| 1 |
Mick <michaelkintzios <at> gmail.com> writes: |
| 2 |
|
| 3 |
|
| 4 |
> > http://gentoo-en.vfose.ru |
| 5 |
> > /wiki/IptablesIptables_and_stateful_firewalls#State_basics |
| 6 |
|
| 7 |
> Start iptables, run the script, stop iptables with '/etc/init.d/iptables > |
| 8 |
stop' which will save your rules to /var/lib/iptables/rules-save, |
| 9 |
|
| 10 |
|
| 11 |
after starting iptables, I ran /etc/firewall.sh (the previously published |
| 12 |
script) and the stop with the syntax above:: |
| 13 |
|
| 14 |
cat /var/lib/iptables/rules-save |
| 15 |
# Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015 |
| 16 |
*mangle |
| 17 |
:PREROUTING ACCEPT [16022765:14170972269] |
| 18 |
:INPUT ACCEPT [16022479:14170935323] |
| 19 |
:FORWARD ACCEPT [0:0] |
| 20 |
:OUTPUT ACCEPT [19311825:1508198446] |
| 21 |
:POSTROUTING ACCEPT [19311825:1508198446] |
| 22 |
COMMIT |
| 23 |
# Completed on Wed Oct 7 09:13:59 2015 |
| 24 |
# Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015 |
| 25 |
*filter |
| 26 |
:INPUT DROP [471:17192] |
| 27 |
:FORWARD ACCEPT [0:0] |
| 28 |
:OUTPUT ACCEPT [722751:44404539] |
| 29 |
[740388:740719942] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
| 30 |
COMMIT |
| 31 |
# Completed on Wed Oct 7 09:13:59 2015 |
| 32 |
|
| 33 |
|
| 34 |
was the ouput. |
| 35 |
|
| 36 |
|
| 37 |
> or |
| 38 |
> run 'iptables-save /var/lib/iptables/rules-save'. Add any sysctl changes |
| 39 |
> to /etc/sysctl.conf, so that they are permanent. Re-run the script if |
| 40 |
> you want to change things in it. |
| 41 |
|
| 42 |
|
| 43 |
sysctl is not set up. I did find this page on that:: |
| 44 |
https://wiki.gentoo.org/wiki/Procfs |
| 45 |
|
| 46 |
Any suggestions on setting up sysctl for iptables and other future |
| 47 |
usage? |
| 48 |
|
| 49 |
|
| 50 |
|
| 51 |
> > Any improvements in this basic workstation firewall |
| 52 |
> > everything out, nothing in? |
| 53 |
|
| 54 |
> Yes, but such improvements are suggested in subsequent scripts on the |
| 55 |
> same page, e.g. ICMP handling, selective logging, etc. If all you want |
| 56 |
> is "a basic firewall using iptables" for the IPv4 workspace, then what |
| 57 |
> you have will do the job. |
| 58 |
|
| 59 |
I'll test out these mods and give the scripts an added sequential character |
| 60 |
in the name so there can be different ones for easy deployment. |
| 61 |
|
| 62 |
The idea is to keep it as simple as possible, test out scripts and ideas |
| 63 |
and put something easy to set up on the gentoo wiki, for all to enjoy. |
| 64 |
|
| 65 |
|
| 66 |
> > Any good tools to quickly test this firewall from another local |
| 67 |
> > workstation? |
| 68 |
|
| 69 |
> nmap -A -T4 -P0 -vvv -p1-65535 XXX.XX.XXX.XX |
| 70 |
|
| 71 |
Worked flawlessly. Very precise syntax (thanks). Here are the highlights:: |
| 72 |
|
| 73 |
Not shown: 65534 closed ports |
| 74 |
PORT STATE SERVICE VERSION |
| 75 |
22/tcp open ssh OpenSSH 5.9p1-hpn13v11lpk (protocol 2.0) |
| 76 |
|
| 77 |
|
| 78 |
Not bad for a quick workstation firewall(s). After I get sysctl setup, |
| 79 |
I'll test a few other verssions and post again. Then wikify these |
| 80 |
for community consumption. |
| 81 |
|
| 82 |
Thanks |
| 83 |
|
| 84 |
James |
Archives