iptables firewall script

Rick Rosinski plug-discuss@lists.plug.phoenix.az.us
Wed, 11 Sep 2002 23:14:47 -0700



I guess the last time I sent this message, nobody could help. I am using a
Slackware 8.1 system with this firewall script. I am having trouble with
Gnutella and receiving information from FTP (I can connect to FTP hosts, but
I can't receive any data). I don't want to stop using the firewall, but I
don't understand much of how to secure my box from intrusion. The docs seem
somewhat cryptic.

I recently acquired broadband and implemented a simple firewall from the
iptables.sh script in the Security-Quickstart mini-HOWTO from Linux.org. I did
this after seeing that some web sites, like www.askjeeves.com and
www.purelyrics.com, state (as a banner) that I am broadcasting an IP address.
After implementing the script, those banners have disappeared. But now I
cannot use LimeWire or QTella to connect to Gnutella. I need some help editing
the script to allow access to Gnutella. I have included the script as an
attachment.

Thanks in advance.




#!/bin/sh
#
# iptables.sh
#
# An example of a simple iptables configuration.
#
# This script allows ALL outbound traffic, and denies
# ALL inbound connection attempts from the Internet interface only.
#
###################################################################
# Begin variable declarations and user configuration options ######
#
IPTABLES=/usr/sbin/iptables
# Local Interfaces
# This is the WAN interface that is our link to the outside world.
# For pppd and pppoe users.
# WAN_IFACE="ppp0"
WAN_IFACE="eth0"
#

## end user configuration options #################################
###################################################################

# Any and all addresses from anywhere.
ANYWHERE="0/0"

# This module may need to be loaded:
#modprobe ip_conntrack_ftp

# Start building chains and rules #################################
#
# Let's start clean and flush all chains to an empty state.
$IPTABLES -F

# Set the default policies of the built-in chains. If no match for any
# of the rules below, these will be the defaults that IPTABLES uses.
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP

# Accept localhost/loopback traffic.
$IPTABLES -A INPUT -i lo -j ACCEPT

## ICMP (ping)
#
# ICMP rules, allow the bare essential types of ICMP only. Ping
# request is blocked, ie we won't respond to someone else's pings,
# but can still ping out.
$IPTABLES -A INPUT  -p icmp  --icmp-type echo-reply \
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPTABLES -A INPUT  -p icmp  --icmp-type destination-unreachable \
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
$IPTABLES -A INPUT  -p icmp  --icmp-type time-exceeded \
   -s $ANYWHERE -i $WAN_IFACE -j ACCEPT

###################################################################
# Set the catchall, default rule to DENY, and log it all. All other
# traffic not allowed by the rules above, winds up here, where it is
# blocked and logged. This is the default policy for this chain
# anyway, so we are just adding the logging ability here with '-j
# LOG'. Outgoing traffic is allowed as the default policy for the
# 'output' chain. There are no restrictions on that.

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i ! $WAN_IFACE -j ACCEPT
$IPTABLES -A INPUT -j LOG -m limit --limit 30/minute --log-prefix "Dropping: "

echo "Iptables firewall is up `date`."

##-- eof iptables.sh
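As an added example (not the iptables.sh from the post, nor the Security-Quickstart howto's script), the same allow-outbound/deny-inbound policy rebuilt as shell functions with the two changes the question points at. The FTP connection-tracking helper is actually loaded (the post's `ip_conntrack_ftp`; newer kernels name the module `nf_conntrack_ftp`, which is tried first), so an active-mode FTP server's data connection is classified RELATED instead of being dropped as NEW. And exactly one inbound TCP port is admitted for the Gnutella servent; the port 6346 is an assumption based on the LimeWire/QTella default and must be matched to what the client is configured to listen on. The `! -i` inverted-match spelling is the current iptables syntax (the post's `-i !` form is the older one). Pointing IPTABLES and MODPROBE at `echo` prints the rules instead of applying them, which is the default when the script is run without an argument, so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the iptables.sh from the post: same allow-out/deny-in
# policy, plus the FTP conntrack helper and one inbound port for Gnutella.
#
#   sh firewall.sh            # dry run: prints the rules, touches nothing
#   sudo sh firewall.sh apply # applies them
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
MODPROBE="${MODPROBE:-/sbin/modprobe}"
WAN_IFACE="${WAN_IFACE:-eth0}"
# Assumed: the servent's listening port (LimeWire/QTella default is 6346).
GNUTELLA_PORT="${GNUTELLA_PORT:-6346}"

# Active-mode FTP has the server open the data connection back to us. Without
# the helper that connection is NEW on the WAN side and hits the DROP policy;
# with it, conntrack marks it RELATED and the ESTABLISHED,RELATED rule admits it.
# Newer kernels call the module nf_conntrack_ftp, older ones ip_conntrack_ftp.
load_ftp_helper() {
    $MODPROBE nf_conntrack_ftp 2>/dev/null || $MODPROBE ip_conntrack_ftp
}

apply_rules() {
    # Start from an empty INPUT chain; the other two chains only get a policy.
    $IPTABLES -F INPUT
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback, replies to our own connections, and anything from the LAN side.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state NEW ! -i "$WAN_IFACE" -j ACCEPT

    # Same three ICMP types as the original; echo-request stays blocked.
    for icmp_type in echo-reply destination-unreachable time-exceeded; do
        $IPTABLES -A INPUT -i "$WAN_IFACE" -p icmp --icmp-type "$icmp_type" -j ACCEPT
    done

    # The one hole for Gnutella: new TCP connections to that single port only.
    # Peers connecting to us land here; connections we open are covered above.
    $IPTABLES -A INPUT -i "$WAN_IFACE" -p tcp --dport "$GNUTELLA_PORT" \
        -m state --state NEW -j ACCEPT

    # Everything else falls through to the DROP policy; log it, rate-limited.
    $IPTABLES -A INPUT -m limit --limit 30/minute -j LOG --log-prefix "Dropping: "
}

case "${1:-dry-run}" in
    apply)   load_ftp_helper && apply_rules ;;
    dry-run) IPTABLES="echo iptables" MODPROBE="echo modprobe"
             load_ftp_helper && apply_rules ;;
    *)       echo "usage: $0 [apply|dry-run]" >&2; exit 2 ;;
esac
```

Rule order matters: the ESTABLISHED,RELATED accept sits before the port-specific rule so return traffic never has to be enumerated, and the LOG rule stays last so only traffic that is about to hit the DROP policy is written to the kernel log. Those "Dropping:" lines are also the quickest way to see what is still being refused (the IN=, PROTO=, SPT= and DPT= fields name the interface, protocol and ports) before opening anything further.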
