Hi,
I followed http://wiki.archlinux.org/index.php/Sim … wall_HOWTO
to set up my firewall rules.
I use the deluge torrent client with 54876 as the target open port. It is not opened unless I flush the rules.
With the rules:
iptables -A open -i ppp0 -p tcp --dport 54876:54876 -j ACCEPT
iptables -A open -i ppp0 -p udp --dport 54876:54876 -j ACCEPT
Isn't the dest port open? But it does not!
So, please help me open this port! If I flush the rules, the port can be opened by the application (deluge).
I have two chains made as per the guide:
1. interfaces - for local IP
2. open - for iface ppp0 - internet
To make it easy for you guys, I am posting what I exactly did:
# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -F
# iptables -X
# iptables -N open
# iptables -N interfaces
# iptables -A INPUT -p icmp -j ACCEPT
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A INPUT -j interfaces
# iptables -A INPUT -j open
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A interfaces -i lo -j ACCEPT
# iptables -A interfaces -i eth0 -j ACCEPT
# iptables -A open -p tcp --dport 22 -j ACCEPT
# iptables -A open -i ppp0 -p tcp --dport 80 -j ACCEPT
# iptables -A open -i ppp0 -p tcp --dport 54876:54876 -j ACCEPT
# iptables -A open -i ppp0 -p udp --dport 54876:54876 -j ACCEPT
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT -f -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -I INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
iptables -I INPUT -p icmp --icmp-type redirect -j DROP
iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
^ this is what I set :rolleyes:
Below is the output of iptables -L:
Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG udp -- anywhere anywhere udp dpts:0:1023 LOG level warning
LOG tcp -- anywhere anywhere tcp dpts:0:1023 LOG level warning
DROP udp -- anywhere anywhere udp dpts:0:1023
DROP tcp -- anywhere anywhere tcp dpts:0:1023
LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
DROP icmp -- anywhere anywhere icmp echo-request
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain interfaces (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain open (0 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:54876
ACCEPT udp -- anywhere anywhere udp dpt:54876
I have a dynamic IP provided by my ISP.
Maybe you'll want to send your packets to the open chain after they come from the INPUT one (as you see there are 0 references to this chain, since it's never called).
Add -A INPUT -j open
Blacklist blocking is not the best way to protect a computer; you should use whitelisting and drop all disallowed traffic.
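A quick check for the symptom diagnosed above, as an added example that is not part of the thread: a small POSIX shell helper that scans `iptables -L` output for user-defined chains reported with "(0 references)", run here against a shortened, constructed copy of the listing from the first post.

```shell
#!/bin/sh
# Added example (not from the thread): find user-defined chains that
# `iptables -L` reports with "(0 references)". Rules in such a chain never
# run, which is why the ACCEPT rules for port 54876 in the "open" chain had
# no effect: nothing in INPUT jumped to "open".
#
# Usage: iptables -L | unreferenced_chains
# Prints one chain name per line; the exit status is 1 if any were found,
# so it can be used as a guard in a firewall start-up script.
unreferenced_chains() {
    awk '
        /^Chain / && /\(0 references\)/ { print $2; found = 1 }
        END { exit(found ? 1 : 0) }
    '
}

# Constructed sample: a shortened copy of the listing posted in the thread.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       icmp --  anywhere             anywhere             icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain interfaces (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain open (0 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:54876'

# Convenience wrapper: returns the dead chain names space-separated.
dead_chains() {
    printf '%s\n' "$1" | unreferenced_chains | tr '\n' ' ' | sed 's/ $//'
}

# To check the live ruleset instead (needs root):
# iptables -L | unreferenced_chains || echo "warning: unreferenced chains above"
```

On the sample listing the helper reports `interfaces open`, which is the same pair the thread's listing shows; after adding `-A INPUT -j interfaces` and `-A INPUT -j open` the list is empty.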
Thanks! I will try now. But... whitelisting :roll: what's that?
You only allow what you want to use and drop all the rest.
This is the opposite of blacklisting where you drop what you don't want and allow everything else.
Thanks for clarifying. I am just learning some basic things about iptables.
Here is a little example of an iptables configuration.
There are lots of tutorials if you want to know more.
################################### ROUTING ####################################
*mangle
:PREROUTING ACCEPT [335:155368]
:INPUT ACCEPT [335:155368]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [370:42229]
:POSTROUTING ACCEPT [370:42229]
COMMIT
*nat
:PREROUTING ACCEPT [17:3128]
:POSTROUTING ACCEPT [33:1993]
:OUTPUT ACCEPT [33:1993]
COMMIT
###############################################################################
################################### FIREWALL ##################################
##### Filters #################################################################
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:check_tcp - [0:0]
:check_icmp - [0:0]
:eth0_est - [0:0]
:eth0_in - [0:0]
:eth0_out - [0:0]
:log_scan - [0:0]
:log_icmp - [0:0]
:log_in - [0:0]
:log_out - [0:0]
##### In
## BANLIST
-A INPUT -d 255.255.255.255 -j DROP
#######
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp -j check_tcp
-A INPUT -p icmp -j check_icmp
-A INPUT -j eth0_in
##### Out
-A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A OUTPUT -p icmp -j check_icmp
-A OUTPUT -j eth0_out
###############################################################################
##### Incoming check (antiscan) #########################################################
-A check_tcp -f -j log_scan
-A check_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j log_scan
-A check_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j log_scan
-A check_tcp -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j log_scan
-A check_tcp -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j log_scan
-A check_tcp -m state --state INVALID -j log_scan
-A check_icmp -s [your_ip] -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A check_icmp -d [your_ip] -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A check_icmp -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A check_icmp -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A check_icmp -p icmp -m icmp --icmp-type 3 -j ACCEPT
## Send everything else to log
-A check_icmp -j log_icmp
###############################################################################
##### Allow established connections ######################################################
-A eth0_est -m state --state ESTABLISHED -j ACCEPT
-A eth0_est -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m state --state RELATED -j ACCEPT
###############################################################################
##### Process incoming packets #########################################################
## Established connections
-A eth0_in -j eth0_est
## Place here what you want to accept, for example:
## HTTP
-A eth0_in -s 127.0.0.1 -p tcp -m tcp --dport 80 -j ACCEPT
-A eth0_in -p tcp -m tcp --dport 80 -j ACCEPT
## MySQL
-A eth0_in -s 127.0.0.1 -p tcp -m tcp --dport 3306 -j ACCEPT
## Send everything else to log
-A eth0_in -j log_in
###############################################################################
##### Process outgoing packets #########################################################
## Established connections
-A eth0_out -j eth0_est
## Local
-A eth0_out -d 127.0.0.1 -j ACCEPT
## DNS (replace it by yours if you don't want to use opendns)
-A eth0_out -d 208.67.220.220 -p udp -m udp --dport 53 -j ACCEPT
## Add here what you want to allow, for example:
## SSH
-A eth0_out -p tcp -m tcp --dport 22 -j ACCEPT
## HTTP
-A eth0_out -p tcp -m tcp --dport 80 -j ACCEPT
-A eth0_out -p tcp -m tcp --sport 80 -j ACCEPT
## FTP
-A eth0_out -p tcp -m tcp --dport 21 -j ACCEPT
## MySQL
-A eth0_out -p tcp -m tcp --dport 3306 -j ACCEPT
## WHOIS
-A eth0_out -p tcp -m tcp --dport 43 -j ACCEPT
## SVN
-A eth0_out -p tcp -m tcp --dport 3690 -j ACCEPT
## Send everything else to log
-A eth0_out -j log_out
###############################################################################
###############################################################################
#################################### LOGS #####################################
##### Portscan log ############################################################
-A log_scan -m limit --limit 5/min -j LOG --log-prefix "SCAN : " --log-level 6
-A log_scan -j DROP
###############################################################################
##### ICMP log ################################################################
-A log_icmp -m limit --limit 5/min -j LOG --log-prefix "ICMP : " --log-level 6
-A log_icmp -j DROP
###############################################################################
##### Incoming log #############################################################
-A log_in -m limit --limit 5/min -j LOG --log-prefix "_IN_ : " --log-level 6
-A log_in -j DROP
###############################################################################
##### Outgoing log #############################################################
-A log_out -m limit --limit 5/min -j LOG --log-prefix "_OUT_ : " --log-level 6
-A log_out -j DROP
###############################################################################
###############################################################################
COMMIT
Last edited by kezar (2008-05-01 13:46:30)
Thanks. Yes, for dynamic IP based ISPs some changes are needed?
Then you shouldn't block ICMP requests or you won't be able to use them yourself. Configure the other rules to suit your needs; your IP is only used when you call it (and as it's dynamic you shouldn't).