# [long] Firewall configuration?

## plafle

I use Gentoo as an internet gateway.

I use iptables via Arno's script.

Everything is OK.

But some people cannot access my server.

They just can't ping me or access my web server.

These people have the same provider as me.

Then I tested my connection on a Windows platform, and that makes my PC visible to these people (this is why I think my firewall is misconfigured).

Here is my iptables-firewall.conf file.

Can you gurus have a look at it and tell me if you see something wrong?

```
####################################################################################
# You should put this config-file (iptables-firewall.conf) in for example in /etc/ #
# Make sure it's only root readable! -> "chmod 600" & "chown root" it!)            #
####################################################################################
# Configuration File for Arno's IPTABLES single & dual homed (ADSL) firewall script (rc.iptables)
# (C) Copyright 2001-2002 by Arno van Amersfoort
# Homepage              : http://rulhmpc57.leidenuniv.nl/projects/iptables-firewall/
# Freshmeat homepage    : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
####################################################################################
## Any suggestions, questions or comments are welcome at: arnova at xs4all dot nl ##
####################################################################################

############################################
# Required variables for correct operation #
############################################
IPTABLES="/sbin/iptables"       # Location of the IPTABLES binary
UNPRIV_PORTS="1024:65535"       # Unprivileged ports to use for MASQ / FTP etc.
EXT_IF=eth0                     # The external interface that will be protected (and used as internet connection)
                                # This is probably ppp+ for ADSL (for non-tweaked Alcatel ADSL routers!)
                                # otherwise it should be "ethX" (ex. eth0)
DYNAMIC_IP=1                    # Enable this if your ISP dynamically assigns IP's through DHCP

#################################################################################################################
# These options should (only) be used when you have an ADSL modem which works via a PPP interface AND the       #
# network interface card (NIC) to which your modem is connected has an IP.                                      #
#                                                                                                               #
# You can check the above with 'ifconfig', if the interface does NOT have an IP then you should leave MODEM_IF  #
# remarked!                                                                                                     #
#################################################################################################################
#MODEM_IF=eth1                   # The interface your ADSL modem is connected to
MODEM_IP="10.0.0.138"           # The IP of your ADSL modem
MODEM_IF_IP="10.0.0.150"        # The IP of the local interface your ADSL modem is connected to

#####################################
# LAN & NAT (Masquerading) settings #
#####################################
INT_IF=eth1                     # Local interface (remark this if don't have a local network interface)
LOCAL_NET="192.168.0.0/24"      # Your local subnet which is connected to the internal interface (INT_IF), if used
NAT=1                           # Enable this if you want to perform NAT for your local network
                                # (ie, share your internet connection with your local subnet connected to INT_IF)
TCP_FORWARD="15367,14567,2502,389,522>192.168.0.77" # TCP port forwards, form is "PORT1,PORT2,...>DESTIP1 PORT3,PORT4,...>DESTIP2"
                                # ex. "20,21>192.168.0.10 22,7777,6346,2827>192.168.0.11"
UDP_FORWARD="15367,14567,22000,23000,23001,23002,23003,23004,23005,23006,23007,23008,23009>192.168.0.77" # UDP port forwards, form is "PORT1,PORT2,...>DESTIP1 PORT3,PORT4,...>DESTIP2"
                                # ex. "20,21>192.168.0.10 22>192.168.0.11"
IP_FORWARD=""                   # IP protocol forwards (non TCP/UDP) (useful for running your own internal VPN server for example)
                                # form is "PROTO1,PROTO2,...>DESTIP1 PROTO3,PROTO4,...>DESTIP2" ex. "47,48>192.168.0.10"

####################
# General settings #
####################
MANGLE_TOS=1                    # Enable this if you want TOS mangling (RFC)
SET_MSS=1                       # Set the maximum packet size via the Maximum Segment Size
RESOLV_IPS=0                    # Enable this to resolve names of DNS/TH IP's etc.
DHCP_BOOTP=0                    # Enable support for DHCP/BOOTP service

#########################################################################
# Logging options - All logging is rate limited to prevent log flooding #
#########################################################################
ICMP_FLOOD_LOG=1                # Enable logging for ICMP flooding
ICMP_DROP_LOG=1                 # Enable logging for ICMP-packets which are DROPPED
SCAN_LOG=1                      # Enable logging for various stealth scan-types
BAD_FLAGS_LOG=1                 # Enable logging for TCP-packets with bad flags
BLOCKED_HOST_LOG=1              # Enable logging for explicitly blocked hosts
CLOSED_PORT_LOG=1               # Enable logging for explicitly blocked ports
RESERVED_NET_LOG=1              # Enable logging of source IP's with reserved addresses
OPEN_CONNECT_LOG=0              # Enable logging of new connections to TCP/UDP ports open to the whole world
MISC_PACKET_LOG=1               # Enable logging of misc. (invalid) packets
CONNECT_LOG=1                   # Enable logging for dropped "normal" connection attempts
FRAG_LOG=1                      # Enable logging of fragmented packets
LOST_CONNECTION_LOG=0           # Enable logging of (probable) "lost connections". Keep disabled to reduce false log alarms
LOGLEVEL=debug                  # Current log-level ("info": default kernel syslog level)
                                # "debug": can be used to log to /var/log/firewall,
                                # but you have to configure syslogd accordingly

########################
# /proc based settings #
########################
SYN_PROT=1                      # Enable if you want synflood protection (through /proc/.../tcp_syncookies)
REDUCE_DOS_ABILITY=1            # Enable this to reduce the ability of others DOS'ing your machine
ECHO_IGNORE=0                   # Enable if you want to automatically ignore all ICMP echo requests (ipV4)
                                # this is very useful in stopping lame DoS-Attacks (aka ping -f's)
LOG_MARTIANS=0                  # Enable if you want to log packets with impossible addresses to the kernel log
ICMP_REDIRECT=0                 # Enable if you want to accept ICMP redirect messages
                                # Should be set to "0" in case of a router
HIGHER_CONNTRACK=0              # Enable if you want to handle a huge number of simultaneous connections (uses more memory)
LOOSE_UDP_PATCH=0               # You may need to enable this to get some internet games to work,
                                # but note that it's *less* secure
ECN=0                           # Enable ECN (Explicit Congestion Notification) TCP flag
                                # Disabled by default, as some routers are still not compatible with this

#################################################################################################################
# Put in the following variable which subnets you want have full access via your internet connection(!)         #
# NOTE 1: Don't mistake this variable with the one used for local nets                                          #
# NOTE 2: When connected through a hardware router (cisco) you MUST enter its IP or subnet here!!               #
#################################################################################################################
FULL_ACCESS_SUBNETS="192.168.0.77"

#################################################################################################################
# Put in the following variable which DNS servers you use                                                       #
# Only required when you run your own DNS server (for example BIND)                                             #
#################################################################################################################
DNS_SERVERS=""

# These are the root DNS-servers (uncomment lineS(!) below if you want to use them for BIND)
#ROOT_DNS_SERVERS="128.63.2.53    192.33.4.12  192.112.36.4 192.5.5.241  128.9.0.107 \
#                  198.41.0.10    193.0.14.129 198.32.64.12 202.12.27.33 192.36.148.17 \
#                  192.203.230.10 128.8.10.90  198.41.0.4"

#################################################################################################################
# Put in the following variables which ports you want to leave open to the whole world                          #
#################################################################################################################
OPEN_TCP="21 22 80"             # TCP port(s) the whole world is allowed to connect to
OPEN_UDP=""                     # UDP port(s) the whole world is allowed to connect to
OPEN_IP=""                      # IP protocol(s) (non TCP/UDP) the whole world is allowed to connect to (GRE for VPN for example)
OPEN_ICMP=1                     # Enable ICMP reply for the whole world (not recommended)

#################################################################################################################
# Put in the following variables the tcp/udp ports you want to block for everyone. Also use these variables     #
# if you want to log connection attempts to these ports from everyone (also trusted & full access nets)         #
#################################################################################################################
CLOSED_TCP=""
CLOSED_UDP=""

#################################################################################################################
# Put in the following variables which ports you want to block for everyone but NOT logged.                     #
# This is very useful if you have constant probes on the same port(s) over and over again (code red worm)       #
# and don't want your logs flooded with it.                                                                     #
# You can also use this to disable logging for unprivileged ports (add 1024:65535).                             #
#################################################################################################################
CLOSED_TCP_NOLOG="23"
CLOSED_UDP_NOLOG="23"

#################################################################################################################
# Put in the following variables which hosts you want to allow for certain services                             #
# TCP/UDP port format (OPEN_HOST_TCP & OPEN_HOST_UDP) : host1,host2>port1,port2 host3,host4>port3,port4 ...     #
# IP protocol format (OPEN_HOST_IP)                   : host1,host2>proto1,proto2 host3,host4>proto4,proto4 ... #
#################################################################################################################
OPEN_HOST_TCP=""
OPEN_HOST_UDP=""
OPEN_HOST_IP=""
OPEN_HOST_ICMP=""

#################################################################################################################
# Put in the following variables which hosts you want to deny for certain services                              #
# TCP/UDP port format (DENY_HOST_TCP & DENY_HOST_UDP) : host1,host2>port1,port2 host3,host4>port3,port4 ...     #
#################################################################################################################
DENY_HOST_TCP=""
DENY_HOST_UDP=""

#################################################################################################################
# Put in the following variable which hosts you want to block (blackhole, dropping every packet from the host)  #
#################################################################################################################
BLOCK_HOSTS=""

# Location of the BLOCKED HOSTS file (if any):
##############################################
BLOCKED_HOSTS=/etc/iptables-blocked-hosts

# Location of the custom IPTABLES rules file (if any):
######################################################
CUSTOM_RULES=/etc/iptables-custom-rules
```
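To see what the TCP_FORWARD / UDP_FORWARD syntax in that file actually turns into, here is an added example (my own code, not Arno's script and not from the thread) that expands "PORT1,PORT2,...>DESTIP1 PORT3,...>DESTIP2" into the iptables commands such a forward conventionally implies, and refuses a destination outside LOCAL_NET. The exact rule shapes (one nat DNAT rule plus one FORWARD accept per port) are an assumption about the script's behaviour; the commands are printed, not executed, and the values are copied from the config above.

```shell
#!/bin/sh
# Added example, not part of Arno's script: expand the TCP_FORWARD /
# UDP_FORWARD syntax into iptables commands and sanity-check destinations.
# Rule shapes are an assumption; nothing here is executed, only printed.

IPTABLES="/sbin/iptables"
EXT_IF=eth0
LOCAL_NET="192.168.0.0/24"
TCP_FORWARD="15367,14567,2502,389,522>192.168.0.77"   # from the config above

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET/BITS -> exit 0 if IP lies inside the subnet
in_subnet() {
    ip_n=$(ip2int "$1")
    net_n=$(ip2int "${2%/*}")
    bits=${2#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( 4294967295 - ((1 << (32 - bits)) - 1) ))
    fi
    [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

# forward_rules PROTO SPEC -> print the rules for every PORTS>DEST entry in
# SPEC. An entry whose destination is outside LOCAL_NET is reported on
# stderr and skipped, and the function then returns 1 instead of 0.
forward_rules() {
    proto=$1
    rc=0
    for entry in $2; do
        ports=${entry%'>'*}
        dest=${entry#*'>'}
        if ! in_subnet "$dest" "$LOCAL_NET"; then
            echo "ERROR: forward to $dest refused, not inside LOCAL_NET $LOCAL_NET" >&2
            rc=1
            continue
        fi
        for port in $(printf '%s' "$ports" | tr ',' ' '); do
            echo "$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p $proto --dport $port -j DNAT --to-destination $dest"
            echo "$IPTABLES -A FORWARD -i $EXT_IF -p $proto -d $dest --dport $port -j ACCEPT"
        done
    done
    return $rc
}

# Usage: show what the TCP forwards from the posted config expand to.
forward_rules tcp "$TCP_FORWARD"
```

Running it against the posted value prints ten rules, all pointing at 192.168.0.77, which is the host that FULL_ACCESS_SUBNETS also names. Nothing in the forwards explains why outside hosts cannot reach the gateway itself, since these rules only affect traffic that is being passed through to the LAN host.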

----------

## plafle

No idea?

Edit:

```
BLOCKED_HOSTS=/etc/iptables-blocked-hosts
CUSTOM_RULES=/etc/iptables-custom-rules
```

These two files don't exist, so they are not the cause of my problem.

What else should I check?

----------

## plafle

No reply.

OK, let's try something:

If you have no idea what to do, post a reply with "No idea".

PLEASE talk to me.

----------

## Sesquipedalian

No idea what "Arno's script" is, but I can make a guess at what is going on here.

Since the IP address of your DSL modem is in a reserved address range (10.*.*.*), the only people who will be able to connect to you are those on the same private subnet. However, your firewall is probably dropping any incoming packets with a source address of 10.*.*.*, as this would be the default behavior of any good firewall.

Check the output of `iptables -L INPUT -n` for something like

```
DROP   all  --  10.0.0.0/8           0.0.0.0/0
```

or

```
REJECT   all  --  10.0.0.0/8           0.0.0.0/0
```

to see if this is the case.
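The check above can be scripted so the rule that bites is found rather than eyeballed. The following is an added example (mine, not from the thread) that scans `iptables -L INPUT -n` style output for DROP or REJECT rules whose source column is any RFC 1918 range, not only 10.0.0.0/8. The listing it runs on is constructed for the example, not captured from the poster's gateway.

```shell
#!/bin/sh
# Added example, not from the thread: find INPUT rules that drop or reject
# traffic from private (RFC 1918) source ranges. On a gateway whose modem
# side lives in 10.0.0.0/8, such a rule blocks neighbours on the provider's
# private subnet, which matches the symptom described in the thread.
# SAMPLE_LISTING is constructed for this example, not real output.

SAMPLE_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
DROP       all  --  10.0.0.0/8           0.0.0.0/0
DROP       all  --  172.16.0.0/12        0.0.0.0/0
REJECT     all  --  192.168.0.0/16       0.0.0.0/0           reject-with icmp-port-unreachable
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80'

# private_source_blocks: read a listing on stdin and print every DROP or
# REJECT rule whose source (column 4 of "iptables -L -n") is inside
# 10/8, 172.16/12 or 192.168/16. Exit 0 if at least one was found, else 1.
private_source_blocks() {
    awk '
        ($1 == "DROP" || $1 == "REJECT") &&
        ($4 ~ /^10\./ || $4 ~ /^172\.(1[6-9]|2[0-9]|3[01])\./ || $4 ~ /^192\.168\./) {
            print
            found++
        }
        END { exit found ? 0 : 1 }
    '
}

# check_listing LISTING -> echo "blocked" when LISTING contains such a rule,
# "clear" otherwise; a one-word verdict that is easy to act on.
check_listing() {
    if printf '%s\n' "$1" | private_source_blocks >/dev/null; then
        echo blocked
    else
        echo clear
    fi
}

# Usage on a live box would be:  iptables -L INPUT -n | private_source_blocks
printf '%s\n' "$SAMPLE_LISTING" | private_source_blocks
check_listing "$SAMPLE_LISTING"
```

If the verdict is "blocked" and the gateway's external side is in 10.0.0.0/8, the provider's private subnet has to be exempted from the reserved-address filtering rather than the filtering removed altogether; the posted config's own note on FULL_ACCESS_SUBNETS ("when connected through a hardware router you MUST enter its IP or subnet here") is the place the script expects that exemption. Keep RESERVED_NET_LOG enabled while testing so each dropped neighbour shows up in the log with its source address.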

----------

## DawgG

Hello!

First of all, I'd never ever copy & paste anyone's script when it configures something as sensitive as a firewall. I don't know your network setup at home, but it looks like you might not need all that's done by this script. I guess you want masquerading for your internal net and to allow (some) ports to be accessed from the internet (80, 443, ...); there are a lot of howtos on that.

(Yeah, that's kind of general advice... I know.)

But iptables is pretty easy to use. If you tell me what you want, I can suggest some lines (but a basic config is really quite easy).

----------

