Differences between version 21 and revision by previous author of FirewallNotes.
Newer page: version 21, last edited on Monday, October 25, 2004 1:38:55 pm by AristotlePagaltzis
Older page: version 19, last edited on Friday, June 4, 2004 12:16:49 pm by CraigBox
@@ -1,86 +1,93 @@
-__FireWall__ can either refer to a machine used to filter (usually IP) packets or the software used on that machine to provide packet filtering
.
+Before you read anything else, make sure you have read and understood HowFirewallingWorks
.
-!!Before
you read anything else
, make sure
you have read and understood HowFirewallingWorks
.
+If
you need a decent iptables FireWall for your [Linux] box
, you probably want to give PerrysFirewallingScript a try
.
-If you need
a decent iptables firewall for your
Linux box, you probably want to give PerrysFirewallingScript
a try
.
+There are LinuxDistribution~s that exist only to provide firewalling; PerryLorier is working on
a FireWall-on-a-disc system. You can technically speaking shut a [
Linux] machine down into [Kernel]-only mode and still be running
a FireWall
.
-There are distributions that exist only to provide firewalling; PerryLorier is working on
a Firewall-on-a-disc system. You can technically speaking shut a Linux machine down into kernel-only mode and still be running a firewall.
+!!! Adding
a rule
-!Adding
a rule
+To create
a rule that will send back an [ICMP] message, use
-To create a rule that will send back an ICMP message, use
-
iptables -A chain [
[...] --jump REJECT --reject-with icmp-port-unreachable
+<verbatim>
+iptables -A chain [...] --jump REJECT --reject-with icmp-port-unreachable
+</verbatim>
-The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate
ICMP error message (port-unreachable is the default).
+The type corresponds to an [
ICMP]
error and can be one of:
-!Deleting a rule
+* <tt>icmp-net-unreachable</tt>
+* <tt>icmp-host-unreachable</tt>
+* <tt>icmp-port-unreachable</tt> (default)
+* <tt>icmp-proto-unreachable</tt>
+* <tt>icmp-net-prohibited</tt>
+* <tt>icmp-host-prohibited</tt>
- iptables -D chain [[
rule number]
- iptables -D chain [[rule description]
+!!! Deleting a
rule
-Hint: if you want to delete a
rule and you don't want to have to mess around with specifying ports etc, try
+<verbatim>
+iptables -D chain [
rule number]
+iptables -D chain [rule description]
+</verbatim>
-
iptables -L --line-numbers
+Hint: if you want to delete a rule and you don't want to have to mess around with specifying ports etc, try <tt>
iptables -L --line-numbers</tt>. Then you can just use <tt>iptables -D FORWARD 1</tt> to remove it.
-Then you can just use iptables -D FORWARD 1 to remove it.
+!!! Deleting all rules
-!Deleting all rules
-
-
iptables [
[-t <table>] -F [
[chain]
+<verbatim>
+iptables [-t <table>] -F [chain]
+</verbatim>
This removes all rules from the specified table and chain, or all the chains in the table if none is specified.
-Hint: It won't delete any user-defined chains, although it will remove the rules within them, nor will it set the default policy for the table. This, tho
, should.
+Hint: It won't delete any user-defined chains, although it will remove the rules within them, nor will it set the default policy for the table. This, though
, should:
-
iptables -t filter -F
-
iptables -t filter -X
-
iptables -t nat -F
-
iptables -t nat -X
-
iptables -t mangle -F
-
iptables -t mangle -X
-
iptables -t filter -P INPUT ACCEPT
-
iptables -t filter -P FORWARD ACCEPT
-
iptables -t filter -P OUTPUT ACCEPT
-
iptables -t nat -P PREROUTING ACCEPT
-
iptables -t nat -P OUTPUT ACCEPT
-
iptables -t nat -P POSTROUTING ACCEPT
-
iptables -t mangle -P PREROUTING ACCEPT
-
iptables -t mangle -P INPUT ACCEPT
-
iptables -t mangle -P FORWARD ACCEPT
-
iptables -t mangle -P OUTPUT ACCEPT
-
iptables -t mangle -P POSTROUTING ACCEPT
+<verbatim>
+
iptables -t filter -F
+iptables -t filter -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -t filter -P INPUT ACCEPT
+iptables -t filter -P FORWARD ACCEPT
+iptables -t filter -P OUTPUT ACCEPT
+iptables -t nat -P PREROUTING ACCEPT
+iptables -t nat -P OUTPUT ACCEPT
+iptables -t nat -P POSTROUTING ACCEPT
+iptables -t mangle -P PREROUTING ACCEPT
+iptables -t mangle -P INPUT ACCEPT
+iptables -t mangle -P FORWARD ACCEPT
+iptables -t mangle -P OUTPUT ACCEPT
+iptables -t mangle -P POSTROUTING ACCEPT
+</verbatim>
+!!! Hints, tips and traps
-!Hints, tips and traps
-
* Having a default DENY or REJECT policy is a good idea
-* But don
't start with that rule if you're working remotely
-* DENY might sound nice, but it means people can spoof packets from your computer, and your computer won't abort the connection. a
rate limited (using -m limit) REJECT
is much much safer.
-* You probably want to rate limit log messages too otherwise
a good portscan can flood syslogd(8) for ages.
-* If you are having problems using -m owner with iptables 1.2.6a and kernel
2.4.x try [
IptablesNotes]
+* Having a default <tt>
DENY</tt>
or <tt>
REJECT</tt>
policy is a good idea. Don
't start with that rule if you're working remotely, though...
+* <tt>
DENY</tt>
might sound nice, but it means people can spoof packets from your computer, and your computer won't abort the connection. A
rate limited <tt>REJECT</tt>
(using <tt>
-m limit</tt>
) is much much safer.
+* You probably want to rate limit log messages too. Otherwise
a good portscan can flood syslogd(8) for ages.
+* If you are having problems using <tt>
-m owner</tt>
with iptables 1.2.6a and [Kernel]
2.4.x see
IptablesNotes
-!Pinholing
+!!
! Pinholing
-If you have a firewall
running iptables, chances are you'll want to forward a port at some point (to run a P2P app, a game server etc). Experiment with this command line:
+If you have a FireWall
running iptables, chances are you'll want to forward a port at some point (to run a P2P app, a game server etc).
- iptables -t nat -A PREROUTING -i ppp0 -j DNAT -p tcp --
to=10.69.1.200 --dport 4661
+Experiment with this command line, substituting the emphasized bits according
to your needs:
-(Substitute
ppp0/
tcp/
10.69.etc/4661 with whatever you need)
-
-You might want to read [HowToIPCHAINSHOWTO], [HowToBridgeFirewall], [HowToBridgeFirewallDSL], [HowToFirewallHOWTO], [HowToFirewallPiercing], [HowToSentryFirewallCDHOWTO] or [HowToTermFirewall]
. (They
're all really, REALLY old.)
-
----
--
+<pre>
+iptables -t nat -A PREROUTING -i ''
ppp0'' -j DNAT -p ''
tcp'' --to=''
10.69.1
.200'
' --dport ''4661''
+</pre>
-Can't access the NZ Herald? (
http://www.nzherald.co.nz) (
or other sites).
+!!!
Can't access the [
NZ Herald |
http://www.nzherald.co.nz]
or other sites?
-Make sure you have Explicit Congestion Notification disabled (see the [ECN] page)
and don't have any [TOS] (TermsOfService)
settings in your firewall
script (
iptables -t mangle -F PREROUTING might
clean up any you have: don't try this without knowing what you are doing
.)
+Make sure you have [ECN] (
Explicit Congestion Notification)
disabled and don't have any TypeOfService
settings in your FireWall
script. If you know what you're doing, try <tt>
iptables -t mangle -F PREROUTING</tt> which should
clean up any of them
.
-Alternatively, you can go with the "
Don't fix good science to work with a bad implementation"
, or manually add rules allowing access to the NZ Herald IPs
.
+Alternatively, you can go with the ''
Don't fix good science to work with a bad implementation''
, or manually add rules allowing access to the NZ Herald [IP]s
.
-Also, it should be noted that some home routers don't seem to like ECNs
either. If you're having problems accessing the internet
with a home ADSL router, and tcpdump output is mentioning packets with SWE, try turning ECNs
off as seen in the [ECN] page.
+Also, it should be noted that some home routers don't seem to like [ECN]s
either. If you're having problems accessing the InterNet
with a home [
ADSL]
router, and tcpdump(8)
output is mentioning packets with [
SWE]
, try turning [ECN]s
off as seen in the [ECN] page.
-----
-Have a NAT firewall
that only allows one person behind it to make a VPN connection at once? See [PPTPConnectionTracking]
+Have a [
NAT] FireWall
that only allows one person behind it to make a [
VPN]
connection at once? See [PPTPConnectionTracking]
----
Part of CategoryNetworking and CategorySecurity
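Review bot: the rewritten bullets `+* Having a default <tt>DENY</tt> or <tt>REJECT</tt> policy is a good idea` and `+* <tt>DENY</tt> might sound nice, ...` keep the target name DENY, but that is the ipchains name; the iptables target that silently discards packets is DROP, and `iptables -P INPUT DENY` is rejected as an invalid policy. Suggest `<tt>DROP</tt>` in both bullets; the point about a silently dropped packet never aborting the peer's connection, versus a rate-limited REJECT, stands as written. Also, the Pinholing section calls the `<pre>` rule "forwarding a port", but a PREROUTING DNAT only rewrites the destination address; with the default-deny FORWARD policy the page recommends a few lines earlier, the rewritten packet is still dropped unless a matching rule such as `iptables -A FORWARD -p tcp -d 10.69.1.200 --dport 4661 -j ACCEPT` is present, and it would be worth stating that next to the example.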