Differences between version 21 and predecessor to the previous major change of FirewallNotes.
Other diffs: Previous Revision, Previous Author, or view the Annotated Edit History
| Newer page: | version 21 | Last edited on Monday, October 25, 2004 1:38:55 pm | by AristotlePagaltzis | Revert |
| Older page: | version 16 | Last edited on Monday, August 11, 2003 1:13:52 pm | by CraigBox | Revert |
@@ -1,79 +1,93 @@
-__FireWall__ can either refer to a machine used to filter (usually IP) packets or the software used on that machine to provide packet filtering
.
+Before you read anything else, make sure you have read and understood HowFirewallingWorks
.
-!!Before
you read anything else
, make sure
you have read and understood HowFirewallingWorks
.
+If
you need a decent iptables FireWall for your [Linux] box
, you probably want to give PerrysFirewallingScript a try
.
-If you need
a decent iptables firewall for your
Linux box, you probably want to give PerrysFirewallingScript
a try
.
+There are LinuxDistribution~s that exist only to provide firewalling; PerryLorier is working on
a FireWall-on-a-disc system. You can technically speaking shut a [
Linux] machine down into [Kernel]-only mode and still be running
a FireWall
.
-There are distributions that exist only to provide firewalling; PerryLorier is working on
a Firewall-on-a-disc system. You can technically speaking shut a Linux machine down into kernel-only mode and still be running a firewall.
+!!! Adding
a rule
-!Adding
a rule
+To create
a rule that will send back an [ICMP] message, use
-To create a rule that will send back an ICMP message, use
-
iptables -A chain [
[...] --jump REJECT --reject-with icmp-port-unreachable
+<verbatim>
+iptables -A chain [...] --jump REJECT --reject-with icmp-port-unreachable
+</verbatim>
-The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate
ICMP error message (port-unreachable is the default).
+The type corresponds to an [
ICMP]
error and can be one of:
-!Deleting a rule
+* <tt>icmp-net-unreachable</tt>
+* <tt>icmp-host-unreachable</tt>
+* <tt>icmp-port-unreachable</tt> (default)
+* <tt>icmp-proto-unreachable</tt>
+* <tt>icmp-net-prohibited</tt>
+* <tt>icmp-host-prohibited</tt>
- iptables -D chain [[
rule number]
- iptables -D chain [[rule description]
+!!! Deleting a
rule
-Hint: if you want to delete a
rule and you don't want to have to mess around with specifying ports etc, try
+<verbatim>
+iptables -D chain [
rule number]
+iptables -D chain [rule description]
+</verbatim>
-
iptables -L --line-numbers
+Hint: if you want to delete a rule and you don't want to have to mess around with specifying ports etc, try <tt>
iptables -L --line-numbers</tt>. Then you can just use <tt>iptables -D FORWARD 1</tt> to remove it.
-Then you can just use iptables -D FORWARD 1 to remove it.
+!!! Deleting all rules
-!Deleting all rules
-
-
iptables [
[-t <table>] -F [
[chain]
+<verbatim>
+iptables [-t <table>] -F [chain]
+</verbatim>
This removes all rules from the specified table and chain, or all the chains in the table if none is specified.
-Hint: It won't delete any user-defined chains, although it will remove the rules within them, nor will it set the default policy for the table. This, tho
, should.
+Hint: It won't delete any user-defined chains, although it will remove the rules within them, nor will it set the default policy for the table. This, though
, should:
-
iptables -t filter -F
-
iptables -t filter -X
-
iptables -t nat -F
-
iptables -t nat -X
-
iptables -t mangle -F
-
iptables -t mangle -X
-
iptables -t filter -P INPUT ACCEPT
-
iptables -t filter -P FORWARD ACCEPT
-
iptables -t filter -P OUTPUT ACCEPT
-
iptables -t nat -P PREROUTING ACCEPT
-
iptables -t nat -P OUTPUT ACCEPT
-
iptables -t nat -P POSTROUTING ACCEPT
-
iptables -t mangle -P PREROUTING ACCEPT
-
iptables -t mangle -P INPUT ACCEPT
-
iptables -t mangle -P FORWARD ACCEPT
-
iptables -t mangle -P OUTPUT ACCEPT
-
iptables -t mangle -P POSTROUTING ACCEPT
+<verbatim>
+
iptables -t filter -F
+iptables -t filter -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -t filter -P INPUT ACCEPT
+iptables -t filter -P FORWARD ACCEPT
+iptables -t filter -P OUTPUT ACCEPT
+iptables -t nat -P PREROUTING ACCEPT
+iptables -t nat -P OUTPUT ACCEPT
+iptables -t nat -P POSTROUTING ACCEPT
+iptables -t mangle -P PREROUTING ACCEPT
+iptables -t mangle -P INPUT ACCEPT
+iptables -t mangle -P FORWARD ACCEPT
+iptables -t mangle -P OUTPUT ACCEPT
+iptables -t mangle -P POSTROUTING ACCEPT
+</verbatim>
+!!! Hints, tips and traps
-!Hints, tips and traps
-
-* But don
't start with that rule if you're working remotely
-* DENY might sound nice, but it means people can spoof packets from your computer, and your computer won't abort the connection. a
rate limited (using -m limit) REJECT
is much much safer.
-* You probably want to rate limit log messages too otherwise
a good portscan can flood syslogd(8) for ages.
+* Having a default <tt>
DENY</tt>
or <tt>
REJECT</tt>
policy is a good idea. Don
't start with that rule if you're working remotely, though...
+* <tt>
DENY</tt>
might sound nice, but it means people can spoof packets from your computer, and your computer won't abort the connection. A
rate limited <tt>REJECT</tt>
(using <tt>
-m limit</tt>
) is much much safer.
+* You probably want to rate limit log messages too. Otherwise
a good portscan can flood syslogd(8) for ages.
+* If you are having problems using <tt>-m owner</tt> with iptables 1.2.6a and [Kernel] 2.4.x see IptablesNotes
-!Pinholing
+!!
! Pinholing
-If you have a firewall
running iptables, chances are you'll want to forward a port at some point (to run a P2P app, a game server etc). Experiment with this command line:
+If you have a FireWall
running iptables, chances are you'll want to forward a port at some point (to run a P2P app, a game server etc).
- iptables -t nat -A PREROUTING -i ppp0 -j DNAT -p tcp --
to=10.69.1.200 --dport 4661
+Experiment with this command line, substituting the emphasized bits according
to your needs:
-(Substitute
ppp0/
tcp/
10.69.etc
/4661 with whatever you need)
+<pre>
+iptables -t nat -A PREROUTING -i ''
ppp0'' -j DNAT -p ''
tcp'' --to=''
10.69.1.200'' --dport ''4661''
+<
/pre>
-You might want to read
[HowToIPCHAINSHOWTO], [HowToBridgeFirewall], [HowToBridgeFirewallDSL], [HowToFirewallHOWTO], [HowToFirewallPiercing], [HowToSentryFirewallCDHOWTO
] or [HowToTermFirewall]. (They're all really, REALLY old.)
+!!! Can't access the
[NZ Herald | http://www.nzherald.co.nz
] or other sites?
------
+Make sure you have [ECN] (Explicit Congestion Notification) disabled and don't have any TypeOfService settings in your FireWall script. If you know what you're doing, try <tt>iptables
-t mangle
-F PREROUTING</tt> which should clean up any of them.
-Can
't access the NZ Herald? (http://www.nzherald.co.nz) (or other sites)
.
+Alternatively, you can go with the ''Don
't fix good science to work with a bad implementation'', or manually add rules allowing
access to
the NZ Herald [IP]s
.
-Make sure you have Explicit Congestion Notification disabled (see the
[ECN] page) and don
't have any
[TOS
] (TermsOfService
) settings
in your firewall script (iptables
-t mangle
-F PREROUTING might clean up any you have: don't try this without knowing what you are doing.)
+Also, it should be noted that some home routers don't seem to like
[ECN]s either. If you
're having problems accessing the InterNet with a home
[ADSL
] router, and tcpdump
(8
) output is mentioning packets with [SWE], try turning [ECN]s off as seen
in the [ECN] page.
+
+---
--
-Alternatively, you can go with the "Don't fix good science to work with
a bad implementation", or manually add rules allowing access
to the NZ Herald IPs.
+Have
a [NAT] FireWall that only allows one person behind it
to make a [VPN] connection at once? See [PPTPConnectionTracking]
----
Part of CategoryNetworking and CategorySecurity
