public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] workstation iptables
@ 2015-10-06 19:14 James
  2015-10-07  5:46 ` Mick
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: James @ 2015-10-06 19:14 UTC
  To: gentoo-user

Hello,

I just ran across this page:

http://gentoo-en.vfose.ru/wiki/Iptables/Iptables_and_stateful_firewalls#State_basics

It has a basic firewall using iptables.
Not bad for a generic firewall on an openrc workstation.
What is the best way to auto launch this sort of firewall.sh?

Any improvements in this basic workstation firewall:
everything out, nothing in?
A simple rule for ssh in only from the local lan
(use 192.168.100.100 for the example rule(s)).


...................................
firewall.sh
...................................
#!/bin/bash
# A basic stateful firewall for a workstation or laptop that isn't running any
# network services like a web server, SMTP server, ftp server, etc.

if [ "$1" = "start" ]
then
	echo "Starting firewall..."
	iptables -P INPUT DROP
	iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
elif [ "$1" = "stop" ]
then
	echo "Stopping firewall..."
	iptables -F INPUT
	iptables -P INPUT ACCEPT
fi
............................

just launched manually as a script.


Any good tools to quickly test this firewall from another local workstation?


wwr,
James




* Re: [gentoo-user] workstation iptables
  2015-10-06 19:14 [gentoo-user] workstation iptables James
@ 2015-10-07  5:46 ` Mick
  2015-10-07 13:23   ` [gentoo-user] " James
  2015-10-07 18:20 ` [gentoo-user] " Tom H
  2015-10-07 18:22 ` Alon Bar-Lev
  2 siblings, 1 reply; 6+ messages in thread
From: Mick @ 2015-10-07  5:46 UTC
  To: gentoo-user


On Tuesday 06 Oct 2015 20:14:59 James wrote:
> Hello,
> 
> I just ran across this page:
> 
> http://gentoo-en.vfose.ru/wiki/Iptables/Iptables_and_stateful_firewalls#State_basics
> 
> It has a basic firewall using iptables.
> Not bad for a generic firewall on an openrc workstation.
> What is the best way to auto launch this sort of firewall.sh?

Start iptables, run the script, stop iptables with '/etc/init.d/iptables stop'
which will save your rules to /var/lib/iptables/rules-save, or run
'iptables-save /var/lib/iptables/rules-save'.  Add any sysctl changes to
/etc/sysctl.conf, so that they are permanent.  Re-run the script if you want
to change things in it.

 
> Any improvements in this basic workstation firewall
> everything out, nothing in?

Yes, but such improvements are suggested in subsequent scripts on the same 
page, e.g. ICMP handling, selective logging, etc.  If all you want is "a basic 
firewall using iptables" for the IPv4 workspace, then what you have will do 
the job.


> Any good tools to quickly test this firewall from another local
> workstation?

nmap -A -T4 -P0 -vvv -p1-65535 XXX.XX.XXX.XX

-- 
Regards,
Mick
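A way to read the result of that scan, added here as an example and not code from anyone in the thread (nmap now spells -P0 as -Pn; the semantics are unchanged). nmap reports a port as "closed" when the target answered the SYN with a RST, meaning the packet reached the TCP stack and merely found nothing listening, and as "filtered" when no answer came back, which is what a DROP rule produces. A workstation with a default-deny INPUT policy should therefore show every port as filtered except the ones it deliberately allows. The function below reads nmap's normal output and applies that check; the two sample scans are constructed inputs, and the allow list of ports is an assumption you pass in.

```bash
#!/bin/bash
# Added example (not from the thread): interpret the normal output of
#   nmap -A -T4 -Pn -vvv -p1-65535 <host>
# for a host that is supposed to sit behind a DROP-all INPUT policy.
# "closed"   = RST came back: the packet reached the stack, not the firewall.
# "filtered" = nothing came back: a DROP rule ate the probe. This is what a
#              default-deny host should report for every port not allowed.

# check_scan "ALLOWED_PORTS" "NMAP_OUTPUT"
#   ALLOWED_PORTS: space-separated port numbers expected to be open (assumed)
#   NMAP_OUTPUT:   nmap's human-readable output as a single string
# Prints one verdict line per finding; returns 0 if the firewall looks right,
# 1 if anything reached the stack that should have been dropped.
check_scan() {
    local allowed="$1" scan="$2" rc=0 line port state
    while IFS= read -r line; do
        case "$line" in
            "Not shown: "*closed*)
                echo "FAIL  $line  (RSTs came back: INPUT is not dropping)"
                rc=1 ;;
            "Not shown: "*filtered*)
                echo "ok    $line" ;;
            [0-9]*/tcp*|[0-9]*/udp*)
                port="${line%%/*}"
                set -- $line          # split "22/tcp open ssh ..." on whitespace
                state="$2"
                case "$state" in
                    open)
                        case " $allowed " in
                            *" $port "*) echo "ok    port $port open, as intended" ;;
                            *) echo "FAIL  port $port open but not in allow list"; rc=1 ;;
                        esac ;;
                    closed)
                        echo "FAIL  port $port closed (reached the stack; should be filtered)"
                        rc=1 ;;
                    *)  echo "ok    port $port $state" ;;
                esac ;;
        esac
    done <<<"$scan"
    return "$rc"
}

# Constructed sample inputs: the first is the shape of result posted later in
# this thread, the second is what the same scan should look like once a DROP
# policy is really in place for everything except ssh.
SCAN_LEAKY='Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1-hpn13v11lpk (protocol 2.0)'

SCAN_GOOD='Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1-hpn13v11lpk (protocol 2.0)'

# Run directly: exercise both samples. Sourced: define the function only.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    if check_scan "22" "$SCAN_LEAKY"; then echo "verdict: pass"; else echo "verdict: FAIL"; fi
    if check_scan "22" "$SCAN_GOOD";  then echo "verdict: pass"; else echo "verdict: FAIL"; fi
fi
```

Pipe a real scan in with `check_scan "22" "$(nmap -Pn -p1-65535 <host>)"`; a "Not shown: ... closed ports" line is the tell that the policy is ACCEPT, whatever the open-port list says.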



* [gentoo-user] Re: workstation iptables
  2015-10-07  5:46 ` Mick
@ 2015-10-07 13:23   ` James
  2015-10-07 20:41     ` Mick
  0 siblings, 1 reply; 6+ messages in thread
From: James @ 2015-10-07 13:23 UTC
  To: gentoo-user

Mick <michaelkintzios <at> gmail.com> writes:


> > http://gentoo-en.vfose.ru/wiki/Iptables/Iptables_and_stateful_firewalls#State_basics

> Start iptables, run the script, stop iptables with '/etc/init.d/iptables
> stop' which will save your rules to /var/lib/iptables/rules-save,


After starting iptables, I ran /etc/firewall.sh (the previously published
script) and then the stop with the syntax above:

cat /var/lib/iptables/rules-save 
# Generated by iptables-save v1.4.21 on Wed Oct  7 09:13:59 2015
*mangle
:PREROUTING ACCEPT [16022765:14170972269]
:INPUT ACCEPT [16022479:14170935323]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19311825:1508198446]
:POSTROUTING ACCEPT [19311825:1508198446]
COMMIT
# Completed on Wed Oct  7 09:13:59 2015
# Generated by iptables-save v1.4.21 on Wed Oct  7 09:13:59 2015
*filter
:INPUT DROP [471:17192]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [722751:44404539]
[740388:740719942] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Oct  7 09:13:59 2015


was the output.


> or
> run 'iptables-save /var/lib/iptables/rules-save'.  Add any sysctl changes
> to /etc/sysctl.conf, so that they are permanent.  Re-run the script if 
> you want to change things in it.


sysctl is not set up. I did find this page on that:
https://wiki.gentoo.org/wiki/Procfs

Any suggestions on setting up sysctl for iptables and other future
usage?



> > Any improvements in this basic workstation firewall
> > everything out, nothing in?

> Yes, but such improvements are suggested in subsequent scripts on the 
> same page, e.g. ICMP handling, selective logging, etc.  If all you want
> is "a basic firewall using iptables" for the IPv4 workspace, then what 
> you have will do the job.

I'll test out these mods and give the scripts an added sequential character 
in the name so there can be different ones for easy deployment.

The idea is to keep it as simple as possible, test out scripts and ideas
and put something easy to set up on the gentoo wiki, for all to enjoy.


> > Any good tools to quickly test this firewall from another local
> > workstation?

> nmap -A -T4 -P0 -vvv -p1-65535 XXX.XX.XXX.XX

Worked flawlessly. Very precise syntax (thanks). Here are the highlights:

Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1-hpn13v11lpk (protocol 2.0)


Not bad for a quick workstation firewall(s). After I get sysctl set up,
I'll test a few other versions and post again. Then wikify these
for community consumption.

Thanks

James






* Re: [gentoo-user] workstation iptables
  2015-10-06 19:14 [gentoo-user] workstation iptables James
  2015-10-07  5:46 ` Mick
@ 2015-10-07 18:20 ` Tom H
  2015-10-07 18:22 ` Alon Bar-Lev
  2 siblings, 0 replies; 6+ messages in thread
From: Tom H @ 2015-10-07 18:20 UTC
  To: Gentoo User

On Tue, Oct 6, 2015 at 3:14 PM, James <wireless@tampabay.rr.com> wrote:
>
> #!/bin/bash
> # A basic stateful firewall for a workstation or laptop that isn't running any
> # network services like a web server, SMTP server, ftp server, etc.
>
> if [ "$1" = "start" ]
> then
>         echo "Starting firewall..."
>         iptables -P INPUT DROP
>         iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> elif [ "$1" = "stop" ]
> then
>         echo "Stopping firewall..."
>         iptables -F INPUT
>         iptables -P INPUT ACCEPT
> fi

Since you're starting from scratch, you might want to replace "-m
state --state" by "-m conntrack --ctstate" because the former's
deprecated and is now an alias to the latter.



* Re: [gentoo-user] workstation iptables
  2015-10-06 19:14 [gentoo-user] workstation iptables James
  2015-10-07  5:46 ` Mick
  2015-10-07 18:20 ` [gentoo-user] " Tom H
@ 2015-10-07 18:22 ` Alon Bar-Lev
  2 siblings, 0 replies; 6+ messages in thread
From: Alon Bar-Lev @ 2015-10-07 18:22 UTC
  To: gentoo-user

On 6 October 2015 at 22:14, James <wireless@tampabay.rr.com> wrote:
>
> Hello,
>
> I just ran across this page:
>
> http://gentoo-en.vfose.ru/wiki/Iptables/Iptables_and_stateful_firewalls#State_basics
>
> It has a basic firewall using iptables.
> Not bad for a generic firewall on an openrc workstation.
> What is the best way to auto launch this sort of firewall.sh?
>
> Any improvements in this basic workstation firewall
> everything out, nothing in?
> A simple rule for ssh in only from the local lan
> (use 192.168.100.100 for example rule(s).
>
>

Hi,

I suggest you look into firehol package.
It creates iptables rules out of human readable policy.

Regards,
Alon



* Re: [gentoo-user] Re: workstation iptables
  2015-10-07 13:23   ` [gentoo-user] " James
@ 2015-10-07 20:41     ` Mick
  0 siblings, 0 replies; 6+ messages in thread
From: Mick @ 2015-10-07 20:41 UTC
  To: gentoo-user


On Wednesday 07 Oct 2015 14:23:39 James wrote:
> Mick <michaelkintzios <at> gmail.com> writes:
> > > http://gentoo-en.vfose.ru/wiki/Iptables/Iptables_and_stateful_firewalls#State_basics
> > 
> > Start iptables, run the script, stop iptables with '/etc/init.d/iptables
> > stop' which will save your rules to /var/lib/iptables/rules-save,
> 
> 
> After starting iptables, I ran /etc/firewall.sh (the previously published
> script) and then the stop with the syntax above:
> 
> cat /var/lib/iptables/rules-save
> # Generated by iptables-save v1.4.21 on Wed Oct  7 09:13:59 2015
> *mangle
> 
> :PREROUTING ACCEPT [16022765:14170972269]
> :INPUT ACCEPT [16022479:14170935323]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [19311825:1508198446]
> :POSTROUTING ACCEPT [19311825:1508198446]
> 
> COMMIT
> # Completed on Wed Oct  7 09:13:59 2015
> # Generated by iptables-save v1.4.21 on Wed Oct  7 09:13:59 2015
> *filter
> 
> :INPUT DROP [471:17192]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [722751:44404539]
> 
> [740388:740719942] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> # Completed on Wed Oct  7 09:13:59 2015
> 
> 
> was the output.

Are you sure that restarting iptables did not produce errors on the CLI?  The 
script you are using is somewhat old and the iptables syntax has changed since 
then.  

Have a look here:

 https://wiki.gentoo.org/wiki/Iptables


Your single rule line above should therefore look like this:

 -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

but before this rule you should specify a default policy for your INPUT and 
other chains - ideally one to DROP all packets coming in and allow all going 
out; e.g.

 -P INPUT DROP
 -P FORWARD DROP
 -P OUTPUT ACCEPT

Also, to accept any INPUT packets on interfaces other than eth0, you would 
precede these lines with:

 -A INPUT ! -i eth0 -j ACCEPT


More details on syntax can be found in 'man iptables-extensions'.  You will 
need to modify your script accordingly for this new syntax.  To see if you are 
getting syntax errors run each rule on the CLI first, e.g.

 /sbin/iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

and check that it takes with:

 /sbin/iptables -L -v -n

NOTE: The order in which you add iptables rules on the CLI is the order in 
which they will end up listed in /var/lib/iptables/rules-save.


BTW, I recall a thread posted for a firewall script within the last couple of 
years, but can't recall exactly who was the contributor.  Have a quick search 
in Gmane to see if you can find it.


> sysctl is not set up. I did find this page on that::
> https://wiki.gentoo.org/wiki/Procfs
> 
> Any suggestions on setting up sysctl for iptables and other future
> usage?

According to the URL you posted above you should use /etc/sysctl.d/local.conf, 
rather than the legacy /etc/sysctl.conf which I suggested.  Apologies for a 
bum steer.  Use your previous URL for stateful firewalls to see what sysctl 
settings you need to add here.


> > nmap -A -T4 -P0 -vvv -p1-65535 XXX.XX.XXX.XX
> 
> Worked flawlessly. Very precise syntax (thanks). Here are the highlights::
> 
> Not shown: 65534 closed ports

Not good.  Unless you have set up a default policy to REJECT packets, this 
shows ports that are not firewalled, but happen to be closed (no service is 
running there).  If you had a DROP policy/rule for INPUT packets it should say 
"65534 filtered ports".


> PORT   STATE SERVICE VERSION
> 22/tcp open  ssh     OpenSSH 5.9p1-hpn13v11lpk (protocol 2.0)

Not good.  Unless you have also defined a rule for allowing connections to 
port 22, this shows an open port, to which a service (ssh) is currently 
listening for incoming connections.

If you want to only allow ssh connections from some local address 
192.168.1.27, you can try adding a rule for it like this:

-A INPUT -s 192.168.1.27/32 -i eth0 -p tcp -m conntrack --ctstate NEW -m mac --mac-source 67:35:AC:34:89:48 -m conntrack --ctorigdstport 22 -j ACCEPT


> Not bad for a quick workstation firewall(s). After I get sysctl setup,
> I'll test a few other versions and post again. Then wikify these
> for community consumption.

Your script needs more work.  Look first at the iptables URL I posted above, 
which has the modern syntax.  Also, either define a default INPUT chain policy 
to DROP or REJECT packets, or end your script with rules to drop all other 
packets, not already accepted by previous rules:

-A INPUT -i eth0 -j DROP

PS.  Instead of running some script, you can always specify your rules in your 
/var/lib/iptables/rules-save and also back it up.  Then use this file to 
change settings as you see fit and reload/start the firewall for the settings 
to take.

-- 
Regards,
Mick
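A complete ruleset along the lines Mick describes above, written as an added example for this thread and not code from the wiki page or from anyone in the discussion. It emits the rules in iptables-restore format, which is what /var/lib/iptables/rules-save holds, so the policy can be reviewed as text before it is loaded. Assumptions: the LAN interface is eth0, the one host allowed to open ssh is 192.168.100.100 (James's example address) and ssh listens on port 22; all three are parameters. Design choices that are mine, not Mick's: loopback is accepted explicitly instead of trusting every non-eth0 interface (a laptop's wlan0 is not more trustworthy than its eth0), packets in conntrack's INVALID state are dropped before any ACCEPT rule sees them, echo requests are rate-limited rather than silently dropped, and a sample of what is about to be dropped is logged ahead of the catch-all. Caveat: iptables governs IPv4 only; ip6tables needs its own default-deny policy or the same host stays wide open over IPv6.

```bash
#!/bin/bash
# Added example (not from the thread or the wiki page): generate a default-deny
# workstation ruleset in iptables-restore format, using "-m conntrack" instead
# of the deprecated "-m state".
#
# Usage (as root, after reading the output):
#   ./gen-rules.sh eth0 192.168.100.100 > /var/lib/iptables/rules-save
#   iptables-restore < /var/lib/iptables/rules-save
#   iptables -L -v -n        # confirm the rules took
#
# Assumed values: LAN interface eth0, admin host 192.168.100.100, ssh on 22.

# gen_rules LAN_IF ADMIN_IP [SSH_PORT]  -> prints the ruleset to stdout
gen_rules() {
    local lan_if="$1" admin_ip="$2" ssh_port="${3:-22}"
    if [ -z "$lan_if" ] || [ -z "$admin_ip" ]; then
        echo "usage: gen_rules LAN_IF ADMIN_IP [SSH_PORT]" >&2
        return 2
    fi
    # Lines starting with '#' are comments to iptables-restore.
    cat <<EOF
*filter
# Default policies: nothing in, nothing forwarded, everything out.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is accepted explicitly; local services talk to each other over lo.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (and related traffic such as ICMP
# errors) come back in; this is the one rule the original script had.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Packets conntrack cannot classify never get to match an ACCEPT rule below.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New ssh connections only from the admin host, only on the LAN interface.
-A INPUT -i $lan_if -s $admin_ip/32 -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# Answer pings, but not a flood of them.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# Log a sample of what is about to be dropped, then drop it explicitly
# (belt and braces with the DROP policy above).
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "iptables-drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# When run as a script with arguments, print the ruleset for review or restore.
if [ "$#" -ge 2 ]; then
    gen_rules "$@"
fi
```

Because the output is the rules-save format, the same file serves as the backup Mick suggests: edit it, `iptables-restore < file`, and the openrc iptables service will load it at boot.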


