From: James
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: workstation iptables
Date: Wed, 7 Oct 2015 13:23:39 +0000 (UTC)
References: <201510070646.15772.michaelkintzios@gmail.com>

Mick writes:

> > http://gentoo-en.vfose.ru/wiki/IptablesIptables_and_stateful_firewalls#State_basics
>
> Start iptables, run the script, stop iptables with '/etc/init.d/iptables
> stop' which will save your rules to /var/lib/iptables/rules-save,

After starting iptables, I ran /etc/firewall.sh (the previously published
script) and then the stop with the syntax above:

  cat /var/lib/iptables/rules-save
  # Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
  *mangle
  :PREROUTING ACCEPT [16022765:14170972269]
  :INPUT ACCEPT [16022479:14170935323]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [19311825:1508198446]
  :POSTROUTING ACCEPT [19311825:1508198446]
  COMMIT
  # Completed on Wed Oct 7 09:13:59 2015
  # Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
  *filter
  :INPUT DROP [471:17192]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [722751:44404539]
  [740388:740719942] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  COMMIT
  # Completed on Wed Oct 7 09:13:59 2015

was the output.

> or
> run 'iptables-save /var/lib/iptables/rules-save'. Add any sysctl changes
> to /etc/sysctl.conf, so that they are permanent. Re-run the script if
> you want to change things in it.

sysctl is not set up. I did find this page on that:

  https://wiki.gentoo.org/wiki/Procfs

Any suggestions on setting up sysctl for iptables and other future usage?

> > Any improvements in this basic workstation firewall
> > everything out, nothing in?
>
> Yes, but such improvements are suggested in subsequent scripts on the
> same page, e.g. ICMP handling, selective logging, etc. If all you want
> is "a basic firewall using iptables" for the IPv4 workspace, then what
> you have will do the job.

I'll test out these mods and give the scripts an added sequential
character in the name so there can be different ones for easy deployment.
The idea is to keep it as simple as possible, test out scripts and ideas,
and put something easy to set up on the Gentoo wiki, for all to enjoy.

> > Any good tools to quickly test this firewall from another local
> > workstation?
>
> nmap -A -T4 -P0 -vvv -p1-65535 XXX.XX.XXX.XX

Worked flawlessly. Very precise syntax (thanks). Here are the highlights:

  Not shown: 65534 closed ports
  PORT   STATE SERVICE VERSION
  22/tcp open  ssh     OpenSSH 5.9p1-hpn13v11lpk (protocol 2.0)

Not bad for a quick workstation firewall(s). After I get sysctl set up,
I'll test a few other versions and post again. Then wikify these for
community consumption.

Thanks,
James
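Added example, not part of this thread and not the wiki script it refers to: a small POSIX sh file that generates a workstation ruleset in the same iptables-save format that /var/lib/iptables/rules-save holds, audits an existing rules-save file for the properties an "everything out, nothing in" policy needs, and emits a matching set of sysctl settings to append to /etc/sysctl.conf. The function names (gen_rules, audit_rules, gen_sysctl, sample_rules_save) and the exact rule and sysctl choices are this example's own; the sample it audits is constructed from the *filter table quoted in the message. One caveat the audit makes visible: that saved table has INPUT policy DROP and only the RELATED,ESTABLISHED rule, so new connections to 127.0.0.1 (local daemons reached over loopback) are dropped until an `-i lo` ACCEPT rule is added. Generating and auditing need no root; only loading the output with iptables-restore or sysctl -p does.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the wiki's firewall.sh).
# Generates, audits and complements a workstation iptables policy.

# Print a complete *filter table in iptables-save format. Any arguments
# are TCP ports to accept new inbound connections on (e.g. 22 for ssh);
# with no arguments nothing comes in except replies to our own traffic.
# "-m state" is kept to match the rules-save quoted in the thread.
gen_rules() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 4/second -j ACCEPT'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Log what the DROP policy is about to discard, rate-limited so a
    # full port scan like the nmap run above cannot flood the log.
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables-drop: "' \
        'COMMIT'
}

# Audit a rules-save file (argument 1). Prints one line per failed check
# and returns 1 if any check failed, 0 when all pass.
audit_rules() {
    f=$1
    rc=0
    grep -q '^:INPUT DROP' "$f" \
        || { echo "FAIL: INPUT policy is not DROP"; rc=1; }
    grep -q -- '-A INPUT -i lo -j ACCEPT' "$f" \
        || { echo "FAIL: no loopback ACCEPT; services on 127.0.0.1 will break"; rc=1; }
    grep -qE -- '-A INPUT -m (state --state|conntrack --ctstate) [A-Z,]*ESTABLISHED' "$f" \
        || { echo "FAIL: return traffic for established connections not accepted"; rc=1; }
    return $rc
}

# Constructed sample: the *filter table from the rules-save quoted in the
# message (rule counters omitted). It has no loopback rule.
sample_rules_save() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [471:17192]' \
        ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [722751:44404539]' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        'COMMIT'
}

# sysctl settings for a single-homed workstation (no forwarding, reverse
# path filtering, no ICMP redirects or source routing, SYN cookies).
# Append to /etc/sysctl.conf so they persist, then `sysctl -p` as root.
gen_sysctl() {
    printf '%s\n' \
        'net.ipv4.ip_forward = 0' \
        'net.ipv4.conf.all.rp_filter = 1' \
        'net.ipv4.conf.default.rp_filter = 1' \
        'net.ipv4.conf.all.accept_redirects = 0' \
        'net.ipv4.conf.all.send_redirects = 0' \
        'net.ipv4.conf.all.accept_source_route = 0' \
        'net.ipv4.conf.all.log_martians = 1' \
        'net.ipv4.icmp_echo_ignore_broadcasts = 1' \
        'net.ipv4.tcp_syncookies = 1'
}

# Usage:  sh firewall-gen.sh --demo          (audit sample + generated set)
#         sh firewall-gen.sh 22 | iptables-restore   (as root, loads rules)
case "${1:-}" in
    --demo)
        t=$(mktemp)
        sample_rules_save > "$t"
        echo "== audit of the quoted rules-save"; audit_rules "$t" || true
        gen_rules 22 > "$t"
        echo "== audit of generated ruleset"; audit_rules "$t" && echo "all checks pass"
        rm -f "$t" ;;
    '') ;;
    *)  gen_rules "$@" ;;
esac
```

Run with --demo and the first audit reports the missing loopback rule while the generated set passes; the counters in square brackets are reset to [0:0] so iptables-restore starts clean, and FORWARD is DROP because a workstation has no business routing.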