help with mud server please

Bruno Wolff III bruno at wolff.to
Fri Jan 19 14:10:45 UTC 2007


Note you should keep discussions copied to the list unless you have a
particular reason not to, so that other people can learn from and
contribute to the discussion.

On Thu, Jan 18, 2007 at 21:35:50 +0100,
  Kristoffer Gustafsson <kg84 at nikolausson.cc> wrote:
> Hello!
> 
> Because I'm a blind linux user, I can't use gui applications.
> 
> But the ports I want to open are ftp, port 21, http port 80, port 23 and 
> port 2222 for telnet.
> 
> What shall I type in order to open these ports?
> 
> Or to make it easier, is there a way to open every port at once and not 
> have any closed at all?

service iptables stop
will delete all of the iptables rules. If you are running a really minimal
system, you might be OK doing that, but I don't recommend it. You can
certainly try that for short periods to make sure the iptables rules are
what's causing problems for your application.

If you set up rules using iptables commands directly, you can save them in
a way that the normal firewall start-up will use them at next boot. Just
get the rules set up the way you want and then run:
service iptables save

To see the current list of iptables rules run:
iptables -L

Below is a set of rules I use for my work station at work. It has some stuff
you won't need in it, but it should give you some ideas you can use to make
your own set of rules. For adding just one inbound port, you may also want
to try editing /etc/sysconfig/iptables. That is where rules are saved.
They aren't saved as actual iptables commands, but most of the contents should
be what would be the arguments to the iptables command. If your system has
something there by default, you should be able to add another allow rule to
accept inbound connections on specific ports.

#!/bin/sh

# Protect network with packet filter rules

CERBERUS=129.89.124.28

# Quickly block traffic no matter what the current rules
/sbin/iptables -I INPUT -j DROP
/sbin/iptables -I FORWARD -j DROP
/sbin/iptables -I OUTPUT -j DROP

# Set policy to drop all packets
/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

# Get rid of all rules and chains so that policy controls apply
/sbin/iptables -F
/sbin/iptables -X

# Keep things blocked while building new rule set
/sbin/iptables -I INPUT -j DROP
/sbin/iptables -I FORWARD -j DROP
/sbin/iptables -I OUTPUT -j DROP

# Real rules get defined here

# Log and drop
/sbin/iptables -N ERROR
/sbin/iptables -A ERROR  -m limit -j LOG
/sbin/iptables -A ERROR -j DROP

# Chain to check PRIVATE addresses aren't being used
/sbin/iptables -N PRIVATE
/sbin/iptables -A PRIVATE -d 255.255.255.255 -j DROP
/sbin/iptables -A PRIVATE -d 129.89.124.255 -j DROP
/sbin/iptables -A PRIVATE -d 0.0.0.0/8 -j ERROR
/sbin/iptables -A PRIVATE -d 127.0.0.0/8 -j ERROR
/sbin/iptables -A PRIVATE -d 172.16.0.0/12 -j ERROR
/sbin/iptables -A PRIVATE -d 192.168.0.0/16 -j ERROR
/sbin/iptables -A PRIVATE -d 169.254.0.0/16 -j DROP
/sbin/iptables -A PRIVATE -p igmp -d 224.0.0.1 -j DROP
/sbin/iptables -A PRIVATE -d 224.0.0.0/4 -j DROP
/sbin/iptables -A PRIVATE -d 10.0.0.0/8 -j ERROR
/sbin/iptables -A PRIVATE -s 0.0.0.0/8 -j ERROR
/sbin/iptables -A PRIVATE -s 127.0.0.0/8 -j ERROR
/sbin/iptables -A PRIVATE -s 172.16.0.0/12 -j ERROR
/sbin/iptables -A PRIVATE -s 192.168.0.0/16 -j ERROR
/sbin/iptables -A PRIVATE -s 169.254.0.0/16 -j DROP
/sbin/iptables -A PRIVATE -s 224.0.0.0/4 -j ERROR
/sbin/iptables -A PRIVATE -s 10.0.0.0/8 -j ERROR
/sbin/iptables -A INPUT -i ! lo -j PRIVATE
/sbin/iptables -A OUTPUT -o ! lo -j PRIVATE
/sbin/iptables -A FORWARD -j PRIVATE

# Supported services
/sbin/iptables -N SERVICES
/sbin/iptables -A SERVICES -p icmp --icmp-type redirect -m limit -j LOG
/sbin/iptables -A SERVICES -p icmp --icmp-type redirect -j DROP
/sbin/iptables -A SERVICES -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A SERVICES -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp --dport 25 -j ACCEPT
# bittorrent ports:
#/sbin/iptables -A SERVICES -p tcp --dport 6881:6999 -j ACCEPT
#/sbin/iptables -A SERVICES -p udp --dport 6881:6999 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp -s 129.89.0.0/16 --dport 80 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp -s 127.0.0.0/8 --dport 80 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp -s 129.89.0.0/16 --dport 443 -j ACCEPT
/sbin/iptables -A SERVICES -p tcp -s 127.0.0.0/8 --dport 443 -j ACCEPT
/sbin/iptables -A SERVICES -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A SERVICES -p tcp --dport 113 -j REJECT --reject-with tcp-reset
/sbin/iptables -A SERVICES -m limit -j LOG
/sbin/iptables -A SERVICES -j DROP

# Only allow expected outbound protocols
/sbin/iptables -N OUTBOUND
/sbin/iptables -A OUTBOUND -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTBOUND -p tcp -j ACCEPT
/sbin/iptables -A OUTBOUND -p udp -j ACCEPT
/sbin/iptables -A OUTBOUND -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A OUTBOUND -m limit -j LOG
/sbin/iptables -A OUTBOUND -j DROP

# LO
/sbin/iptables -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
/sbin/iptables -A INPUT -i lo -s $CERBERUS -d $CERBERUS -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -s $CERBERUS -d $CERBERUS -j ACCEPT

# ETH4 - Connects to the world
/sbin/iptables -N ETH4IN
/sbin/iptables -A ETH4IN -s $CERBERUS -j ERROR
/sbin/iptables -A ETH4IN -d $CERBERUS -j SERVICES
/sbin/iptables -A ETH4IN -m limit -j LOG
/sbin/iptables -A ETH4IN -j DROP
/sbin/iptables -A INPUT -i eth4 -j ETH4IN

/sbin/iptables -N ETH4OUT
/sbin/iptables -A ETH4OUT -d $CERBERUS -j ERROR
/sbin/iptables -A ETH4OUT -s $CERBERUS -j OUTBOUND
/sbin/iptables -A ETH4OUT -m limit -j LOG
/sbin/iptables -A ETH4OUT -j DROP
/sbin/iptables -A OUTPUT -o eth4 -j ETH4OUT

# Log any packets dropped for not being in a previous category
/sbin/iptables -A INPUT -m limit -j LOG
/sbin/iptables -A INPUT -j DROP
/sbin/iptables -A FORWARD -m limit -j LOG
/sbin/iptables -A FORWARD -j DROP
/sbin/iptables -A OUTPUT -m limit -j LOG
/sbin/iptables -A OUTPUT -j DROP

# Turn network on
/sbin/iptables -D INPUT 1
/sbin/iptables -D FORWARD 1
/sbin/iptables -D OUTPUT 1
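As an added example (not part of the original reply or its rule set), here is a small script that does what the question asks: it inserts ACCEPT rules for inbound TCP ports 21, 80, 23 and 2222 ahead of any trailing LOG/DROP rules in a chain and then runs "service iptables save" so they survive a reboot. The IPTABLES, CHAIN, PORTS, SRC and DRY_RUN variables are this example's own assumptions; SRC mirrors the reply's habit of limiting a service to a source network with -s.

```shell
#!/bin/sh
# Added example, not from the original post: open the inbound TCP ports the
# question asks for and persist them the way the reply describes.
# IPTABLES, CHAIN, PORTS, SRC and DRY_RUN are assumptions of this example.
IPTABLES=${IPTABLES:-/sbin/iptables}
CHAIN=${CHAIN:-INPUT}          # use SERVICES with the rule set quoted above
PORTS=${PORTS:-"21 80 23 2222"}
SRC=${SRC:-}                   # optional source net, e.g. 129.89.0.0/16
DRY_RUN=${DRY_RUN:-}           # set to print commands instead of running them

# run CMD...: execute the command, or only print it when DRY_RUN is set
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# open_tcp_port PORT: accept new inbound TCP connections to PORT. -I puts the
# rule at the top of the chain so it is matched before any catch-all
# "-m limit -j LOG" / "-j DROP" pair at the end of the chain.
open_tcp_port() {
    if [ -n "$SRC" ]; then
        run "$IPTABLES" -I "$CHAIN" -p tcp -s "$SRC" --dport "$1" -m state --state NEW -j ACCEPT
    else
        run "$IPTABLES" -I "$CHAIN" -p tcp --dport "$1" -m state --state NEW -j ACCEPT
    fi
}

# open_all_ports: one rule per port listed in PORTS
open_all_ports() {
    for p in $PORTS; do
        open_tcp_port "$p"
    done
}

# apply: open the ports and save them to /etc/sysconfig/iptables so the
# normal firewall start-up reloads them at next boot
apply() {
    open_all_ports
    run service iptables save
}

case "${1:-}" in
    --apply)   apply ;;
    --dry-run) DRY_RUN=1; apply ;;
esac
```

Run it with --dry-run first to see the exact iptables commands it would issue, then with --apply as root.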




More information about the fedora-list mailing list