Differences between version 25 and predecessor to the previous major change of FirewallNotes.
Other diffs: Previous Revision, Previous Author, or view the Annotated Edit History
Newer page: | version 25 | Last edited on Friday, April 22, 2005 11:48:44 am | by JohnMcPherson | Revert |
Older page: | version 16 | Last edited on Monday, August 11, 2003 1:13:52 pm | by CraigBox | Revert |
@@ -1,79 +1,99 @@
-__FireWall__ can either refer to a machine used to filter
(usually IP
) packets or the software used on that machine to provide packet filtering
.
+Before you read anything else, make sure you have read and understood HowFirewallingWorks. This tells you about iptables
(8
) and gives some examples
.
-!!Before
you read anything else
, make sure
you have read and understood HowFirewallingWorks
.
+If
you need a decent iptables FireWall for your [Linux] box
, you probably want to give PerrysFirewallingScript a try
.
-If you need
a decent iptables firewall for your
Linux box, you probably want to give PerrysFirewallingScript
a try
.
+There are LinuxDistribution~s that exist only to provide firewalling; PerryLorier is working on
a FireWall-on-a-disc system. You can technically speaking shut a [
Linux] machine down into [Kernel]-only mode and still be running
a FireWall
.
-There are distributions that exist only to provide firewalling; PerryLorier is working on
a Firewall-on-a-disc system. You can technically speaking shut a Linux machine down into kernel-only mode and still be running a firewall.
+!!! Adding
a rule
-!Adding
a rule
+To create
a rule that will send back an [ICMP] message, use
-To create a rule that will send back an ICMP message, use
-
iptables -A chain [
[...] --jump REJECT --reject-with icmp-port-unreachable
+<verbatim>
+iptables -A chain [...] --jump REJECT --reject-with icmp-port-unreachable
+</verbatim>
-The type given can be icmp-net-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited or icmp-host-prohibited, which return the appropriate
ICMP error message (port-unreachable is the default).
+The type corresponds to an [
ICMP]
error and can be one of:
-!Deleting a rule
+* <tt>icmp-net-unreachable</tt>
+* <tt>icmp-host-unreachable</tt>
+* <tt>icmp-port-unreachable</tt> (default)
+* <tt>icmp-proto-unreachable</tt>
+* <tt>icmp-net-prohibited</tt>
+* <tt>icmp-host-prohibited</tt>
- iptables -D chain [[
rule number]
- iptables -D chain [[rule description]
+!!! Deleting a
rule
-Hint: if you want to delete a
rule and you don't want to have to mess around with specifying ports etc, try
+<verbatim>
+iptables -D chain [
rule number]
+iptables -D chain [rule description]
+</verbatim>
-
iptables -L --line-numbers
+Hint: if you want to delete a rule and you don't want to have to mess around with specifying ports etc, try <tt>
iptables -L --line-numbers</tt>. Then you can just use <tt>iptables -D FORWARD 1</tt> to remove it.
-Then you can just use iptables -D FORWARD 1 to remove it.
+!!! Deleting all rules
-!Deleting all rules
-
-
iptables [
[-t <table>] -F [
[chain]
+<verbatim>
+iptables [-t <table>] -F [chain]
+</verbatim>
This removes all rules from the specified table and chain, or all the chains in the table if none is specified.
-Hint: It won't delete any user-defined chains, although it will remove the rules within them, nor will it set the default policy for the table. This, tho
, should.
+Hint: It won't delete any user-defined chains, although it will remove the rules within them, nor will it set the default policy for the table. This, though
, should:
-
iptables -t filter -F
-
iptables -t filter -X
-
iptables -t nat -F
-
iptables -t nat -X
-
iptables -t mangle -F
-
iptables -t mangle -X
-
iptables -t filter -P INPUT ACCEPT
-
iptables -t filter -P FORWARD ACCEPT
-
iptables -t filter -P OUTPUT ACCEPT
-
iptables -t nat -P PREROUTING ACCEPT
-
iptables -t nat -P OUTPUT ACCEPT
-
iptables -t nat -P POSTROUTING ACCEPT
-
iptables -t mangle -P PREROUTING ACCEPT
-
iptables -t mangle -P INPUT ACCEPT
-
iptables -t mangle -P FORWARD ACCEPT
-
iptables -t mangle -P OUTPUT ACCEPT
-
iptables -t mangle -P POSTROUTING ACCEPT
+<verbatim>
+
iptables -t filter -F
+iptables -t filter -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -t filter -P INPUT ACCEPT
+iptables -t filter -P FORWARD ACCEPT
+iptables -t filter -P OUTPUT ACCEPT
+iptables -t nat -P PREROUTING ACCEPT
+iptables -t nat -P OUTPUT ACCEPT
+iptables -t nat -P POSTROUTING ACCEPT
+iptables -t mangle -P PREROUTING ACCEPT
+iptables -t mangle -P INPUT ACCEPT
+iptables -t mangle -P FORWARD ACCEPT
+iptables -t mangle -P OUTPUT ACCEPT
+iptables -t mangle -P POSTROUTING ACCEPT
+</verbatim>
+!!! Hints, tips and traps
-!Hints, tips and traps
-
* Having a default DENY or REJECT policy is a good idea
-* But don
't start with that rule if you're working remotely
-* DENY might sound nice, but it means people can spoof packets from your computer, and your computer won't abort the connection. a
rate limited (using -m limit) REJECT
is much much safer.
-* You probably want to rate limit log messages too otherwise
a good portscan can flood syslogd(8) for ages.
+* Having a default <tt>
DENY</tt>
or <tt>
REJECT</tt>
policy is a good idea. Don
't start with that rule if you're working remotely, though...
+* <tt>
DENY</tt>
might sound nice, but it means people can spoof packets from your computer, and your computer won't abort the connection. A
rate limited <tt>REJECT</tt>
(using <tt>
-m limit</tt>
) is much much safer.
+* You probably want to rate limit log messages too. Otherwise
a good portscan can flood syslogd(8) for ages.
+* If you are having problems using <tt>-m owner</tt> with iptables 1.2.6a and [Kernel] 2.4.x see IptablesNotes
+* For those stupid places that don't support packet fragmentation (like some online banking sites a while back):
+ <verbatim>
+ iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+ </verbatim>
+ Make sure it's the first thing in the <tt>FORWARD</tt> chain on your router, or in the <tt>OUTPUT</tt> chain if you use one of those hardware [DSL] router boxes
.
-!Pinholing
-If you have a firewall running iptables, chances are you'll want to forward a port at some point (to run a P2P app, a game server etc). Experiment with this command line:
+!!! Pinholing
-
iptables -t nat -A PREROUTING -i ppp0 -j DNAT -p tcp --
to=10.69.1
.200 --dport 4661
+If you have a FireWall running
iptables, chances are you'll want
to forward a port at some point (to run a P2P app, a game server etc)
.
-(Substitute ppp0/tcp/10.69.etc/4661
with whatever you need)
+Experiment
with this command line, substituting the emphasized bits according to your needs:
-You might want
to read [HowToIPCHAINSHOWTO], [HowToBridgeFirewall], [HowToBridgeFirewallDSL], [HowToFirewallHOWTO], [HowToFirewallPiercing], [HowToSentryFirewallCDHOWTO] or [HowToTermFirewall]. (They
're all really, REALLY old
.)
+<pre>
+iptables -t nat -A PREROUTING -i ''ppp0'' -j DNAT -p ''tcp'' --
to=
''10
.69.1.200'' --dport ''4661''
+</pre>
------
+!!! Can't access the [NZ Herald | http://www.nzherald.co.nz] or other sites?
-Can
't access the NZ Herald? (http:
//www.nzherald.co.nz) (or other sites)
.
+Make sure you have [ECN] (Explicit Congestion Notification) disabled and don
't have any TypeOfService settings in your FireWall script. If you know what you're doing, try <tt>iptables -t mangle -F PREROUTING<
/tt> which should clean up any of them
.
-Make sure
you have Explicit Congestion Notification disabled (see
the [ECN
] page) and
don't have any
[TOS
] (TermsOfService
) settings
in your firewall script (iptables
-t mangle
-F PREROUTING might clean up any you have: don't try this without knowing what you are doing.)
+Alternatively,
you can go with
the ''Don't fix good science to work with a bad implementation'', or manually add rules allowing access to the NZ Herald
[IP
]s.
+
+Also, it should be noted that some home routers
don't seem to like
[ECN
]s either. If you're having problems accessing the InterNet with a home [ADSL] router, and tcpdump
(8
) output is mentioning packets with [SWE], try turning [ECN]s off as seen
in the [ECN] page.
+
+---
--
-Alternatively, you can go with the "Don't fix good science to work with
a bad implementation", or manually add rules allowing access
to the NZ Herald IPs.
+Have
a [NAT] FireWall that only allows one person behind it
to make a [VPN] connection at once? See [PPTPConnectionTracking]
----
Part of CategoryNetworking and CategorySecurity