Subject: setting up a firewall from scratch
From: Mansour Al-Aqeel @ 2006-05-16 0:46 UTC
To: netfilter
Hi Everybody:
I need advice from someone about what to do. I have a small LAN and am
looking to connect it to the net through a LinkSys router using OpenWrt.
The router comes with built-in rules that do everything. However,
I'm new to iptables, and therefore it would be a good chance for me to
be introduced to this tool. I need to delete all the built-in rules and
recreate them again from scratch in order to know what each of them
does... I wrote a small script to execute and save my rules in. The
router stops responding when I execute the script, and I have to reboot
it. All I need at this point is to disable any connection attempt from
outside ($WAN) and enable everything on the ($LAN) side. Here's what I
did so far. Can anyone tell me what's next, or what I'm missing?
#delete all the existing rules from all chains
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
#set the default policy on the external interface not to accept anything
iptables -P INPUT -i $WAN -j REJECT # dont let anything coming from
outside
iptables -P OUTPUT -i $WAN -j ACCEPT # let anything go out
iptables -P FORWARD -i $WAN -j REJECT # dont forward anyhting from
outside to inside
#######################################
## allow everyThign internally
#######################################
iptables -f filter -A INPUT -i $LAN -j ACCEPT
iptables -f filter -A INPUT -o $LAN -j ACCEPT
iptable -A OUTPUT -i $LAN -j ACCEPT
iptable -A OUTPUT -o $LAN -j ACCEPT
####forward internally through the br0
iptables -f filter -A FORWARD -i $LAN -j ACCEPT
iptables -f filter -A FORWARD -o $LAN -j ACCEPT
Thanx
--
Mansour Al-Aqeel
mansour77@ownmail.net
Subject: Re: setting up a firewall from scratch
From: Pascal Hambourg @ 2006-05-16 11:54 UTC
To: netfilter
Hello,
Mansour Al-Aqeel wrote:
> I'm new to iptables,
So I strongly suggest that you read the "Packet Filtering HOWTO" from
the www.netfilter.org documentation page.
> All I need at this point is to disable any connection attempt from
> outside ($WAN) and enable everything on the ($LAN) side
By doing so, you will block the replies to packets you send. Is this
really what you want?
> #delete all the existing rules from all chains
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
'iptables -F' does the same in a single command.
> #set the default policy on the external interface not to accept anything
> iptables -P INPUT -i $WAN -j REJECT # dont let anything coming from
> outside
> iptables -P OUTPUT -i $WAN -j ACCEPT # let anything go out
> iptables -P FORWARD -i $WAN -j REJECT # dont forward anyhting from
> outside to inside
Syntax error. A default policy applies to a whole chain, it can't apply
to only an interface. Also, REJECT is not a valid default policy, you
can only use DROP or ACCEPT.
> #######################################
> ## allow everyThign internally
> #######################################
> iptables -f filter -A INPUT -i $LAN -j ACCEPT
> iptables -f filter -A INPUT -o $LAN -j ACCEPT
Syntax error. The table is specified by option -t. Option -f is to match
fragments. Also, you can't have a -o option (output interface) in an
INPUT chain.
> iptable -A OUTPUT -i $LAN -j ACCEPT
> iptable -A OUTPUT -o $LAN -j ACCEPT
Syntax error. It's iptables, not iptable. Also, you can't have a -i
option (input interface) in an OUTPUT chain.
> ####forward internally through the br0
> iptables -f filter -A FORWARD -i $LAN -j ACCEPT
> iptables -f filter -A FORWARD -o $LAN -j ACCEPT
-f mistake again. There is not a single correct rule in your script, so
I'm not surprised that it blocks everything.
iptables targets act on individual packets, not on connections. If you
block anything coming from the outside, you block the replies to the
packets you send.
If you want to filter connections, your rules should use connection
tracking state match (-m state --state ESTABLISHED,RELATED) to accept
replies but reject new connection requests from the outside.
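The following script is an added example, not something posted in the thread: it writes the ruleset the corrections above describe (chain-wide DROP/ACCEPT policies, -t for the table, -i only where a packet has an input interface, -o only where it has an output interface, and a state match so replies get back in). The interface names eth0.1 and br0 and the APPLY dry-run switch are assumptions of this example, not details from the thread.

```shell
#!/bin/sh
# Added example; not code from the original thread.
# Interface names are assumptions for an OpenWrt box: WAN is the upstream
# port, LAN the bridge of the switch ports. Override them via environment.
WAN="${WAN:-eth0.1}"
LAN="${LAN:-br0}"

# Dry run by default: print the commands instead of loading them, so the
# ruleset can be reviewed before it can lock you out of the router.
# Set APPLY=1 (as root) to actually install the rules.
IPT="echo iptables"
if [ "${APPLY:-0}" = "1" ]; then
    IPT="iptables"
fi

build_rules() {
    # -F with no chain name flushes every chain of the filter table at once;
    # -X removes any leftover user-defined chains.
    $IPT -F
    $IPT -X

    # A policy applies to a whole chain and may only be ACCEPT or DROP.
    # It takes no -i/-o, and REJECT is not a valid policy.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback and everything arriving from the LAN side. INPUT rules use
    # -i only: an incoming packet has no output interface to match on.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN" -j ACCEPT

    # Targets act per packet, so filter per connection with the state match:
    # accept replies to connections the router itself opened (DNS, NTP, ...).
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # REJECT is fine as a rule target (just not as a policy): refuse new
    # connection attempts from the WAN with an ICMP error instead of silence.
    $IPT -A INPUT -i "$WAN" -m state --state NEW -j REJECT

    # FORWARD sees both interfaces, so -i and -o are both valid here:
    # LAN hosts may initiate toward the WAN, and only replies come back.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Masquerade LAN traffic leaving on the WAN; the table is chosen with -t.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

build_rules
```

Run it once without APPLY to read the generated commands, then with APPLY=1 from a console session rather than over the network, since the INPUT policy is DROP until the state rule is loaded. On current kernels `-m conntrack --ctstate ESTABLISHED,RELATED` is the newer spelling of the same match the reply names.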
Thread overview: 4+ messages
2006-05-16 0:46 setting up a firewall from scratch Mansour Al-Aqeel
2006-05-16 11:54 ` Pascal Hambourg
2006-05-16 11:57 ` Tim Evans
2006-05-16 14:47 ` Dimitri Yioulos