iptables Rules

0000000000000 · Apprentice Joined: 21 Mar 2008 Posts: 163

I've been trying out various iptable configuration frontends lately. ipkungfu didn't seem to do anything, firestarter is no longer in portage, fwbuilder appeared to be too troublesome, and I do not think I am knowledgeable enough to edit iptables directly, so I am trying to use Guarddog again.

I set up my rules through the GUI seemingly as needed. Then copied the rc.firewall script that guarddog creates to init.d and then added it to default runlevel. However, when I boot those rules are not initialized. I have to start guarddog, click apply and ok, and then do they seem to work. Would it be more sensible to apply those rules, then run "/etc/init.d/iptables save" and put iptables into default runlevel instead of guarddog?

Also, even though I have allowed ports 6881-6889 and have deluge using those ports, I still cannot actually connect to any of the seeders. They all show up as available, but the download speed stays at 0, and connections stay at 0. When I disable the guarddog firewall then it connects.

I just want to drop every connection and block all ports other than a select few (http, https, IRC, AIM, YIM, torrent, gnutella, nicotine, and rsync) but am having more trouble than I thought I would...

My question(s) then is/are: is it beneficial to set iptables rules with guarddog, save the rules with "iptables save", and add iptables to default runlevel?
And any idea why I don't connect to seeds despite having seemingly the right ports opened?

Thanks.

Hu · Administrator Joined: 06 Mar 2007 Posts: 23087

0000000000000 · Apprentice Joined: 21 Mar 2008 Posts: 163

edited due to inability to delete

0000000000000 · Apprentice Joined: 21 Mar 2008 Posts: 163

okay i just decided to take the plunge and do everything through terminal.

I want to set up a policy to drop everything, then just add what i want accepted, but

vaguy02 · Posted: Wed May 28, 2008 5:03 pm Post subject:

Related and Established shouldn't be a problem. They are "relatively" safe connections, although nothing is 100% safe, there are always exploits.
_________________
Linux Registered User #458185

Intel Quad-Core w/ 4gigs Ram w/ 8800 GTX - Windows 7 RC
2x (Intel Dual-Core w/ 2gigs Ram - Gentoo)
Mac G5 Dual-Core w/ 2gigs Ram - OS 10.5

0000000000000 · Apprentice Joined: 21 Mar 2008 Posts: 163

ok, i thought it would be relatively safe, but i still don't know exactly what is opened up by allowing established,related connections, but if anyone cares to take a look at what i have ended up with now and tell me if they think it is a good set up i'd be much appreciative

0000000000000 · Apprentice Joined: 21 Mar 2008 Posts: 163

still cannot get deluge to connect to any of the available seeders/peers without changing the output policy to ACCEPT, so I'm obviously missing something, but I cannot imagine what, since I have deluge set to use ports 6881-6889

mimosinnet · Posted: Thu Aug 21, 2008 11:02 am Post subject:

vaguy02 · Posted: Fri Aug 22, 2008 7:39 pm Post subject:

Are you sure you need to have all of those ports open? That seems a bit extreme... it has more holes than a colender.

3 Main states are New, Established, and Related:
New = New Connection request, your side did not initiate, their side did. this someone else hitting your box first.
Established = You sent a request, the other side got it and replied on the same request. therefore, you start the conversation, this is allowing the otherside to reply to you.
Related = you have a conversation going with an outside host and it spins off another conversation related to the first conversation. therefore it's still partly based on the previous one.

This is as lamen as I can get with it, it's not 100% accurate, but I was going for understanding rather than 100% accuracy right now. I hope that helps. So If you don't need to have someone else "start" the conversation, then don't open that port in the firewall. Like AIM (AOL Instant Messager), you click signon and the conversation goes from there, so it should be covered under the established and related rules and you shouldn't have to open that port to NEW packets.

Sorry if this is confusing.
_________________
Linux Registered User #458185

Intel Quad-Core w/ 4gigs Ram w/ 8800 GTX - Windows 7 RC
2x (Intel Dual-Core w/ 2gigs Ram - Gentoo)
Mac G5 Dual-Core w/ 2gigs Ram - OS 10.5

bartlm · n00b Joined: 15 Aug 2008 Posts: 15 Location: Fürstenzell

Hi there.

What im doing is letting the OUTPUT chain to ACCEPT.
I guess this allows me to establish a connection from every port I want.

In the INPUT chain I accept states ESTABISHED, RELATED.
This should be enough as long as you initiated the connection to somewhere else.

Im doing the same in the FORWARD chain.

In my opinion you should add a "final" chain where you REJECT all packets which are not allowed at this time instead of just DROP them.
My final chain looks like:

Hu · Administrator Joined: 06 Mar 2007 Posts: 23087

vaguy02 · Posted: Sat Aug 23, 2008 8:36 pm Post subject:

Drop is much "safer" than Reject. I agree with Hu above.
_________________
Linux Registered User #458185

Intel Quad-Core w/ 4gigs Ram w/ 8800 GTX - Windows 7 RC
2x (Intel Dual-Core w/ 2gigs Ram - Gentoo)
Mac G5 Dual-Core w/ 2gigs Ram - OS 10.5

bartlm · n00b Joined: 15 Aug 2008 Posts: 15 Location: Fürstenzell

Well, if you search the internet for DROP or REJECT there are millions of discussions going on whats better to use.
I didnt want to break another one loose.
What i wanted to say is that the FORWARD chain in the example above is closed completely what i cant really understand while in the INPUT chain in my opinion way too much ports are opened.

mimosinnet · Posted: Tue Aug 26, 2008 12:06 am Post subject: Re: iptables Rules