iptables

Discussion in 'Installation/Configuration' started by tommytomato, Jun 23, 2007.

  1. tommytomato

    tommytomato New Member

    Hi all

    I think I have iptables worked out, but I've got one problem: every time I reboot, I lose the iptables that I created.

    I saved the files and then ran iptables -L to see my home-made firewall. I log in via another PC on my network and I'm able to log in.

    How do you save it so it boots up at the start?

    TT
     
  2. falko

    falko Super Moderator Howtoforge Staff

    How do you start the iptables firewall? Did you install an iptables-based firewall package such as shorewall or Bastille, or did you make your own custom iptables firewall?
     
  3. tommytomato

    tommytomato New Member

    I made a custom one, well at least I'm trying to ;)

    Here it is:

    Code:
    ~# cat /etc/firewall.bash
    #!/bin/bash

    # No spoofing: enable reverse-path filtering on every interface
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
        for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
        do
            echo 1 > "$filtre"
        done
    fi

    # No ICMP echo replies (unicast or broadcast)
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Load some modules you may need
    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe iptable_filter
    modprobe iptable_nat

    # Remove all rules and user-defined chains
    iptables -F
    iptables -X

    # First set the default behaviour => accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    # Create 2 chains; it allows writing a clean script
    iptables -N FIREWALL
    iptables -N TRUSTED

    # Hosts blocked outright
    iptables -A INPUT -s 83.132.97.14 -j DROP
    iptables -A INPUT -s 81.199.85.110 -j DROP
    iptables -A INPUT -s 218.16.120.80 -j DROP
    iptables -A INPUT -s 210.59.228.94 -j DROP
    iptables -A INPUT -s 219.153.0.218 -j DROP
    iptables -A INPUT -s 63.93.95.121 -j DROP
    iptables -A INPUT -s 203.134.154.2 -j DROP
    iptables -A INPUT -s 67.52.65.10 -j DROP

    # Loopback is fine, but loopback addresses on other interfaces are spoofed
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -s 127.0.0.0/255.0.0.0 -j DROP
    iptables -A INPUT -d 127.0.0.0/255.0.0.0 -j DROP

    # Drop new TCP connections that do not start with a SYN
    iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

    # Services open to everyone: SSH, SMTP, HTTP, POP3
    iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT

    
    I want to be able to open up ports 25 and 110 on my router, but block all access from the outside apart from my local network. Can this be done?

    I still want to be able to send and receive from the outside though. I hope that makes sense.

    TT
     
  4. falko

    falko Super Moderator Howtoforge Staff

    If you are on Debian/ubuntu, you can rename your iptables script to /etc/network/if-up.d/iptables:
    Code:
    mv /etc/firewall.bash /etc/network/if-up.d/iptables
    and make it executable:
    Code:
    chmod 755 /etc/network/if-up.d/iptables
    The script will then be started automatically whenever you boot the system.
     
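Putting the two points of the thread together, as an added example that is not code from either poster: a script written to be installed as /etc/network/if-up.d/iptables the way falko describes, with the policy TT asked about (ports 22, 25 and 110 reachable only from the local network, port 80 open, replies to outbound traffic allowed). LAN_NET is an assumed value and must be set to the real local network.

```shell
#!/bin/sh
# Added example, not code from this thread: a firewall script meant to be
# installed as /etc/network/if-up.d/iptables (falko's suggestion) and to
# implement what TT asked for: ports 22, 25 and 110 reachable only from the
# local network, port 80 open, and replies to outbound connections allowed.
# LAN_NET is an assumed value; set it to the real local network.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPT="${IPT:-iptables}"   # IPT=echo previews the commands without root

# Print the rule set, one iptables command per line.
firewall_rules() {
    cat <<EOF
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
EOF
    # LAN-only services: SSH, SMTP, POP3
    for port in 22 25 110; do
        echo "$IPT -A INPUT -p tcp --dport $port -s $LAN_NET -m state --state NEW -j ACCEPT"
    done
    # The web server stays reachable from anywhere
    echo "$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT"
}

# Self-check: true when some rule opens TCP port $1 without an -s restriction.
port_open_to_world() {
    firewall_rules | grep -- "--dport $1 " | grep -qv -- "-s "
}

# ifupdown exports IFACE when it runs the hooks in /etc/network/if-up.d;
# apply the rules then, but only once per boot (skip lo, which comes up first).
# Run by hand, the script prints the rules; "apply" as first argument applies them.
if [ -n "${IFACE:-}" ]; then
    [ "$IFACE" = lo ] && exit 0
    MODE=apply
else
    MODE="${1:-print}"
fi
case "$MODE" in
    apply) firewall_rules | sh -e ;;
    *)     firewall_rules ;;
esac
```

run-parts only executes hook files whose names consist of letters, digits, underscores and hyphens, which is why the file is installed as plain `iptables` rather than `firewall.bash`; `./iptables` with no argument shows the rules it would load.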
