Date:  Fri, 2 Jun 2006 23:07:58 +0100
From:  "Vapor" <bluequartz (at mark) vaporised.com>
Subject:  [coba-e:05523] Re: Basic firewall package
To:  coba-e (at mark) bluequartz.org
Message-Id:  <20060602220642.M95953 (at mark) vaporised.com>
In-Reply-To:  <00a701c68674$12e9d340$3701a8c0@lapxp>
References:  <20060602161057.M72874 (at mark) vaporised.com> <00a701c68674$12e9d340$3701a8c0 (at mark) lapxp>
X-Mail-Count: 05523

> What file were you talking about? 

I'm not quite clear as to which part (disable hourly email or add DNS TCP ports) of my 
mods you mean, so I'll explain both :) 

nano -w /etc/cron.hourly/log_traffic 

Line 225 

By default it will just run the iptables.sh script, which is the one which reports via 
email to the admin the status of the firewall and blocked IPs.

So, yours will be: 

----- 
/usr/bin/iptables.sh 
----- 

So rather than disabling the output to email facility of the iptables.sh script (I 
actually run it daily via cron so want it to output to email then), I just force output 
of the running of it via log_traffic to null, so it doesn't output an email. 

So, basically edit your line 225 (it's very close to the bottom, so press ctrl+w then ctrl+v 
to jump to the bottom, then it's about 10 lines up; use ctrl+c to check your line number if 
unsure). My line 225 I modded to this: 

----- 
/usr/bin/iptables.sh >/dev/null 2>&1 
----- 

Secondly, adding TCP port access to the DNS server on port 53. 

nano -w /usr/bin/iptables.sh 

After line 109 (also near bottom) I add 2 new firewall rules to the DNS section so if 
enabled/disabled in the gui for DNS, the TCP port can be polled automatically. So I'll 
post that section with and without the 2 rules added: 

Before: 

----- 
if [ -e $UDP ] 
then 
echo "Adding DNS support" 
iptables -A acctin -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT 
iptables -A acctout -p udp  --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
iptables -A acctin -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
iptables -A acctout -p udp  --sport 53 -m state --state ESTABLISHED -j ACCEPT 

fi 
----- 

After (with the 2 rules added): 

----- 
if [ -e $UDP ] 
then 
echo "Adding DNS support" 
iptables -A acctin -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT 
iptables -A acctout -p udp  --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
iptables -A acctin -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT 
iptables -A acctout -p udp  --sport 53 -m state --state ESTABLISHED -j ACCEPT 
iptables -A acctin -t filter -p tcp --dport 53 -j ACCEPT 
iptables -A acctout -t filter -p tcp --sport 53 -j ACCEPT   

fi 
----- 

If you need any further assistance just drop me an email. 

Good luck 

Brett
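An added helper (my own example, not code from the post or from BlueQuartz) that applies the second change as a reproducible patch instead of editing by line number, since line 109 shifts between script versions. It assumes the path of iptables.sh is passed as the first argument, inserts the two rules before the `fi` that closes the "Adding DNS support" block, and mirrors the state matching of the UDP rules rather than the stateless TCP lines above; re-running it is a no-op.

```shell
#!/bin/sh
# Idempotently add DNS-over-TCP rules to the "Adding DNS support" block of a
# BlueQuartz-style iptables.sh. Assumed: script path is $1 (not from the post).

# Same chains as the UDP rules; state matching copied from the inbound UDP pair.
DNS_TCP_IN='iptables -A acctin -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT'
DNS_TCP_OUT='iptables -A acctout -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT'

# Succeeds (exit 0) only if both TCP rules are already present in the script.
has_dns_tcp_rules() {
    grep -qF -- "$DNS_TCP_IN" "$1" && grep -qF -- "$DNS_TCP_OUT" "$1"
}

# Insert both rules just before the 'fi' that closes the DNS section.
# Exit 1 if the script has no DNS section at all, so nothing is silently skipped.
add_dns_tcp_rules() {
    script="$1"
    if has_dns_tcp_rules "$script"; then
        return 0                      # already patched; safe to re-run from cron
    fi
    grep -q 'Adding DNS support' "$script" || return 1
    awk -v in_rule="$DNS_TCP_IN" -v out_rule="$DNS_TCP_OUT" '
        /Adding DNS support/ { in_dns = 1 }
        in_dns && /^fi[[:space:]]*$/ { print in_rule; print out_rule; in_dns = 0 }
        { print }
    ' "$script" > "$script.tmp" && mv "$script.tmp" "$script"
}

# Usage: sh add_dns_tcp.sh /usr/bin/iptables.sh
case "${1:-}" in "") ;; *) add_dns_tcp_rules "$1" ;; esac
```

After re-running the firewall script, confirm the rules landed in the right chains with `iptables -L acctin -n --line-numbers` and the same for `acctout`.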