Firewall

IP tables

I finally got a little tired of Firestarter - although it did a good job most of the time, it annoyed me when I was trying to share my connection or connect to another box with a simple network.

Actually, all it does is act as a manager of the system's ports, accepting and rejecting traffic, by writing "iptables". So that's why it's possible to ditch your GUI firewall because you can configure your own iptables and have complete control with them, like allow any unusual ports which a GUI firewall might just block.

I still don't know much about IP tables, with hardly any time to learn, but they can be used extensively... I got a firewall set up using the iptables file on the Debian Wiki here https://wiki.debian.org/iptables

With just a few easy steps...

1.    make a test iptables file, as root,

nano /etc/iptables.test.rules  

2.    fill that with the Debian Wiki example (including a new line at end after "COMMIT") and save it

3.    stop firestarter, if you have it running

4.    run

iptables-restore < /etc/iptables.test.rules  

5.    see how it's running with

iptables -L  

6.    save the configuration to the master iptables file with

iptables-save > /etc/iptables.up.rules  

7.    and to have the rules run at start-up, make a file

nano /etc/network/if-pre-up.d/iptables  

fill with this script

#!/bin/sh /sbin/iptables-restore < /etc/iptables.up.rules  

finally, make the script executable with

chmod +x /etc/network/if-pre-up.d/iptables  

Allowing another linux box to share your internet connection

This is called masquerading -but I didn't need a MASQUERADE iptables rule to make it work.

add this rule to the "test.rules" and test it out (your out interface may be different)...

-A FORWARD -i wlan0 -j ACCEPT  

and enable routing

echo 1 > /proc/sys/net/ipv4/ip_forward  

This works with Network manager - server side as "Share" and client side as "Automatic"

Setting_up_a_simple_Debian_gateway

nfs through a firewall via static ports

With nfs (see my nfs page) choosing random ports to send/receive on, how is it going to get through the firewall at all unless those ports it's using are made static and added to the firewall rules? Let's do that then...

there are some 4 files to edit - basically we have to sync some port numbers, and you could use others than these..

nano /etc/default/nfs-kernel-server  

RPCMOUNTDOPTS="--manage-gids --port 892"

nano /etc/default/nfs-common  

STATDOPTS="--port 32765 --outgoing-port 32766"

nano /etc/modprobe.d/local.conf  

options lockd nlm_udpport=32769 nlm_tcpport=32803

nano /etc/services  

# NFS ports rpc.nfsd 2049/tcp # RPC nfsd rpc.nfsd 2049/udp # RPC nfsd rpc.statd-bc 32765/tcp # RPC statd broadcast rpc.statd-bc 32765/udp # RPC statd broadcast rpc.statd 32766/tcp # RPC statd listen rpc.statd 32766/udp # RPC statd listen rpc.mountd 892/tcp # RPC mountd rpc.mountd 892/udp # RPC mountd rpc.lockd 32803/tcp # RPC lockd/nlockmgr rpc.lockd 32769/udp # RPC lockd/nlockmgr  

restart nfs

sudo /etc/init.d/nfs-kernel-server restart rpcinfo -p  

iptable rules to add (to the test.rules file)

-I INPUT -m state --state NEW -p tcp -m multiport --dport 111,892,2049,32803 -s 10.0.0.2 -j ACCEPT -I INPUT -m state --state NEW -p udp -m multiport --dport 111,892,2049,32769 -s 10.0.0.2 -j ACCEPT  

of course   -s 192.168.0.0/24    or   -s 10.0.0.0/24   would allow a lot more IP addresses, and omitted will allow any

then run

iptables-restore < /etc/iptables.test.rules  

and when you're happy

iptables-save > /etc/iptables.up.rules  

lastly, on the client, check for exported shares from server,

showmount -e 10.0.0.1  

and after that you should be mounting the shares OK
(just don't mount the server's home dir in the client's home dir! 8P)


Next page:

XnView MP - configure the image browser