Hello,
I have to setup a firewall box for someone ASAP and I was going through the tutorials at
http://forums.debian.net/viewtopic.php?t=16166
I just have a small query as I am confused with the directions of packets. When setting a rule for the INPUT table, there is a source and destination setting. From the examples given in the above tutorial, when an incoming packet is received, the source is a local IP and destination is the world. Shouldn't the incoming packet's source be the world and destination the local LAN IP address? Could the experts please clarify? Otherwise it seems quite easy to setup.
I just have a small query as I am confused with the directions of packets. When setting a rule for the INPUT table, there is a source and destination setting. From the examples given in the above tutorial, when an incoming packet is received, the source is a local IP and destination is the world. Shouldn't the incoming packet's source be the world and destination the local LAN IP address?
Hi, As per my knowledge the INPUT table is meant for the purpose of allowing/disallowing packets for the local host running the iptables service. For e.g. suppose your machine (I'll call it HostA) hosting the iptables service is also running a DHCP service; then you may wish to allow machines on the local network to be able to connect to port 67 on HostA. Thus you'll need to add a rule like:
-A INPUT -p udp --dport 67 -j ACCEPT
If some host on your private network wants to connect to a remote host on a specific port then you'll be using the FORWARD table to allow access as follows:
-A FORWARD -p tcp -s 192.168.0.2 -d 91.129.121.80 --dport 8090 -j ACCEPT
Also after you've mentioned all FORWARD rules you'd also like to mention the following rules:
-A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
Hope this info helps.
Regards, Mayank
Mayank wrote:
I just have a small query as I am confused with the directions of packets. When setting a rule for the INPUT table, there is a source and destination setting. From the examples given in the above tutorial, when an incoming packet is received, the source is a local IP and destination is the world. Shouldn't the incoming packet's source be the world and destination the local LAN IP address?
Hi, As per my knowledge the INPUT table is meant for the purpose of allowing/disallowing packets for the local host running the iptables service. For e.g. suppose your machine (I'll call it HostA) hosting the iptables service is also running a DHCP service; then you may wish to allow machines on the local network to be able to connect to port 67 on HostA. Thus you'll need to add a rule like:
-A INPUT -p udp --dport 67 -j ACCEPT
If some host on your private network wants to connect to a remote host on a specific port then you'll be using the FORWARD table to allow access as follows:
-A FORWARD -p tcp -s 192.168.0.2 -d 91.129.121.80 --dport 8090 -j ACCEPT
Hi.
I will have 2 interfaces, one to the internet and one to the LAN. So how will iptables forward the request? Do I need to specify the interface too? The interface (Call it LAN) pointing to the LAN will be 192.168.1.1 as all pcs are currently connected to MTNL ADSL directly. The interface that will now connect to MTNL (Call it NET) will be made 192.168.0.2 and MTNL's LAN IP will be changed to 192.168.0.1. Since all pcs are using static IP, changing everyone's settings is a longer procedure.
Also after you've mentioned all FORWARD rules you'd also like to mention the following rules:
-A FORWARD -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
On Thu, Aug 6, 2009 at 3:31 PM, Ronygnulinuxist@gmail.com wrote:
I will have 2 interfaces, one to the internet and one to the LAN. So how will iptables forward the request? Do I need to specify the interface too? The interface (Call it LAN) pointing to the LAN will be 192.168.1.1 as all pcs are currently connected to MTNL ADSL directly. The interface that will now connect to MTNL (Call it NET) will be made 192.168.0.2 and MTNL's LAN IP will be changed to 192.168.0.1. Since all pcs are using static IP, changing everyone's settings is a longer procedure.
There are 2 ways.
1) Use source and destination in the rule. Here's its snippet from the iptables man page:
-----xxxxx-----
-s, --source [!] address[/mask]
Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option.
-d, --destination [!] address[/mask]
Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.
-----xxxxx-----
2) Use the input and output interface names. Again, snippets from the man page:
-----xxxxx-----
-i, --in-interface [!] name
Name of an interface via which a packet was received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.
-o, --out-interface [!] name
Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the "!" argument is used before the interface name, the sense is inverted. If the interface name ends in a "+", then any interface which begins with this name will match. If this option is omitted, any interface name will match.
-----xxxxx-----
I was pointed to http://iptables-tutorial.frozentux.net/ when I had gone to IRC to ask for some help on iptables. It might help you too.
On Thu, Aug 6, 2009 at 8:46 PM, Mehul Ved mehul.n.ved@gmail.com wrote:
I was pointed to http://iptables-tutorial.frozentux.net/ when I had gone to IRC to ask for some help on iptables. It might help you too.
I have this tutorial but it's too long. My only confusion is with setting rules in INPUT or other chains. I don't want to end up giving access from outside and blocking internal access to the net.
On 08/06/2009 01:35 AM, Rony Bill wrote:
Hello,
I have to setup a firewall box for someone ASAP and I was going through the tutorials at
http://forums.debian.net/viewtopic.php?t=16166
I just have a small query as I am confused with the directions of packets. When setting a rule for the INPUT table, there is a source and destination setting. From the examples given in the above tutorial, when an incoming packet is received, the source is a local IP and destination is the world. Shouldn't the incoming packet's source be the world and destination the local LAN IP address? Could the experts please clarify? Otherwise it seems quite easy to setup.
I assume you meant the examples such as these in the guide:
iptables -A INPUT -p tcp --dport 22 -s 192.168.0.3 -j ACCEPT
Firstly the terminology in the guide appears to be incorrect. The guide refers to INPUT, OUTPUT and FORWARD as 'table'. These are in fact termed as 'chains' within the 'filter' table (which is the default table for modification when -t is not provided. There are other tables like 'nat', 'mangle' ..etc)
Think of tables as a grouping of 'what' you want to do with the packets (filter, nat, mangle) and chains as 'when' you want to do it (INPUT, OUTPUT, FORWARD for filter, PREROUTING, POSTROUTING for nat ...etc)
So as far as the filter table is concerned, in this context, there isn't any difference between your 'home' network and the 'world' network. The rule will just be matched against the networks mentioned in the rules. Think about it a bit. Your rules might even mention a src/dest addresses on networks that none of your interfaces are even part of.
Mentioning an action in the INPUT chain simply means that the packet would be examined when received and filtered accordingly.
HTH, regards, - steve
steve wrote:
So as far as the filter table is concerned, in this context, there isn't any difference between your 'home' network and the 'world' network. The rule will just be matched against the networks mentioned in the rules. Think about it a bit. Your rules might even mention a src/dest addresses on networks that none of your interfaces are even part of.
Mentioning an action in the INPUT chain simply means that the packet would be examined when received and filtered accordingly.
So there is no input point and output point. The setup that I will have is a box with 2 ethernet ports, one connected to the MTNL router and the other to the LAN. How will the firewall recognize the inbound/outbound traffic directions, as it is inbound for one interface and outbound for the other and vice versa? In a GUI firewall I remember it asking which is the local device and which is on the internet. Will I have to make all rules based on each ethernet device as well as ip addresses to let iptables know direction?
On 08/06/2009 03:18 PM, Rony wrote:
steve wrote:
So as far as the filter table is concerned, in this context, there isn't any difference between your 'home' network and the 'world' network. The rule will just be matched against the networks mentioned in the rules. Think about it a bit. Your rules might even mention a src/dest addresses on networks that none of your interfaces are even part of.
Mentioning an action in the INPUT chain simply means that the packet would be examined when received and filtered accordingly.
So there is no input point and output point.
I don't understand what you mean by 'point'. If you mean a single interface, no, iptables does not designate one interface as 'in' and the other as 'out'. If, on the other hand, by point, you mean 'point in data passage at which the packet is examined', of course there is an input and output point.
That's exactly what the INPUT and OUTPUT chains signify.
The setup that I will have is a box with 2 ethernet ports, one connected to the MTNL router and the other to the LAN. How will the firewall recognize the inbound/outbound traffic directions, as it is inbound for one interface and outbound for the other and vice versa?
Stop thinking of inbound and outbound as interface specific. All traffic entering the system will be tested against the INPUT chain and all traffic leaving the system will be tested against the OUTPUT chain, irrespective of the origin, destination, interface ...etc. The rules /within/ the chain would specify what to do depending on interface, origin, destination, address, port ..etc.
In a GUI firewall I remember it asking which is the local device and which is on the internet. Will I have to make all rules based on each ethernet device as well as ip addresses to let iptables know direction?
Judging by your other responses, I have a feeling that you are confusing 'filtering' (ie: the filter table rules, which decide what type of traffic to let in, let out & forward) with IP routing (ie: the NAT table, which lets you route and masquerade packets based on certain rules).
Now, in your case, each of the interfaces is on a different network segment, aren't they? So, you need to make rules based on either the network or the interface.
Any one of them would do and would do the same thing. The simplest form of NAT gateway is:
# Assuming eth0 is on the external network (ie: has the IP from MTNL) and eth1
# is on the internal network.

# Set up ip forwarding
$ echo 1 > /proc/sys/net/ipv4/ip_forward

# read this as: in the nat table (-t), add a POSTROUTING rule (-A) that says
# every packet destined to go out from eth0 (-o) should be MASQUERADE'd (-j)
$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Homework: Express in words the following commands
$ /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
$ /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Now, if you want to do packet filtering, for example you want to say:
As packets come in .............. ( -A INPUT )
on the external nic ............. ( -i eth0 )
on the http port ................ ( --dport 80 )
accept it ....................... ( -j ACCEPT )
It is pretty interesting once you get to learn to read/write iptables rules and you might even end up getting carried away doing stuff that is not really necessary.
Here's one guide that I found fairly clear and concise: http://fedorasolved.org/Members/kanarip/iptables-howto
Have fun ! HTH, - steve
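A fuller version of the two-NIC gateway steve sketches above, as an added example that is not part of the thread: a POSIX sh script that emits a complete iptables-restore ruleset with default DROP policies on INPUT and FORWARD, the MASQUERADE and stateful FORWARD rules, anti-spoofing drops, and a LAN-only INPUT chain for the gateway's own services (SSH, DHCP as in Mayank's example, ping). The interface names eth0/eth1 follow steve's message; the LAN range 192.168.1.0/24 is an assumption taken from Rony's description of his setup.

```shell
#!/bin/sh
# Added example, not from the thread: print an iptables-restore ruleset for a
# two-NIC NAT gateway.  $1 = external NIC, $2 = internal NIC, $3 = LAN (CIDR).
# Defaults follow the thread (eth0 towards MTNL, eth1 towards the LAN); the
# LAN range 192.168.1.0/24 is an assumption taken from Rony's description.
#
# Usage:  sh gateway-rules.sh eth0 eth1 192.168.1.0/24 | iptables-restore
#         echo 1 > /proc/sys/net/ipv4/ip_forward
# Review the output first: `iptables-restore` replaces the running rules.

gen_ruleset() {
    ext="$1"; int="$2"; lan="$3"
    # '#' lines are legal in iptables-restore input, so comments travel along.
    cat <<EOF
# Generated ruleset: external=$ext internal=$int lan=$lan
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# steve's MASQUERADE rule, narrowed to the LAN range so that packets from any
# other source network are not silently rewritten as well.
-A POSTROUTING -s $lan -o $ext -j MASQUERADE
COMMIT
*filter
# Default-deny for traffic addressed to the box (INPUT) and through it
# (FORWARD); traffic the box itself originates (OUTPUT) stays open.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Anti-spoofing: a LAN source address must never arrive on the external NIC.
-A INPUT -i $ext -s $lan -j DROP
-A FORWARD -i $ext -s $lan -j DROP
# Services on the gateway itself, reachable from the LAN side only.  DHCP has
# no -s match because a fresh client sends DISCOVER from 0.0.0.0.
-A INPUT -i $int -s $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $int -p udp --dport 67 -j ACCEPT
-A INPUT -i $int -s $lan -p icmp --icmp-type echo-request -j ACCEPT
# Forwarding: only the LAN may open connections outward; replies from the
# internet get back in through connection tracking alone.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i $int -o $ext -s $lan -j ACCEPT
COMMIT
EOF
}

gen_ruleset "${1:-eth0}" "${2:-eth1}" "${3:-192.168.1.0/24}"
```

Nothing in the filter table accepts a new connection arriving on the external NIC, so the LAN's outbound access works while inbound access is limited to replies to it.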
On Fri, Aug 7, 2009 at 12:07 PM, steve steve@lonetwin.net wrote:
It is pretty interesting once you get to learn to read/write iptables rules and you might even end up getting carried away doing stuff that is not really necessary.
Here's one guide that I found fairly clear and concise: http://fedorasolved.org/Members/kanarip/iptables-howto
Thanks for the explanation and the link. The box is up with Debian and I will actually try out the rules and learn practically.
Hello,
After a rollercoaster day I have managed to get my box running as a router. I will add the firewall rules tomorrow.
Initially I had Lenny installed in it without desktop. However whenever I tried to give a NAT command it said it could not locate the 'NAT' table and I might need insmod etc. etc. I spent the entire evening looking up google, even asking a friend, but no solution could be found. Different modules were loaded but no result. Finally I tried a live Kubuntu 9.04 cd and tried the command and it did not return errors. Lenny was removed and Kubuntu was installed. However at one time I got the error again; that's when I realised that the syntax for nat was lowercase, not uppercase as I kept doing. I felt very stupid to have wasted a day over a syntax error. But it was a good learning experience. I found kdm was very sticky to Kubuntu so I reloaded lenny again and set everything to make the system work as a router. Tomorrow I will add more rules for restrictive access.
I am sending this mail from a lappy connected to the box.
On Monday 10 Aug 2009, Rony Bill wrote:
Hello,
After a rollercoaster day I have managed to get my box running as a router. I will add the firewall rules tomorrow.
Initially I had Lenny installed in it without desktop. However whenever I tried to give a NAT command it said it could not locate the 'NAT' table and I might need insmod etc. etc.
Have you looked at firestarter http://www.fs-security.com/ ? From the description it looks like your functional requirements are met by this package.
A list of iptables configuration tools http://linux.com/archive/feature/44818 YMMV.
On Mon, Aug 10, 2009 at 9:25 AM, Arun Khan knura@yahoo.com wrote:
Have you looked at firestarter http://www.fs-security.com/ ? From the description it looks like your functional requirements are met by this package.
I have used firestarter and arno's firewall but this time I want to do the actual coding myself. Part of the linux graduation process. :-)
I got a three-part IPTables flash video downloaded from youtube; it will be helpful.
Vinod Raghavan
vinodrag@gmail.com
I got a three-part IPTables flash video downloaded from linuxjournal.com; it will be helpful.
www.linuxjournal.com/video/mastering-iptables-part-i
www.linuxjournal.com/video/mastering-iptables-part-2
www.linuxjournal.com/video/mastering-iptables-final-installment
Vinod Raghavan
vinodrag@gmail.com
Vinod Raghavan wrote:
I got a three-part IPTables flash video downloaded from linuxjournal.com; it will be helpful.
www.linuxjournal.com/video/mastering-iptables-part-i
www.linuxjournal.com/video/mastering-iptables-part-2
www.linuxjournal.com/video/mastering-iptables-final-installment
Thanks Vinod for the links.
I have one question to everyone. Of late has youtube changed its coding? I am no longer able to record videos from youtube using clive. Even vdownloader on doze machines gives errors.
On Sunday 16 August 2009, Rony wrote:
Vinod Raghavan wrote:
I got a three-part IPTables flash video downloaded from linuxjournal.com; it will be helpful.
www.linuxjournal.com/video/mastering-iptables-part-i
www.linuxjournal.com/video/mastering-iptables-part-2
www.linuxjournal.com/video/mastering-iptables-final-installment
Thanks Vinod for the links.
I have one question to everyone. Of late has youtube changed its coding? I am no longer able to record videos from youtube using clive. Even vdownloader on doze machines gives errors.
On my lenny install, start playing the video, then run:
ls -l /tmp/Flash*
This will show you some file named Flash<whatever>. Just copy and rename this to someplace. It's the video file.
jtd wrote:
On Sunday 16 August 2009, Rony wrote:
Vinod Raghavan wrote:
I got a three-part IPTables flash video downloaded from linuxjournal.com; it will be helpful.
www.linuxjournal.com/video/mastering-iptables-part-i
www.linuxjournal.com/video/mastering-iptables-part-2
www.linuxjournal.com/video/mastering-iptables-final-installment
Thanks Vinod for the links.
I have one question to everyone. Of late has youtube changed its coding? I am no longer able to record videos from youtube using clive. Even vdownloader on doze machines gives errors.
On my lenny install, start playing the video, then run:
ls -l /tmp/Flash*
This will show you some file named Flash<whatever>. Just copy and rename this to someplace. It's the video file.
It works. Thanks :-)
jtd wrote:
On Sunday 16 August 2009, Rony wrote:
I have one question to everyone. Of late has youtube changed its coding? I am no longer able to record videos from youtube using clive. Even vdownloader on doze machines gives errors.
On my lenny install, start playing the video, then run:
ls -l /tmp/Flash*
This will show you some file named Flash<whatever>. Just copy and rename this to someplace. It's the video file.
While I am able to save the videos in flash format and play them using vlc player in doze (vlc has issues with my etch installation), I was able to convert only the part2 video to mpg using ffmpeg. Part1 and 3 return errors on the video format. I am sure google is mangling the format to prevent reproduction. For ffmpeg the command is:
ffmpeg -i file.flv -ab 56 -ar 22050 -b 500 -s 640x480 file.mpg
Could you try this with part1 or 3 and give feedback? You could use default settings like:
ffmpeg -i file.flv file.mpg
In youtube, search for 'mastering iptables'.
On Monday 17 Aug 2009, jtd wrote:
On Sunday 16 August 2009, Rony wrote:
ffmpeg -i file.flv file.mpg
This works on 1 and 2. I have not downloaded 3.
If you just want to download a Youtube video as MP4, have a look at:
http://googlesystem.blogspot.com/2008/04/download-youtube-videos-as-mp4-files.html
I've Flash disabled, so this button works fine for me for downloading in an easily-viewable format through Firefox (well, Debian-rebranded Firefox to be precise :)
Regards,
-- Raju
On 08/17/2009 11:03 AM, Raj Mathur wrote:
On Monday 17 Aug 2009, jtd wrote:
On Sunday 16 August 2009, Rony wrote:
ffmpeg -i file.flv file.mpg
This works on 1 and 2. I have not downloaded 3.
If you just want to download a Youtube video as MP4, have a look at:
http://googlesystem.blogspot.com/2008/04/download-youtube-videos-as-mp4-files.html
I've Flash disabled, so this button works fine for me for downloading in an easily-viewable format through Firefox (well, Debian-rebranded Firefox to be precise :)
Just to add to the list of suggestions, here is what I use:
youtube-dl - Nice cli script http://www.arrakis.es/~rggi3/youtube-dl/
Download Helper extension for Firefox - This is especially nice, since it lets you also discover new video sites, through its 'Supported sites' option. http://www.downloadhelper.net/
cheers, - steve
On Monday 17 Aug 2009, steve wrote:
Just to add to the list of suggestions, here is what I use:
youtube-dl - Nice cli script http://www.arrakis.es/~rggi3/youtube-dl/
Download Helper extension for Firefox - This is especially nice, since it lets you also discover new video sites, through its 'Supported sites' option. http://www.downloadhelper.net/
You know, I tried a couple of FF extensions for downloading videos (including downloadhelper IIRC) and wasn't very impressed with their consistency -- they would refuse to download at least half the videos I wanted to watch. Apart from that, I'm not too happy giving control to a remote site for downloading videos and displaying $deity-only-knows adware, so for the time being I'm sticking to the JS snippet I posted, which I can see is safe and secure :) The youtube-dl script looks neat, will give that a shot for when I need command-line access. There's also clive, installable as a package in Debian, at least, which claims to do something similar (not tested at all).
BTW, in case you folks missed it, here's one more reason to not have Flash installed in your browser:
http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/
Regards,
-- Raju
Raj Mathur wrote:
On Monday 17 Aug 2009, steve wrote:
Just to add to the list of suggestions, here is what I use:
youtube-dl - Nice cli script http://www.arrakis.es/~rggi3/youtube-dl/
Download Helper extension for Firefox - This is especially nice, since it lets you also discover new video sites, through its 'Supported sites' option. http://www.downloadhelper.net/
[snip] The youtube-dl script looks neat, will give that a shot for when I need command-line access. There's also clive, installable as a package in Debian, at least, which claims to do something similar (not tested at all).
I have used clive extensively and even customised it to directly convert the video into mp3. However, google's new format has rendered it unusable. I will try out your earlier suggestion of directly downloading the mp4, and thanks to all those who gave their suggestions.
BTW, in case you folks missed it, here's one more reason to not have Flash installed in your browser:
http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/
I use flash block to prevent flash videos from directly downloading. Only those videos that I want to see are clicked upon.
Hi,
On 08/17/2009 12:06 PM, Raj Mathur wrote:
On Monday 17 Aug 2009, steve wrote:
Just to add to the list of suggestions, here is what I use:
youtube-dl - Nice cli script http://www.arrakis.es/~rggi3/youtube-dl/
Download Helper extension for Firefox - This is especially nice, since it lets you also discover new video sites, through its 'Supported sites' option. http://www.downloadhelper.net/
You know, I tried a couple of FF extensions for downloading videos (including downloadhelper IIRC) and wasn't very impressed with their consistency -- they would refuse to download at least half the videos I wanted to watch. Apart from that, I'm not too happy giving control to a remote site for downloading videos and displaying $deity-only-knows adware, so for the time being I'm sticking to the JS snippet I posted, which I can see is safe and secure :)
I agree totally ! ...so, just to set the record straight, the download helper extension does not work via a remote site; it is just a glorified (albeit convenient) button to do what jtd suggested (ie: save the downloaded flv) from within the browser itself[1]. It has a good community, proper bug tracking and is a very popular extension on the mozilla site[2]. Sadly though its license sucks[3], so yes, purely from a non-technical view, other alternatives might be better.
The youtube-dl script looks neat, will give that a shot for when I need command-line access. There's also clive, installable as a package in Debian, at least, which claims to do something similar (not tested at all).
Yep ! CLI rocks ! youtube-dl is especially good to 'batch' downloads. Something I forgot to mention in my last mail -- youtube-dl is available as a fedora package from the official repos.
BTW, in case you folks missed it, here's one more reason to not have Flash installed in your browser:
http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/
Regards,
-- Raju
[1] http://www.downloadhelper.net/faq.php#about-privacy
[2] https://addons.mozilla.org/en-US/firefox/addon/3006
[3] https://addons.mozilla.org/en-US/firefox/versions/license/73594