guycad (Premium member, joined 2002-05-02, Pompton Lakes, NJ)

How to initialise iptables in Gentoo

OK, you've compiled your kernel with netfilter options and you've emerged iptables and you're wondering what to do now.

First thing you need to do now is make some decisions regarding iptables rules.

The script below is the script I use to initialize iptables for the first time. I call it initiptables. You can call it whatever you want. This script is courtesy of mbcx8nlp. I've modified it to fit my circumstances.


#!/bin/sh

## some constants - should work as is for most people
IPT="/sbin/iptables"
RESERVD="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16"

## Edit these constants
## Replace 1.1.1.1 with your ISP's DHCP server's address (if needed)
## In my example I don't use DHCP to get my Internet IP address.
## My internet IP address is assigned as part of my ppp0 connection.
## Replace 2.2.2.2 with the network address or
## host name of the Network Time Server that you use.
## Most admins running NTP servers prefer that you use the server's host name.
DHCP="1.1.1.1"
NTP="2.2.2.2"
WAN="ppp0"
LAN="eth0"

## Set sane kernel params (I've no doubt missed some useful ones)

## turn on IP forwarding if using this machine as a NAT/router
# echo 1 > /proc/sys/net/ipv4/ip_forward

## don't want src routed stuff or icmp redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

## do want reverse path filtering
echo 1 > /proc/sys/net/ipv4/conf/$WAN/rp_filter

## Flush rules
$IPT -F
$IPT -X

## permit loopback
$IPT -A INPUT -i lo -j ACCEPT

## permit local network
$IPT -A INPUT -i $LAN -j ACCEPT

## Don't want stuff from these addresses
for FOO in $RESERVD; do
$IPT -A INPUT -i $WAN -s $FOO -j DROP
done

## Don't want invalid / malformed stuff
## (unclean is an experimental match; it needs the ipt_unclean module)
$IPT -A INPUT -m unclean -j DROP

## Examples for unsolicited inbound (uncomment if you need)

## DHCP
# $IPT -A INPUT -i $WAN -p udp -s $DHCP --sport 67 --dport 68 -j ACCEPT

## NTP
$IPT -A INPUT -i $WAN -p udp -s $NTP --sport 123 -j ACCEPT

## SSH (allows SSH to firewall, from anywhere on the WAN)
$IPT -A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT

## Web server
# $IPT -A INPUT -i $WAN -p tcp --dport 80 -j ACCEPT

## Handle return / related traffic
$IPT -A INPUT -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT

## drop everything else arriving on WAN i/f
$IPT -A INPUT -i $WAN -j DROP

## list the iptables rules as confirmation
$IPT -L -v


The output from iptables after running this script is:


# iptables -L -v
Chain INPUT (policy ACCEPT 4716 packets, 3504K bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   100 ACCEPT     all  --  lo     any     anywhere             anywhere
   10  2572 ACCEPT     all  --  eth0   any     anywhere             anywhere
    0     0 DROP       all  --  ppp0   any     10.0.0.0/8           anywhere
    0     0 DROP       all  --  ppp0   any     172.16.0.0/12        anywhere
    0     0 DROP       all  --  ppp0   any     192.168.0.0/16       anywhere
    0     0 DROP       all  --  ppp0   any     loopback/8           anywhere
    0     0 DROP       all  --  ppp0   any     169.254.0.0/16       anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere            unclean
    0     0 ACCEPT     udp  --  ppp0   any     2.2.2.2              anywhere            udp spt:ntp
    0     0 ACCEPT     tcp  --  ppp0   any     anywhere             anywhere            tcp dpt:ssh
  156  159K ACCEPT     all  --  ppp0   any     anywhere             anywhere            state RELATED,ESTABLISHED
    4   234 DROP       all  --  ppp0   any     anywhere             anywhere

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 5881 packets, 410K bytes)
pkts bytes target prot opt in out source destination


This script is a simple and effective firewall. It's designed for a standalone system connected to the Internet through an ADSL modem. I've chosen to allow Secure Shell (SSH) and Network Time Protocol (NTP). Feel free to crib this script and use it wherever. BTW - this script works either for ADSL modems directly connected to your PC's NIC or to your LAN hub/switch. In my case, I have a 100Mb 8-port switch which my ADSL modem connects to. My ISP permits up to 3 simultaneous logins. YMMV

To interpret the output of this script:

I allow unlimited access from my local host.
I allow unlimited access from my local network.
I drop all Internet packets (through ppp0) which have been spoofed to appear as if they come from internal IP addresses.
I drop all partial (malformed) packets.
I allow NTP packets through ppp0.
I allow secure login (SSH) packets through ppp0.
I allow all packets through ppp0 which are a result of connections I've established.
I drop all other packets through ppp0.
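One thing worth noticing in the listing above: the INPUT policy is still ACCEPT, and the "drop everything else" is an ordinary rule at the end of the chain. If the script stops half-way (say the unclean module isn't loaded and that line errors out), the host is left with whatever was appended so far and an ACCEPT default. The following is an added example, not code from the original post: it emits the same policy in iptables-restore format with DROP as the default INPUT and FORWARD policy and loads the whole table in one commit, so there is no half-configured window. The function names gen_rules and load_rules are this example's own; the interface names, the 2.2.2.2 NTP placeholder and the reserved-range list come from the post, and conntrack's INVALID state is substituted for the experimental unclean match.

```shell
#!/bin/sh
# Added example, not part of the original post: the initiptables policy above
# written out as an iptables-restore file with DROP as the default INPUT and
# FORWARD policy, loaded in one atomic step. gen_rules and load_rules are this
# example's own names; interfaces, the 2.2.2.2 NTP placeholder and the
# reserved-range list are taken from the post.

# gen_rules WAN LAN NTP_ADDR  ->  prints the filter table in iptables-restore format
gen_rules() {
    wan=$1; lan=$2; ntp=$3
    reservd="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16"

    printf '%s\n' '*filter'
    # Default-deny: if a later rule fails to load (missing match module, typo),
    # the chain rejects everything instead of accepting everything.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' "-A INPUT -i lo -j ACCEPT"
    printf '%s\n' "-A INPUT -i $lan -j ACCEPT"
    # Anti-spoofing: private, loopback and link-local sources are never
    # legitimate on the WAN side, so drop them before any ACCEPT.
    for net in $reservd; do
        printf '%s\n' "-A INPUT -i $wan -s $net -j DROP"
    done
    # Reply traffic is the bulk of what arrives; accepting it here means every
    # rule below only ever sees unsolicited packets.
    printf '%s\n' "-A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # conntrack's INVALID state stands in for the experimental "-m unclean".
    printf '%s\n' "-A INPUT -i $wan -m state --state INVALID -j DROP"
    # Unsolicited services: NTP only from the configured server, SSH from anywhere.
    printf '%s\n' "-A INPUT -i $wan -p udp -s $ntp --sport 123 --dport 123 -j ACCEPT"
    printf '%s\n' "-A INPUT -i $wan -p tcp --dport 22 --syn -j ACCEPT"
    # Redundant under a DROP policy; kept so "iptables -L -v" shows the count.
    printf '%s\n' "-A INPUT -i $wan -j DROP"
    printf '%s\n' 'COMMIT'
}

# load_rules WAN LAN NTP_ADDR  ->  loads the ruleset atomically (needs root)
load_rules() {
    tmp=$(mktemp) || return 1
    gen_rules "$1" "$2" "$3" > "$tmp"
    # iptables-restore replaces the table in a single commit, so the box is
    # never half-configured the way a sequence of "iptables -A" calls leaves it.
    iptables-restore < "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage:  sh genrules.sh show   (print the ruleset)
#         sh genrules.sh load   (apply it, as root)
case "${1:-}" in
    show) gen_rules ppp0 eth0 2.2.2.2 ;;
    load) load_rules ppp0 eth0 2.2.2.2 ;;
esac
```

The ESTABLISHED,RELATED rule is moved ahead of the service rules: it matches most packets, and once it is in place every rule below it only has to reason about unsolicited traffic. With UDP connection tracking, NTP replies to your own queries already match that rule, so the explicit NTP line only matters if the server initiates traffic towards you.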

To initialize your iptables for the first time in Gentoo:
(as root)

1) Check that directory /var/lib/iptables exists. If not, create it. (This is one that the Gentoo team seems to have missed :D )

2) # /etc/init.d/iptables start
You'll get a message saying to create iptables rules.

3) Run your initiptables script (or equivalent).
# /root/initiptables
If you included the command 'iptables -L -v' in your initiptables script, you should receive output similar to above.

4) # /etc/init.d/iptables stop

5) confirm that the file /var/lib/iptables/rules-save exists.
If it's not there, review the instructions again for something you may have missed.
The rules-save file should look something like this:


# Generated by iptables-save v1.2.7a on Sun Oct 13 20:23:02 2002
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [2:329]
:OUTPUT ACCEPT [2:329]
COMMIT
# Completed on Sun Oct 13 20:23:02 2002
# Generated by iptables-save v1.2.7a on Sun Oct 13 20:23:02 2002
*filter
:INPUT ACCEPT [19:2438]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:3286]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 10.0.0.0/255.0.0.0 -i ppp0 -j DROP
-A INPUT -s 172.16.0.0/255.240.0.0 -i ppp0 -j DROP
-A INPUT -s 192.168.0.0/255.255.0.0 -i ppp0 -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i ppp0 -j DROP
-A INPUT -s 169.254.0.0/255.255.0.0 -i ppp0 -j DROP
-A INPUT -m unclean -j DROP
-A INPUT -s 2.2.2.2 -i ppp0 -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -j DROP
COMMIT
# Completed on Sun Oct 13 20:23:02 2002


6) # rc-update add iptables default

You're now done. Your iptables rules will be automatically loaded on every reboot. Any time you want to change your iptables rule-set, just update your initiptables script (or equivalent) and run it. The next time you shutdown, your new rule-set will be saved and automatically loaded on reboot.
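Step 5 has you eyeball rules-save. Since that file is what gets loaded on every boot from now on, it is worth checking mechanically each time it is regenerated. The following is an added example, not from the original post: an awk-based check that the saved filter table keeps the properties the post relies on (anti-spoof DROPs before any ACCEPT on the WAN interface, no ACCEPT on the WAN without a protocol or state restriction, and either a DROP policy or a catch-all DROP as the last INPUT rule), and that reports which ports are open to the world. check_rules, sample_good and sample_bad are this example's own names; sample_good is the rules-save content shown above, sample_bad is a constructed broken variant used to show what a failure looks like.

```shell
#!/bin/sh
# Added example, not part of the original post: a mechanical check of the saved
# rules instead of eyeballing rules-save. check_rules, sample_good and
# sample_bad are this example's own names.

# check_rules FILE WAN -> exit 0 if the filter table in FILE passes, 1 otherwise.
# Prints FAIL: lines for each violation and INFO: lines for ports open to anyone.
check_rules() {
    awk -v wan="$2" '
    BEGIN { nnets = split("10.0.0.0/ 172.16.0.0/ 192.168.0.0/ 127.0.0.0/ 169.254.0.0/", nets, " ") }
    /^\*/             { table = substr($0, 2); next }   # *nat, *filter, ...
    table != "filter" { next }                           # only the filter table matters here
    /^:INPUT /        { policy = $2; next }
    /^-A INPUT / {
        n++
        on_wan = index($0, "-i " wan " ") > 0
        target = ""
        for (i = 1; i < NF; i++) if ($i == "-j") target = $(i + 1)
        if (!on_wan) next
        if (target == "DROP") {
            # remember which reserved ranges have been dropped so far
            for (k = 1; k <= nnets; k++) if (index($0, "-s " nets[k])) dropped[nets[k]] = 1
            # a DROP with no source, match or protocol is a catch-all
            if (!index($0, " -s ") && !index($0, " -m ") && !index($0, " -p ")) last_drop = n
        }
        if (target == "ACCEPT") {
            missing = ""
            for (k = 1; k <= nnets; k++) if (!dropped[nets[k]]) missing = missing " " nets[k]
            if (missing != "") fail["ACCEPT on " wan " before anti-spoof DROP of" missing ": " $0] = 1
            if (!index($0, " -p ") && !index($0, "--state"))
                fail["unrestricted ACCEPT on " wan ": " $0] = 1
            else if (index($0, "--dport") && !index($0, " -s ")) {
                for (i = 1; i < NF; i++) { if ($i == "-p") proto = $(i + 1); if ($i == "--dport") port = $(i + 1) }
                print "INFO: " wan " accepts unsolicited " proto "/" port " from any source"
            }
        }
    }
    END {
        if (policy != "DROP" && (n == 0 || last_drop != n))
            fail["INPUT policy is " policy " and the last INPUT rule is not a catch-all DROP on " wan] = 1
        for (f in fail) { print "FAIL: " f; nfail++ }
        exit (nfail > 0 ? 1 : 0)
    }' "$1"
}

# The rules-save content shown in the post.
sample_good() {
cat <<'EOF'
# Generated by iptables-save v1.2.7a on Sun Oct 13 20:23:02 2002
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [2:329]
:OUTPUT ACCEPT [2:329]
COMMIT
*filter
:INPUT ACCEPT [19:2438]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [50:3286]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -s 10.0.0.0/255.0.0.0 -i ppp0 -j DROP
-A INPUT -s 172.16.0.0/255.240.0.0 -i ppp0 -j DROP
-A INPUT -s 192.168.0.0/255.255.0.0 -i ppp0 -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i ppp0 -j DROP
-A INPUT -s 169.254.0.0/255.255.0.0 -i ppp0 -j DROP
-A INPUT -m unclean -j DROP
-A INPUT -s 2.2.2.2 -i ppp0 -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -j DROP
COMMIT
EOF
}

# Constructed broken variant: SSH opened before the anti-spoof rules, a blanket
# ACCEPT on ppp0, and no catch-all DROP at the end of INPUT.
sample_bad() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP
-A INPUT -s 172.16.0.0/12 -i ppp0 -j DROP
-A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP
-A INPUT -s 127.0.0.0/8 -i ppp0 -j DROP
-A INPUT -s 169.254.0.0/16 -i ppp0 -j DROP
-A INPUT -i ppp0 -j ACCEPT
-A INPUT -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Usage: sh checkrules.sh /var/lib/iptables/rules-save ppp0
case $# in 0|1) ;; *) check_rules "$1" "$2" ;; esac
```

On the post's own rules-save the check passes and reports one INFO line (tcp/22 open to any source, which is exactly what the SSH rule intends); on the broken variant it fails three times. Run it against /var/lib/iptables/rules-save after step 5, and again whenever the rule-set is changed and re-saved.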

Have fun!

:)

Edit 1 - to delete two unused and unneeded lines.

Edit 2 - to add some comments and comment out an unneeded line.

Note: I left 2.2.2.2 in the script and results for clarity. There is no NTP server at 2.2.2.2. :)

Edit 3 - Comments were wrong and needed changing.



[text was edited by author 2002-10-13 23:27:51]

[text was edited by author 2002-10-13 23:40:55]

[text was edited by author 2002-10-14 00:12:04]
