Hi
I am looking to set up a firewall and wanted to know how to start..?
Mr Green :mrgreen:
Mr Green
I've been told NARC does a pretty good job while being pretty simple.
NARC is a free firewalling package for Netfilter/Iptables released under the BSD license.
NARC attempts to simplify the setup of a firewall (stateful packet filter) via the iptables tools. NARC is a bash shellscript that generates (hopefully) sensible and secure rules for Netfilter based on a simple configuration file.
Even though this isn't a howto, you're welcome to look at the code and take examples from it. You're welcome to modify it and incorporate it in your code. If you notice that something can be improved, by all means send the changes in, but know that it's not a requirement.
Hi
NARC looks interesting, but it's not in the package list...
I see Snort is in the package list; does anyone know how to set it up?
Mr Green
:mrgreen:
http://www.netfilter.org/ is a good place to look. man iptables is also useful.
What do you need to do with your firewall? Protect a desktop machine? A server? Forward traffic to your network?
The script below is as simple as it gets, it is for a single desktop machine and allows all outgoing traffic and incoming answers to that traffic (it is rendered useless if you get a trojan though). It is a good start if you have no firewall at all but you might want to extend it with logging capabilities, blocking unused outgoing ports etc.
1. Paste the following to a file called firewall
#!/bin/sh
#
# /etc/rc.d/firewall: start/stop firewall
#
IPT=/usr/sbin/iptables
if [ "$1" = "start" ]; then
    $IPT -F
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP
    $IPT -P INPUT DROP
    # local services (X, CUPS, ...) talk over loopback; accept it
    $IPT -A INPUT -i lo -j ACCEPT
    # accept only replies to connections this machine initiated
    $IPT -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
elif [ "$1" = "stop" ]; then
    # iptables is not a daemon, so there is nothing to kill:
    # "stopping" means flushing the rules and resetting the policies to ACCEPT
    $IPT -F
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
else
    echo "usage: $0 start|stop"
fi
#End of file
2. mv firewall /etc/rc.d/firewall
3. chown root /etc/rc.d/firewall
4. chmod 755 /etc/rc.d/firewall
5. Add firewall to your /etc/rc.conf, preferably before your network starts up:
DAEMONS=(syslogd klogd firewall network crond)
Snort is not a firewall per se. It is an intrusion detection system. That doesn't mean it's not useful though.
If you prefer a gui firewall configurator you can try firestarter.
Hi Mork II
Thank you for your help 8) I connect to the net via a router, so it's just to protect my desktop.
Iptables makes my brain hurt....
Your script will help me make a start... it's not so much incoming as outgoing :?
I will let you know how I get on
Mr Green :mrgreen:
P.S. I may give firestarter a look
It's my simple solution for desktops.
1) Start your browser and run a security test at http://scan.sygatetech.com/ and https://grc.com/x/ne.dll?bh0bkyd2
2) If iptables is not installed:
pacman -Sy iptables
else go to #3
3) As root (or via su) go to /etc/iptables
cd /etc/iptables/
4) copy simple_firewall.rules to iptables.rules
cp simple_firewall.rules iptables.rules
Note: IMHO the file simple_firewall.rules contains basic predefined firewall rules
5) Add iptables to the DAEMONS section of rc.conf
DAEMONS=(SOMETHING iptables !SOMETHING)
6) Reboot your linux box.
7) Start your browser and run the security test again at http://scan.sygatetech.com/ and https://grc.com/x/ne.dll?bh0bkyd2 .
8) See the difference.
The advice above is healthy.
Just to clarify things: Netfilter/iptables is the default firewalling mechanism for kernels 2.4 and above. Included in Arch is the latest version, just pacman it. Also included (I think in extra) is the Firestarter firewalling app with graphical setting and monitoring of packets (as a GUI for iptables). This one will probably suffice nicely for most users - unless there is some weird machine configuration with multiple NICs etc. For a FAQ on Firestarter go to http://firestarter.sourceforge.net/ or, even, join the mailing list.
If you prefer the CLI, then read Rusty Russell's iptables HOWTO and use his script at the end of it (http://www.netfilter.org/documentation/ … -HOWTO.txt). Then adjust it to your needs.
In any case - use the firewall! 8)
No past, no future. It's all one long, never ending present.
I'm using Guarddog at the moment.... seems to be OK.
I cannot play UT2004 online anymore... :cry:
When I get round to it I want to set up firewall in router....
Mr Green
How can I enable input/output traffic for p2p clients (eDonkey network)?
I have an ADSL connection over PPPoE (ppp0) (external ADSL modem) through eth0. No router, no NAT.
Current configuration:
/etc/conf.d/iptables
# Configuration for iptables rules
IPTABLES=/usr/sbin/iptables
IPTABLES_CONF=/etc/iptables/iptables.rules
IPTABLES_FORWARD=1 # enable IP forwarding?
/etc/iptables/iptables.rules
# this drops all tcp connections not in established or related state
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
COMMIT
5) Add iptables to rc.config to DAEMONS section
DAEMONS=(SOMETHING iptables !SOMETHING)
Just make sure that you put iptables in the list BEFORE you start your network...
the time of difference may seem insignificant, but if something does get in between network start and firewall start...well..
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
For eDonkey you need to allow new outgoing and incoming connections on port 4662. Is this a firewall? If not then you don't need to forward packets.
For eDonkey you need to allow new outgoing and incoming connections on port 4662.
I need
TCP port 4661 to connect to the server.
TCP port 4662 to connect to other clients.
UDP port 4665 to send messages to servers other than the one you are connected to.
How can I do it?
kmyfirewall is in staging repo
it's also a good frontend for iptables
How do I make a rule that lets all the traffic pass? I just need a router...
I'm using Guarddog at the moment.... seems to be OK.
Did you make a PKGBUILD for it? I'm interested in using Guarddog as well.
-\ fideli /-
How can I enable input/output traffic for p2p clients (eDonkey network)?
I have an ADSL connection over PPPoE (ppp0) (external ADSL modem) through eth0. No router, no NAT.
Current configuration:
/etc/conf.d/iptables
# Configuration for iptables rules
IPTABLES=/usr/sbin/iptables
IPTABLES_CONF=/etc/iptables/iptables.rules
IPTABLES_FORWARD=1 # enable IP forwarding?
/etc/iptables/iptables.rules
# this drops all tcp connections not in established or related state
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
COMMIT
--------------------------------------------------------------------------------------
SOLUTION
# this drops all tcp connections not in established or related state
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#aMule Rules
-A INPUT -i ppp0 -p tcp --dport 4662 -j ACCEPT
-A INPUT -i ppp0 -p udp --dport 4672 -j ACCEPT
#------------
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
COMMIT
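Combining Mork II's stateful desktop script and the aMule rules in the solution above, here is an added example (mine, not any poster's) of a POSIX shell generator that writes an iptables-restore file: default-deny INPUT, loopback and established/related traffic accepted, only the listed ports opened on the external interface, and everything else logged (rate-limited) and dropped. The function name gen_rules, the LOGDROP chain name, the script filename and the use of `-m conntrack` instead of the thread's `-m state` are this example's own choices.

```shell
#!/bin/sh
# Added example: emit an iptables-restore(8) rules file for a single host.
# Usage: gen_rules IFACE [PROTO:PORT ...]  (function and chain names are this example's own)
# Unlike the rc.d script above, the file loads atomically and logs what it drops.
gen_rules() {
    iface=$1
    shift
    # Default-deny inbound and forwarded traffic; outbound stays open, as in the thread.
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':LOGDROP - [0:0]'
    # Loopback first: local services (X, CUPS, ...) break without it.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host started (-m conntrack is the modern
    # spelling of the -m state match used in the rc.d script above).
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # One explicit accept per listed service, bound to the external interface only.
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec#*:}
        case "$proto" in
            tcp|udp) ;;
            *) echo "gen_rules: bad protocol in '$spec'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "gen_rules: bad port in '$spec'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_rules: port out of range in '$spec'" >&2
            return 1
        fi
        printf '%s\n' "-A INPUT -i $iface -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else: log (rate-limited, so a scan cannot fill the disk) and drop.
    printf '%s\n' '-A INPUT -j LOGDROP' \
        '-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "' \
        '-A LOGDROP -j DROP' 'COMMIT'
}

# Run with arguments to print a rules file, e.g. the three eDonkey ports asked about above
# (assumed script name gen_rules.sh):
#   sh gen_rules.sh ppp0 tcp:4661 tcp:4662 udp:4665 > /etc/iptables/iptables.rules
if [ "$#" -gt 0 ]; then
    gen_rules "$@"
fi
```

Load the result with `iptables-restore < /etc/iptables/iptables.rules` (or via the iptables rc.d script, started before network as Cactus says), and watch for "fw-drop:" lines in the kernel log to see what is being refused.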