reply to guycad$
Re: Free IPTABLES SCRIPT! Get it here now!!! Well, first I would like to say that I like what you are doing, and this is something I do often myself with various programs ("write scripts to make it easier for the clueless, or for myself when I have been up for two days ;o)"). So the only real comments I have are really requests to make it more useful for everyone. Consider asking the user a yes-or-no question in regard to each setting while showing the default (recommended). For example, as someone above mentioned, some may want to filter all the LAN traffic; this would be a nice option. There has been a script written to clear the tables to their default, by the way. Options, Options, Options. That's all for me. -- Be sociable. Speak to the person next to you in the unemployment line tomorrow.
|
reply to guycad$ Oh, just one more little bitty thing. Could you please use tar next time? Zip is for wintendos. =o) LOL! I figure you tried to upload it plain and the server did it. F.Y.F.I. the server does support .tgz -- Be sociable. Speak to the person next to you in the unemployment line tomorrow.
|
reply to guycad$ Also I noticed you have 169.254.0.0/16 as reserved in the RFC1918, yet from what I can see it only reserves:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
»www.cis.ohio-state.edu/cgi-bin/r···918.html
The INT variable using /sbin/ should not be needed, since the iptables command, if it is under any *bin directory, will be known system-wide.
Then again, it might be nice to check with the user.
Here is some more flushing code; this should put it back like it was:

#
# reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#
# reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

#
# reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT

#
# flush all the rules in the filter, nat and mangle tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

#
# erase all chains that are not default in the filter, nat and mangle tables.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

The main thing, as mentioned, that I see as a problem is the lack of questioning the user and instead assuming that some things should be ok for everyone. -- Be sociable. Speak to the person next to you in the unemployment line tomorrow.
|
reply to guycad$ Ok, I have read documentation for Linux Security. So I'm beginning to have an idea about iptables, but how do I enable the submitted script and disable it?
|
guycad$ (Premium, join: 2002-05-02, Pompton Lakes, NJ) What distro of Linux?
What is your network setup?
I'm heading for bed now, but I can give you a better answer tomorrow.

'Nite!
|
said by guycad$: What distro of Linux? What is your network setup?
Sorry, forgot to place that info... RedHat8, router with NAT and three machines (XP, 2K and RH8). The router has a firewall and the windows machines have firewall software, but the linux machine...hmm... dunno. When I boot linux it reads that the iptables are starting, but that's the only proof that I have that tells me something relating to a firewall is installed.
But how do I "install" the script and turn it off if I have problems with it?
|

Why don't you just try lokkit from the console? =o) Assuming, of course, you have gnome installed, or you could use the gui version under gnome. That might help for now, as it seems they still have some work to do on the script. [text was edited by author 2002-10-28 03:47:21]
|
reply to guycad$ I might be interested in helping you make that script more interactive when you decide that the base is done and correct. -- Be sociable. Speak to the person next to you in the unemployment line tomorrow.
|
Nick8 (Premium, join: 2001-03-17, UK) reply to dom6791 You can check what rules are active by issuing (as root):

iptables -L -n -v | less

which would list the rules in the filter table. To look at other tables, e.g. the nat table, use:

iptables -t nat -L -n -v | less

To execute the script you'll need to do the following:

chmod 700 /path/to/init_iptables
/path/to/init_iptables

Don't forget to edit it to suit your setup first..
To flush the rules:

iptables -F
iptables -X
iptables -t nat -F

To have the rules loaded at boot you would typically place the script in /etc/init.d and use chkconfig to put symlinks in the relevant runlevels, e.g.

mv /path/to/init_iptables /etc/init.d
chkconfig --level 235 init_iptables on

I think.. (I don't use RH).
|
While that will flush the rules, it does not set them back like they were before you screwed with them, but I posted that above. Someone had done it already. I think this script could be grand if you cared to make it interactive, and it could be a lot more useful and powerful. I hope you will give it some thought. ;o) Otherwise I will have to do it myself, and that almost always sucks. LOL! -- Be sociable. Speak to the person next to you in the unemployment line tomorrow.
|
Nick8 (Premium, join: 2001-03-17, UK) said by callihn4: While that will flush the rules it does not set them back like they were before you screwed with them
Er.. Yes it does..
said by callihn4: I think this script could be grand if you cared to make it interactive and it could be a lot more useful and powerful.
Yes, it could, but we have already explained our goals earlier in the thread. Feel free to do what you like with it..
|
typecast (Premium, join: 2002-10-23, Palo Alto, CA) reply to callihn4 said by callihn4: Also I noticed you have 169.254.0.0/16 as reserved in the RFC1918, yet from what I can see it only reserves:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
The 169.254.*.* range is used for Windows APIPA (Automatic Private IP Addressing). Windows will assign each network interface an IP in this subnet when the media isn't present or if a DHCP lease request fails. It isn't part of RFC1918, but is still (or should be) a reserved network.
|
said by typecast: said by callihn4: Also I noticed you have 169.254.0.0/16 as reserved in the RFC1918, yet from what I can see it only reserves:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
The 169.254.*.* range is used for Windows APIPA (Automatic Private IP Addressing). Windows will assign each network interface an IP in this subnet when the media isn't present or if a DHCP lease request fails. It isn't part of RFC1918, but is still (or should be) a reserved network.
Well, I don't mean to seem stupid, but I have been up a while, so what does that have to do with an iptables firewall? -- Be sociable. Speak to the person next to you in the unemployment line tomorrow.
|
Nick8 (Premium, join: 2001-03-17, UK) You should never see traffic from reserved addresses on the 'net; if we do, we drop it..
|
reply to Nick8 said by Nick8: said by callihn4: While that will flush the rules it does not set them back like they were before you screwed with them
Er.. Yes it does..
said by callihn4: I think this script could be grand if you cared to make it interactive and it could be a lot more useful and powerful.
Yes, it could, but we have already explained our goals earlier in the thread. Feel free to do what you like with it..
Well, thanks, I just might do that when you get finished LOL! -- Be sociable. Speak to the person next to you in the unemployment line tomorrow.
|
reply to guycad$
### Do want reverse path filtering (unless you use FreeS/WAN!)
echo 1 > /proc/sys/net/ipv4/conf/$WAN/rp_filter
May cause a problem if multi-homed, and $WAN should be all? If not, $ will not work in there.
### Don't want to respond to ICMP echo broadcasts
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
But you just turned it off. -- Be sociable. Speak to the person next to you in the unemployment line tomorrow.
|
Nick8 (Premium, join: 2001-03-17, UK) The reverse path filtering is extraneous really.. There are rules to drop private source addresses arriving on the WAN interface. Packets with spoofed source addresses arriving at the LAN interface are assumed to be intentional (e.g. nmap -D, etc), hence $WAN and not all. I'll remove it altogether - it doesn't do anything useful.. quote:
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Duh.. Thanks.. Will change..
|
Another note, this one is killing me:

### Reserved.
# Create a new chain to handle reserved src addresses.
# So that we can log them as such..
#$IPT -N RESERVED
#if [ $LOG == 1 ]
#then
#$IPT -A RESERVED -j LOG --log-level $LOG_LVL --log-prefix "Reserved Source:"
#fi
### No point in sending an error reply / RST.
#$IPT -A RESERVED -j DROP
#for FOO in $RESERVD; do
#$IPT -A RESERVED -i $WAN -s $FOO -j RESERVED
#done

All that stuff kills my LAN.
Now the interesting part is:

# if WAN is an ethernet device with a private address, presume the subnet
# in which it resides is a LAN that should be permitted.
if [ `echo $WAN | grep 'eth'` ]
then
ADDR=`ifconfig $WAN | grep 'inet addr' | awk '{print $2}' | cut -d : -f 2`
MASK=`ifconfig $WAN | grep 'inet addr' | awk '{print $4}' | cut -d : -f 2`
NET="$ADDR/$MASK"
if [ `echo $ADDR | grep '^192\.^168\.\|^172\.16\.\|^10\.'` ]
then
$IPT -A INPUT -s $NET -j $watdo
fi
fi

This stuff isn't working: although $NET="192.168.0.3/255.255.255.0", nothing is added, with or without the RESERVED section commented out. Any ideas on that? -- Be sociable. Speak to the person next to you in the unemployment line tomorrow.
|
Nick8 (Premium, join: 2001-03-17, UK) said by callihn4: All that stuff kills my LAN.
That's probably because you are behind NAT and the grep of $ADDR for private network addresses is failing.. See below. quote:
if [ `echo $ADDR | grep '^192\.^168\.\|^172\.16\.\|^10\.'` ]
then
$IPT -A INPUT -s $NET -j $watdo
fi
There should not be a ^ before 168. There isn't in the version I have here, was that a typo? If not, that's why things aren't working as they should - remove it. I take it you have added a $watdo chain (that's not in the original either).
|

said by Nick8: said by callihn4: All that stuff kills my LAN.
That's probably because you are behind NAT and the grep of $ADDR for private network addresses is failing.. See below. quote:
if [ `echo $ADDR | grep '^192\.^168\.\|^172\.16\.\|^10\.'` ]
then
$IPT -A INPUT -s $NET -j $watdo
fi
There should not be a ^ before 168. There isn't in the version I have here, was that a typo? If not, that's why things aren't working as they should - remove it. I take it you have added a $watdo chain (that's not in the original either).
Yeah, watdo just equals ACCEPT or $RESP, which equals DROP or REJECT:

accwan=foo
while [ "$accwan" = "foo" ]
do
echo ""
echo "Do You Want To Accept All Traffic From The LAN? (Y/N)"
read accwan
case $accwan in
Y*) accwan=Y;;
y*) accwan=Y;;
N*) accwan=N;;
n*) accwan=N;;
*) accwan=foo
echo "===> Try again!";;
esac
done
if [ "$accwan" = "Y" ]; then
watdo="ACCEPT"
echo ""
echo "Iptables Will Accept All Traffic From The LAN."
fi
if [ "$accwan" = "N" ]; then
watdo="$RESP"
echo ""
echo "Iptables Will $watdo All Traffic From The LAN."
fi

Yes, that was a typo, sorry; that was after I had put those back after making ten million changes trying to figure out why it wouldn't write the chain. Anyway, it was one of those magical Ctrl characters. All better now.
How can these be saved, and will that work in all distros that run iptables?
And the giant Bourne question of the day:
Do they have anything like GOTO in Bourne? I need to be able to go back to a section several times.
-- Be sociable. Speak to the person next to you in the unemployment line tomorrow.
[text was edited by author 2002-11-18 07:58:01]
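An added example, my own code rather than callihn4's script, answering the GOTO question above: Bourne shell has no GOTO, so the accwan/watdo prompt becomes a function and a while loop re-runs it as often as needed. The prompt is reusable (ask_yn), bad input re-prompts, an empty answer takes a default, and EOF on stdin ends the loop instead of spinning; RESP is assumed to be DROP as in the thread.

```shell
# Added example, not the thread's script: functions plus loops stand in for
# GOTO when a section has to be re-entered several times.

# parse_yn ANSWER: prints Y or N for a yes/no answer, returns 1 otherwise.
parse_yn() {
    case "$1" in
        [Yy]*) echo Y ;;
        [Nn]*) echo N ;;
        *)     return 1 ;;
    esac
}

# ask_yn PROMPT [DEFAULT]: prompt on stderr, read stdin until parse_yn accepts
# the answer, print Y or N on stdout.  Empty answer takes DEFAULT; EOF fails.
ask_yn() {
    prompt=$1
    default=$2
    while :; do
        printf '%s [%s] ' "$prompt" "${default:-Y/N}" >&2
        read -r reply || return 1
        [ -n "$reply" ] || reply=$default
        if ans=$(parse_yn "$reply"); then
            echo "$ans"
            return 0
        fi
        echo "===> Try again!" >&2
    done
}

# The thread's accwan/watdo section as a function.  RESP is the thread's
# variable for the non-accept policy (assumed DROP here).
RESP=DROP
lan_policy() {
    ans=$(ask_yn 'Do You Want To Accept All Traffic From The LAN?' Y) || return 1
    if [ "$ans" = Y ]; then echo ACCEPT; else echo "$RESP"; fi
}

# configure_lan: the "go back to that section" loop; prints the policy the
# user finally confirms.
configure_lan() {
    while :; do
        watdo=$(lan_policy) || return 1
        echo "Iptables Will $watdo All Traffic From The LAN." >&2
        keep=$(ask_yn 'Keep this setting?' Y) || return 1
        if [ "$keep" = Y ]; then
            echo "$watdo"
            return 0
        fi
    done
}
```

Run interactively with `configure_lan` at the end of the script; the test feeds answers through a pipe instead.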
|