# What if I don't install IPTABLES?

## Darkriser

I suppose the "right" way of installing a secure box is enabling the iptables support in the kernel (before compilation) and then emerging the iptables package (plus some kind of firewall, if required). Is that right?

OK, but what happens if I don't include iptables in my system at all? Will there be no packet filtering for outgoing or incoming packets? Will all traffic be allowed? Wouldn't this be "a little bit" insecure? If so, why isn't iptables mentioned in the installation handbook at all?

Thanks for your clarification....

(and yes, I'm new to Gentoo....but already love it)

----------

## Beefrum

For a 'ricer' attitude: install IPTables, otherwise forget about having problems, since no services would do the trick anyhow.

The only thing I would wonder about are the buffer sizes of the TCP/IP stack in the kernel and their ability to keep packets flowing from and to the occasional client sessions you would initiate. Otherwise a rock-solid kernel will care not.

Ah, I almost forgot about one of the greatest advantages. No log files to scour through makes one's mind more stable; they would fill up hard disks and stall ALL system activities.

----------

## Darkriser

Thanks for your answer.....but...would you translate it to a more n00b-ish language so that I can understand more than those little smileys?

Anyway, thanks again...

Marcel

----------

## Beefrum

Just to clarify something. IPTables and its configuration are the firewall.

If it isn't installed and activated in the kernel, it wouldn't interfere with anything and cannot be a problem itself.

Be warned though! It is utterly uncommon for a system to not have it installed and, judging by the follow-up, it will be installed as a default anyhow.

----------

## nixnut

Moved from Installing Gentoo to Networking & Security.

Networking stuff, so moved here.

----------

## lxg

Darkriser:

Iptables is a set of rules for how to handle network traffic. Among these can be: blocking of certain ports and/or IPs, protection from flooding, protection from other malicious attacks that happen at the TCP/UDP/IP level.

In order to use iptables, it must be supported in the kernel. Then -- theoretically -- you can use the program iptables (the so-called "userland" part) in order to set up your specific rules. But that is a real pain in the you-know-where. There are lots of fine frontends for iptables -- on the command line: firehol; on Gnome/Gtk: firestarter; on KDE: guarddog. Those will help you to set up a "firewall". Note that this sort of firewall is not the stuff they sell at Symantec et al.

edit: changed Wikipedia link

----------

## dashnu

*Darkriser wrote:*

> I suppose the "right" way of installing a secure box is enabling the iptables support in the kernel (before compilation) and then emerging the iptables package (plus some kind of firewall, if required). Is that right?

Almost: include kernel support, emerge iptables, create a rule-set.

*Quote:*

> OK, but what happens if I don't include iptables in my system at all? Will there be no packet filtering for outgoing or incoming packets? Will all traffic be allowed?

Yes.

*Quote:*

> Wouldn't this be "a little bit" insecure? If so, why isn't iptables mentioned in the installation handbook at all?

That depends, really. Is the box you are working on plugged directly into the net? If so, I would set up iptables. If you are at home behind a 'decent' NAT/router you probably don't need iptables.

Iptables is not part of the installation. It is more of an admin task and is documented in that section.

*Quote:*

> Thanks for your clarification....
>
> (and yes, I'm new to Gentoo....but already love it)

Have fun.

----------

## Enlight

Why would you want iptables if you have no service listening on the network?

----------

## Paapaa

*Enlight wrote:*

> Why would you want iptables if you have no service listening on the network?

I agree. In normal desktop systems a firewall is used because:

1. You have to close ports which your OS or apps are listening on even though you don't want them to. A Windows issue.

2. You have to close ports to prevent apps from making unwanted connections. Mainly a Windows issue.

So just make sure you only listen to ports you have to. There is no need to close a port that nothing is listening to. There should be no need to firewall at all in most normal Linux desktop cases. Correct me if I'm totally wrong here.

----------

## Darkriser

Thanks to all of you, guys....these things are much clearer to me now....

Marcel

----------

## Jerem

*Quote:*

> So just make sure you only listen to ports you have to. There is no need to close a port that nothing is listening to. There should be no need to firewall at all in most normal Linux desktop cases. Correct me if I'm totally wrong here.

I totally agree.

----------

## htranou

That's the illusion of security of being "stealthy". Security vendors (McAfee & co.) tell you that your computer is more secure if it is stealthy. That means when someone knocks on a closed port, your computer shouldn't answer anything.

That's the difference between using the DROP rule and REJECT in iptables.

Now, as to whether being stealthy is really more secure than showing closed ports...

----------

## dalek

I'm by no means an expert on this, but I run iptables on mine. I started so that I could share my net connection with other machines, but then got some help with other things. This is what I use and I have had no problems so far:

```
root@smoker / # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     udp  --  192.168.100.0/24     anywhere            udp dpt:netbios-ns
ACCEPT     tcp  --  192.168.100.0/24     anywhere            tcp dpt:netbios-ns
ACCEPT     tcp  --  192.168.100.0/24     anywhere            tcp dpt:netbios-ssn
ACCEPT     udp  --  192.168.100.0/24     anywhere            udp dpt:netbios-ssn
ACCEPT     tcp  --  192.168.100.0/24     anywhere            tcp dpt:netbios-dgm
ACCEPT     udp  --  192.168.100.0/24     anywhere            udp dpt:netbios-dgm
ACCEPT     tcp  --  192.168.100.0/24     anywhere            tcp dpt:microsoft-ds
ACCEPT     udp  --  192.168.100.0/24     anywhere            udp dpt:microsoft-ds
DROP       all  --  anywhere             anywhere            state INVALID,NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID,NEW

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@smoker / #
```

I surf of course, send/receive email and have a samba server for my fiancee to back up her windoze too. When I set up the samba server I got help here to open the correct ports for it. It must work really well, because windoze was blind as a bat until I opened those ports. I could see windoze though.

I also later found out that if you install webmin, you can configure iptables in it too. I never used it but it is there. Just look for Firewall under the Networking button. Oh, point a browser to https://localhost:10000/ for webmin.

Hope some of this will help.

Oh, anybody see anything wrong with that?

----------
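An added example, not code from any poster in this thread: it parses `iptables -L` output of the shape dalek pasted and reports, per chain, which new connections are accepted and whether everything else is silently dropped or rejected, which is the DROP versus REJECT distinction htranou raises. The sample listing is constructed from dalek's post, abbreviated to two ACCEPT rules.

```python
import re

# Constructed sample, abbreviated from dalek's `iptables -L` listing above.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     udp  --  192.168.100.0/24     anywhere            udp dpt:netbios-ns
DROP       all  --  anywhere             anywhere            state INVALID,NEW

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            state INVALID,NEW

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chains(text):
    """Turn `iptables -L` output into {chain: (policy, [rule dicts])}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), (m.group(2), []))
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue  # blank line or column header
        target, prot, _opt, src, dst, extra = RULE_RE.match(line).groups()
        current[1].append({"target": target, "prot": prot, "src": src,
                           "dst": dst, "extra": extra.strip()})
    return chains

def summarize(chain):
    """Which NEW connections a chain accepts, and what happens to the rest.
    With policy ACCEPT, ESTABLISHED/RELATED packets still fall through."""
    policy, rules = chain
    opened, rest = [], "falls through to policy " + policy
    for r in rules:
        port = re.search(r"dpt:(\S+)", r["extra"])
        if r["target"] == "ACCEPT" and port:
            opened.append((r["prot"], port.group(1), r["src"]))
        elif r["target"] in ("DROP", "REJECT") and "NEW" in r["extra"]:
            rest = "stealth (DROP)" if r["target"] == "DROP" else "closed (REJECT)"
            break  # later rules never see a new connection
    return opened, rest
```

Run it against your own `iptables -L` output to see at a glance which ports accept new connections and whether an OUTPUT chain with policy ACCEPT lets every outbound connection through.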

