Mick <michaelkintzios <at> gmail.com> writes:


> > http://gentoo-en.vfose.ru
> > /wiki/IptablesIptables_and_stateful_firewalls#State_basics

> Start iptables, run the script, stop iptables with '/etc/init.d/iptables
> stop' which will save your rules to /var/lib/iptables/rules-save,


After starting iptables, I ran /etc/firewall.sh (the previously published
script) and then the stop with the syntax above:

cat /var/lib/iptables/rules-save
# Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
*mangle
:PREROUTING ACCEPT [16022765:14170972269]
:INPUT ACCEPT [16022479:14170935323]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19311825:1508198446]
:POSTROUTING ACCEPT [19311825:1508198446]
COMMIT
# Completed on Wed Oct 7 09:13:59 2015
# Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
*filter
:INPUT DROP [471:17192]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [722751:44404539]
[740388:740719942] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Oct 7 09:13:59 2015


was the output.


> or
> run 'iptables-save /var/lib/iptables/rules-save'. Add any sysctl changes
> to /etc/sysctl.conf, so that they are permanent. Re-run the script if
> you want to change things in it.


sysctl is not set up. I did find this page on that:
https://wiki.gentoo.org/wiki/Procfs

Any suggestions on setting up sysctl for iptables and other future
usage?



> > Any improvements in this basic workstation firewall
> > everything out, nothing in?

> Yes, but such improvements are suggested in subsequent scripts on the
> same page, e.g. ICMP handling, selective logging, etc. If all you want
> is "a basic firewall using iptables" for the IPv4 workspace, then what
> you have will do the job.

I'll test out these mods and give the scripts an added sequential character
in the name so there can be different ones for easy deployment.

The idea is to keep it as simple as possible, test out scripts and ideas
and put something easy to set up on the gentoo wiki, for all to enjoy.


> > Any good tools to quickly test this firewall from another local
> > workstation?

> nmap -A -T4 -P0 -vvv -p1-65535 XXX.XX.XXX.XX

Worked flawlessly. Very precise syntax (thanks). Here are the highlights:

Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1-hpn13v11lpk (protocol 2.0)


Not bad for a quick workstation firewall(s). After I get sysctl set up,
I'll test a few other versions and post again. Then wikify these
for community consumption.

Thanks

James
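An added example, not part of the thread above and not one of the wiki scripts: a small POSIX shell checker for the file that '/etc/init.d/iptables stop' writes, so that the "everything out, nothing in" policy is verified from the persisted rules rather than assumed. It assumes only the iptables-save text format; the sample dump embedded in it is constructed from the rules-save output posted in the mail, and the function and file names are my own.

```shell
#!/bin/sh
# Added example, not part of the original mail or of any Gentoo script:
# sanity-check an iptables-save dump (the file /etc/init.d/iptables stop
# writes) before trusting it as the persisted "everything out, nothing in"
# workstation policy. It only assumes the iptables-save text format.

# Constructed sample: the rules-save contents posted in the mail,
# embedded inline so the check runs offline.
SAMPLE_RULES='# Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
*mangle
:PREROUTING ACCEPT [16022765:14170972269]
:INPUT ACCEPT [16022479:14170935323]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19311825:1508198446]
:POSTROUTING ACCEPT [19311825:1508198446]
COMMIT
# Completed on Wed Oct 7 09:13:59 2015
# Generated by iptables-save v1.4.21 on Wed Oct 7 09:13:59 2015
*filter
:INPUT DROP [471:17192]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [722751:44404539]
[740388:740719942] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Oct 7 09:13:59 2015'

# Print the policy and rule lines of one table (e.g. "filter") from a dump on stdin.
table_section() {   # usage: table_section <table> < dump
    awk -v want="*$1" '
        $1 == want        { in_table = 1; next }
        /^COMMIT/         { in_table = 0 }
        in_table && !/^#/ { print }
    '
}

# Return 0 when the filter table is default-deny inbound with stateful
# return traffic allowed and nothing undoes that; otherwise print the
# first problem found and return 1.
check_workstation_policy() {   # usage: check_workstation_policy <rules-save file>
    filter=$(table_section filter < "$1")
    [ -n "$filter" ] || { echo "FAIL: no *filter table in $1"; return 1; }

    # Default policy: unsolicited inbound packets are dropped, not rejected.
    printf '%s\n' "$filter" | grep -q '^:INPUT DROP' \
        || { echo "FAIL: INPUT policy is not DROP"; return 1; }

    # Replies to our own connections must still get in (-m state or -m conntrack form).
    printf '%s\n' "$filter" | grep -E -q -- \
        '-A INPUT .*--(state|ctstate) (RELATED,ESTABLISHED|ESTABLISHED,RELATED) .*-j ACCEPT' \
        || { echo "FAIL: no RELATED,ESTABLISHED accept rule on INPUT"; return 1; }

    # A bare "-A INPUT -j ACCEPT" matches everything and makes the DROP policy moot.
    if printf '%s\n' "$filter" | grep -E -q -- '-A INPUT -j ACCEPT$'; then
        echo "FAIL: an unconditional ACCEPT on INPUT overrides the DROP policy"
        return 1
    fi

    # "Everything out": outbound traffic is allowed by policy.
    printf '%s\n' "$filter" | grep -q '^:OUTPUT ACCEPT' \
        || { echo "FAIL: OUTPUT policy is not ACCEPT"; return 1; }

    echo "OK: INPUT DROP with stateful return traffic, OUTPUT ACCEPT"
    return 0
}

# Stand-alone use: check the given file, or the inline sample when run bare.
if [ $# -gt 0 ]; then
    check_workstation_policy "$1"
else
    sample_file=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$sample_file"
    check_workstation_policy "$sample_file"
    rm -f "$sample_file"
fi
```

Run it as 'sh check-rules.sh /var/lib/iptables/rules-save' right after the '/etc/init.d/iptables stop' step, and again after any script revision, so a later script that appends a catch-all accept to INPUT is caught before the next boot loads it. One point worth cross-checking against the nmap output quoted above: nmap reports a port as "closed" when it receives a TCP RST and as "filtered" when it receives nothing, so a host whose INPUT policy is DROP should show its unlisted ports as filtered; "65534 closed ports" is what a scan sees when the rules are not loaded at scan time, so it is worth re-running the scan with the checker reporting OK.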