I used this on my new eeepc rebuild and ran a few scans on it and it seems to be fairly effective.I give it a thumbs up
A Simple Firewall
Recently while reading some post about Nmap, I found out that BT3 had no firewall by default; at least not running at the start-up scripts. So I started digging into the topic and came out with a good knowledge on Firewalls and Shell Scripting as well. I encourage those new to linux as myself to really understand what's below and not just copy and run the code. A bit of reading on iptables will come in handy...
Credits to pureh@te Fischer's firewall and the one included in BT3 rc.FireWall. After placing the firewall, a port scan with Nmap -T Aggressive will be unusually slow and ports will show up as filtered and not closed!
To start the script at startup place it in /etc/rc.d and name it. In this case it will be rc.firewall.Code:#!/bin/sh # Variables IPTABLES=/usr/sbin/iptables WAN_IFACE="ath0 eth0" if [ "$1" = "start" ]; then echo "Starting Firewall" # Flush Current Rules $IPTABLES -F $IPTABLES -X # delete all user-defined chains echo 1 > /proc/sys/net/ipv4/tcp_syncookies # DoS Protection echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Disable responding to ping broadcasts echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter # disable spoofing on all interfaces # Set Default Rules for Chains $IPTABLES -P INPUT DROP # Drop every packet from the outside $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow requested INPUTS # Accept local requests $IPTABLES -P OUTPUT ACCEPT # Drop since NAT protocol is not required $IPTABLES -P FORWARD DROP # Section to open desired ports # Open Ports for SSH and HTTP #$IPTABLES -A INPUT -i $WAN_IFACE -p TCP --destination-port 22 -j ACCEPT #$IPTABLES -A INPUT -i $WAN_IFACE -p TCP --destination-port 80 -j ACCEPT elif [ "$1" = "stop" ]; then echo "Firewall Halted" $IPTABLES -F $IPTABLES -X $IPTABLES -P INPUT ACCEPT $IPTABLES -P FORWARD ACCEPT elif [ "$1" = "status" ]; then $IPTABLES -L -v else echo "usage: $0 start|stop|status" fi
bt~ # chmod 775 rc.firewall
bt~ # chmod 775 rc.local
bt~ # kwrite rc.local
Here I used rc.local to load rc.firewall by making both of them executable. Note that I commented out rc.fuse. Any comments will be welcome and also be aware that BT3 has a firewall but is not set to run at start up.Code:#!/bin/bash echo "Initializing rc.local..." #Fuse # To disable Fuse, chmod rc.fuse to 644 #if [ -x /etc/rc.d/rc.fuse ]; then # sh /etc/rc.d/rc.fuse start #fi #Firewall if [ -x /etc/rc.d/rc.firewall ]; then sh /etc/rc.d/rc.firewall start fi
I used this on my new eeepc rebuild and ran a few scans on it and it seems to be fairly effective.
Nice, btw the script is missing this line which allows everything coming from the localhost interface:Originally Posted by pureh@te
I used this on my new eeepc rebuild and ran a few scans on it and it seems to be fairly effective.
Code:$IPTABLES -A INPUT -i lo -j ACCEPT
hmm i've made this script for the firewall...
rc.firewall
# usage: rc.firewall start|stop|status
#
# Simple firewall disallowing all incomming connections
# but allowing all traffic on localhost (lo device)
# and allowing all outgoing traffic for $ALLOWED_PORTS
Code:#!/bin/bash # # enter ports with spaces between eg: "21 80 443" ALLOWED_TCP_PORTS="" ALLOWED_UDP_PORTS="" #----------------------------------------------------------- # Avoid using root's TMPDIR unset TMPDIR # Source networking configuration. # /etc/sysconfig/network # Start the firewall test -x /usr/sbin/iptables || { echo "Iptables not properly installed" exit 1 } start() { KIND="Iptables" echo -n $"Starting $KIND services: " SYSCTLW="/sbin/sysctl -q -w" IPTABLES="/usr/sbin/iptables" # Disable routing triangulation. Respond to queries out # the same interface, not another. Helps to maintain state # Also protects against IP spoofing $SYSCTLW net.ipv4.conf.all.rp_filter=1 # Enable logging of packets with malformed IP addresses, # Disable redirects, # Disable source routed packets, # Disable acceptance of ICMP redirects, # Turn on protection from Denial of Service (DOS) attacks, # Disable responding to ping broadcasts, # Enable IP routing. Required if your firewall is protecting a network, NAT included $SYSCTLW net.ipv4.conf.all.log_martians=1 $SYSCTLW net.ipv4.conf.all.send_redirects=0 $SYSCTLW net.ipv4.conf.all.accept_source_route=0 $SYSCTLW net.ipv4.conf.all.accept_redirects=0 $SYSCTLW net.ipv4.tcp_syncookies=1 $SYSCTLW net.ipv4.icmp_echo_ignore_broadcasts=1 # $SYSCTLW net.ipv4.ip_forward=1 # Firewall initialization, remove everything, start with clean tables $IPTABLES -F # remove all rules $IPTABLES -X # delete all user-defined chains $IPTABLES -P OUTPUT ACCEPT # allow all outgoing packets $IPTABLES -P FORWARD DROP # drop all forward packets $IPTABLES -P INPUT DROP # drop all incomming packets # allow everything for loop device $IPTABLES -A INPUT -i lo -j ACCEPT $IPTABLES -A OUTPUT -j ACCEPT # allow DNS in all directions # $IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT # $IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT # Allow previously established connections $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # allowed ports for PORT in $ALLOWED_TCP_PORTS; do $IPTABLES -A INPUT -p tcp --dport $PORT -j ACCEPT done for PORT in $ALLOWED_UDP_PORTS; do $IPTABLES -A INPUT -p udp --dport $PORT -j ACCEPT done # Create a chain for logging all dropped packets $IPTABLES -N LOG_DROP # $IPTABLES -A LOG_DROP -j LOG --log-prefix "Attack log: " $IPTABLES -A LOG_DROP -j DROP $IPTABLES -A INPUT -j LOG_DROP # drop all incomming $IPTABLES -A FORWARD -j LOG_DROP # drop all forwarded echo $KIND services started... RETVAL=0 echo [ $RETVAL -eq 0 ] && touch /var/lock/subsys/iptables return $RETVAL return 0 } stop() { KIND="Iptables" echo -n $"Shutting down $KIND services: " IPTABLES="/usr/sbin/iptables" $IPTABLES -F $IPTABLES -X $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IPTABLES -P INPUT ACCEPT #test -f /var/lock/subsys/iptables && kill `cat /var/lock/subsys/iptables` RETVAL=$? #sleep 4 if [ "$RETVAL" == "0" ]; then rm -f /var/lock/subsys/iptables echo $KIND services stopped successfully else echo Failed! Could not stop $KIND services... fi echo return 0 } rhstatus() { echo "-----------------------------------------------------------------------------------------------------------------" IPTABLES="/usr/sbin/iptables" $IPTABLES -L -v echo "-----------------------------------------------------------------------------------------------------------------" } case "$1" in start) start ;; stop) stop ;; status) rhstatus ;; *) echo "Usage: rc.FireWall {start|stop|status}" exit 1 esac exit $?
Giptables
Try this. A great script for firewall.
www dot giptables dot org
try this www dot giptables dot org
Please, delete this post it's duplicated. thank you
Program Utilizing IP Tables
try Slackfire
its a good prog for IP tables
How do I find / activate the BT3 firewall i'm just setting up bt3 F and i don't know a whole lot about it
I found a rather simple script upon which to build at /etc/rc.d/rc.FireWall start|stop|status
If you want to use the one that comes with BT3F simple rename rc.FireWall in /etc/rc.d/ to rc.firewall. Also give it executing rights if not done. DoHow do I find / activate the BT3 firewall i'm just setting up bt3 F and i don't know a whole lot about it
before rebooting and after to see if the firewall script was executed at start-up. If it wasn't, place a line in rc.local to execute it. Good luck!Code:iptables -L
Posting Permissions