Ip Tables???

  1. #1
    Senior Member
    Join Date
    Aug 2002

    Ip Tables???

    Hi guys.. I'm totally new to using Linux (Red Hat Linux 7.3) and I want to set up my firewall using iptables.
    I've already looked at the "TUTORIAL FORUM" but I couldn't find a clear, step-by-step guide to how to use iptables (please forgive me, I'm totally, absolutely a beginner), so if any one of you can give me advice I'd really appreciate it. (I don't even know how to start the iptables command... hmmm, how stupid I am.) Do I have to start as root, and then what else?

  2. #2
    Senior Member
    Join Date
    Sep 2001


    \'hi, welcome to *****. if you would like to speak to an operator, please hang up now.\'
    * click *

  3. #3
    Senior Member problemchild
    Join Date
    Jul 2002
    Hi there. Iptables can be somewhat frustrating for beginners to work with directly... heck, even old timers sometimes cuss it.

    Fortunately, there are several graphical frontends for iptables that make setting up your firewall rules much easier for a beginner. Firestarter would be a good choice for beginners. You can download it (and many others) from freshmeat.net. A search on "iptables firewall" should give you enough hits to keep you busy for a while.

    If you really have a thing for pain and prefer to work directly with iptables, there's a quick and dirty guide to iptables at http://www.gentoo.org/doc/gentoo-security.html. Of course, the document deals with Gentoo Linux specifically, but it works the same on Red Hat.
    Do what you want with the girl, but leave me alone!

  4. #4
    Senior Member
    Join Date
    Sep 2001
    hi again

    google search:

    from redhat's support docs...

    good luck!

    \'hi, welcome to *****. if you would like to speak to an operator, please hang up now.\'
    * click *

  5. #5
    Junior Member
    Join Date
    Jul 2002
    Good luck! I was in the same position a year and a half ago. Make sure you have access to two boxes, one local with iptables and one remote with nmap. The best thing you can do, aside from learning how to configure iptables or ipchains, is to learn nmap inside and out, or you will never know if your firewall is really working.

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Maybe this will help... I too at one point was new to using iptables. I had a terrible time figuring out how to get it to work.

    Finally someone gave me a very basic and somewhat flawed iptables script that let me figure it all out and write one of my own.

    So here's that script, so you might be able to see a simple script that works.

    #!/bin/sh
    ## rc.firewall
    ## Disable forwarding until the script has run completely
    echo 0 > /proc/sys/net/ipv4/ip_forward

    ## setup some variables for use later.. setting your external ip, and internal network, location of iptables.
    ## (the posted copy lost these lines; the values below are placeholders to replace with your own)
    TABLES=/sbin/iptables           # where Red Hat 7.3 keeps the iptables binary
    OUT_IF=eth0                     # interface facing the internet
    IN_IF=eth1                      # interface facing the internal network
    OUTSIDE_IP=YOUR.EXTERNAL.IP     # placeholder: your external address
    INSIDE_NET=192.168.1.0/24       # placeholder: your internal network

    ##Clear the tables and set the default action
    echo "Clearing and setting default rules"
    $TABLES -F
    $TABLES -t nat -F
    ## the default action is ACCEPT; these lines just make the "accept everything, then deny" design below explicit
    $TABLES -P INPUT ACCEPT
    $TABLES -P OUTPUT ACCEPT
    $TABLES -P FORWARD ACCEPT

    ## here's the biggest flaw.. this works with an accept everything then deny specific
    ## except this accepts everything then denies all explicitly...
    ## allows for less headaches

    ## set some kernel flags to stop some common attacks
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo "10" > /proc/sys/net/ipv4/icmp_ratelimit
    ## same per-interface settings on both the outside and inside interfaces
    for IF in $OUT_IF $IN_IF; do
        echo "1" > /proc/sys/net/ipv4/conf/$IF/rp_filter
        echo "0" > /proc/sys/net/ipv4/conf/$IF/accept_redirects
        echo "0" > /proc/sys/net/ipv4/conf/$IF/accept_source_route
        echo "0" > /proc/sys/net/ipv4/conf/$IF/bootp_relay
        echo "1" > /proc/sys/net/ipv4/conf/$IF/log_martians
    done

    ## setup NAT to allow your internal network to access the web
    ## (this rule was missing from the posted copy; masquerading the internal network behind $OUT_IF is the usual way)
    $TABLES -t nat -A POSTROUTING -s $INSIDE_NET -o $OUT_IF -j MASQUERADE

    ## This is where we deny connections we don't want into the network.
    $TABLES -A INPUT -p tcp -i $OUT_IF --dport 0:1023 -j DROP
    $TABLES -A INPUT -p udp -i $OUT_IF --dport 0: -j DROP
    $TABLES -A INPUT -p icmp -i $OUT_IF -j DROP
    $TABLES -I INPUT -p icmp -m state --state INVALID -j DROP
    $TABLES -A INPUT -p tcp -i $OUT_IF -m state --state NEW,INVALID --dport 1024: -j DROP

    ## then accept what we want.
    ## -I inserts at the top of the chain, so these rules are checked before the DROP rules above.
    ## replies to connections this box started (added here: without it the udp DROP above also eats the answers to your own DNS lookups)
    $TABLES -I INPUT -i $OUT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $TABLES -I INPUT -p icmp -i $OUT_IF --icmp-type 0 -j ACCEPT
    $TABLES -I INPUT -p icmp -i $OUT_IF --icmp-type 3 -j ACCEPT
    $TABLES -I INPUT -p icmp -i $OUT_IF --icmp-type 11 -j ACCEPT

    ## if you have a web server, e-mail, dns, or such hosted on your server.
    $TABLES -I INPUT -p tcp -i $OUT_IF -d $OUTSIDE_IP --dport 25 -j ACCEPT
    $TABLES -I INPUT -p tcp -i $OUT_IF -d $OUTSIDE_IP --dport 80 -j ACCEPT
    $TABLES -I INPUT -p udp -i $OUT_IF -d $OUTSIDE_IP --dport 53 -j ACCEPT
    $TABLES -I INPUT -p tcp -i $OUT_IF -d $OUTSIDE_IP --dport 53 -j ACCEPT
    $TABLES -I INPUT -p tcp -i $OUT_IF -d $OUTSIDE_IP --dport 22 -j ACCEPT

    ## An example of using port forwarding (using counter-strike as my example)
    ## (the LAN address was cut off in the posted copy; CS_SERVER is a placeholder for the internal box running the game)
    CS_SERVER=192.168.1.10
    $TABLES -t nat -A PREROUTING -d $OUTSIDE_IP -p udp --dport 27015 -j DNAT --to-dest $CS_SERVER

    ## Turn on forwarding again.
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr

    ##end rc.firewall

    Now, I'm sure that others will be more than happy to point out how flawed this is, but it's what helped me to get started. I had a hard time reading all those sites and books and trying to figure this stuff out for myself.

    Once I put up a website and started hosting my own e-mail and DNS, I reworked this, taking out the flaw I noted above, and changed it to deny all and allow certain ports, which I think is easier to visualize and design; however, I had trouble at first getting it to work.

    Hope this helps, and others can tweak what is here to make it easier or better for newcomers to iptables to learn.

    --- And since I pieced this together from a collection of files I had broken up to simplify my rules once I had expanded and changed everything, I cannot say that copying this file and executing it will work perfectly without some errors. So please just read and follow the code, look up what's done, and try to understand how it's doing it, and what order and commands you need to use.

  7. #7
    Senior Member
    Join Date
    Feb 2002

    To use iptables you need to su to root in a terminal (in KDE, Konsole will do fine).

    Here is a very simple guide by one of our members here at AO (not me--I found this in the Tutorials Section).
    Read the guide very carefully. If you're new, I recommend allowing all outgoing traffic. That means when you set the policy for the OUTPUT chain, set it to accept.

    If you're using RedHat 7.3, you will need to put /sbin/iptables before each command you use. Press enter after each command you use on the command line.

    One more thing. You want your iptables to start up when you boot your Linux. Here's what to do with Red Hat:

    After you enter all your rules, do this: /sbin/iptables-save > /etc/sysconfig/iptables

    This will save your iptables firewall rules. Your firewall will automatically start up when you boot your system. When you get through, go to www.grc.com and take the Shields UP test. It isn't very comprehensive, but it will give you an idea if your firewall is working ok. All your ports should be "stealth" if you did it right.
    For the wages of sin is death, but the free gift of God is eternal life in Christ Jesus our Lord.
    (Romans 6:23, WEB)
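    A deny-by-default rule set of the kind post #6 describes reworking towards, written in the iptables-restore format that post #7's /etc/sysconfig/iptables holds. This is an added example, not code from either poster; the outside interface, outside address and open port list are assumptions the caller passes in.

```shell
#!/bin/sh
# Added example, not code from the thread: emit a default-deny rule set in
# the iptables-restore format that Red Hat keeps in /etc/sysconfig/iptables.
# The interface, outside address and port list are assumptions passed in by the caller.

# make_ruleset OUT_IF OUTSIDE_IP "tcp ports"   (prints the rule set on stdout)
make_ruleset() {
    out_if=$1
    outside_ip=$2
    tcp_ports=$3
    printf '%s\n' '*filter'
    # Default policies: nothing in or through unless a rule allows it;
    # outbound stays open, which post #7 recommends for a first firewall.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback, replies to connections this box started, nothing malformed.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state INVALID -j DROP'
    # Only the services you actually host, bound to the outside address.
    for p in $tcp_ports; do
        printf '%s\n' "-A INPUT -i $out_if -d $outside_ip -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Echo reply, destination unreachable and time exceeded keep traceroute
    # and path-MTU discovery working; all other ICMP falls to the DROP policy.
    for t in 0 3 11; do
        printf '%s\n' "-A INPUT -i $out_if -p icmp --icmp-type $t -j ACCEPT"
    done
    # Log (rate-limited) what is about to be dropped, so probes show up in
    # /var/log/messages instead of you guessing whether the rules fired.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "'
    printf '%s\n' 'COMMIT'
}

# accept_rules_for PORT RULESET: number of NEW-connection ACCEPT rules for a
# port. A quick sanity check before loading: every port you meant to open
# should come back 1, anything else 0.
accept_rules_for() {
    printf '%s\n' "$2" | grep -c -- "--dport $1 -m state --state NEW -j ACCEPT" || true
}

# Run with constructed values; pipe the output into iptables-restore, or
# save it as /etc/sysconfig/iptables on Red Hat so it loads at boot.
make_ruleset eth0 192.0.2.10 "22 80"
```

    Compare the result with what the nmap scan from post #5 reports from the remote box: only the ports you passed in should answer, everything else should show as filtered.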

  8. #8
    Senior Member
    Join Date
    Aug 2002
    Thanks guys... every time I have a problem (Windows, Linux, multi-OS systems, etc.) members of AO reply very quickly.

    And I FEEL this is "MY HOME WEBSITE"

    Thanks JP keep up a good work
