Difference between revisions of "Talk:Firewall"
Revision as of 01:11, 19 July 2005
I think that this page should also contain basic Linksys and Dlink router information since you're also trying to attract windows users. -- Juan 21:28, 27 May 2005 (CEST)
Yep. Fine now, who's gonna provide that info? ;-P
I'll add linksys information soon. Anyone with a DLink router should also contribute.. =) -- Juan 19:41, 28 May 2005 (CEST)
Um. I thought the == before and after a section automatically creates a menu for the page? Am I wrong?
You're not. But only if there are at least four == sections in the article. Otherwise no menu will be created.
I just threw some D-Link info in there, based on what I did on my DI-624 to get aMule to show High ID. I have to admit though that I don't quite get how the Applications page settings relate to the port forwarding in Virtual Servers, unless you do an entry in Virtual Servers for each port in the 4662-4672 range for UDP. Any thoughts? -Sharakan
:-) Thanks for your tips!
The instructions do not work with my Dlink DI-604. When I try and add the Application rule I get a notice saying that there is a conflict with the Virtual Server rule I've just set up. HTH
Cleaning the iptables rules :
I think the basic rules (section 2 : IPTables Configuration) are not really good. If you use (as said in the wiki) :
iptables -A INPUT -p tcp --dport XX -j ACCEPT
it works, but to my mind the other line:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
does nothing, because the first line accepts packets in all states (NEW, ESTABLISHED, RELATED, UNTRACKED and INVALID). So the first line accepts more than the second (but only for the amule ports).
I think we could increase the security by using:
iptables -P INPUT DROP
iptables -A INPUT -p tcp --dport XX -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
The first line is the global policy: we drop all. The second line is the strategy for amule. The third line is the strategy for the other ports.
For aMule, we need the 'ESTABLISHED' and 'RELATED' states to allow the answers to our requests. We need the 'NEW' state to allow the requests of the other p2p clients. If we don't allow 'NEW', we are on low ID. (That's the result of my test.)
Perhaps it's even possible to delete ESTABLISHED or RELATED (only one). It depends on how the answer requests are done. (? I don't know. Need further research.)
Of course, you need to add modified lines if XX+3 or UDP are needed.
I didn't make a direct change on the wiki because I think several persons should test my change to check if I have made an error.
stephane.
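One way to turn the three-rule proposal above into a ruleset that can be checked and applied atomically with iptables-restore, as an added example that is not part of this talk page or the aMule wiki: it assumes the aMule default ports (TCP 4662, UDP 4672, and UDP 4665 for the "XX+3" port) and the function name amule_input_rules, and it goes slightly beyond the post by adding a loopback accept and an INVALID drop (both needed once the INPUT policy is DROP) and by leaving `-p tcp` off the catch-all ESTABLISHED,RELATED rule so UDP replies such as DNS are still let in.

```shell
#!/bin/sh
# Added example, not from the aMule wiki. Renders an INPUT ruleset in
# iptables-restore format. Port numbers are assumptions (aMule defaults).
# Usage: amule_input_rules <tcp_port> <udp_port>   -> prints the ruleset
amule_input_rules() {
    tcp="$1"
    udp="$2"
    udp_plus3=$((tcp + 3))   # the "XX+3" UDP port mentioned in the post
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback must stay open, or local services break under a DROP policy
-A INPUT -i lo -j ACCEPT
# discard packets conntrack cannot classify before any ACCEPT rule sees them
-A INPUT -m state --state INVALID -j DROP
# aMule ports: NEW is required so other clients can reach us (else low ID)
-A INPUT -p tcp --dport $tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport $udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport $udp_plus3 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# every other port: only replies to connections we opened ourselves
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Validate the generated ruleset without touching the kernel, then apply it.
# iptables-restore --test parses the input and exits non-zero on errors.
amule_apply_rules() {
    amule_input_rules "$1" "$2" | iptables-restore --test || return 1
    amule_input_rules "$1" "$2" | iptables-restore
}
```

Run `amule_input_rules 4662 4672` to inspect the output first; `amule_apply_rules 4662 4672` needs root and replaces the whole filter table.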