Young and innocent, want some... help


Xysus
08-21-2001, 05:37 AM
WELL, WEll, well... It all begins with wanting to set up a firewall for my "unprotected, innocent young little Linux box." ;) Been reading a whole lot these couple of days. I told myself, "SIMPLE.... type in some lines in iptables, save, restart and here's my armoured, still young and still innocent box!" BUT, just when I was going about doing some "actions" (oh yea!) I finally realized ...where is my iptables!?
Under /etc/sysconfig, I could find ipchains, but not iptables. So I typed rpm -q iptables, got "iptables-1.2.1a-1". I checked /usr/local/sbin (default directory for iptables >1.2, right?) and nothing is there..
You gurus please give me and my "unprotected, innocent, young box" a hand... (I am using RH7.1, Kernel 2.4.2)

please ask if more info is needed..

lsibn
08-21-2001, 12:18 PM
Originally posted by Xysus:
WELL, WEll, well... It all begins with wanting to set up a firewall for my "unprotected, innocent young little Linux box." ;) Been reading a whole lot these couple of days. I told myself, "SIMPLE.... type in some lines in iptables, save, restart and here's my armoured, still young and still innocent box!" BUT, just when I was going about doing some "actions" (oh yea!) I finally realized ...where is my iptables!?
Under /etc/sysconfig, I could find ipchains, but not iptables. So I typed rpm -q iptables, got "iptables-1.2.1a-1". I checked /usr/local/sbin (default directory for iptables >1.2, right?) and nothing is there..
You gurus please give me and my "unprotected, innocent, young box" a hand... (I am using RH7.1, Kernel 2.4.2)

please ask if more info is needed..
# /sbin/iptables --version
iptables v1.2.1a

And as for setting up a firewall, if you want an utterly anal-retentive one (which is fine if you aren't running any services like telnet, etc...) then put these in a script:

#!/bin/sh
# Firewall/NAT script. "eth1" is the interface facing the outside world;
# change it to whatever you actually have (see the note below).
PATH=/sbin:/usr/sbin:$PATH
export PATH

# Connection tracking (the ftp helper lets active FTP through the stateful rules)
modprobe ip_conntrack
modprobe ip_conntrack_ftp

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

iptables -P FORWARD DROP

# Masquerade everything that leaves through the outside interface
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# "block" chain: accept replies to connections we started, accept new
# connections only if they did NOT arrive on the outside interface, drop the rest
# (newer iptables versions spell the inverted match "! -i eth1")
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! eth1 -j ACCEPT

iptables -A block -j DROP
iptables -A INPUT -j block
iptables -A FORWARD -j block

Now, it's very important that you modify this script above. When I say eth1, it's the NIC connected to the outside world. If your cable modem is plugged into eth0, then say eth0 instead. If you don't have a cable modem, say ppp0 (or whatever you DO have) instead.

Xysus
08-21-2001, 07:29 PM
ok, so I have to manually create the file "iptables". But where should I put this file?
I saw the 1st line of your code "#sbin/iptables" , does this mean I should save this file to "/sbin"?
also, I just found out I got both ipchains and iptables installed on my box, do I have to remove ipchains? or just leave it there...
cheers~

lsibn
08-22-2001, 01:29 AM
Originally posted by Xysus:
ok, so I have to manually create the file "iptables". But where should I put this file?
I saw the 1st line of your code "#sbin/iptables" , does this mean I should save this file to "/sbin"?
also, I just found out I got both ipchains and iptables installed on my box, do I have to remove ipchains? or just leave it there...
cheers~
/sbin is a dir for system binaries - binaries like iptables. /sbin/iptables is the full path to run iptables on RedHat 7.1. Try it. Open a new terminal and (as root) type: /sbin/iptables -L

(the -L means to "List" the rules you have made). Don't save ANYTHING to /sbin/iptables. that's where the command is.

If you save something over iptables, you'll have to reinstall iptables all over again. Just edit that script like I directed, and try running it. You should then be able to access the net from any computer in your network. UNLESS i don't understand what your question was... :confused:

EDIT: And NO, you do not need to uninstall ipchains. You can use iptables if you don't use ipchains, so that shouldn't be a problem.

[ 22 August 2001: Message edited by: lsibn ]

Xysus
08-22-2001, 07:26 AM
oops... heres what I got..

[root@localhost /sbin]# iptables -L
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.1a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[root@localhost /sbin]#

....ok, more help plz.. :0

lsibn
08-22-2001, 08:33 AM
Originally posted by Xysus:
oops... heres what I got..

[root@localhost /sbin]# iptables -L
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.1a: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
[root@localhost /sbin]#

....ok, more help plz.. :0
I'm sorry, I forgot RH71 installs ipchains & iptables, but only uses chains by default. I have no idea whatsoever how to use ipchains, so shut them down:
/etc/init.d/ipchains stop
chmod -x /etc/init.d/ipchains
rmmod ipchains

And THEN try running the commands I listed above. Sorry about my memory... :(

Xysus
08-22-2001, 09:31 AM
WoW... it's working now..!! Thanks a lot man~~ The sky has brightened, I could hear songs coming from the sky....

But I have a couple more questions, if you don't mind.. ;)
--Do I have to disable ipchains every time I start up the box? or is it done..no more ipchains.
--I am a total newbie in linux, so when you say "script" does it just simply mean a txt file? Let me put it this way.. how do I make a script?
--You said don't save the rule in sbin/iptables, so how can I not run the script on every startup?
cheers~~

AllenStone
08-27-2001, 10:03 PM
Thanks a lot for the post lsibn; it helped me also. I have a question though. What iptables definition do I use for ssh? I can get into it from the internal network, but not externally.

Thanks for the help.

Craig McPherson
08-29-2001, 12:23 AM
This works for me:

iptables -A INPUT -p tcp --sport 513: --dport 22 -j ACCEPT

This assumes you have SSH running on port 22. The firewall I use has default Accept on the Output table; if you do default Drop/Reject you'll need to add a corresponding Output rule.
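Pulling the thread's loose ends together (Xysus's "how do I make a script / run it at startup", the ipchains "Device or resource busy" failure, and AllenStone's ssh question), here is an added example script. It is not lsibn's, Craig's or anyone else's code from this thread, and it assumes RH 7.1-era iptables 1.2 syntax ("-i ! eth1"; newer versions spell it "! -i eth1"). The variable names WAN_IF, SSH_PORT, IPT and MODULES_FILE and the "start" argument are choices made for this example. Unlike Craig's rule, inbound ssh is matched on the destination port plus connection state rather than on the client's source port, which a client controls.

```shell
#!/bin/sh
# Added example (not from this thread): a small gateway firewall script in the
# spirit of lsibn's rules, with three changes:
#   - it refuses to run while the ipchains module is loaded (the cause of the
#     "init_module: Device or resource busy" error seen in the thread),
#   - the outside interface and the ssh port are variables, not hard-coded,
#   - inbound ssh from the outside is allowed by destination port + NEW state.
# Assumes iptables 1.2 syntax ("-i ! eth1"); newer versions use "! -i eth1".

IPT="${IPT:-/sbin/iptables}"                  # set IPT=echo to print rules instead of applying them
MODULES_FILE="${MODULES_FILE:-/proc/modules}"

# True (exit 0) when the ipchains module appears in a /proc/modules-style listing.
# ipchains and ip_tables cannot both be loaded in a 2.4 kernel.
ipchains_loaded() {
    grep -q '^ipchains ' "$1"
}

# Kernel side: connection tracking modules and forwarding (root only).
enable_kernel_bits() {
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
}

# Build the ruleset. $1 = outside interface (eth1, eth0, ppp0 ...), $2 = ssh port.
apply_rules() {
    wan="$1"
    sshport="${2:-22}"

    # Start from a clean slate so the script can be re-run; the two silenced
    # commands fail harmlessly the first time, when "block" does not exist yet.
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -F block 2>/dev/null
    $IPT -X block 2>/dev/null

    $IPT -P FORWARD DROP
    $IPT -t nat -A POSTROUTING -o "$wan" -j MASQUERADE

    # "block": replies to our own connections pass, new connections pass unless
    # they arrived on the outside interface, everything else is dropped.
    $IPT -N block
    $IPT -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A block -m state --state NEW -i ! "$wan" -j ACCEPT
    $IPT -A block -j DROP

    # Inbound ssh to this box from the outside: destination port + NEW state,
    # placed before the jump into "block" so it is evaluated first.
    $IPT -A INPUT -i "$wan" -p tcp --dport "$sshport" -m state --state NEW -j ACCEPT
    $IPT -A INPUT -j block
    $IPT -A FORWARD -j block
}

main() {
    if ipchains_loaded "$MODULES_FILE"; then
        echo "ipchains is loaded; run '/etc/init.d/ipchains stop; rmmod ipchains' first" >&2
        return 1
    fi
    enable_kernel_bits
    apply_rules "${WAN_IF:-eth1}" "${SSH_PORT:-22}"
}

# Only apply when invoked as "./firewall.sh start", so the file can also be sourced.
if [ "${1-}" = "start" ]; then
    main
fi
```

Save it as a plain text file (for example /etc/firewall.sh), `chmod +x` it, and run `WAN_IF=ppp0 /etc/firewall.sh start` as root; `/sbin/iptables -L -n -v` then shows the loaded rules with packet counters. `IPT=echo /etc/firewall.sh start` prints the rules without touching the kernel, which is a cheap way to review the interface substitution before applying it. To run it at every boot on a Red Hat system of that era, append that same start line to /etc/rc.d/rc.local (assumed to exist and to be executed late in the boot sequence).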