This is a discussion on newbie needs help with iptables basics (please) within the Linux Security forums, part of the System Security and Security Related category.
I could really use some help setting up a basic firewall using iptables. Yes I have RTFM (man iptables) and have read several docs off the net and pages from my Linux Bible and Network Security Bible, but for some reason my brain is somewhat mush putting it all together. If some kind souls here could help me walk through a basic set of iptables commands for a basic firewall I would be very grateful; I am willing to learn at each step, propose the commands, just could use some help telling me where I go wrong, etc.

I have a home LAN with a home office PC (192.168.1.100) hooked up to a LinkSys WiFi Etherfast Router hooked up to a cable modem. I have a secondary PC (192.169.1.101) also cabled to the router, hence basically a two-computer LAN, not including any wifi connections to the router. Mandriva (Mandrake) Linux LE2005 on an AMD cpu system. For the sake of the exercise, let us say my router's IP is 300.10.10.100 (not a real IP address of course, for anonymity's sake here).

I want to allow basic internet activity: access web pages via HTTP and also HTTPS, access FTP downloads, SSH client connections to remote computers, run an SSHD daemon (port 22) sometimes off my main PC and also off my second PC, and open up specific ports for gaming (Unreal Tournament Game needs ports 27900-28902 TCP and 7777-7787 UDP) connections to both the internet and among LAN computers (for a LAN hosted game).

If I try proposing what I think are the iptables commands here, will someone help tell me where I am going wrong, perhaps tell me what to fix/change? I really want to understand iptables for configuring a firewall at the command line level. Or help me by discussing the commands as I propose them here?

Any help appreciated.
On Fri, 22 Jul 2005 11:58:02 -0500, Proteus <nospam@nowhere.net> wrote:
> I could really use some help setting up a basic firewall using iptables. Yes I have RTFM (man iptables) and have read several docs off the net and pages from my Linux Bible and Network Security Bible, but for some reason my brain is somewhat mush putting it all together. If some kind souls here could help me walk through a basic set of iptables commands for a basic firewall I would be very grateful; I am willing to learn at each step, propose the commands, just could use some help telling me where I go wrong, etc.
>
> I have a home LAN with a home office PC (192.168.1.100) hooked up to a LinkSys WiFi Etherfast Router hooked up to a cable modem. I have a secondary PC (192.169.1.101) also cabled to the router, hence basically a two-computer LAN, not including any wifi connections to the router. Mandriva (Mandrake) Linux LE2005 on an AMD cpu system. For the sake of the exercise, let us say my router's IP is 300.10.10.100 (not a real IP address of course, for anonymity's sake here).
>
> I want to allow basic internet activity: access web pages via HTTP and also HTTPS, access FTP downloads, SSH client connections to remote computers, run an SSHD daemon (port 22) sometimes off my main PC and also off my second PC, and open up specific ports for gaming (Unreal Tournament Game needs ports 27900-28902 TCP and 7777-7787 UDP) connections to both the internet and among LAN computers (for a LAN hosted game).
>
> If I try proposing what I think are the iptables commands here, will someone help tell me where I am going wrong, perhaps tell me what to fix/change? I really want to understand iptables for configuring a firewall at the command line level. Or help me by discussing the commands as I propose them here?
>
> Any help appreciated.

I had a similar question to you regarding IPTABLES and found a pretty awesome video CBT for IPTABLES from www.linuxcbt.com. Advanced folks would yawn at this stuff, but you and me.....just like pavlov's dog...saliva everywhere!

Here is a blurb from disc 10: Linux Defensive Security Implementation Techniques

    Implement Multi-Router Traffic Grapher (MRTG) to establish network performance baseline
    Configure Cisco PIX firewall for MRTG support via Simple Network Management Protocol (SNMP)
    Configure MRTG to generate performance & bandwidth-related graphs for Cisco PIX firewall
    Implement IP Tables Host-based firewall support
    Configure IP Tables to restrict access to necessary services
    Introduce, discuss & plan the implementation of Snort 2.0 Intrusion Detection System (IDS)
    Discuss Snort intrusion detection concepts related to hubs & switches
    Install Snort 2.0 Network-based Intrusion Detection System
    Implement Snort 2.0 network sniffing functionality
    Implement Snort 2.0 sniffing & packet-logging functionality
    Demonstrate Snort's ability to monitor traffic between designated hosts
    Demonstrate password theft using Snort & FTP connections
    Demonstrate password theft using Snort & Apache HTTP basic authentication connections
    Implement Snort 2.0 Network-based Intrusion Detection System
    Implement SnortSnarf for web-based reporting of Snort 2.0 logs
    Examine SnortSnarf reports via SSL-enabled web session
    Demonstrate how to implement port mirroring on Cisco Catalyst switches
    Implement Network Address Translation (NAT)
    Discuss & Implement Port Address Translation (PAT)
    Implement TCP Wrappers
    Configure Xinetd to suppress access to the system from port-scanners
    Discuss & Disable Portmap services

You're looking for the classic edition.
chez wrote:
> I had a similar question to you regarding IPTABLES and found a pretty awesome video CBT for IPTABLES from www.linuxcbt.com. Advanced folks would yawn at this stuff, but you and me.....just like pavlov's dog...saliva everywhere!...You're looking for the classic edition.

It looks really good. But at $600 it is a bit pricey for my wanting to set up a firewall for my home PC. Guess I will have to trudge through the trenches and learn iptables the non-video harder way.
Proteus wrote:
> I could really use some help setting up a basic firewall using iptables. Yes
<snip>

Learning iptables is admirable.......... but consider a firewall "script" first. It'll allow you to protect yourself instantly, and at the same time allow you to create and understand progressively more comprehensive filters. Lots of scripts around that produce pretty displays (e.g. firestarter), but questionable firewalls. Firehol, imho, is very sound and extremely powerful, quick to use, and will aid you in learning iptables/netfilter. Once you learn it, you may well decide that you don't want to fool with iptables.
"Proteus" <nospam@nowhere.net> wrote in message
news:jB9Ee.930$VG6.172@fe07.lga > I could really use some help setting up a basic firewall using > iptables. Yes I have RTFM (man iptables) and have read several docs > off the net and pages from my Linux Bible and Network Security Bible, > but for some reason my brain is somewhat mush putting it all > together. If some kind souls here could help me walk through a basic > set of iptables commands for a basic firewall I would be very > grateful; I am willing to learn at each step, propose the commands, > just could use some help telling me where I go wrong, etc. http://physics.ramapo.edu/downloads/...8122002.tar.gz will be very helpful to you. You'll need to create a startup/shutdown script for it, but that's a fairly trivial task given the numerous other such scripts already resident on your machine. The only changes I'll suggest are to edit/comment the following lines: /sbin/iptables -A INPUT -p tcp -i ${UPLINK} -j DROP \ #--reject-with tcp-reset /sbin/iptables -A INPUT -p udp -i ${UPLINK} -j DROP \ #--reject-with icmp-port-unreachable which will make your Internet interface invisible to all others, except those who already have an ESTABLISHED,RELATED connection. Some here will object to such a suggestion, but it's your machine to configure as you like. Install the ip_conntrack_ftp.o kernel module by whatever means is appropriate to your distro, e.g.: /sbin/insmod ip_conntrack_ftp and you're good to go. You can then edit that script to add whatever functionality you need as you learn more. |
I wrote in message news:3kdss4FthqmtU1@individual.net
> The only changes I'll suggest are to edit/comment the following lines:
>
>     /sbin/iptables -A INPUT -p tcp -i ${UPLINK} -j DROP \
>         #--reject-with tcp-reset
>     /sbin/iptables -A INPUT -p udp -i ${UPLINK} -j DROP \
>         #--reject-with icmp-port-unreachable

Correction, please:

    /sbin/iptables -A INPUT -p tcp -i ${UPLINK} -j DROP \
        #REJECT --reject-with tcp-reset
    /sbin/iptables -A INPUT -p udp -i ${UPLINK} -j DROP \
        #REJECT --reject-with icmp-port-unreachable
Proteus wrote:
> I could really use some help setting up a basic firewall using iptables. Yes I have RTFM (man iptables) and have read several docs off the net and pages from my Linux Bible and Network Security Bible, but for some reason my brain is somewhat mush putting it all together. If some kind souls here could help me walk through a basic set of iptables commands for a basic firewall I would be very grateful; I am willing to learn at each step, propose the commands, just could use some help telling me where I go wrong, etc.
>
> I have a home LAN with a home office PC (192.168.1.100) hooked up to a LinkSys WiFi Etherfast Router hooked up to a cable modem. I have a secondary PC (192.169.1.101) also cabled to the router, hence basically a two-computer LAN, not including any wifi connections to the router. Mandriva (Mandrake) Linux LE2005 on an AMD cpu system. For the sake of the exercise, let us say my router's IP is 300.10.10.100 (not a real IP address of course, for anonymity's sake here).
>
> I want to allow basic internet activity: access web pages via HTTP and also HTTPS, access FTP downloads, SSH client connections to remote computers, run an SSHD daemon (port 22) sometimes off my main PC and also off my second PC, and open up specific ports for gaming (Unreal Tournament Game needs ports 27900-28902 TCP and 7777-7787 UDP) connections to both the internet and among LAN computers (for a LAN hosted game).
>
> If I try proposing what I think are the iptables commands here, will someone help tell me where I am going wrong, perhaps tell me what to fix/change? I really want to understand iptables for configuring a firewall at the command line level. Or help me by discussing the commands as I propose them here?
>
> Any help appreciated.

Do I read you right? You want to run an iptables firewall on the PCs rather than a linux router?

If so, the LinWiz website can be used to construct your iptables rule set for you from a simple-to-fill web form.

http://www.lowth.com/LinWiz

Chris
Wolfman's Brother wrote:
...
> Do I read you right? You want to run an iptables firewall on the PCs rather than a linux router? If so, the LinWiz website can be used to construct your iptables rule set for you from a simple-to-fill web form.
>
> http://www.lowth.com/LinWiz
...

Very nice site for a newbie novice setting up a Linux firewall! Thank you.