
Change Firewall settings


majtekst
7th February 2005, 07:21 AM
Can someone help me with how I can change firewall settings from the command line? I would like to know how I can permanently open port 22, and close it again when I want.

Thanks,
:( majtekst

CorneLinux
7th February 2005, 12:31 PM
Drop packets on port 22:

iptables -A INPUT -p tcp --dport 22 -j DROP

This adds a rule to iptables.
To delete this rule:
iptables -D INPUT -p tcp --dport 22 -j DROP

If your default policy is drop, then you have to add a rule, to open the port:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

then, to close the port:
iptables -D INPUT -p tcp --dport 22 -j ACCEPT

Regards
Cornelius

majtekst
7th February 2005, 12:35 PM
Thanks!!!

Bye

greatscot
7th February 2005, 04:05 PM
Someone should write up an easy-to-understand tutorial for iptables in such a way that it is intended for newbies. What I'd like to see is how to create a completely closed firewall, no connections allowed from anywhere... and then have the tutorial teach about how to open just the ports that the user needs. Then go on to things like disabling ping, telnet, etc.

I have seen many tutorials about iptables and they all seem to get very technical very quickly and my brain begs me for a CTRL+C, hehe. I'd like to learn iptables, but I guess I ain't smart enough yet.

majtekst
8th February 2005, 07:11 AM
Yes, I agree with you. We need some more details about Security Setting (from command line)...

CorneLinux
9th February 2005, 08:34 PM
Hi,
I guess there is not much sense in writing the 23,201st iptables howto.

Use Google with "iptables howto" and read some of them.
If there are things that are too technical for you, ask about them in the forum. You will not set up your firewall with iptables in 20 minutes. I would set it up in even more time. Let's say one or two hours, and then modify it during the next two weeks.

If someone would write the 23,201st howto, I guess ten persons would like it and n-10 persons would say: why isn't there an easy howto for iptables ;-)

So just start asking your specific problems...

Kind regards
Cornelius

greatscot
10th February 2005, 12:48 AM
I did ask in the forum... I asked for an easier-to-understand iptables how-to ;)
Seen tons of iptables "how-tos" on Google, but they all seem geared toward Linux gurus.
I would end up filling the forum up with questions if I did this.

All I need is to learn:
1. How to create a completely closed firewall, no connections allowed in or out.

2. How to allow only myself out (for surfing, email, IRC, ftp, etc.) and allow no one in.

That doesn't sound like it would be too hard to write up. But, all of the tutorials I see seem like they are trying to prepare me for a Doctorate in Computer Engineering and I already have a Doctorate degree... one is enough, trust me ;)

CorneLinux
10th February 2005, 09:38 PM
OK, here is a small script. But you also should read man pages, howtos and books. This can be a start that might make it easier for you to understand:

#!/bin/bash
# flush all rules
iptables -F
# default policy: drop every incoming packet that no rule below accepts
iptables -P INPUT DROP
# allow everything on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
# allow everything from this local address
iptables -A INPUT -p tcp -s 172.16.200.3 -j ACCEPT
iptables -A INPUT -p udp -s 172.16.200.3 -j ACCEPT
# allow all responses to requests that you sent out to the web
iptables -A INPUT -p tcp -m tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m udp -m state --state RELATED,ESTABLISHED -j ACCEPT
# log everything that reaches the end of the chain (the DROP policy then discards it)
iptables -A INPUT -j LOG

The OUTPUT chain can be ACCEPT. You _could_ also change it to DROP and define all services you want to allow to pass the firewall...

Watch the logs in /var/log/messages and you can decide what other ports you want to open...

Regards
Cornelius
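
As an added example (not Cornelius's script, and not from this thread), here is one way to put his default-deny ruleset and the earlier open/close-port-22 commands together: per-port ACCEPT rules go into their own chain (SERVICES, a name chosen here) that is consulted before the LOG rule, the log is rate limited so a scan cannot flood /var/log/messages, and the open/close helpers check with iptables -C first so repeated calls never stack duplicate rules. It assumes an iptables new enough to support -C (1.4.11 or later, which FC3's is not) and the /etc/sysconfig/iptables location mentioned later in the thread.

```shell
#!/bin/sh
# Default-deny INPUT firewall with idempotent open/close helpers.
# Usage (as root): fw.sh apply | open PORT | close PORT | save
IPT="${IPT:-iptables}"   # set IPT="echo iptables" for a dry run

# has_rule CHAIN RULE... -> exit 0 if that exact rule already exists (iptables -C)
has_rule() { "$IPT" -C "$@" 2>/dev/null; }

# Base ruleset. Per-port ACCEPTs live in the SERVICES chain (assumed name),
# which is consulted before the LOG rule, so open/close never disturb rule order.
apply_base() {
    "$IPT" -F INPUT
    "$IPT" -F SERVICES 2>/dev/null || "$IPT" -N SERVICES
    "$IPT" -P INPUT DROP                                            # default deny
    "$IPT" -A INPUT -i lo -j ACCEPT                                 # loopback
    "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT  # replies to our own traffic
    "$IPT" -A INPUT -m state --state INVALID -j DROP                # do not even log junk
    "$IPT" -A INPUT -m state --state NEW -j SERVICES                # explicitly opened ports
    # rate limited so a port scan cannot fill /var/log/messages
    "$IPT" -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FW-DROP: "
}

# open_port PORT: add the ACCEPT exactly once, however often it is called
open_port() {
    case "$1" in ''|*[!0-9]*) echo "bad port: $1" >&2; return 2 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || { echo "bad port: $1" >&2; return 2; }
    if has_rule SERVICES -p tcp --dport "$1" -j ACCEPT; then
        echo "port $1/tcp already open"
    else
        "$IPT" -A SERVICES -p tcp --dport "$1" -j ACCEPT
    fi
}

# close_port PORT: -D removes one copy per call, so loop until none is left
close_port() {
    while has_rule SERVICES -p tcp --dport "$1" -j ACCEPT; do
        "$IPT" -D SERVICES -p tcp --dport "$1" -j ACCEPT
    done
}

case "${1:-}" in
    apply) apply_base ;;
    open)  open_port "$2" ;;
    close) close_port "$2" ;;
    save)  iptables-save > /etc/sysconfig/iptables ;;  # FC3 location, loaded by /etc/init.d/iptables
    "")    ;;                                          # no arguments: only define the functions
    *)     echo "usage: $0 apply|open PORT|close PORT|save" >&2 ;;
esac
```

Run `fw.sh apply` once, then `fw.sh open 22` / `fw.sh close 22` as needed, and `fw.sh save` so the rules survive a reboot.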

majtekst
11th February 2005, 06:51 AM
It's very good advice for beginners like me. Thanks...


heml0ck
11th February 2005, 03:05 PM
I use a script called gShield which is easy to understand and gives really good control over things without having to learn IPtables language.

heml0ck
11th February 2005, 03:08 PM
I am a newbie to Fedora Core 3. When I installed, the firewall IPtables was set up automatically. I run the gShield script which overwrites whatever Fedora does at start up, so that is ok, but I would like to know where the Core 3 firewall script is stored? What runs it at start up? Does anyone know? Thanks.

CorneLinux
11th February 2005, 04:50 PM
/etc/init.d/iptables start / stop
starts and stops the firewall.

The config is stored in /etc/sysconfig/iptables...

Regards
Cornelius
