Zenwalk: This forum is for the discussion of Zenwalk Linux.
seems to say that all you need to do to use iptables is make an init script that sets up the tables in the kernel.
I have a personal PC with a DSL modem connected to the ethernet card.
Two questions:
1. Is that all there is to it, or is there anything else you have to do?
2. Is there some documentation on how to design good ip tables?
EDIT: I have the iptables tutorial, maybe that's enough. I'll post more specific questions if necessary.
Quote:
seems to say that all you need to do to use iptables is make an init script that sets up the tables in the kernel.
There's basically two approaches. The first is to make a shell script with your iptables commands in it and set that script to execute at boot. The second approach is to execute your iptables commands (either at the command line or from a script), and then save the active configuration to a file, using the iptables-save command. This approach is used a lot on boxes in which the startup scripts are "factory set" to use iptables-restore to activate a saved configuration. Typically the file used for storing the config is /etc/sysconfig/iptables. If you use the first approach, make sure you can do it so that the iptables commands are executed prior to the network being activated, as otherwise there will be a small window of exposure when your firewall rules aren't active. Distros that use the second method already take this into consideration.
This tutorial is insanely long. The best news is that much of it seems unnecessary for a single home pc.
Quote:
Originally Posted by win32sux
There's basically two approaches. ... shell script ... iptables-save ...
Thanks, that's simple enough. So the answer to my first question is No?
I didn't know if there's some software to download, a bunch of config files to edit, or what.
Quote:
Distros that use the second method already take this into consideration.
My system has /usr/sbin/iptables-[save|restore], but that's all I know about it so far.
Quote:
Thanks, that's simple enough. So the answer to my first question is No?
I didn't know if there's some software to download, a bunch of config files to edit, or what.
You're using Zenwalk right? IIRC, that's a distro based on Slackware. So if they kept the "Slackware way" intact, you basically just need to create a /etc/rc.d/rc.firewall file with your iptables commands in it. Patrick Volkerding (the Slackware creator/maintainer) has already designed the startup scripts such that rc.firewall is loaded at the proper time. So yeah, on Slackware-based distros you basically just stick your iptables script in /etc/rc.d/rc.firewall and you're done.
For a home PC, said script can be super simple, like say:
Code:
#!/bin/sh
# Set the default policy first, so INPUT is never open while the rules are rebuilt
iptables -P INPUT DROP
# Flush any old INPUT rules in case the script is run again
iptables -F INPUT
# Accept replies to connections this machine initiated
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
This extremely simple script would provide you with a full stealth firewall configuration.
EDIT: Remember to make the rc.firewall root-owned and executable.
Last edited by win32sux; 12-11-2007 at 11:34 PM.
Reason: Added "-F" in case script is re-executed.
Quote:
you basically just need to create a /etc/rc.d/rc.firewall file with your iptables commands in it.
In /etc, inittab calls rc.d/rc.M in multiuser mode, rc.M is already set up to call rc.netfilter if it's executable, and rc.netfilter has some calls to iptables and a function where I can put more. Do I need rc.firewall in addition to that, or is rc.netfilter some kind of substitute?
Quote:
For a home PC, said script can be super simple, like say:
Code:
#!/bin/sh
iptables -P INPUT DROP
iptables -F INPUT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
Thanks, I'll try that.
Quote:
This extremely simple script would provide you with a full stealth firewall configuration.
Good. Is there any reason I would want to allow forwarding?
This line is in rc.netfilter:
Code:
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Quote:
In /etc, inittab calls rc.d/rc.M in multiuser mode, rc.M is already set up to call rc.netfilter if it's executable, and rc.netfilter has some calls to iptables and a function where I can put more. Do I need rc.firewall in addition to that, or is rc.netfilter some kind of substitute?
Sounds like the Zenwalk developers decided to tweak the "Slackware way" a little bit. I would expect rc.netfilter to be their replacement, so you'd only need to use that. I only say this because it would be quite weird IMHO to have two different files for setting up the firewall rules. So yeah, just stick the rules in rc.netfilter. Then reboot and check that they became active by doing a:
Code:
iptables -nvL
Quote:
Good. Is there any reason I would want to allow forwarding?
This line is in rc.netfilter:
Code:
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
The only reason to have FORWARD rules is if you have forwarding enabled, which would only be necessary if your box is configured to act as a gateway for a LAN or something of that nature. You can check if forwarding is enabled by doing a:
Code:
cat /proc/sys/net/ipv4/ip_forward
If you get a zero as output, then forwarding is disabled - in which case any FORWARD rules will be pointless. So if you aren't a gateway, there's no need for any FORWARD rules.
BTW, can you post the contents of the default rc.netfilter file? I did a quick google and I got the impression it uses some sort of special layout, unlike rc.firewall.
EDIT: According to this post on the Zenwalk forums, you just need to use iptables-save to save the configuration to the /etc/netfilter/policy.netfilter file. The startup script will pick it up from there. I don't know if this is true, though. I downloaded the Zenwalk manual and searched through it but couldn't find anything about how Zenwalk wants firewall rules to be set. I think you should get much better support in the LQ Zenwalk forum, as this is extremely distro-specific. So I'm moving this thread over there, and leaving a permanent redirect here in Security.
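A way to check the saved ruleset itself rather than only eyeballing `iptables -nvL`, added here as an example that is not from the thread or from Zenwalk: the script reads a file in iptables-save format (what iptables-restore loads, e.g. from /etc/netfilter/policy.netfilter), confirms that the INPUT policy is DROP and that the loopback and RELATED,ESTABLISHED rules are present, and notes FORWARD rules that can never match while ip_forward is 0. The function names and the sample dump are constructed for this example.

```shell
#!/bin/sh
# Audit a saved iptables policy (iptables-save format, the file iptables-restore reads).
# Added example; function names and the sample dump below are constructed, not Zenwalk's.

# INPUT chain policy must be DROP: the dump shows it as ":INPUT DROP [pkts:bytes]"
input_policy_is_drop() {
    grep -q '^:INPUT DROP ' "$1"
}

# The two rules that keep a default-DROP box usable: loopback and stateful return traffic
has_baseline_input_rules() {
    grep -q -- '^-A INPUT -i lo -j ACCEPT$' "$1" &&
    grep -Eq -- '^-A INPUT -m state --state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT$' "$1"
}

# Number of rules in the FORWARD chain (grep -c exits 1 on zero matches, hence || true)
count_forward_rules() {
    grep -c -- '^-A FORWARD ' "$1" || true
}

# audit_policy FILE IP_FORWARD
#   FILE       saved policy in iptables-save format
#   IP_FORWARD contents of /proc/sys/net/ipv4/ip_forward (0 or 1)
# Prints findings; the return value is the number of hard failures.
audit_policy() {
    file=$1
    fwd=$2
    failures=0
    if input_policy_is_drop "$file"; then
        echo "ok: INPUT policy is DROP"
    else
        echo "FAIL: INPUT policy is not DROP"
        failures=$((failures + 1))
    fi
    if has_baseline_input_rules "$file"; then
        echo "ok: loopback and RELATED,ESTABLISHED INPUT rules present"
    else
        echo "FAIL: loopback or stateful INPUT rule missing"
        failures=$((failures + 1))
    fi
    nfwd=$(count_forward_rules "$file")
    if [ "$fwd" = "0" ] && [ "$nfwd" -gt 0 ]; then
        echo "note: $nfwd FORWARD rule(s) present but ip_forward=0, so they never match"
    fi
    return "$failures"
}

# Constructed sample dump: the four-line home-PC ruleset plus the FORWARD rule
# quoted from rc.netfilter, with forwarding disabled.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
audit_policy "$SAMPLE" 0
rm -f "$SAMPLE"
```

On a real box the call would be `audit_policy /etc/netfilter/policy.netfilter "$(cat /proc/sys/net/ipv4/ip_forward)"`, run after `iptables-save` has written that file; a non-zero return means the saved policy is not the stealth configuration described above.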
@Hacker X, what version & edition of zenwalk are you running?
Current is 4.8, snapshot is 5.0. But anyway, the 'stock' Zenwalk init scripts include a firewall in /etc/rc.d/rc.inet1.
If you want an rc.firewall script you can do so, but you have to modify /etc/rc.d/rc.inet1 to source rc.firewall, like this:
Code:
########################
# LOAD FIREWALL POLICY #
########################
load_netfilter(){
    if [ "${NETFILTER}" = "yes" ]; then
        ## Load the saved policy
        if [ -e /etc/netfilter/policy.netfilter ]; then
            sh /etc/rc.d/rc.firewall restore
        # start firewall
        else
            sh /etc/rc.d/rc.firewall
            sh /etc/rc.d/rc.firewall save
        fi
    # flush
    else
        sh /etc/rc.d/rc.firewall stop
    fi
}
This is how I do it. I have only been using Zenwalk since 4.6, never seen an rc.netfilter file. Keeping the control by the $NETFILTER variable allows you to switch it on/off from the settings manager network config GUI.
I'm not an iptables guru though, I just use Alien Bob's easy firewall generator to create rc.firewall.
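An rc.firewall that fits the load_netfilter function above and covers both approaches from earlier in the thread (rules applied from a script, then saved with iptables-save and reloaded with iptables-restore), added here as an example; it is not the poster's script, Zenwalk's own file, or output of Alien Bob's generator. It takes an explicit start, stop, save or restore argument, so the bare `sh /etc/rc.d/rc.firewall` line in load_netfilter would become `sh /etc/rc.d/rc.firewall start`; with no argument it only defines its functions. The /etc/netfilter/policy.netfilter path and /usr/sbin/iptables-save|restore are from the thread, /usr/sbin/iptables and the IPT*/POLICY variable names are assumptions.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall  --  usage: rc.firewall {start|stop|save|restore}
# Added example, not the thread's or Zenwalk's script. Command paths and the
# policy file location are assumptions and can be overridden in the environment.
IPT="${IPT:-/usr/sbin/iptables}"
IPT_SAVE="${IPT_SAVE:-/usr/sbin/iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-/usr/sbin/iptables-restore}"
POLICY="${POLICY:-/etc/netfilter/policy.netfilter}"

# Rules for a single home PC exposing no services, the same idea as the
# four-line script earlier in the thread. The DROP policy goes in before the
# flush so there is no moment in which INPUT is open while rules are rebuilt.
fw_start() {
    "$IPT" -P INPUT DROP
    "$IPT" -F INPUT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# "stop" reopens the INPUT chain; load_netfilter calls it when NETFILTER is not "yes".
fw_stop() {
    "$IPT" -P INPUT ACCEPT
    "$IPT" -F INPUT
}

# Write the active ruleset in iptables-save format so iptables-restore can
# load it at the next boot. The file is created readable by root only, since it
# spells out exactly what the firewall permits (umask is changed in a subshell).
fw_save() {
    ( umask 077; "$IPT_SAVE" > "$POLICY" )
}

# Reload the saved ruleset atomically; nothing is applied if the file fails to parse.
fw_restore() {
    "$IPT_RESTORE" < "$POLICY"
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    save)    fw_save ;;
    restore) fw_restore ;;
    "")      ;;   # no argument: only define the functions, so the file can be sourced
    *)       echo "usage: $0 {start|stop|save|restore}" >&2; exit 1 ;;
esac
```

After the first boot with NETFILTER=yes, load_netfilter runs start and then save, so /etc/netfilter/policy.netfilter exists and every later boot takes the restore branch; after editing fw_start, run `rc.firewall start` followed by `rc.firewall save` so the saved file does not silently keep the old rules.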
zw2.6 is pretty old stuff. Sorry, I wouldn't have the foggiest about what's on there.
There are four 'editions' of Zenwalk: standard, core, live, and server. Whatever ISO you have should be labeled as such; otherwise I have no idea where you'd find it. It's most likely something like standard; I don't know how many, or if any, of the other editions existed in 2.6.
Quote:
It's called in multiuser mode by rc.M if it's executable by root.
I see it now, but there is no actual rc.netfilter file (anymore?), at least not in 4.8, -current or snapshot. Maybe a forgotten dinosaur, or a way to give users something similar to Slackware's +x rc.firewall flexibility.