iptables firewall script
Rick Rosinski
plug-discuss@lists.plug.phoenix.az.us
Wed, 11 Sep 2002 23:14:47 -0700
I guess the last time I sent this message, nobody could help. I am using a
Slackware 8.1 system with this firewall script. I am having trouble with
Gnutella and receiving information from FTP (I can connect to ftp hosts, but
I can't receive any data). I don't want to stop using the firewall, but I
don't understand much of how to secure my box from intrusion. The docs seem
somewhat cryptic.
I had recently acquired broadband and I had implemented a simple firewall
from the iptables.sh script on the Security-Quickstart mini howto from
Linux.org. I did this after seeing that some web sites, like
www.askjeeves.com and www.purelyrics.com state (as a banner) that I am
broadcasting an IP address. After implementing the script, those banners
have disappeared. But, now I cannot use LimeWire or QTella to connect to
Gnutella. I need some help in editing the script to allow access to
Gnutella. I have included the script in an attachment.
Thanks in advance.
Attachment: iptables.sh
#!/bin/sh
#
# iptables.sh
#
# An example of a simple iptables configuration.
#
# This script allows ALL outbound traffic, and denies
# ALL inbound connection attempts from the Internet interface only.
#
###################################################################
# Begin variable declarations and user configuration options ######
#
IPTABLES=/usr/sbin/iptables
# Local Interfaces
# This is the WAN interface that is our link to the outside world.
# For pppd and pppoe users.
# WAN_IFACE="ppp0"
WAN_IFACE="eth0"
#
## end user configuration options #################################
###################################################################
# Any and all addresses from anywhere.
ANYWHERE="0/0"
# Connection-tracking helper for FTP. Without it, the data connection of an
# active-mode transfer (opened by the server back to this host) arrives as a
# NEW connection on the WAN interface and is dropped; with it, that data
# connection is classified RELATED and accepted by the state rule further
# down. Passive-mode transfers are outbound and work either way.
#modprobe ip_conntrack_ftp
# Start building chains and rules #################################
#
# Let's start clean and flush all chains to an empty state.
$IPTABLES -F
# Set the default policies of the built-in chains. If no match for any
# of the rules below, these will be the defaults that IPTABLES uses.
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP
# Accept localhost/loopback traffic.
$IPTABLES -A INPUT -i lo -j ACCEPT
## ICMP (ping)
#
# ICMP rules, allow the bare essential types of ICMP only. Ping
# request is blocked, ie we won't respond to someone else's pings,
# but can still ping out.
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply \
-s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable \
-s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
-s $ANYWHERE -i $WAN_IFACE -j ACCEPT
###################################################################
# Stateful rules: accept replies to connections this host started (plus
# connections a conntrack helper has marked RELATED, such as FTP data),
# and accept NEW connections that arrive on any interface other than
# the WAN interface, i.e. from the LAN side.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i ! $WAN_IFACE -j ACCEPT
# Set the catchall, default rule to DENY, and log it all. All other
# traffic not allowed by the rules above winds up here, where it is
# blocked and logged. This is the default policy for this chain
# anyway, so we are just adding the logging ability here with '-j
# LOG'. Outgoing traffic is allowed as the default policy for the
# 'output' chain. There are no restrictions on that.
$IPTABLES -A INPUT -j LOG -m limit --limit 30/minute --log-prefix "Dropping: "
echo "Iptables firewall is up `date`."
##-- eof iptables.sh
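Both symptoms in the message come from the same place: the INPUT chain drops every NEW connection that arrives on the WAN interface. An active-mode FTP data connection is opened by the server towards the client, and a Gnutella peer connects to the client's listening port, so both are NEW inbound connections unless conntrack knows better. The script below is an added example, not part of the Security-Quickstart HOWTO script or the original post. It prints the two additions needed (loading the FTP conntrack helper so the data connection becomes RELATED, and accepting NEW TCP connections to the Gnutella port on the WAN interface) so they can be reviewed before being applied. The interface name eth0, the Gnutella port 6346 (the protocol's default listening port; check the client's settings) and the function name extra_rules are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the HOWTO or the poster's script): the two
# changes that let active-mode FTP data and inbound Gnutella connections
# pass the INPUT chain of iptables.sh above. Assumed: WAN interface eth0,
# Gnutella listening on TCP 6346; both can be overridden by environment.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
WAN_IFACE="${WAN_IFACE:-eth0}"
GNUTELLA_PORT="${GNUTELLA_PORT:-6346}"

# Build the additional commands as text so they can be reviewed first;
# pipe the output to sh as root to apply them (see bottom of script).
extra_rules() {
    iface="$1"
    port="$2"
    # FTP: the conntrack helper watches the PORT/PASV exchange on the
    # control connection and marks the resulting data connection RELATED,
    # so the script's existing ESTABLISHED,RELATED rule accepts it.
    # Without it, an active-mode data connection (server port 20 -> us)
    # is NEW on the WAN interface and falls through to LOG and the DROP
    # policy: "can connect, but receive no data". Passive mode is
    # outbound and unaffected. (2.6+ kernels name it nf_conntrack_ftp.)
    echo "modprobe ip_conntrack_ftp"
    # Gnutella: remote peers connect to our listening port, so accept
    # NEW TCP connections to exactly that port on the WAN interface.
    # -I (insert at the top) rather than -A: the script's last INPUT
    # rule is the LOG rule, and a rule appended after it would only be
    # reached after the packet was already logged as "Dropping:".
    echo "$IPTABLES -I INPUT -p tcp --dport $port -m state --state NEW -i $iface -j ACCEPT"
}

# Print the additions (default) or apply them (--apply, run as root).
if [ "${1:-}" = "--apply" ]; then
    extra_rules "$WAN_IFACE" "$GNUTELLA_PORT" | sh
else
    extra_rules "$WAN_IFACE" "$GNUTELLA_PORT"
fi
```

Running the script with no arguments prints the two commands; `sh extra.sh --apply` as root executes them against the running firewall. Only one port is opened, only for TCP, only on the WAN interface and only for NEW connections, so the rest of the original policy (everything else inbound is logged and dropped) is unchanged; loading ip_conntrack_ftp opens nothing by itself, it only lets conntrack recognise data connections that belong to an FTP session the host initiated.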