On Saturday 05 April 2003 1:55 pm, Jonathan Melhuish wrote:

> The firestarter firewall software that I installed has proven to be a bit
> of a pain in the arse! Every time I go online I have to:
>
> * Open a terminal
> * Become root
> * Start firestarter

Putting the firestarter command in /etc/rc.local would achieve the same thing but without any intervention.

> I'm sure this isn't supposed to happen, but rather than fix it, I would
> prefer just to have a simple "block all" iptables firewall that starts upon
> boot.

Presumably not dial-up then - as you'd usually put a ppp firewall in /etc/ppp/ip-up.local and let it start whenever the connection is live and put a similar script in ip-down.local when the connection is dropped by pppd.

This is my old file (pre-ISDN) and there will need to be some changes to it, in particular changing the reference to ppp0. (Delete the entire line if you don't want to share the internet connection.) Make it chmod 700 and chown root.root, then call it from rc.local (or just add the whole thing to rc.local).

#! /bin/bash
# from p175 Linux Security Basics
# ISBN 0672320916
# http://www.amazon.co.uk/exec/obidos/ASIN/0672320916/neilwilliaprogra

# Flush every chain and delete any user-defined chains in all three tables
for TABLE in filter nat mangle; do
    iptables -t $TABLE -F
    iptables -t $TABLE -X
done

# Enable forwarding (reset at shutdown) and reverse-path filtering
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Allow replies to connections established from inside the firewall
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow DNS replies from each nameserver listed in /etc/resolv.conf
for DNS in $(grep ^nameserver /etc/resolv.conf | awk '{print $2}'); do
    iptables -t filter -A INPUT -p udp -s $DNS --source-port domain -j ACCEPT
done

# Allow everything from the local LAN (make the range match your network)
iptables -t filter -A INPUT -p tcp -s 192.168.0.0/24 -j ACCEPT
iptables -t filter -A INPUT -p icmp -s 192.168.0.0/24 -j ACCEPT
iptables -t filter -A INPUT -p udp -s 192.168.0.0/24 -j ACCEPT

# Log and drop any other new or invalid connection not arriving on loopback
iptables -N logdeny
iptables -t filter -A logdeny -j LOG --log-level "info" --log-prefix "iptab: "
iptables -t filter -A logdeny -j DROP
iptables -t filter -A INPUT ! -i lo -m state --state NEW,INVALID -j logdeny

# Masquerade outgoing traffic on the internet link so the LAN can share it
# (delete this line if you don't want to share the connection)
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

Briefly, this clears all previous tables. Then it enables forwarding (which is usually reset at shutdown). Then it allows all connections that you establish from within the firewall and allows DNS services through by checking your /etc/resolv.conf (which must therefore contain valid DNS server IP details). The next 3 rules allow connections coming from the local intranet (make sure the IP range matches your LAN) and then it creates a new table called logdeny which records the dropped packets (next 2 rules). Any other packets that come from attempted new connections from outside the local area (! lo) are denied. The last line enables masquerade - allows other boxes on the same LAN to share this internet connection.

(The above might not be 100% accurate but I'm sure others here will clarify!!)

> Which shouldn't be a problem, but I'm having troubles removing Firestarter!
> Using "rpm -e firestarter" seems to delete all of the files, but then none
> of my outgoing connections work! "iptables -F" makes no difference either.

Firestarter probably added one or more tables of its own and these aren't being cleared - hence the foreach in the above script, it loops through each active table and clears each one before dropping the additional tables. Just running the loop should be enough to reset the iptables.

-- 
Neil Williams
=============
http://www.codehelp.co.uk
http://www.dclug.org.uk
http://www.wewantbroadband.co.uk/
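As an added example, not from the original post or the book it cites, here is the same "block all" policy written as the pppd hook script mentioned above (one file symlinked to /etc/ppp/ip-up.local and /etc/ppp/ip-down.local), which also resets the default chain policies that -F and -X leave untouched. The interface comes from the $1 argument pppd passes; the LAN range 192.168.0.0/24 and the IPT/SYSCTL variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the same "block all" firewall as
# a pppd hook. Symlink this file to /etc/ppp/ip-up.local and ip-down.local;
# pppd passes the interface name (e.g. ppp0) as $1.
# The LAN range and the IPT/SYSCTL variables are assumptions.
IPT=${IPT:-iptables}        # IPT=echo prints the rules instead of loading them
SYSCTL=${SYSCTL:-sysctl}
LAN=${LAN:-192.168.0.0/24}  # assumed local network; change to match your LAN

# Flush all chains, delete user-defined ones (e.g. left behind by another
# tool) and reset built-in policies to ACCEPT. -F and -X alone do not touch
# the policies, so a DROP policy set by another program survives a plain -F.
fw_reset() {
    for table in filter nat mangle; do
        $IPT -t $table -F
        $IPT -t $table -X
    done
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -t filter -P $chain ACCEPT
    done
    for chain in PREROUTING POSTROUTING OUTPUT; do
        $IPT -t nat -P $chain ACCEPT
    done
}

# Load the ruleset for the external interface given as $1.
fw_up() {
    ext=$1
    fw_reset
    $IPT -P INPUT DROP                   # default-deny; nothing slips past a missing rule
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts, but never via the external link (rejects spoofed LAN sources)
    $IPT -A INPUT -s $LAN ! -i $ext -j ACCEPT
    $IPT -N logdeny
    $IPT -A logdeny -m limit --limit 5/min -j LOG --log-prefix "iptab: "
    $IPT -A logdeny -j DROP
    $IPT -A INPUT -i $ext -m state --state NEW,INVALID -j logdeny
    $IPT -t nat -A POSTROUTING -o $ext -j MASQUERADE
    $SYSCTL -w net.ipv4.ip_forward=1
}

fw_down() { fw_reset; }

case "${0##*/}" in
    ip-up.local)   fw_up "$1" ;;
    ip-down.local) fw_down ;;
esac
```

Running it with IPT=echo SYSCTL=echo prints the rules it would load, which is a cheap way to review the ruleset before it touches a live link.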