# Iptables script generator?

## d2_racing

Hi everyone, I would like to know if this script is good enough so that I can take a look and try to understand how iptables works?

http://easyfwgen.morizot.net/gen/

----------

## d2_racing

I would also like to know if it's good practice to actually allow almost anything that comes out of the lan to the wlan?

There are only a couple of rules that block, but if you are inside the network, the client side can establish almost any connection, while from the internet, nothing can enter the network.

I thought the ports on the firewall should be closed, but they seem to be wide open, and the protection comes from the established,related connection tracking on the client side. Is this the right way to do it? Everything is open and we close some ports, instead of everything is closed and we open some ports?

----------

## Hu

Security is about tradeoffs, and this is no exception.  Allowing nearly unrestricted access for LAN side systems is fine if you expect it will never be abused.  For a home network with no wireless, this is probably fine.  For a small business network, it may not be appropriate.  Consider what would happen if some user brings an infected Windows laptop to work and plugs into the corporate network.  You now have a malicious client on the LAN side.  The extent of trouble it can cause varies based on how much trust you place in systems on the LAN side of the network.

On the other hand, designing a strict firewall that treats everyone as untrusted and potentially malicious is more secure, but could be a real nuisance later if you need to add new legitimate systems to the LAN, or offer substantial new services.

The decision comes down to whether you place more value on tight network security or on easy network usability.  When considering the costs and benefits, remember also that a malicious system on the LAN might start spamming or engaging in other practices that could waste your WAN bandwidth or make your ISP unhappy.

----------

## d2_racing

In fact, I will use it for my home router, so I can trust myself (LAN part) :Razz:

And about the actual script, I need to change a couple of things about how to launch iptables and that kind of stuff, but for the rest, the rules seem to be good :Razz:

Thanks !

----------

## depontius

I believe that long ago, I used this same script generator for my firewall rules.  I just tried it out, and the output looks familiar.

It was recently broken by changes in iptables.

If it's the one I'm thinking of, it uses one of the prerouting tables to do address spoof filtering.  With a recent change to iptables, they don't want such things done there anymore.  Not a strong break, since it still runs and sets things up, but the anticipated filtering is not being done.  I just tried to verify this, and found that on my first run the generated script died right as it began the "mangle" rules, which is where I wanted to be looking.  I've fiddled a little more, but now the generator is mad at me, and won't get off the front page anymore.  I may look later, but please be warned.  Watch your messages carefully as you load the generated iptables script.

----------

## d2_racing

And if you find a nice tweak for that, then post the iptables rules that you use.

----------

## depontius

I've yet to do the iptables tweak.  This is a secondary firewall, behind a better-than-NAT hardware appliance.  So I've been less diligent than perhaps I should be, but then not wanting to exercise the extreme diligence I believe is prudent is why I bought the appliance in the first place.

But when I do work the tweak, I'll post it here.

I suspect that the reason they did the spoof detection in the prerouting is because that way it can be done once for both INPUT and FORWARD paths.  The simplest fix is to just duplicate the rules into both places.  All I need is a round tuit.

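As an added example (not code from the generator or from anyone in this thread), the following script puts both points raised above into one ruleset: d2_racing's question about a default-deny policy that relies on ESTABLISHED,RELATED connection tracking for return traffic, and depontius's plan to move the anti-spoof checks out of mangle PREROUTING and into both INPUT and FORWARD. Rather than copying the spoof rules into each chain, it defines them once in a user chain and jumps to it from both paths, which has the same effect. The interface names eth0 (WAN) and eth1 (LAN), the 192.168.1.0/24 LAN prefix, and the SSH-from-LAN rule are assumptions chosen for illustration; change them to match your router.

```shell
#!/bin/sh
# Added example: default-deny home-router ruleset in iptables-restore format.
# WAN_IF, LAN_IF and LAN_NET are assumed values; override them via the environment.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the ruleset. Nothing is applied here, so this is safe to run as a
# normal user to inspect what would be loaded.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:ANTISPOOF - [0:0]
# Anti-spoof checks live in the filter table, not mangle PREROUTING.
# Drop WAN packets that claim a LAN or loopback source, and LAN packets
# that do not come from the LAN prefix.
-A ANTISPOOF -i $WAN_IF -s $LAN_NET -j DROP
-A ANTISPOOF -i $WAN_IF -s 127.0.0.0/8 -j DROP
-A ANTISPOOF -i $LAN_IF ! -s $LAN_NET -j DROP
-A ANTISPOOF -j RETURN
# One chain, referenced from both the INPUT and FORWARD paths.
-A INPUT -j ANTISPOOF
-A FORWARD -j ANTISPOOF
# Default-deny: only replies to connections we started come back in.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Services the router itself offers, opened explicitly and only towards the LAN.
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -p icmp -j ACCEPT
# Forwarding: LAN may initiate anything outbound; WAN gets only return traffic.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Offline sanity check on the generated text: both default policies are DROP
# and the anti-spoof chain is wired into both paths.
check_rules() {
    rules=$(gen_rules)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' &&
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' &&
    printf '%s\n' "$rules" | grep -q '^-A INPUT -j ANTISPOOF' &&
    printf '%s\n' "$rules" | grep -q '^-A FORWARD -j ANTISPOOF'
}

# Parse-only load (needs root): iptables-restore --test reports errors
# without touching the live tables, so a typo shows up before lockout.
test_rules() {
    gen_rules | iptables-restore --test
}

# Atomic load (needs root): iptables-restore replaces the whole ruleset in
# one step, so a failed load leaves the previous rules in place.
apply_rules() {
    gen_rules | iptables-restore
}

case "${1:-}" in
    check) check_rules && echo "ruleset ok" ;;
    test)  test_rules ;;
    apply) apply_rules ;;
    *)     gen_rules ;;
esac
```

Run it with no argument to review the generated rules, `check` for the offline sanity check, `test` (as root) to have iptables-restore parse the ruleset without loading it, and `apply` to install it. Because the policy is DROP on INPUT, the explicit `-i lo -j ACCEPT` rule matters: without it, local services talking to each other over loopback break. Watch the messages from iptables-restore on load, as depontius advises; a rule that fails to parse aborts the whole restore rather than silently leaving a gap.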
----------

## d2_racing

Ok thanks, I'm gonna check when you reply to this thread.

----------

