[nos-bbs] IPTABLES for TUN device
Jose Ng Lee
hp2cwb at cwpanama.net
Sat Mar 3 11:07:57 EST 2012
OK Bob,
Just installed Shorewall. Set up some basic rules. Disabled IPTables and started Shorewall. In Webmin, Shorewall has a nicer web interface than IPtables.
Later in the evening, after work, I will try to set it up so Linux can communicate with the Jnos over tun.
Thanks,
Jose / HP2AT
----- Original Message -----
From: Bob Tenty
To: TAPR xNOS Mailing List
Sent: Saturday, March 03, 2012 1:48 AM
Subject: Re: [nos-bbs] IPTABLES for TUN device
Jose,
You will do yourself a very big favour by installing "shorewall" in Ubuntu.
Bob VE3TOK
On 12-03-02 11:59 PM, Jose Ng Lee wrote:
Hi Michael,
Thanks for the reply, good explanation of Iptables and the references. You're right, the Iptables subject is too broad.
My goal for now is to have Linux talk to the Jnos through the tun device and vice versa. Before, I was using the Firestarter graphical interface to set up the firewall. With Firestarter disabled I was able to communicate Linux to Jnos. With Firestarter on I was not able to, and just couldn't set up the rules.
So, I uninstalled Firestarter. The default Iptables firewall is on now, but I couldn't get it to communicate Linux to Jnos. For an easier way to set up Iptables, I use Webmin through the web browser to modify the rules. It got me confused how to set up the rules; I tried declaring the IP but it doesn't work. Later, I tried declaring in the Incoming and Outgoing packets to Accept the packets from the tun0 interface, and now it is working. The tun0 interface is only up when jnos is executed, so I had to declare "other interface" and write the name tun0.
My next step is to set up the iptables to allow telnet from the internet to the Jnos. I tried and couldn't telnet to my Jnos from the internet.
Thanks,
Jose / HP2AT
----- Original Message -----
From: Michael Fox - N6MEF
To: 'TAPR xNOS Mailing List'
Sent: Friday, March 02, 2012 10:57 PM
Subject: Re: [nos-bbs] IPTABLES for TUN device
Jose,
It looks like no one has responded to you yet. That may be because you asked a rather broad question. You'll need to be much more specific about iptables.
IPtables is for filtering (among other things). For the best security, you want to set a default policy of drop and then specify the specific traffic that you want to allow. So you need to define those traffic types first, then translate to iptables rules. If you define what you want, and take a stab at writing the rules, there are probably several of us here who would be happy to help you refine them.
If you're new to iptables, here's some background info to get you started:
Iptables has 3 principal filtering tables: input, forward, output. Input is what traffic you want linux to accept coming in on that interface. In other words, this is traffic destined for linux that comes in on the tun0 interface. Forward is for traffic you want linux to allow to pass through from one interface to another. This can be two way on the tun0 device. For example, you may want to allow certain ICMP traffic to go out from JNOS, through Linux, to the internet, but not allow incoming traffic of that type from the internet to reach JNOS. So you need to define what traffic you want to allow linux to forward from other interfaces TO tun0 and what traffic you want linux to forward FROM tun0 to other interfaces. Output is for what traffic you want linux to be able to originate on that interface.
To specify the traffic types, you'll need to define if they're IP, TCP, ICMP, etc., which ports (like TCP port 23 for default telnet, etc.), and possibly which source and/or destination addresses to allow to send that traffic. For example, you may want to allow linux to forward telnet to JNOS as long as it is from a 44.x address, but not from other addresses.
Once you have figured out what traffic you want to allow, here are three good references to help write the rules:
https://help.ubuntu.com/community/IptablesHowTo
http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html (this is how I learned - it has some good templates)
O'Reilly iptables pocket reference: http://www.amazon.com/Linux-iptables-Pocket-Reference-Gregor/dp/0596005695/ref=sr_1_sc_1?ie=UTF8&qid=1330745373&sr=8-1-spell
Michael
N6MEF
From: nos-bbs-bounces at tapr.org [mailto:nos-bbs-bounces at tapr.org] On Behalf Of Jose Ng Lee
Sent: Friday, March 02, 2012 11:20 AM
To: TAPR xNOS Mailing List
Subject: [nos-bbs] IPTABLES for TUN device
Hi,
Can anyone help me with a sample IPTABLES configuration that works with a TUN device?
Thanks,
Jose / HP2AT
--------------------------------------------------------------------------
_______________________________________________
nos-bbs mailing list
nos-bbs at tapr.org
https://www.tapr.org/cgi-bin/mailman/listinfo/nos-bbs
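As an added example (not posted by anyone in this thread), here is a rule set in the shape Michael describes: default DROP on all three chains, explicit INPUT/OUTPUT acceptance on tun0 so Linux and JNOS can talk, ICMP forwarded out from JNOS but not in, and telnet forwarded to JNOS only from 44.x sources. It assumes eth0 is the Internet-facing interface and uses 44.0.0.2 as a placeholder for the JNOS end of the tunnel; the function only prints the rules until you ask it to apply them.

```shell
#!/bin/sh
# Default-DROP iptables policy for a Linux host fronting JNOS over tun0.
# Assumptions (not from the thread): eth0 faces the Internet, JNOS sits at
# $JNOS_IP on the tun0 link (placeholder), only AMPRNet 44.x sources may
# telnet in. Dry run by default; "sh thisscript.sh apply" loads it as root.

TUN=tun0               # created when JNOS starts; iptables accepts the name
WAN=eth0               # even while the interface does not exist yet
JNOS_IP=44.0.0.2       # placeholder: replace with the JNOS side of tun0
AMPR=44.0.0.0/8        # AMPRNet: the only sources allowed to telnet to JNOS
TELNET=23

# Print the rule set, one iptables command per line.
jnos_rules() {
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Linux itself may talk to JNOS over the tunnel, and JNOS to Linux
iptables -A INPUT  -i $TUN -j ACCEPT
iptables -A OUTPUT -o $TUN -j ACCEPT
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Replies to already-accepted connections, in every chain
iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# FORWARD is per direction: JNOS may ping out, but echo-requests from
# the Internet never reach JNOS (no matching rule, so the DROP policy wins)
iptables -A FORWARD -i $TUN -o $WAN -p icmp --icmp-type echo-request -j ACCEPT
# Telnet to JNOS is forwarded only when the source is a 44.x address
iptables -A FORWARD -i $WAN -o $TUN -p tcp -s $AMPR -d $JNOS_IP --dport $TELNET -m conntrack --ctstate NEW -j ACCEPT
# The kernel must be told to route between interfaces at all
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Number of iptables commands that would be loaded (sanity check).
rule_count() { jnos_rules | grep -c '^iptables'; }

case "${1:-}" in
    apply) jnos_rules | sh ;;   # run as root
    *)     jnos_rules ;;        # dry run: show what would be applied
esac
```

After applying, `iptables -L -v -n` shows per-rule packet counters, which is the quickest way to see whether a telnet attempt from the Internet is hitting the 44.x rule or falling through to the DROP policy.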