forum.excito.org

I was wondering why there is no iptables running on bubba ?

The package seems to be there.

Would something like this work to start iptables ?

#!/bin/bash

#for e1000 card to work the following are needed
echo "forcing eth0 to 100baseTx-FD full-duplex autoneg off"
/usr/sbin/ethtool -s eth0 duplex full speed 100 autoneg off

echo "forcing stupid settings on e1000 off"
/usr/sbin/ethtool -K eth0 rx off tx off sg off

#3com and other cards use this to configure them
#/bin/echo "forcing eth0 to 100baseTx-FD full-duplex"
#/sbin/mii-tool eth0 -F 100baseTx-FD

# full path of the programs we need - changed them to your needs
iptables=/sbin/iptables
modprobe=/sbin/modprobe
echo=/bin/echo

bubba='192.168.63.103'

# Load appropriate modules.
echo "load iptables module"
$modprobe ip_tables

# we load that modules as we want to do statefull firewalling
echo "load ip_conntrack module"
$modprobe ip_conntrack

# These lines are here in case rules are already in place and the script is ever rerun on the fly.
# We want to remove all rules and pre-exisiting user defined chains and zero the counters
# before we implement new rules.
$iptables -F
$iptables -X
$iptables -Z

echo "flush firewall rules"
iptables -F
iptables -F OUTPUT
iptables -F INPUT
iptables -F FORWARD
## LOOPBACK
# Allow unlimited traffic on the loopback interface.
# e.g. needed for KDE, Gnome
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
$echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects

echo "no forwarding with only one network port"
$echo "0" > /proc/sys/net/ipv4/ip_forward

# don't want services that are not explictly allowed.
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT DROP
# ---------------- INPUT ---------------------

## First rule is to let packetes through which belong to establisted or related connection
# and we let all traffic out as we trust ourself.
$iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## ssh listens on port 22
$iptables -A INPUT -s 0/0 -p tcp --dport 22 -j ACCEPT
##mail server allowed
$iptables -A INPUT -p tcp -s 0/0 --dport 25 -j ACCEPT
##port 80 and 443
$iptables -A INPUT -p tcp -s 0/0 --dport 80-j ACCEPT
$iptables -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
##allow pings
$iptables -A INPUT -p icmp --icmp-type ping -j ACCEPT

Hi tknab2,

you need iptables kernelmodules in order to run netfilter on bubba.
I have compiled some of them and are using it on my own bubba, i can supply them if you'd like.

as for your script, i would leave out the initial ethtool-stuff. Forcing 100/FULL on network without having compliant hardware all the way is not a good idea and would probably perform rather bad. Autonegotiated 100/Full is good enough and both bubba and switch will use it if available.

And the iptables-portion of the script it will work, but if it does what YOU want it to do is a totally different story.
Furthermore i havn't yet compiled the STATE module, but could do that too if you really want them.

And a word of caution, be VERY sure that your iptables script does EXACTLY what you want before putting it in automatic startup at boot. Badly configured iptables/netfilter could very well render your bubba inaccessible! And since there's no local console, you would need to disassemble the unit and plug the harddrive into another linux-system and remove faulty config, or do a system reinstall (the disassemblement will probably void your warranty).

Perhaps excito crew has a place where compiled kernel-modules could be PUT/GET?

I need the iptables modules. I don't want to risk recompiling the kernel.

I've recompiled the iptables modules and you can get them here:

http://www.deviltry.se/~bjorn/bubba/bub ... les.tar.gz

Hi bjorn (and others),

Regarding modules and the posibility to have a place to up/download these i unfortunately think that would be unmanagable. Both in terms of people misuse it for their own purpose and the other thing is security or validity on the uploaded content.

But there is one other solution that actually sits on our todo-list. That is to provide modules precompiled as a package that could be easily installed with apt. Other than that we have a note on our list to write a short howto on recompiling the kernel and in the same part compiling modules as well.

/Tor

If you where to supply precompiled modules as a package it would be great!

I forgot to write in my previous post, the modules posted may very well not work and could possibly be h4xx0red by someone in order to gain unfair access to other bubba systems.

Use them at your own risk!

If you care about security you should compile your own modules from sources grabbed from kernel.org!

/Bjorn

bjorn wrote:If you where to supply precompiled modules as a package it would be great!

I forgot to write in my previous post, the modules posted may very well not work and could possibly be h4xx0red by someone in order to gain unfair access to other bubba systems.

Use them at your own risk!

If you care about security you should compile your own modules from sources grabbed from kernel.org!

/Bjorn

Hi Björn

Please couldnt you make a small howto on how you compiled the iptables kernelmodules in order to run netfilter. This would be grately appriciated!

Cheers
/Limpo