Linux IPTables

[SoWat]

OK, I'm sure this is an ever so useful tool, but it seems to be a pig to configure. I downloaded KNetfilter to try and make it easier, but I think it was harder!

What I want to do is shut off ports110 and 25 to incoming traffic (smtp and pop).

The Mandrake built in firewall (tinyfirewall I think) says it's going to do this but doesn't.

Reverend, tcdc, any advice/tips?

 

[old.Reverend Flatus]

Well, on the advice of Mr Cable, I got gShield. Does a good job except the default policy on the output chain is ACCEPT which isn't too clever. Get it from here.

 

[Testin da Cable]

...change the dp to DENY or REJECT and you're home free

 

[old.Reverend Flatus]

Originally posted by testin_da_cable
...change the dp to DENY or REJECT and you're home free

...and enable the services you actually want to allow through of course

 

[Testin da Cable]

...oh, yeah. forgot about that

 

[SoWat]

Great!

Ok, all ports are now showing closed. I read that they should report 'closed' rather than 'stealth', so I guess that'll do (using grc.com, any better ones out there?).

When running the script it complains about a syntax error, but it all seems to work. Should I be concerned about that (the error is in a file I haven't edited)?

Thanks again

 

[Testin da Cable]

Originally posted by SoWat
Great!

any better ones out there?

yeah there is:me

more by SoWat
When running the script it complains about a syntax error, but it all seems to work. Should I be concerned about that (the error is in a file I haven't edited)?

capture gShields output to a file [if you havn't already] and check to see where the error is
$./gShield.sh >log.log ought to do nicely*
*replace with the file you're actually running
view the log to check for the error, then find it in the script and correct [or post the error] hehe

 

[SoWat]

Eek, g'wan then (ip in PM)

While you're doing that, I'll try to figure out what I've done to stop Internet sharting working.

 

[Testin da Cable]

turn on:
echo "1" > /proc/sys/net/ipv4/ip_forward

turn off:
echo "0" > /proc/sys/net/ipv4/ip_forward



gShield does it for you tho

 

[SoWat]

Hmmn, except it doesn't.

I recall reading some posts about this though. Something to do with connection sharing not working after a reboot if you don't use tiny firewall.

I'll see if I can find the article.

cheers

 

[gremlin]

iptables is really sweet, and once you get the hang of it, not that hard to configure.

Here's a quick example script I knocked up, which you can modify for your own needs:

#########################################################################
## Create port check rules
#########################################################################
iptables -N check

## Allow global services (SSH, SMTP, DNS & HTTP)

iptables -A check -p udp --destination-port 53 -j ACCEPT
iptables -A check -p tcp -m multiport --destination-port 22,25,53,80 -m state --state NEW -j ACCEPT

#########################################################################
## Create chain which blocks new connections, except if coming from inside.
#########################################################################
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i lo -j ACCEPT
iptables -A block -i eth0 -j check
iptables -A block -m limit --limit 1/s -j LOG

#########################################################################
## Jump to that chain from INPUT and FORWARD chains.
#########################################################################
iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -A INPUT -j block

This will essentially drop everything inbound except for those ports listed in the "global services" section. HTH.

 

[SoWat]

Lovely thanks, I'll add that to my little pile of docs.

I have another newb question though, here goes:

My system starts up with default firewall rules.
I run my current script to lock everything down
I then have to run the internet sharing wizard. Now everything is still locked down, but I have connection sharing too.

Sooo, my question is, can I start my current script automatically, and can I save the current state of iptables i.e after I've enabled the sharing?

Cheers

 

[SoWat]

Fook, Fook and Double FOOK!

Had the bright idea to reinstall Mandrake, and configure it step by step. Installed in expert mode (BIG mistake) and answered the questions correctly (I thought).

End result, LILO croaked. Ok says I, boot with the floppy, which I do. Edited lilo.conf and rebooted... success.

Well, not quite. I also managed to bugger up the MBR and now I have no Win2K (ntldr missing).

To add insult to injury, I can't connect with Linux either.

Guess it's going to be a long night with just me and the penguin

 

[Testin da Cable]

eep that sucks dudeh
you could try booting to linux and running lilo -P fix which may help [or not]

also make sure that the entry in lilo.conf that refers to your w2k partition really is pointing that way heh
example:

boot = /dev/hda
           delay = 40

root = /dev/hda1
          read-only
          image = /boot/lin246
          label = test1

          image = /boot/lin242
          label = ok_kern

other = /dev/hdb1
            label = win98
            table = /dev/hdb

pay attention to the entry 'other'. this points to my win98 install on '/dev/hdb1' ie the second harddisk, partition 1
a 'normal' partitioning setup goes a little like this: [4 partitions] /dev/hda1, /dev/hda5, /dev/hda6, /dev/hda7
be aware of the 'jump' from 1 to 5.
good luck!

 

[SoWat]

Well I'm back online with Linux, which is nice!

Posted my last message with my laptop and modem (shudder).

my lilo.conf looks like this:

boot=/dev/hda
map=/boot/map
install=/boot/boot.b
vga=normal
default=linux
keytable=/boot/uk.klt
lba32
prompt
timeout=50
message=/boot/message
menu-scheme=wb:bw:wb:bw
image=/boot/vmlinuz
 label=linux
 root=/dev/hde5
 append=" hdd=ide-scsi devfs=mount quiet"
 vga=788
 read-only
image=/boot/vmlinuz
 label=linux-nonfb
 root=/dev/hde5
 append=" hdd=ide-scsi devfs=mount"
 read-only
image=/boot/vmlinuz
 label=failsafe
 root=/dev/hde5
 append=" hdd=ide-scsi devfs=mount failsafe"
 read-only
other=/dev/hda1
 label=Win2K
 table=/dev/hda
 map-drive=0x80
    to=0x81
 map-drive=0x81
    to=0x80
other=/dev/fd0
 label=floppy
 unsafe

It boots to linux fine, and does seem to be pointing at the right Windows partition. Before I edited it, the top line said
boot=/dev/hde5
which is what I think buggered it (I have 4 HDs, 1xDVD and 1xCDR)..

Anyways, the Windows 2000 rescue dick does anything but. it runs through a disk check, and then says everything is repaired, which it ain't (it's now in 2 pieces in the bin).

There is a lilo backup in the boot directory (boot.0300), so I may use that if all else fails. Be interesting to see how much I can f*ck up using the dd command

Thanks for the help

 

[Testin da Cable]

if you're feeling vindictive, you could try typing rm -Rf * in the /
just make sure that mandrake hasn't mounted your windows dirs.
when I installed M, I found that it had defaulted to mounting my win98se partitions in /mnt/win_c and /mnt/win_d
so
if you feel like trying that command I mentioned above...type umount /mnt/win_c and umount /mnt/win_d first!

-TdC

 

[SoWat]

LOL, thanks, but no thanks.

Win2K is now repaired. Booting from the CD and choosing console recovery, then logging into windows and using the fixmbr command did it. I'll be using that from now on, and not the waste-of-space recovery disk.

Linux can still be booted, but by floppy only at the mo. I may try running LILO again, especially as I now know how to fix it.

The LILO backup was, as I soon discovered, the knackered one that I 'fixed'.

Anyway...bed:sleeping:

 

[gremlin]

I don't know if you've read this, but it might help:

WinNT + Linux multiboot HOWTO

The WinNT bits apply to Win2k and i've used that guide to get a dual-boot system running Win2k + Linux working using the Win2k boot loader to load whichever OS (which I actually prefer to LILO anyway).

 

[SoWat]

That was useful, thanks.

I now have Mandrake in my Win2K bootup menu, which is a lot easier. this means of course that, as long as I don't install LILO, I can install and uninstall to my hearts delight without knackering up my Windows install (assuming I install to the same partitions of course).

..now where's that Mandrake install disk?

 

[old.venturer01]

i was thinking of installing Linux.

so it looks like redhat or slackware or are other better , i need help please.

i have an old p166 that i will format and a switch and an nt server to hack ! . do i need 2 os's on the p166?

 

[Testin da Cable]

I'd say RedHat, as ole Slack seems to have been discontinued as of version 8.0 iirc.
RH has it's quirks tho, but every os does so nothing new there. Be aware that some of the more flashy stuff [aka the GUI] may run slow on a '166.