* [gentoo-user] workstation iptables
@ 2015-10-06 19:14 James
2015-10-07 5:46 ` Mick
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: James @ 2015-10-06 19:14 UTC (permalink / raw
To: gentoo-user
Hello,
I just ran across this page:
http://gentoo-en.vfose.ru/wiki/Iptables/Iptables_and_stateful_firewalls#State_basics
It has a basic firewall using iptables.
Not bad for a generic firewall on a openrc workstation.
What is the best way to auto lauch this sort of firewall.sh ?
Any improvements in this basic workstation firewall
everything out, nothing in?
A simple rule for ssh in only from the local lan
(use 192.168.100.100 for example rule(s).
...................................
firewall.sh
...................................
#!/bin/bash
# A basic stateful firewall for a workstation or laptop that isn't running any
# network services like a web server, SMTP server, ftp server, etc.
if [ "$1" = "start" ]
then
echo "Starting firewall..."
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
elif [ "$1" = "stop" ]
then
echo "Stopping firewall..."
iptables -F INPUT
iptables -P INPUT ACCEPT
fi
............................
just launched manually as a script.
Any good tools to quickly test this firewall from another local workstation?
wwr,
James
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [gentoo-user] workstation iptables
2015-10-06 19:14 [gentoo-user] workstation iptables James
@ 2015-10-07 5:46 ` Mick
2015-10-07 13:23 ` [gentoo-user] " James
2015-10-07 18:20 ` [gentoo-user] " Tom H
2015-10-07 18:22 ` Alon Bar-Lev
2 siblings, 1 reply; 6+ messages in thread
From: Mick @ 2015-10-07 5:46 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: Text/Plain, Size: 1187 bytes --]
On Tuesday 06 Oct 2015 20:14:59 James wrote:
> Hello,
>
> I just ran across this page:
>
> http://gentoo-en.vfose.ru/wiki/Iptables/Iptables_and_stateful_firewalls#Sta
> te_basics
>
> It has a basic firewall using iptables.
> Not bad for a generic firewall on a openrc workstation.
> What is the best way to auto lauch this sort of firewall.sh ?
Start iptables, run the script, stop iptables with '/etc/init.d/iptables stop'
which will save your rules to /var/lib/iptables/rules-save, or run 'iptables-
save /var/lib/iptables/rules-save'. Add any sysctl changes to
/etc/sysctl.conf, so that they are permanent. Re-run the script if you want
to change things in it.
> Any improvements in this basic workstation firewall
> everything out, nothing in?
Yes, but such improvements are suggested in subsequent scripts on the same
page, e.g. ICMP handling, selective logging, etc. If all you want is "a basic
firewall using iptables" for the IPv4 workspace, then what you have will do
the job.
> Any good tools to quickly test this firewall from another local
> workstation?
nmap -A -T4 -P0 -vvv -p1-65535 XXX.XX.XXX.XX
--
Regards,
Mick
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 473 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* [gentoo-user] Re: workstation iptables
2015-10-07 5:46 ` Mick
@ 2015-10-07 13:23 ` James
2015-10-07 20:41 ` Mick
0 siblings, 1 reply; 6+ messages in thread
From: James @ 2015-10-07 13:23 UTC (permalink / raw
To: gentoo-user
Mick <michaelkintzios <at> gmail.com> writes:
> > http://gentoo-en.vfose.ru
> > /wiki/IptablesIptables_and_stateful_firewalls#State_basics
> Start iptables, run the script, stop iptables with '/etc/init.d/iptables >
stop' which will save your rules to /var/lib/iptables/rules-save,
after starting iptables, I ran /etc/firewall.sh (the previously published
script) and the stop with the syntax above::
cat /var/lib/iptables/rules-save
# Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
*mangle
:PREROUTING ACCEPT [16022765:14170972269]
:INPUT ACCEPT [16022479:14170935323]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19311825:1508198446]
:POSTROUTING ACCEPT [19311825:1508198446]
COMMIT
# Completed on Wed Oct 7 09:13:59 2015
# Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
*filter
:INPUT DROP [471:17192]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [722751:44404539]
[740388:740719942] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Oct 7 09:13:59 2015
was the ouput.
> or
> run 'iptables-save /var/lib/iptables/rules-save'. Add any sysctl changes
> to /etc/sysctl.conf, so that they are permanent. Re-run the script if
> you want to change things in it.
sysctl is not set up. I did find this page on that::
https://wiki.gentoo.org/wiki/Procfs
Any suggestions on setting up sysctl for iptables and other future
usage?
> > Any improvements in this basic workstation firewall
> > everything out, nothing in?
> Yes, but such improvements are suggested in subsequent scripts on the
> same page, e.g. ICMP handling, selective logging, etc. If all you want
> is "a basic firewall using iptables" for the IPv4 workspace, then what
> you have will do the job.
I'll test out these mods and give the scripts an added sequential character
in the name so there can be different ones for easy deployment.
The idea is to keep it as simple as possible, test out scripts and ideas
and put something easy to set up on the gentoo wiki, for all to enjoy.
> > Any good tools to quickly test this firewall from another local
> > workstation?
> nmap -A -T4 -P0 -vvv -p1-65535 XXX.XX.XXX.XX
Worked flawlessly. Very precise syntax (thanks). Here are the highlights::
Not shown: 65534 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1-hpn13v11lpk (protocol 2.0)
Not bad for a quick workstation firewall(s). After I get sysctl setup,
I'll test a few other verssions and post again. Then wikify these
for community consumption.
Thanks
James
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [gentoo-user] workstation iptables
2015-10-06 19:14 [gentoo-user] workstation iptables James
2015-10-07 5:46 ` Mick
@ 2015-10-07 18:20 ` Tom H
2015-10-07 18:22 ` Alon Bar-Lev
2 siblings, 0 replies; 6+ messages in thread
From: Tom H @ 2015-10-07 18:20 UTC (permalink / raw
To: Gentoo User
On Tue, Oct 6, 2015 at 3:14 PM, James <wireless@tampabay.rr.com> wrote:
>
> #!/bin/bash
> # A basic stateful firewall for a workstation or laptop that isn't running any
> # network services like a web server, SMTP server, ftp server, etc.
>
> if [ "$1" = "start" ]
> then
> echo "Starting firewall..."
> iptables -P INPUT DROP
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> elif [ "$1" = "stop" ]
> then
> echo "Stopping firewall..."
> iptables -F INPUT
> iptables -P INPUT ACCEPT
> fi
Since you're starting from scratch, you might want to replace "-m
state --state" by "-m conntrack --ctstate" because the former's
deprecated and is now an alias to the latter.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [gentoo-user] workstation iptables
2015-10-06 19:14 [gentoo-user] workstation iptables James
2015-10-07 5:46 ` Mick
2015-10-07 18:20 ` [gentoo-user] " Tom H
@ 2015-10-07 18:22 ` Alon Bar-Lev
2 siblings, 0 replies; 6+ messages in thread
From: Alon Bar-Lev @ 2015-10-07 18:22 UTC (permalink / raw
To: gentoo-user
On 6 October 2015 at 22:14, James <wireless@tampabay.rr.com> wrote:
>
> Hello,
>
> I just ran across this page:
>
> http://gentoo-en.vfose.ru/wiki/Iptables/Iptables_and_stateful_firewalls#State_basics
>
> It has a basic firewall using iptables.
> Not bad for a generic firewall on a openrc workstation.
> What is the best way to auto lauch this sort of firewall.sh ?
>
> Any improvements in this basic workstation firewall
> everything out, nothing in?
> A simple rule for ssh in only from the local lan
> (use 192.168.100.100 for example rule(s).
>
>
Hi,
I suggest you look into firehol package.
It creates iptables rules out of human readable policy.
Regards,
Alon
> ...................................
> firewall.sh
> ...................................
> #!/bin/bash
> # A basic stateful firewall for a workstation or laptop that isn't running any
> # network services like a web server, SMTP server, ftp server, etc.
>
> if [ "$1" = "start" ]
> then
> echo "Starting firewall..."
> iptables -P INPUT DROP
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> elif [ "$1" = "stop" ]
> then
> echo "Stopping firewall..."
> iptables -F INPUT
> iptables -P INPUT ACCEPT
> fi
> ............................
>
> just launched manually as a script.
>
>
> Any good tools to quickly test this firewall from another local workstation?
>
>
> wwr,
> James
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [gentoo-user] Re: workstation iptables
2015-10-07 13:23 ` [gentoo-user] " James
@ 2015-10-07 20:41 ` Mick
0 siblings, 0 replies; 6+ messages in thread
From: Mick @ 2015-10-07 20:41 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: Text/Plain, Size: 4889 bytes --]
On Wednesday 07 Oct 2015 14:23:39 James wrote:
> Mick <michaelkintzios <at> gmail.com> writes:
> > > http://gentoo-en.vfose.ru
> > > /wiki/IptablesIptables_and_stateful_firewalls#State_basics
> >
> > Start iptables, run the script, stop iptables with '/etc/init.d/iptables
> > >
>
> stop' which will save your rules to /var/lib/iptables/rules-save,
>
>
> after starting iptables, I ran /etc/firewall.sh (the previously published
> script) and the stop with the syntax above::
>
> cat /var/lib/iptables/rules-save
> # Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
> *mangle
>
> :PREROUTING ACCEPT [16022765:14170972269]
> :INPUT ACCEPT [16022479:14170935323]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [19311825:1508198446]
> :POSTROUTING ACCEPT [19311825:1508198446]
>
> COMMIT
> # Completed on Wed Oct 7 09:13:59 2015
> # Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
> *filter
>
> :INPUT DROP [471:17192]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [722751:44404539]
>
> [740388:740719942] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> COMMIT
> # Completed on Wed Oct 7 09:13:59 2015
>
>
> was the ouput.
Are you sure that restarting iptables did not produce errors on the CLI? The
script you are using is somewhat old and the iptables syntax has changed since
then.
Have a look here:
https://wiki.gentoo.org/wiki/Iptables
Your single rule line above should therefore look like this:
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
but before this rule you should specify a default policy for your INPUT and
other chains - ideally one to DROP all packets coming in and allow all going
out; e.g.
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
Also, to accept any INPUT packets on interfaces other than eth0, you would
precede these lines with:
-A INPUT ! -i eth0 -j ACCEPT
More details on syntax can be found in 'man iptables-extensions'. You will
need to modify your script accordingly for this new syntax. To see if you are
getting syntax errors run each rule on the CLI first, e.g.
/sbin/iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j
ACCEPT
and check that it takes with:
/sbin/iptables -L -v -n
NOTE: The order in which you add iptables rules on the CLI is the order in
which they will end up listed in /var/lib/iptables/rules-save.
BTW, I recall a thread posted for a firewall script within the last couple of
years, but can't recall exactly who was the contributor. Have a quick search
in Gmane to see if you can find it.
> sysctl is not set up. I did find this page on that::
> https://wiki.gentoo.org/wiki/Procfs
>
> Any suggestions on setting up sysctl for iptables and other future
> usage?
According to the URL you posted above you should use /etc/sysctl.d/local.conf,
rather than the legacy /etc/sysctl.conf which I suggested. Apologies for a
bum steer. Use your previous URL for stateful firewalls to see what sysctl
settings you need to add here.
> > nmap -A -T4 -P0 -vvv -p1-65535 XXX.XX.XXX.XX
>
> Worked flawlessly. Very precise syntax (thanks). Here are the highlights::
>
> Not shown: 65534 closed ports
Not good. Unless you have set up a default policy to REJECT packets, this
shows ports that are not firewalled, but happen to be closed (no service is
running there). If you had a DROP policy/rule for INPUT packets it should say
"65534 filtered ports".
> PORT STATE SERVICE VERSION
> 22/tcp open ssh OpenSSH 5.9p1-hpn13v11lpk (protocol 2.0)
Not good. Unless you have also defined a rule for allowing connections to
port 22, this shows an open port, to which a service (ssh) is currently
listening for incoming connections.
If you want to only allow ssh connections from some local address
192.168.1.27, you can try adding a rule for it like this:
-A INPUT -s 192.168.1.27/32 -i eth0 -p tcp -m conntrack --ctstate NEW -m mac
--mac-source 67:35:AC:34:89:48 -m conntrack --ctorigdstport 22 -j ACCEPT
> Not bad for a quick workstation firewall(s). After I get sysctl setup,
> I'll test a few other verssions and post again. Then wikify these
> for community consumption.
Your script needs more work. Look first at the iptables URL I posted above,
which has the modern syntax. Also, either define a default INPUT chain policy
to DROP or REJECT packets, or end your script with rules to drop all other
packets, not already accepted by previous rules:
-A INPUT -i eth0 -j DROP
PS. Instead of running some script, you can always specify your rules in your
/var/lib/iptables/rules-save and also back it up. Then use this file to
change settings as you see fit and reload/start the firewall for the settings
to take.
--
Regards,
Mick
[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 473 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2015-10-07 20:42 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2015-10-06 19:14 [gentoo-user] workstation iptables James
2015-10-07 5:46 ` Mick
2015-10-07 13:23 ` [gentoo-user] " James
2015-10-07 20:41 ` Mick
2015-10-07 18:20 ` [gentoo-user] " Tom H
2015-10-07 18:22 ` Alon Bar-Lev
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox