Local Traffic Rules: 192.168.0.0/24:ACCEPT 192.168.1.0/24:ACCEPT
Setting up NAT: iptables: No chain/target/match by that name
192.168.0.0/24:MASQUERADE iptables: No chain/target/match by that name
192.168.1.0/24:MASQUERADE
Setting up INET chains: INETIN INETOUT
Flood Protection: iptables: No chain/target/match by that name
ICMP-PING
Allowing ICMP in...done
Denying hosts:
TCP Input Allow: iptables: No chain/target/match by that name
21 iptables: No chain/target/match by that name
22 iptables: No chain/target/match by that name
25 iptables: No chain/target/match by that name
80 iptables: No chain/target/match by that name
110 iptables: No chain/target/match by that name
443 iptables: No chain/target/match by that name
3333 iptables: No chain/target/match by that name
6667
UDP Input Allow: 6112 6119 4000
DNS Servers: 209.153.4.130 209.153.4.150
Accounting for SSH...SSH1
AUTH accepts: 207.69.200.132 216.32.132.250 206.132.27.156 209.81.232.66 207.45.69.69 216.80.83.185 212.158.123.66
Allowing established outbound connections back in...iptables: No chain/target/match by that name
done
Setting up INET Policies: iptables: No chain/target/match by that name
INETIN:REJECT INETOUT:ACCEPT
Done loading the firewall!
```

----------

## trolley

Why don't you post this to the Monmotha mailing list?  The author answers questions personally, so I'm sure he could help you resolve your problem.

----------

## sulu

Uhm.

Methinks your script isn't set up correctly.

Maybe you have to fill in some fields at the top of the script.

These look like incomplete commands.

Please post e.g. the line in the script which led to this error:

```
192.168.0.0/24:MASQUERADE iptables: No chain/target/match by that name
```

----------

## therobot

```
echo -n "Setting up NAT: "
for subnet in ${INTERNAL_LAN} ; do
        ${IPTABLES} -t nat -A POSTROUTING -s ${subnet} -o ${INET_IFACE} -j MASQUERADE
        echo -n "${subnet}:MASQUERADE "
done
echo
```

```
echo -n "Flood Protection: "
# Ping Floods (ICMP echo-request)
${IPTABLES} -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit 1/s -i ${INET_IFACE} -j ACCEPT
echo -n "ICMP-PING "
echo
```

```
echo -n "Denying hosts: "
for host in ${DENY_ALL} ; do
        ${IPTABLES} -t filter -A INETIN -s ${host} -j ${DROP}
        echo -n "${host}:${DROP}"
done
echo

#Start allowing stuff
echo -n "TCP Input Allow: "
for port in ${TCP_ALLOW} ; do
        if [ "0$port" == "021" ]; then #Active FTP (thanks steff)
           ${IPTABLES} -t filter -A INETIN -p tcp --sport 20 --dport 1024:65535 ! --syn -j ACCEPT
        fi
        ${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} ! --syn -j ACCEPT
        ${IPTABLES} -t filter -A INETIN -p tcp --dport ${port} --syn -m limit --limit 2/s -j ACCEPT
        echo -n "${port} "
done
echo

echo -n "UDP Input Allow: "
for port in ${UDP_ALLOW} ; do
           ${IPTABLES} -t filter -A INETIN -p udp --dport ${port} -j ACCEPT
        echo -n "${port} "
done
echo

echo -n "DNS Servers: "
for server in ${DNS} ; do
        ${IPTABLES} -t filter -A INETIN -p udp -s ${server} --sport 53 -j ACCEPT
        echo -n "${server} "
done
echo
#SSH Rulesets
if [ $USE_SSH1 = TRUE ]; then #SSH1
        echo -n "Accounting for SSH..."
        ${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 513:1023 ! --syn -j ACCEPT
        echo -n "SSH1 "
fi
if [ $USE_OPENSSH = TRUE ] ; then #OpenSSH
        if [ ! $USE_SSH1 = TRUE ] ; then #We need to echo "Accounting for SSH..."
                echo -n "Accounting for SSH..."
        fi
        ${IPTABLES} -t filter -A INETIN -p tcp --sport 22 --dport 1024:65535 ! --syn -j ACCEPT
        echo -n "OpenSSH "
fi
echo
#AUTH(identd) host-based allows
if [ "$AUTH_ALLOW" != "" ] ; then
        echo -n "AUTH accepts: "
        for host in ${AUTH_ALLOW} ; do
                ${IPTABLES} -t filter -A INETIN -p tcp -s ${host} --dport 113 -j ACCEPT
                echo -n "${host} "
        done
        echo
fi

echo -n "Allowing established outbound connections back in..."
${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "done"

echo -n "Setting up INET Policies: "
# Drop if we cant find a valid inbound rule.
${IPTABLES} -t filter -A INETIN -j ${DROP}
echo -n "INETIN:${DROP} "
#We can send what we want to the internet
${IPTABLES} -t filter -A INETOUT -j ACCEPT
echo -n "INETOUT:ACCEPT "
echo

echo "Done loading the firewall!"
```
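Every "No chain/target/match by that name" in the second run lines up with one of the rules above that needs a netfilter extension beyond ip_tables itself: `-j MASQUERADE` under "Setting up NAT", `-m limit` under "Flood Protection" and once per TCP port (the `! --syn` rule succeeds, the rate-limited `--syn` rule fails), `-m state` for the established-connections rule, and `-j ${DROP}` with DROP set to REJECT for the INETIN policy. The ip_tables module now loads, but the kernel was built without those matches and targets. Added example, not from the thread or from the Monmotha script: a POSIX sh checker that reads a Linux 2.4 .config and reports which of the options providing those features are missing. The option names are the 2.4-series CONFIG_IP_NF_* ones (an assumption for any other kernel line), the sample .config is constructed to mirror the second run, and the file path is hypothetical.

```shell
#!/bin/sh
# Added example, not part of the thread or the Monmotha script: report which
# netfilter options a Linux 2.4 .config is missing for the rules the script
# issues. The option names are the 2.4-series ones (CONFIG_IP_NF_*); later
# kernels renamed several, so treat the table as an assumption elsewhere.
# Usage: check_netfilter_config /usr/src/linux/.config

# what the script uses -> the config option that provides it
NEEDED="ip_tables:CONFIG_IP_NF_IPTABLES
filter_table:CONFIG_IP_NF_FILTER
nat_table:CONFIG_IP_NF_NAT
conntrack:CONFIG_IP_NF_CONNTRACK
-m_state:CONFIG_IP_NF_MATCH_STATE
-m_limit:CONFIG_IP_NF_MATCH_LIMIT
-j_MASQUERADE:CONFIG_IP_NF_TARGET_MASQUERADE
-j_REJECT:CONFIG_IP_NF_TARGET_REJECT"

# Prints "missing: <feature> (<option>)" for each absent option; =y (built in)
# and =m (module) both count as present. Returns 0 only when nothing is missing.
check_netfilter_config() {
    config="$1"; missing=0
    for entry in $NEEDED; do
        feature="${entry%%:*}"; option="${entry#*:}"
        if ! grep -q "^${option}=[ym]\$" "$config"; then
            echo "missing: $feature ($option)"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample: ip_tables and the nat table built, the matches and
# targets left out, which is the state the second run above reports.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_MATCH_LIMIT is not set
# CONFIG_IP_NF_MATCH_STATE is not set
CONFIG_IP_NF_FILTER=m
# CONFIG_IP_NF_TARGET_REJECT is not set
CONFIG_IP_NF_NAT=m
# CONFIG_IP_NF_TARGET_MASQUERADE is not set
EOF
}

sample="${TMPDIR:-/tmp}/sample-dot-config.$$"
write_sample_config "$sample"
if check_netfilter_config "$sample"; then
    echo "all netfilter options present"
else
    echo "enable the options above, rebuild the kernel and modules, then rerun the firewall script"
fi
rm -f "$sample"
```

Point it at the real tree with `check_netfilter_config /usr/src/linux/.config` (the path is whatever your kernel source lives in). Options built as modules are loaded on demand by iptables through modprobe, so a fresh `make modules modules_install` plus a reboot (or `depmod -a`) is enough for the `=m` case; an `=y` change needs the kernel itself rebuilt and installed.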

----------

