Sallad_Tosser Tux's lil' helper
Joined: 21 Jan 2003 Posts: 95 Location: Edmonton
Posted: Thu Aug 28, 2003 2:23 am Post subject: IPTABLES!!!!!
I bet you guys hear that word a lot. But anyways I am running IPTables and the gf is always complaining "WHY CAN'T I SEND STUFF THROUGH ICQ OR MSN blah blah blah". So ahem anyways can someone tell me or point me the way to getting these ports open? PLEASE O PLEASE O PLEASE!
Sallad Tosser _________________ Linux > Windows
Sallad_Tosser Tux's lil' helper
Joined: 21 Jan 2003 Posts: 95 Location: Edmonton
Posted: Thu Aug 28, 2003 2:28 am Post subject:
Maybe if it's at all possible to open all the ports?
Sallad Tosser _________________ Linux > Windows
ixion l33t
Joined: 16 Dec 2002 Posts: 708
Posted: Thu Aug 28, 2003 2:31 am Post subject:
Aren't you utilizing stateful packet filtering? This is what my script looks like, and it works like a champ. The line that will help you is the one with '-m state --state ESTABLISHED,RELATED' in it.
Code:
#!/sbin/runscript
# Gentoo OpenRC runscript, e.g. /etc/init.d/firewall
IPTABLES=/sbin/iptables
EXTIF="eth0"      # interface facing the Internet
INTIF="eth1"      # LAN-side interface (defined, but not used by the rules below)
IFCONFIG=/sbin/ifconfig
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed

start() {
    ebegin "Loading Firewall"
    printf "\nExternal Interface: $EXTIF\nInternal Interface: $INTIF\n\n"
    # Pull the IPv4 address of $EXTIF out of the ifconfig output
    EXTIP="`$IFCONFIG $EXTIF | $AWK \
        /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
    echo "External IP is $EXTIP"

    echo "Clearing any existing rules and setting default policy.."
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F

    echo "Loading Firewall Scripts.."
    # Never accept X11 (TCP 6000-6009) from the outside
    $IPTABLES -A INPUT -i $EXTIF -p tcp --destination-port 6000:6009 -j DROP
    # Stateful rule: let replies to connections this box opened back in
    $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A OUTPUT -j ACCEPT
    # Everything else arriving on the external interface is dropped
    $IPTABLES -A INPUT -i $EXTIF -j DROP
    printf "\n"
    eend 0
}

stop() {
    ebegin "Clearing Firewall"
    $IPTABLES -F
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    eend 0
}
EDIT: Oh and you may want to do as I am right now.. edit your posts instead of making a second one... It'll keep the MODs happy... _________________ only the paranoid survive
Sallad_Tosser Tux's lil' helper
Joined: 21 Jan 2003 Posts: 95 Location: Edmonton
Posted: Thu Aug 28, 2003 2:40 am Post subject:
See now I am a super n00b. Is that in your config? Or do I have to run that as a separate script? _________________ Linux > Windows
ixion l33t
Joined: 16 Dec 2002 Posts: 708
Posted: Thu Aug 28, 2003 3:20 am Post subject:
You would run this as a separate script. Make sure to make it executable, and run it in the default runlevel! (chmod +x /etc/init.d/firewall, rc-update add firewall default).. oh and make sure iptables is in the default runlevel first.. _________________ only the paranoid survive
Sallad_Tosser Tux's lil' helper
Joined: 21 Jan 2003 Posts: 95 Location: Edmonton
Posted: Thu Aug 28, 2003 3:37 am Post subject:
Hmmm I am too scared to try it. Don't want to fuck things up. Isn't there just some command I can do to fix this? _________________ Linux > Windows
feardapenguin Guru
Joined: 23 Jul 2003 Posts: 414 Location: Texas
Posted: Thu Aug 28, 2003 4:03 am Post subject:
Sallad_Tosser wrote: "Isn't there just some command I can do to fix this?"
I wish iptables were that simple.
You can easily recover (if necessary) by executing the following:
Code:
iptables -F                # flush every rule in the filter table
iptables -X                # delete any user-defined chains
iptables -P INPUT ACCEPT   # default policy back to accepting inbound traffic
This clears the rules and puts your box back to -WIDE OPEN-.
If the rules (in the above script) work for you, you can run the following:
Code: /etc/init.d/iptables save
This saves the rules for future use (assuming you load iptables on boot).
It's a different story if things don't work. iptables rules vary depending on your configuration (i.e. workstation, server, firewall box, mail setup, remote access needs, etc.). There is a LOT of good (and bad) info available on various documentation sites. A Google search will bring up a ton.
By the way, opening all the ports is NOT a good idea!!
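As an added example (not code from this thread or from any of its posters), the dry-run script below puts the stateful ruleset that ixion's '-m state --state ESTABLISHED,RELATED' line depends on next to the "open all the ports" ruleset feardapenguin warns against. It assumes eth0 is the external interface, and by default IPTABLES expands to "echo iptables" so the rules are printed rather than loaded, which lets it run unprivileged.

```shell
#!/bin/sh
# Added example, not from the thread. Dry-run by default: IPTABLES expands to
# "echo iptables" so the rules are printed; set IPTABLES=/sbin/iptables and run
# as root to actually load them. EXTIF=eth0 is an assumption.
EXTIF="${EXTIF:-eth0}"
IPTABLES="${IPTABLES:-echo iptables}"

# Minimal stateful ruleset for a single-homed desktop: outbound is free,
# replies come back in, unsolicited inbound connections are dropped.
stateful_rules() {
    $IPTABLES -F                 # flush all rules in the filter table
    $IPTABLES -X                 # delete user-defined chains
    $IPTABLES -P INPUT DROP      # default-deny inbound ...
    $IPTABLES -P FORWARD DROP    # ... and forwarding
    $IPTABLES -P OUTPUT ACCEPT   # local programs may connect anywhere
    # Local processes talk to each other over the loopback interface.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # The rule that lets ICQ/MSN work: packets belonging to a connection this
    # box started (ESTABLISHED) or to a tracked helper channel (RELATED) are
    # accepted. Order matters: this must come before the final DROP.
    $IPTABLES -A INPUT -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything else arriving on the external interface is silently dropped.
    $IPTABLES -A INPUT -i "$EXTIF" -j DROP
}

# The "open all the ports" alternative, for contrast: every inbound packet is
# accepted, so each daemon listening on the box is reachable from the Internet.
wide_open_rules() {
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
}

stateful_rules
```

Run it as-is to review the generated rules; with IPTABLES=/sbin/iptables it loads them, and feardapenguin's three recovery commands undo them.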
Sallad_Tosser Tux's lil' helper
Joined: 21 Jan 2003 Posts: 95 Location: Edmonton
Posted: Fri Aug 29, 2003 12:10 am Post subject:
How different is opening all the ports wide open than having a computer without a linux box? _________________ Linux > Windows
MOS-FET Apprentice
Joined: 20 May 2003 Posts: 291 Location: Cologne, Germany
Posted: Fri Aug 29, 2003 12:30 am Post subject:
try FIREHOL! emerge it, and then look at the firehol documentation (search google). it's _really_ easy to set up. firehol is basically a script that makes setting up iptables easy. just read the firehol tutorial on its website, they're doing a configuration there that should most likely fit your needs. i've done it, and it works perfectly. from the outside, all my ports are "stealthed" meaning nobody can ping me or anything else. but still i can use all apps i need like jabber, icq, msn, emule, online games and so on ...
brucifer n00b
Joined: 15 Nov 2002 Posts: 10 Location: Eugene, OR
Posted: Fri Aug 29, 2003 3:17 am Post subject:
Sallad_Tosser wrote: "How different is opening all the ports wide open than having a computer without a linux box?"
This could be significantly different depending on services you are running. ftp, www, nfs, dns, sendmail/qmail, etc.
Home user Win boxes don't have too many standard services, just their own workgroup/filesharing stuff <and if you've read the news lately you've seen where that can get you>
emerge the FIREHOL, good stuff for easy admin, best not to skip the firewall.
feardapenguin Guru
Joined: 23 Jul 2003 Posts: 414 Location: Texas
Posted: Fri Aug 29, 2003 3:34 am Post subject:
Sallad_Tosser wrote: "How different is opening all the ports wide open than having a computer without a linux box?"
Don't get me wrong, I'm not advocating you open the box. The code I showed just gets you out of trouble if you find ixion's script (or any other) causes problems.
I'd agree with the others' suggestion. Try out FIREHOL. I configured my firewall manually and IT WAS A PAIN! A good config tool would save you the aggravation.
One other note: https://grc.com/x/ne.dll?bh0bkyd2 is a good site for testing your firewall. Give it a try. (And, no... I'm not associated with it).
Sallad_Tosser Tux's lil' helper
Joined: 21 Jan 2003 Posts: 95 Location: Edmonton
Posted: Mon Sep 01, 2003 8:22 pm Post subject:
Firehol was too complex heh. I just wish I didn't need to use a firewall =\
Oh well I guess I will have to live with this.
Sallad Tosser _________________ Linux > Windows