Mick <michaelkintzios <at> gmail.com> writes:

> > http://gentoo-en.vfose.ru/wiki/IptablesIptables_and_stateful_firewalls#State_basics

> Start iptables, run the script, stop iptables with '/etc/init.d/iptables
> stop' which will save your rules to /var/lib/iptables/rules-save,


after starting iptables, I ran /etc/firewall.sh (the previously published
script) and then stopped it with the syntax above::

cat /var/lib/iptables/rules-save 
# Generated by iptables-save v1.4.21 on Wed Oct  7 09:13:59 2015
*mangle
:PREROUTING ACCEPT [16022765:14170972269]
:INPUT ACCEPT [16022479:14170935323]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [19311825:1508198446]
:POSTROUTING ACCEPT [19311825:1508198446]
COMMIT
# Completed on Wed Oct  7 09:13:59 2015
# Generated by iptables-save v1.4.21 on Wed Oct  7 09:13:59 2015
*filter
:INPUT DROP [471:17192]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [722751:44404539]
[740388:740719942] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Oct  7 09:13:59 2015


was the output.


> or
> run 'iptables-save /var/lib/iptables/rules-save'.  Add any sysctl changes
> to /etc/sysctl.conf, so that they are permanent.  Re-run the script if 
> you want to change things in it.


sysctl is not set up. I did find this page on that::
https://wiki.gentoo.org/wiki/Procfs

Any suggestions on setting up sysctl for iptables and other future
usage?



> > Any improvements in this basic workstation firewall
> > everything out, nothing in?

> Yes, but such improvements are suggested in subsequent scripts on the 
> same page, e.g. ICMP handling, selective logging, etc.  If all you want
> is "a basic firewall using iptables" for the IPv4 workspace, then what 
> you have will do the job.

I'll test out these mods and give the scripts an added sequential character 
in the name so there can be different ones for easy deployment.

The idea is to keep it as simple as possible, test out scripts and ideas
and put something easy to set up on the Gentoo wiki, for all to enjoy.


> > Any good tools to quickly test this firewall from another local
> > workstation?

> nmap -A -T4 -P0 -vvv -p1-65535 XXX.XX.XXX.XX

Worked flawlessly. Very precise syntax (thanks). Here are the highlights::

Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1-hpn13v11lpk (protocol 2.0)


Not bad for a quick workstation firewall(s). After I get sysctl set up,
I'll test a few other versions and post again. Then wikify these
for community consumption.

Thanks

James
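As an added example (not part of this thread or the wiki scripts), here is a small POSIX sh audit that reads a rules-save file in the iptables-save format quoted above and checks it against the "everything out, nothing in" baseline: INPUT policy DROP, a RELATED,ESTABLISHED accept on INPUT, and a list of any inbound ports explicitly opened, which is what the nmap run from another host should agree with. The function names are my own, and the embedded sample is the *filter section from the rules-save output above.

```shell
#!/bin/sh
# Added example: offline audit of an iptables-save file against the stateful
# "everything out, nothing in" baseline. SAMPLE_RULES is the *filter section
# quoted in the thread, embedded here so the check runs without root or iptables.
SAMPLE_RULES='*filter
:INPUT DROP [471:17192]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [722751:44404539]
[740388:740719942] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# chain_policy RULES CHAIN -> prints the chain's default policy (DROP/ACCEPT)
chain_policy() {
    printf '%s\n' "$1" | awk -v chain=":$2" '$1 == chain { print $2; exit }'
}

# has_stateful_accept RULES -> exit 0 if INPUT lets replies to our own
# outbound connections back in (the rule that makes "everything out" work)
has_stateful_accept() {
    printf '%s\n' "$1" | grep -Eq -- \
        '-A INPUT .*--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT'
}

# open_ports RULES -> prints each --dport explicitly ACCEPTed on INPUT, one per
# line; this list is what an nmap scan from another host should report as open
open_ports() {
    printf '%s\n' "$1" | awk '/^(\[[0-9:]+\] )?-A INPUT / && /-j ACCEPT/ {
        for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1) }'
}

# audit_rules RULES -> prints findings, returns the number of failed checks
audit_rules() {
    fails=0
    [ "$(chain_policy "$1" INPUT)" = DROP ] \
        || { echo "FAIL: INPUT policy is not DROP"; fails=$((fails + 1)); }
    has_stateful_accept "$1" \
        || { echo "FAIL: no RELATED,ESTABLISHED accept on INPUT"; fails=$((fails + 1)); }
    ports=$(open_ports "$1")
    echo "explicitly opened inbound ports: ${ports:-none}"
    return "$fails"
}

# On a live box run: audit_rules "$(cat /var/lib/iptables/rules-save)"
audit_rules "$SAMPLE_RULES"
```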



