# spi firewall vs iptables?

## queen

I have a linksys router wrt54gc with spi firewall enabled. I get direct ip for internet from the isp and I get internal ip from the router by dhcp. 

My problem is that for ftp (for instance belnet or other) I get full speed ~190kb/s but for linuxdcpp I get very low speeds (1 kb/s or less and sometimes 10kb/s max) and problems to connect to hubs and lots of disconnections. I forward the ports normally in the router and I appear there as active. Slow speeds I get also on emule. 

The spi firewall makes the troubles? 

I tried to avoid iptables because it's hard to configure although I already have CONFIG_PACKET=y in the kernel but I don't have installed iptables at all. This can cause a problem as well?

Will I have improvement in the speed if I install iptables? 

I didn't dare to disable spi in the router and check. Let's say 30 min without spi is dangerous?

Thanks for the help

Queen

----------

## sternklang

The manual for linuxdcpp indicates: *Quote:*   

> For optimal use, you will need to run DC++ in active mode. If you are not behind a firewall (or NAT), tick the first box ("Active").
> 
> If you are behind a firewall (or router with NAT), tick the second box ("Firewall with manual port forward"). On your firewall, forward a port (for example, 4444) to your machine running ldcpp. For "External WAN/IP", fill in your IP as it appears to the outside world. For the ports, fill in the port number that your firewall forwards.
> 
> If you are behind a firewall and you can't get a port forwarded to your machine, use passive mode: tick "Firewall (passive, last resort)". You will not be able to download from some other DC++ users. 

 

I don't use dc++ but I do use bittorrent - if you don't open up ports for users to connect to you, you don't get good download speeds in bittorrent. It's possible that is your problem as well. Your router should have a web interface allowing you to forward a port to your computer for dc++. You may also need to set a static DHCP mapping on the router so your PC always gets the same IP address for the port forwarding to work.

----------

## queen

 *sternklang wrote:*   

> The manual for linuxdcpp indicates: *Quote:*   For optimal use, you will need to run DC++ in active mode. If you are not behind a firewall (or NAT), tick the first box ("Active").
> 
> If you are behind a firewall (or router with NAT), tick the second box ("Firewall with manual port forward"). On your firewall, forward a port (for example, 4444) to your machine running ldcpp. For "External WAN/IP", fill in your IP as it appears to the outside world. For the ports, fill in the port number that your firewall forwards.
> 
> If you are behind a firewall and you can't get a port forwarded to your machine, use passive mode: tick "Firewall (passive, last resort)". You will not be able to download from some other DC++ users.  
> ...

 

I forward the correct ports for emule, torrent. 

On dc++ I tried both ACTIVE and "Firewall with manual port forward", and I selected some port for dc++ in the router and put the same in the client. In dc++ I got slow speeds both in active mode and in firewall mode with port forward.

I control the router, so I can set whatever I want. I will try to arrange static dhcp although 

```
dhcpcd eth2
```

 always gives me 192.168.1.100.

Here are my forwarded ports for emule and torrents: 

6881-6882 tcp (torrent)

8726-8726 tcp (donkey)

8730-8730 udp (donkey-udp)

16687-16687 udp (kad)

for dc++ 20000 tcp,udp and set in dc++ as well.

----------

## sternklang

I have a WRT54GL and have no slowdowns from the router, with both the firewall on the router (which is iptables) and iptables on my Gentoo system active. I know that aside from the GL model, Linksys has been moving away from Linux on their routers to economize on flash memory and reduce costs. 

You could emerge and enable iptables on your Gentoo box and turn off the firewall on the router to see if there is any difference in performance. I would trust iptables (which is what the older Linksys routers and the WRT54GL use) before I would trust the firewall on whatever proprietary OS they use for their newer routers. If you are not familiar with iptables, this wiki article might help.

----------

## queen

 *sternklang wrote:*   

> I have a WRT54GL and have no slowdowns from the router, with both the firewall on the router (which is iptables) and iptables on my Gentoo system active. I know that aside from the GL model, Linksys has been moving away from Linux on their routers to economize on flash memory and reduce costs. 
> 
> You could emerge and enable iptables on your Gentoo box and turn off the firewall on the router to see if there is any difference in performance. I would trust iptables (which is what the older Linksys routers and the WRT54GL use) before I would trust the firewall on whatever proprietary OS they use for their newer routers. If you are not familiar with iptables, this wiki article might help.

 

Thanks for the link. Why do you use 2 firewalls? 

You think that my wrt54gc is considered new and doesn't have iptables on it? I even tried yesterday to assign static dhcp but it appeared even worse. I got a connection timeout when I tried to fetch files from users in the hubs.

----------

## sternklang

There are occasionally Windows laptops in the house, so there's a firewall on the router to protect everybody and a firewall on my system to protect me from them in case they're already infected with malware. ;)

I don't know if the router is your problem. Are you able to ssh into it (user root with your admin password)? That would be possible with a Linux-based Linksys router, though you might have to enable it on one of the administration pages.

If the GC uses a lower-end processor than the G/GS/GL models, it might have problems routing the many connections in a P2P swarm. Google might answer that question. 

Another possibility is that your ISP is bandwidth-throttling P2P traffic. Some ISPs do this based on well-known ports but others just look for a large number of upload/download connections to identify P2P traffic and throttle whichever ports those connections are on. This might explain why ftp works fine, that is a single connection which would not be affected by such throttling.

----------

## queen

 *sternklang wrote:*   

> I don't know if the router is your problem. Are you able to ssh into it (user root with your admin password)? That would be possible with a Linux-based Linksys router, though you might have to enable it on one of the administration pages.

 

Never tried to ssh to the router. If I try 

```
ssh admin@192.168.1.100
The authenticity of host '192.168.1.100 (192.168.1.100)' can't be established.
RSA key fingerprint is 73:22:33:44:8a:c5:46:37:b1:17:bd:91:ab:77:b2:3a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.100' (RSA) to the list of known hosts.
Password:
```

Now, I changed the default passwd when I got the router. If I type the passwd I get the passwd prompt again. 

And if I try 

```
ssh admin@192.168.1.1
```

it is stuck.

Usually I enter the web interface with 192.168.1.1

 *Quote:*   

> If the GC uses a lower-end processor than the G/GS/GL models, it might have problems routing the many connections in a P2P swarm. Google might answer that question. 

I'll check that. 

 *Quote:*   

> Another possibility is that your ISP is bandwidth-throttling P2P traffic. Some ISPs do this based on well-known ports but others just look for a large number of upload/download connections to identify P2P traffic and throttle whichever ports those connections are on. This might explain why ftp works fine, that is a single connection which would not be affected by such throttling.

They claim they don't block ports (and they seem reliable), but how can I check them? I once ran nmap against the router, both tcp and udp on the whole range of ports, and didn't find any ports blocked except those asked. I checked it at my brother's router and he has the same isp I have. 

For dc++ I chose something arbitrary. Can I change emule, kad and torrents to other ports?

----------

## sternklang

The username is root for ssh on Linksys routers, not admin. ssh must use the same IP address as your web interface, 192.168.1.1. I am not familiar with that router model, so I don't know where you would enable it -- and if it is not a Linux-based router ssh would probably not be available...so if there is no setting to enable ssh and it doesn't respond to an ssh connection, it probably doesn't use Linux.

The ISP doesn't have to block ports, they can cap bandwidth so you only get a fraction of your normal bandwidth. If your brother is able to use P2P software using the same ISP and doesn't see the speed problems you do, then it may not be the ISP causing the problem. But ISPs might not start throttling bandwidth until there has been a lot of P2P usage, so if your brother doesn't do this much and you do then bandwidth caps may still be a possibility.

I would suggest installing iptables on your system and trying the connections without the router to see if the router is the problem.

I have used Azureus, Deluge (my current favorite), Bittornado and the original Bittorrent client, all of them have configuration settings to control which ports are in use. I don't know what software you use but this is a very common feature of P2P software and I'm sure you could find such a setting no matter what software you use.

----------

## queen

 *sternklang wrote:*   

> The username is root for ssh on Linksys routers, not admin. ssh must use the same IP address as your web interface, 192.168.1.1. I am not familiar with that router model, so I don't know where you would enable it -- and if it is not a Linux-based router ssh would probably not be available...so if there is no setting to enable ssh and it doesn't respond to an ssh connection, it probably doesn't use Linux.

 

OK, I tried ssh root@192.168.1.1 and it was stuck. I also checked the linksys web site and in the gpl code center I don't see wrt54gc. Yet, on some web site someone mentioned it's a linux router. I will contact linksys to check more exactly. The wikipedia link shows that the wrt54gc is linux based. And they give details about the hardware  *Quote:*   

> Version 2.0 is shipping in, amongst other countries, the United Kingdom. This unit has a non-detachable external antenna.
> 
> The internal hardware is based on a Marvell ARM914 ("Libertas") reference design which is probably identical to the SerComm IP806SM, Xterasys XR-2407G, Abocom ARM914, Hawking HWGR54 Revision M, and the Airlink 101 AR315W. By appropriately changing the value of the firmware byte 0x26, the WRT54GC can be cross-flashed with firmware based on the same reference platform.
> 
> There are reports that a sister platform of the WRT54GC (the AR315W) has been hacked to run Linux.[4]

 

I couldn't find some ssh enabling except in port fwd section, but that's different. 

When I visited linksys web site I also found that there is new firmware and installed it. I also saw in a forum that there was a bug with port forward above 32000 (because they used signed instead of unsigned values) and they fixed it with the new firmware.  I saw a link with problems of routing on this model and p2p. But I am not sure how large this problem exist. 

 *Quote:*   

> The ISP doesn't have to block ports, they can cap bandwidth so you only get a fraction of your normal bandwidth. If your brother is able to use P2P software using the same ISP and doesn't see the speed problems you do, then it may not be the ISP causing the problem. But ISPs might not start throttling bandwidth until there has been a lot of P2P usage, so if your brother doesn't do this much and you do then bandwidth caps may still be a possibility.

 

He uses less than me. 

 *Quote:*   

> I would suggest installing iptables on your system and trying the connections without the router to see if the router is the problem.

 

I guess it's about time. Tried to avoid it but seems that I don't have a choice.

 *Quote:*   

> I have used Azureus, Deluge (my current favorite), Bittornado and the original Bittorrent client, all of them have configuration settings to control which ports are in use. I don't know what software you use but this is a very common feature of P2P software and I'm sure you could find such a setting no matter what software you use.

 

I use mldonkey and sancho as gui. There is a plugin for firefox and torrents. Haven't tried it. I used bittornado as well. But had to play for optimal dl and ul.

My question about torrents, emule is if i can change the ports and accordingly in iptables. If the isp throttles I don't want to use the standard port which they already know. 

In dc++ I tend to change ports, yet lately it didn't help either. 

In the wiki link you sent they write in quite some detail, but I am not sure up to which phase I should continue. Can I skip all the firewall hardening? Which scripts from firewall hardening on are essential and which not?

Thanks for all the help.

----------

## sternklang

Once you have iptables installed, here's a shell script you can run as root which will set up decent defaults - incoming packets will be dropped unless they match one of the following rules. Then run "/etc/init.d/iptables restart" and these settings will be saved. Please modify to include the ports you actually use.

```
#!/bin/sh

# Set location of iptables
IPTABLES=/sbin/iptables

# Define interfaces
PUBLIC_IF="eth0"

# Flush current rules
$IPTABLES -t nat -F
$IPTABLES -t filter -F
$IPTABLES -t mangle -F

# Delete custom chains
$IPTABLES -t nat -X
$IPTABLES -t filter -X
$IPTABLES -t mangle -X

# Set default policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow traffic from established connections
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow typical ICMP responses
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow BitTorrent traffic -- avoid ISP blocking defaults
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp -m multiport --ports 53309:53317 --syn -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT

# Allow BitTorrent tracker capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 6969 --syn -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 6969 -j ACCEPT

# Allow SSH
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 22 --syn -j ACCEPT
```

----------

## queen

Thanks. I will configure the kernel and install today. But, as I see, the script allows ping (ICMP). I would like to be able to ping the router from the laptop, but I don't want to be pinged from outside. How can I do that? 

The other ICMP are necessary? 

Can I put 2 interfaces (wifi, ethernet)? I mainly use wifi (eth2)

This script replaces the already existing /sbin/iptables ?

 *sternklang wrote:*   

> Once you have iptables installed, here's a shell script you can run as root which will set up decent defaults - incoming packets will be dropped unless they match one of the following rules. Then run "/etc/init.d/iptables restart" and these settings will be saved. Please modify to include the ports you actually use.
> 
> ```
> #!/bin/sh
> 
> ...

 

----------

## queen

I installed iptables. Followed the wiki with the kernel configuration. Had to add some more options in the kernel because it refused to work. 

I put the script you published here in /etc/init.d/iptables with small changes. I hope this is the correct place. Or should I have put it in /sbin/iptables? At this point I am a little bit confused.

I added iptables to default. 

The problem is that when I do 

```
iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

And it should show the script you gave me. 

The second problem is 

```
/etc/init.d/iptables restart
#: bad interpreter: No such file or directory
```

```
/etc/init.d/iptables save
#: bad interpreter: No such file or directory
```

```
/etc/init.d/iptables stop
#: bad interpreter: No such file or directory
```

```
ls -l /etc/init.d/iptables
-rwxr-xr-x 1 root root 2433 Sep 25 00:49 /etc/init.d/iptables
```

I even changed in the script #!/bin/bash and I still get the same error.

Do you know what is wrong?

----------

## sternklang

This script is not a substitute for the iptables initscript. When you start iptables and execute this script, it will load a default set of rules. Restart the iptables service after that and it will save those rules. It is not an initscript!

The script sets up a default deny policy, meaning that all traffic on eth0 is denied unless there is a rule allowing a specific type of traffic. That is what the remaining rules do. You can leave the policies alone.

You have to set up rules allowing traffic for each interface - create a duplicate set of rules for your wifi adapter for every rule mentioning PUBLIC_IF. You can do what I did, create a variable for it (PUBLIC_IF2 for instance) and use that in the duplicate rules.

If you don't want your machine to be pingable, delete the section "Allow typical ICMP responses" before running this script. 

The "Allow BitTorrent traffic" section should be customized - replace the range 53390:53317 (which I use) with the range you use. There is one line for tcp and one for udp connections. The "Bittorrent tracker" section is only if you run a tracker off your home system, you can delete it if you do not plan on doing so.

You will need similar sections for each of your P2P ports or port ranges. Use the "--dport xxx" syntax for a single destination port, and the "-m multiport --ports xxx:yyy" syntax for ranges of ports.

You will have to restore the original iptables initscript, of course!

Let me know if you have any other questions.
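Queen's two questions above (be pingable from the laptop but not from outside, and cover both the wifi and the wired card) can be handled in one script. The following is an added example, not sternklang's script or anything else from this thread: it keeps his default-deny layout but answers echo requests only from the LAN and repeats the per-interface rules for every interface listed. Assumptions: the LAN is 192.168.1.0/24 (the router subnet seen in this thread), the interfaces are eth1 and eth2, and the port numbers are the ones queen forwarded on the router.

```shell
#!/bin/sh
# Added example (not the thread's script): sternklang's default-deny layout,
# but ping is answered only from the LAN and the per-interface rules are
# repeated for every interface in PUBLIC_IFS. Assumptions: LAN_NET is the
# router's 192.168.1.0/24 subnet, interfaces are eth1 (wired) and eth2 (wifi),
# the P2P ports are the ones queen forwarded on the router.
IPTABLES=${IPTABLES:-/sbin/iptables}
PUBLIC_IFS=${PUBLIC_IFS:-"eth1 eth2"}
LAN_NET=${LAN_NET:-192.168.1.0/24}
P2P_TCP=${P2P_TCP:-"20000 8726"}          # dc++, edonkey
P2P_UDP=${P2P_UDP:-"20000 8730 16687"}    # dc++, edonkey udp, kad

reset_filter() {
    $IPTABLES -t filter -F
    $IPTABLES -t filter -X
    $IPTABLES -t filter -P INPUT DROP
    $IPTABLES -t filter -P FORWARD DROP
    $IPTABLES -t filter -P OUTPUT ACCEPT
    # Loopback must stay open or local services break.
    $IPTABLES -A INPUT -i lo -j ACCEPT
}

icmp_rules() {
    # Keep the error messages the host needs: destination unreachable (3),
    # time exceeded (11) and parameter problem (12); dropping them breaks
    # path-MTU discovery and traceroute.
    for t in 3 11 12; do
        $IPTABLES -A INPUT -p icmp -m icmp --icmp-type "$t" -j ACCEPT
    done
    # Echo request (8) only from the LAN, so the router and other local
    # hosts can ping this machine but nothing on the WAN side can. Replies
    # to our own pings (type 0) come back through the RELATED,ESTABLISHED
    # rule, because conntrack tracks ICMP echo, so they need no rule here.
    $IPTABLES -A INPUT -s "$LAN_NET" -p icmp -m icmp --icmp-type 8 -j ACCEPT
}

interface_rules() {
    # $1 = interface name. Replies to connections this host opened come
    # first; without this rule a DROP policy cuts the machine off from
    # everything, DNS and ping included.
    $IPTABLES -A INPUT -i "$1" -m state --state RELATED,ESTABLISHED -j ACCEPT
    for p in $P2P_TCP; do
        $IPTABLES -A INPUT -i "$1" -p tcp -m tcp --dport "$p" --syn -j ACCEPT
    done
    for p in $P2P_UDP; do
        $IPTABLES -A INPUT -i "$1" -p udp -m udp --dport "$p" -j ACCEPT
    done
}

apply_rules() {
    reset_filter
    icmp_rules
    for ifc in $PUBLIC_IFS; do
        interface_rules "$ifc"
    done
}

# "sh rules.sh preview" prints the iptables commands without running them;
# "sh rules.sh apply" runs them (as root). Without an argument the file only
# defines the functions, so it can be sourced.
case "${1:-}" in
    preview) IPTABLES=echo apply_rules ;;
    apply)   apply_rules ;;
esac
```

After `apply`, `/etc/init.d/iptables save` stores the result the same way as with sternklang's script.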

----------

## queen

 *sternklang wrote:*   

> This script is not a substitute for the iptables initscript. When you start iptables and execute this script, it will load a default set of rules. Restart the iptables service after that and it will save those rules. It is not an initscript!

 

OK, now I understand my mistake. 

 *Quote:*   

> You have to set up rules allowing traffic for each interface - create a duplicate set of rules for your wifi adapter for every rule mentioning PUBLIC_IF. You can do what I did, create a variable for it (PUBLIC_IF2 for instance) and use that in the duplicate rules.

Decided to leave only one interface, eth2 (wifi), which I use most of the time, and instead of lo I changed it to eth2, because lo is eth0 related. Have I done it correctly?

Added my own rules for dc++, msn, emule, kad.  Will show you below the corrected script. 

 *Quote:*   

> If you don't want your machine to be pingable, delete the section "Allow typical ICMP responses" before running this script. 

 

 *Quote:*   

> The "Allow BitTorrent traffic" section should be customized - replace the range 53390:53317 (which I use) with the range you use. There is one line for tcp and one for udp connections. The "Bittorrent tracker" section is only if you run a tracker off your home system, you can delete it if you do not plan on doing so.

 

This one I left as it is, because I will check different programs and see how it works. I abandoned torrents long time ago when I saw which speed I get. 

 *Quote:*   

> You will need similar sections for each of your P2P ports or port ranges. Use the "--dport xxx" syntax for a single destination port, and the "-m multiport --ports xxx:yyy" syntax for ranges of ports.

 

Done.

 *Quote:*   

> You will have to restore the original iptables initscript, of course!

 

The /sbin/iptables* remained the same. The only thing I needed to restore is /etc/init.d/iptables. I removed the wrong script from /etc/init.d/iptables unmerged iptables and emerged back. 

I continued with some more instructions in the wiki page (which unfortunately I didn't do in the first place).

Now it appears to be working. 

```
 * Loading iptables state and starting firewall ...    [ ok ]
 * Saving iptables state ...                           [ ok ]
 * Stopping firewall ...                               [ ok ]
 * Loading iptables state and starting firewall ...  
```

Not sure whether the script should start with /bin/sh or /bin/bash.

Here is the corrected script:

```
# Set location of iptables
IPTABLES=/sbin/iptables

# Define interfaces
PUBLIC_IF="eth2"

# Flush current rules
$IPTABLES -t nat -F
$IPTABLES -t filter -F
$IPTABLES -t mangle -F

# Delete custom chains
$IPTABLES -t nat -X
$IPTABLES -t filter -X
$IPTABLES -t mangle -X

# Set default policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i eth2 -j ACCEPT

# Allow traffic from established connections
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow BitTorrent traffic -- avoid ISP blocking defaults
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp -m multiport --ports 53309:53317 --syn -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT

# Allow BitTorrent tracker capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 6969 --syn -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 6969 -j ACCEPT

# Allow SSH
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 22 --syn -j ACCEPT

# Allow linuxdc
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 29800 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 29800 -j ACCEPT

# Allow Donkey capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 8726 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 8730 -j ACCEPT

# Allow Kad in emule capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 16687 -j ACCEPT

# Allow Msn capability to get files
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 6891 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 6891 -j ACCEPT
```

But something still is wrong:

```
iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

I put the script you gave me in /etc

----------

## gsoe

To get it working you should save the script e.g. as /sbin/myfirewall, change ownership to root:root and permissions so only root can execute it. Then as root you run the script with

```
myfirewall
```

After that if you do

```
/etc/init.d/iptables restart
```

the rules will be saved so they will take effect every time you power on your computer.

Now, for the script to work, you should keep the first line

```
#!/bin/sh 
```

and you have to watch out for the following:

```
# Allow traffic from trusted interfaces

$IPTABLES -A INPUT -i eth2 -j ACCEPT 
```

This will open up your eth2 for any connections, so if eth2 is the interface you connect to the outside world you should set it back to

```
# Allow traffic from trusted interfaces

$IPTABLES -A INPUT -i lo -j ACCEPT 
```

which is needed for your machine to function properly.

If you use eth1 for outside connections and eth2 is only connected inside, you can use

```
# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i eth2 -j ACCEPT
# The OUTPUT chain matches on the outgoing interface, so -o, not -i
$IPTABLES -A OUTPUT -o eth2 -j ACCEPT
```

but then you should define

```
PUBLIC_IF="eth1"
```

and change all other occurrences of eth2 to eth1, and you should still keep the "lo" rule.

----------

## queen

 *gsoe wrote:*   

> To get it working you should save the script e.g. as /sbin/myfirewall, change ownership to root:root and permissions so only root can execute it. Then as root you run the script with
> 
> ```
> myfirewall
> ```
> ...

 

I did 

```
/sbin/myfirewall 
```

Then I do  

```
carin ~ # /etc/init.d/iptables restart
 * Saving iptables state ...                           [ ok ]
 * Stopping firewall ...                               [ ok ]
 * Loading iptables state and starting firewall ...    [ ok ]
carin ~ # /sbin/myfirewall
iptables: No chain/target/match by that name
carin ~ # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN multiport ports 53309:53317
ACCEPT     udp  --  anywhere             anywhere            udp multiport ports 53309:53317
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6969 flags:FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  anywhere             anywhere            udp dpt:6969
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:29800
ACCEPT     udp  --  anywhere             anywhere            udp dpt:29800
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8726
ACCEPT     udp  --  anywhere             anywhere            udp dpt:8730
ACCEPT     udp  --  anywhere             anywhere            udp dpt:16687
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6891
ACCEPT     udp  --  anywhere             anywhere            udp dpt:6891

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
carin ~ # ping google.com
```

As you can see I was disconnected from internet. Couldn't ping google anymore. After I stopped the firewall I connected. 

 *Quote:*   

> This will open up your eth2 for any connections, so if eth2 is the interface you connect to the outside world you should set it back to
> 
> # Allow traffic from trusted interfaces
> ...

 

I am not sure about eth2, whether it's considered a connection to the outside world. I connect with eth2 to the router and get ip 192.168.1.100. I have a fixed ip from the isp on which I connect to the internet. This external ip changes once every few months. eth1 is the non-wifi card and I rarely use it. 

So, what should I do in this case?

The next thing that is not clear to me is from the wiki page. It's written there  *Quote:*   

> 1. Save your current firewall rules iptables-save > /etc/iptables.bak
> 
> 2. Open /etc/iptables.bak in your favorite text editor
> 
> 3. Add the following rule(s) in appropriate order (according to your existing rules). 

 

Now I figured that I should have put the rules from the script you gave me. I adjusted some of the things according to the script you gave me.  But it complained about -t flag when I tried 

```
iptables-restore /etc/iptables.bak
iptables-restore v1.3.8: Line 8 seems to have a -t table option.
Error occurred at line: 8
```

After that I deleted everything related to -t and obviously got another error. My question is how /etc/iptables.bak should look like. Now it looks like this:

```
# Generated by iptables-save v1.3.8 on Tue Sep 25 19:53:03 2007
*nat
:PREROUTING ACCEPT [139:43476]
:POSTROUTING ACCEPT [159:9354]
:OUTPUT ACCEPT [159:9354]
COMMIT
# Completed on Tue Sep 25 19:53:03 2007
# Generated by iptables-save v1.3.8 on Tue Sep 25 19:53:03 2007
*mangle
:PREROUTING ACCEPT [721:119781]
:INPUT ACCEPT [591:77063]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [745:107188]
:POSTROUTING ACCEPT [745:107188]
COMMIT
# Completed on Tue Sep 25 19:53:03 2007
# Generated by iptables-save v1.3.8 on Tue Sep 25 19:53:03 2007
*filter
:INPUT ACCEPT [591:77063]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [745:107188]
COMMIT
# Completed on Tue Sep 25 19:53:03 2007
```

Obviously it doesn't work because when I use myfirewall, I can't ping. 

I corrected to lo as you suggested. Now I need to know if the eth2 is correct. 

Hope you excuse me for so many questions. I'll know iptables in the end.

----------

## gsoe

The following  *Quote:*   

> carin ~ # /sbin/myfirewall
> 
> iptables: No chain/target/match by that name 

 indicates that you haven't loaded the necessary modules. Make sure that you load (or have compiled in your kernel) the following modules:

```
x_tables ip_tables iptable-filter xt_tcpudp

nf_conntrack nf_conntrack_ipv4 xt_state xt_multiport
```

You can also comment out all lines in the script that have something with "-t nat" and "-t mangle" as they are not used. If you don't you should load modules "iptable-nat" and "iptable-mangle"

The reason you were "disconnected" from the internet was that you missed the connection tracking capabilities of iptables, so that the response to your ping didn't get back to you. When you've loaded the modules I mentioned, you should get the following line in the response to "iptables -L"

```
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
```

That will ensure that responses to any connection initiated by you will be allowed to pass.

As for /etc/iptables.bak, mine looks like this when I have run the script without the nat and mangle tables:

```
# Generated by iptables-save v1.3.8 on Wed Sep 26 04:49:12 2007
*filter
:INPUT DROP [4:926]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [188:22559]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m multiport --ports 53309:53317 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 6969 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 6969 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
COMMIT
# Completed on Wed Sep 26 04:49:12 2007
```

but you don't really have to use that file. Just use the iptables initscript after you run /sbin/myfirewall:

```
iptables -L
```

to check that your active rules are all right, then

```
/etc/init.d/iptables save
```

to save the active ruleset. Now you can add iptables to the default runlevel to make it start at boot, and you can load and unload the rules with

```
/etc/init.d/iptables start
/etc/init.d/iptables stop
```

eth2 is all right, but if you want to use your eth1, you'll have to expand the ruleset accordingly.

I hope this clarifies things a little. I'll check the thread again in a day or two...

----------

## queen

 *Quote:*   

> The following
>
> > carin ~ # /sbin/myfirewall
> >
> > iptables: No chain/target/match by that name
>
> indicates that you haven't loaded the necessary modules. Make sure that you load (or have compiled in your kernel) the following modules:
> 
> ```
> ...

I deleted everything related to -t nat, -t mangle. 

As for ip_tables, iptable_filter, xt_tcpudp, nf_conntrack, nf_conntrack_ipv4, xt_state and xt_multiport, I have almost all of them built into the kernel, but I can't find xt_tcpudp in my kernel. I use kernel 2.6.19-r5. Do you think I should upgrade to another kernel? I even searched the kernel config in case it's in another section, and I can't find it. Which kernel do you have?

All these modules, do you have them compiled as built-in or as modules?

 *Quote:*   

> The reason you were "disconnected" from the internet was that you were missing the connection-tracking capabilities of iptables, so the response to your ping didn't get back to you. When you've loaded the modules I mentioned, you should get the following line in the response to "iptables -L":
> 
> ```
> ...

I added this line to the script. Got this error:

```
iptables: No chain/target/match by that name
```

```
iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN multiport ports 53309:53317
ACCEPT     udp  --  anywhere             anywhere            udp multiport ports 53309:53317
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6969 flags:FIN,SYN,RST,ACK/SYN
ACCEPT     udp  --  anywhere             anywhere            udp dpt:6969
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:29800
ACCEPT     udp  --  anywhere             anywhere            udp dpt:29800
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:8726
ACCEPT     udp  --  anywhere             anywhere            udp dpt:8730
ACCEPT     udp  --  anywhere             anywhere            udp dpt:16687
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:6891
ACCEPT     udp  --  anywhere             anywhere            udp dpt:6891
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1863
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:aol
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5223
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:rsync
ACCEPT     udp  --  anywhere             anywhere            udp dpt:rsync
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https flags:FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http flags:FIN,SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:2111
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

 *Quote:*   

> As for /etc/iptables.bak, mine looks like this when I have run the script without the nat and mangle tables:
> 
> ```
> ...

BUT I was immediately disconnected from the internet. I saw it immediately on gmail. The script is already added to the default runlevel, so I only had to start the firewall again.

BTW, I added a few more rules to the script, like http, https, ftp, icq, rsync. Do I need to add http, https, etc.? Rsync probably yes.

Here is the edited script:

```
#!/bin/sh
# Set location of iptables
IPTABLES=/sbin/iptables

# Define interfaces
PUBLIC_IF="eth2"

# Flush current rules
#$IPTABLES -t nat -F
$IPTABLES -t filter -F
#$IPTABLES -t mangle -F

# Delete custom chains
#$IPTABLES -t nat -X
$IPTABLES -t filter -X
#$IPTABLES -t mangle -X

# Set default policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
#$IPTABLES -t nat -P PREROUTING ACCEPT
#$IPTABLES -t nat -P OUTPUT ACCEPT
#$IPTABLES -t nat -P POSTROUTING ACCEPT
#$IPTABLES -t mangle -P PREROUTING ACCEPT
#$IPTABLES -t mangle -P INPUT ACCEPT
#$IPTABLES -t mangle -P FORWARD ACCEPT
#$IPTABLES -t mangle -P OUTPUT ACCEPT
#$IPTABLES -t mangle -P POSTROUTING ACCEPT

# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow traffic from established connections
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow BitTorrent traffic -- avoid ISP blocking defaults
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp -m multiport --ports 53309:53317 --syn -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT

# Allow BitTorrent tracker capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 6969 --syn -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 6969 -j ACCEPT

# Allow SSH
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 22 --syn -j ACCEPT

# Allow linuxdc
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 29800 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 29800 -j ACCEPT

# Allow Donkey capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 8726 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 8730 -j ACCEPT

# Allow Kad in emule capability
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 16687 -j ACCEPT

# Allow Msn capability to get files
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 6891 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 6891 -j ACCEPT

# Allow Msn
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 1863 -j ACCEPT

# Allow ICQ
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 5190 -j ACCEPT

# Allow GTALK
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 5223 -j ACCEPT

# Allow rsync
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 873 -j ACCEPT
$IPTABLES -A INPUT -i $PUBLIC_IF -p udp -m udp --dport 873 -j ACCEPT

# Allow https
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 443 --syn -j ACCEPT

# Allow http
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 80 --syn -j ACCEPT

# Allow ftp
$IPTABLES -A INPUT -i $PUBLIC_IF -p tcp -m tcp --dport 21 -j ACCEPT
```

The /etc/iptables.bak looks now like this:

```
# Generated by iptables-save v1.3.8 on Tue Sep 25 19:53:03 2007
*filter
:INPUT ACCEPT [591:77063]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [745:107188]
COMMIT
# Completed on Tue Sep 25 19:53:03 2007
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp -m multiport --ports 53309:53317 --syn -j ACCEPT
-A INPUT -i eth2 -p udp -m udp -m multiport --ports 53309:53317 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 6969 --syn -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 6969 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 29800 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 29800 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 8726 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 8730 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 16687 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 6891 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 6891 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 1863 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 5190 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 5223 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 873 -j ACCEPT
-A INPUT -i eth2 -p udp -m udp --dport 873 -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 443 --syn -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A INPUT -i eth2 -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
# Completed on Tue Sep 25 19:53:03 2007
```
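
Added example, not from either post: a small shell check that lints an iptables-save dump before `/etc/init.d/iptables start` loads it, looking for the two problems in this exchange (no RELATED,ESTABLISHED rule, which is what made the box look "disconnected", and rules placed after COMMIT as in the /etc/iptables.bak above, which sit outside any table and are not loaded). The function name `check_ruleset` is hypothetical and the two sample dumps are constructed, shortened versions of the files posted above.

```shell
#!/bin/sh
# Added example (not the thread's own code): lint an iptables-save dump.
# check_ruleset FILE: print findings; return 0 if clean, 1 if anything is off.
check_ruleset() {
    f=$1; rc=0
    # Only lines between "*filter" and its COMMIT belong to the filter table.
    live=$(awk '/^\*filter/{t=1; next} /^COMMIT/{t=0} t' "$f")
    # Rules after the first COMMIT are outside any table and are never applied.
    stray=$(awk 'c && /^-A /{n++} /^COMMIT/{c=1} END{print n+0}' "$f")
    [ "$stray" -eq 0 ] || { echo "ERROR: $stray rule(s) after COMMIT are not loaded"; rc=1; }
    printf '%s\n' "$live" | grep -q '^:INPUT DROP' \
        || { echo "WARN: INPUT policy is not DROP"; rc=1; }
    printf '%s\n' "$live" | grep -q -- '-i lo -j ACCEPT' \
        || { echo "WARN: no loopback ACCEPT rule"; rc=1; }
    printf '%s\n' "$live" | grep -q -- '--state RELATED,ESTABLISHED -j ACCEPT' \
        || { echo "ERROR: no RELATED,ESTABLISHED rule; replies to your own connections are dropped"; rc=1; }
    return $rc
}

# Constructed samples: a sound dump and one with rules appended after COMMIT.
GOOD=$(mktemp); BAD=$(mktemp)
cat >"$GOOD" <<'EOF'
*filter
:INPUT DROP [4:926]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [188:22559]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
COMMIT
EOF
cat >"$BAD" <<'EOF'
*filter
:INPUT ACCEPT [591:77063]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [745:107188]
COMMIT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
check_ruleset "$GOOD" && echo "$GOOD: ok"
check_ruleset "$BAD" || echo "$BAD: fix before loading"
```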

----------

