ab iptables (downloads netfilter & iptables)
DO THIS FROM CONSOLE (not from SSH, otherwise you'll disconnect yourself!)
eth0 = WAN , eth1 = LAN , eth2 = DMZ
List all chains, numeric values (port #'s), verbose with interfaces, line numbers
iptables -L -n -v --line-numbers
set the default policy of each chain to DROP, and then flush any existing rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
maybe faster to just use iptables --flush
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
delete all user-defined chains, then zero the iptables counters
iptables -X
iptables -Z
Allow loopback (as the first rule in the chain)
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -I OUTPUT 1 -o lo -j ACCEPT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
iptables -L -n -v --line-numbers
Allow incoming ping requests from LAN on eth1 , echo-request = 8 in numeric
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j ACCEPT
Allow outgoing ping replies to LAN , echo reply = 0 in numeric
iptables -A OUTPUT -o eth1 -p icmp --icmp-type echo-reply -j ACCEPT
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Forward ping requests from LAN to WAN
iptables -A FORWARD -i eth1 -o eth0 -p icmp --icmp-type echo-request -j ACCEPT
Forward the ping replies coming back from WAN to LAN , echo reply = 0 in numeric (FORWARD chain, not OUTPUT: these packets are not generated by the firewall itself)
iptables -A FORWARD -i eth0 -o eth1 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -L -n -v --line-numbers
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
allow new outgoing traffic from LAN to WAN
iptables -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED -j ACCEPT
allow established traffic from the WAN back into the LAN
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED -j ACCEPT
show the nat table
iptables -t nat -nvL
DMZ to internet = OK
Internet to DMZ = only one port, ESTABLISHED = OK
from LAN to DMZ = OK
from DMZ to LAN = only one port?
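The steps above (default DROP, flush, loopback, LAN/WAN forwarding with connection tracking) and the three-zone DMZ policy sketched just above, put together in one script. This is an added example, not a script from the original notes. Interface roles follow the notes (eth0 = WAN, eth1 = LAN, eth2 = DMZ); DMZ_PORT (the one port the Internet may reach in the DMZ), DMZ_TO_LAN_PORT (the one port the DMZ may open to the LAN) and the MASQUERADE rule are assumptions, not values from the notes. Run with "apply" as root from the console to load the rules; any other invocation only prints them.

```sh
#!/bin/sh
# Added example, not from the original notes: one script that applies the
# three-zone policy sketched above. eth0 = WAN, eth1 = LAN, eth2 = DMZ as in
# the notes. DMZ_PORT, DMZ_TO_LAN_PORT and the MASQUERADE rule are assumed
# placeholders, not values from the notes. With no argument the script only
# prints the rules (dry run); "apply" executes them.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
DMZ=${DMZ:-eth2}
DMZ_PORT=${DMZ_PORT:-443}                  # assumed placeholder
DMZ_TO_LAN_PORT=${DMZ_TO_LAN_PORT:-5432}   # assumed placeholder
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}

# Wrapper: print the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        "$IPT" "$@"
    fi
}

# Same order as the notes: default policy DROP first, then flush, delete
# user chains and zero counters, so there is no window in which the old
# rules are gone while the policy still says ACCEPT.
reset_tables() {
    for chain in INPUT FORWARD OUTPUT; do
        ipt -P "$chain" DROP
    done
    ipt -F
    ipt -X
    ipt -Z
    ipt -t nat -F
}

build_rules() {
    reset_tables
    # Loopback first, as in the notes.
    ipt -I INPUT 1 -i lo -j ACCEPT
    ipt -I OUTPUT 1 -o lo -j ACCEPT
    # Replies and related traffic for anything already allowed, in every chain.
    for chain in INPUT OUTPUT FORWARD; do
        ipt -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # Ping from the LAN to the firewall itself (the reply matches ESTABLISHED).
    ipt -A INPUT -i "$LAN" -p icmp --icmp-type echo-request -j ACCEPT
    # LAN -> WAN and LAN -> DMZ: any new connection; replies return via ESTABLISHED.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$DMZ" -m state --state NEW -j ACCEPT
    # DMZ -> Internet = OK.
    ipt -A FORWARD -i "$DMZ" -o "$WAN" -m state --state NEW -j ACCEPT
    # Internet -> DMZ: only the one published port.
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -p tcp --dport "$DMZ_PORT" -m state --state NEW -j ACCEPT
    # DMZ -> LAN: only one port, so a compromised DMZ host cannot reach the LAN freely.
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -p tcp --dport "$DMZ_TO_LAN_PORT" -m state --state NEW -j ACCEPT
    # Assumed: private LAN/DMZ addresses are NATed behind the WAN address.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

if [ "${1:-}" = apply ]; then
    DRY_RUN=0
fi
build_rules
```

The dry run is worth keeping: diffing its output against `iptables -S` after an apply is a quick way to confirm the box is running the rules you think it is, and it lets you review the rule set before touching a firewall you can only reach over the network.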
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
WAN = eth1 , allowing port 443
iptables -A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -o eth1 -p icmp --icmp-type echo-reply -j ACCEPT
-p protocol = tcp or icmp
-s source = source ip address?
-d = destination ip (and mask)
create a new chain for icmp_packets
iptables -N icmp_packets
Allow established and related connections, i.e. replies to traffic started from inside, not new connections from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
--state = NEW,ESTABLISHED,RELATED
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:Ch14:_Linux_Firewalls_Using_iptables
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MICROCORE PERSISTENT BOOT AND NETWORK SCRIPTS
default 0
timeout 2
title microcore-3-3
kernel /boot/bzImage tce=hda1 home=hda1 opt=hda1 noswap vga=771
initrd /boot/microcore.gz
vi /home/tc/static-network.sh
#!/bin/sh
ifconfig eth0 10.10.10.238 netmask 255.255.255.0 broadcast 10.10.10.255 up
route add default gw 10.10.10.3 eth0
# write resolv.conf as root (a plain "sudo cat > file" would redirect as the unprivileged user)
sudo sh -c 'cat > /etc/resolv.conf' << EOF
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF
UNFORTUNATELY THE TRICKS TO MODIFYING resolv.conf REQUIRE ROOT PERMISSIONS...
Instead apparently: sudo vi /usr/share/udhcpc/default.script
after the line "echo nameserver $i >> $RESOLV_CONF" (around line 36) insert on the next line:
echo "nameserver 8.8.8.8" >> $RESOLV_CONF
press Escape, then :x (write and quit)
ensure the modified file is added to the backup list (/opt/.filetool.lst), then back up & reboot & test
echo /usr/share/udhcpc/default.script >> /opt/.filetool.lst
filetool.sh -b
sudo reboot
(THESE WON'T WORK IF YOU DISABLE DHCP!!!!!!!)
/opt/bootlocal.sh
#!/bin/sh
/home/tc/static-network.sh
back up the filesystem to the persistent drive folder, then reboot
filetool.sh -b
sudo reboot