townx - Page - Comments

firewall

Guest — Thu, 08 May 2008 03:01:53 -0500

Hi,
Great script - I've used it as the starter for my setup.

ShieldsUP notes that your script shows ports 0 and 1 as closed rather than in stealth mode, and also doesn't drop ICMP packets - meaning that if the machines are directly attached to the internet via ppp, or with an ADSL modem with no firewall, then they can be discovered.

Also your script doesn't handle dialup connections.

The following changes mitigates against these:

drop everything else on ppp
iptables -A INPUT -i ppp+ -p udp -j DROP
iptables -A INPUT -i ppp+ -p tcp -m tcp --syn -j DROP
iptables -A INPUT -i ppp+ -p icmp -j DROP
Explcitly deal with port 0
iptables -A INPUT -j DROP -p tcp --sport 0
iptables -A INPUT -j DROP -p udp --sport 0
iptables -A INPUT -j DROP -p tcp --dport 0
iptables -A INPUT -j DROP -p udp --dport 0
Explcitly deal with port 1
iptables -A INPUT -j DROP -p tcp --sport 1
iptables -A INPUT -j DROP -p udp --sport 1
iptables -A INPUT -j DROP -p tcp --dport 1
iptables -A INPUT -j DROP -p udp --dport 1

regards

Colin

Thx ;)

Prakash — Wed, 30 Apr 2008 18:18:12 -0500

thanks!though iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT is needed!

Well, we've only got a

elliot — Thu, 17 Apr 2008 18:15:49 -0500

Well, we've only got a rabbit, and she's in a hutch. So no furniture issues.

Off the furniture?

Pet Websites — Tue, 25 Mar 2008 15:52:13 -0500

That's assuming that you still have furniture. Most of the time they just tear it up with their claws. I still can't live without them :)

What, the ports became

elliot — Sun, 18 Nov 2007 18:07:54 -0600

What, the ports became unavailable? Or the services stopped running? When you stopped the firewall? If you set it up as above, stopping the firewall shouldn't touch other services, and should definitely not block them.

shit

alex rose — Sun, 18 Nov 2007 11:09:12 -0600

when i typed /etc/init.d/firewall stop ssh, apache gone away .. :(
why ?

Thanks for that, Roy. I've

elliot — Tue, 02 Oct 2007 13:20:28 -0500

Thanks for that, Roy. I've used some of the GUIs before, but the simple ones can't cope with the scenario outlined in the article. While fwbuilder probably could, I like the simplicity of my script, and have used it succesfully without touching it for about 3 years. I'm very happy with it.

Great, glad it was helpful.

elliot — Tue, 02 Oct 2007 13:19:19 -0500

Great, glad it was helpful.

short and sweet, works as

Reid — Mon, 01 Oct 2007 22:57:55 -0500

short and sweet, works as advertised! happy customer here.

iptables

Guest — Fri, 14 Sep 2007 15:20:42 -0500

One of the most impressive tools for building iptables firewalls is fwbuilder at www.fwbuilder.org.
This fantastic GUI app writes the iptables for you in a way that is easy to read.

Really good for heavy weight firewalling.

Roy.

thanks!

FG — Thu, 13 Sep 2007 19:55:03 -0500

man... for the longest time i couldn't get display scaling to work... copy and paste worked fine because i knew vmware-tools had to be running... but "vmware-user" was the magik utility that needs to be running for the scaling to work. Thanks man!

Thanks Michael. Glad to be

elliot — Thu, 06 Sep 2007 09:30:35 -0500

Thanks Michael. Glad to be of service.

So simple!

Michael — Sun, 26 Aug 2007 21:42:07 -0500

I've fooled with iptables off and on for a few years now. Never quite getting all the pieces right. Thanks for bringing it back down to Earth with a simple as pie approach to setting the rules and integrating with start up. It was good to learn a thing or two about update-rc.d. That was an interesting tool I hadn't seen before.

One note: Add your input accept rules (like port 80 for HTTP BEFORE you drop everything else). Took me a couple minutes to figure that one out, but otherwise, all else was smooth sailing.

--Michael

Very helpful. Thanks for

Guest — Thu, 21 Jun 2007 00:05:29 -0500

Very helpful. Thanks for posting.

In which case, my apologies.

elliot — Tue, 29 May 2007 07:31:43 -0500

In which case, my apologies. I wasn't intending to upset animal lovers. Just put animals in their place :) I'll let the free advertising stand.