quicktables is no longer being developed
quicktables is an iptables firewall and firewall / nat (gateway) script generator. it was created to provide a secure set of iptables rules quickly. quicktables will ask you to answer a small handful of questions, and generates your very own personalized firewall script.
if you have questions or comments please subscribe to the qtables-users mailing list by sending email to email@example.com with the subject 'subscribe qtables-users ' without the quotes. i can also be found on the EFnet IRC network using the nickname graffix.
i'd like to thank trey_ of efnet irc for help with the regexp used for IP address validation.
current support includes the following.
- nat and no nat (firewall only) options
- default policy of DROP on INPUT and FORWARD chains (all packets dropped)
- tcp and udp ACCEPTs on INPUT chain (open ports to the firewall machine)
- advanced tcp and udp port forwarding with nat
- multiple icmp (ping) options
- multiple logging options (syslog - kern.info)
- ip spoofing protection via rp_filter
- log throttling
- incoming icmp throttling
- creates backups of existing rc.firewall scripts
- advanced support for transparent http proxying
- redhat specific installation script
- redhat specific /sbin/service and /sbin/chkconfig aware init script
when you run quicktables you will be asked a series of questions. if you don't fully understand any of the questions, please read the questions and example answers and descriptions below. you might not be prompted to answer some of the questions that you see described below. for example if you don't answer yes to the nat question the script will skip the nat related questions. some of the questions aren't really questions, but i'll describe them as well.
question: iptables was found at /some/path/to/iptables. is that the location you wish to use in your firewall script (yes/no)
description: is this the correct location for iptables on the firewall machine?

question: i have determined that the interface that connects you to your ISP (untrusted network) is ethX
description: this is the interface that connects to your ISP: cable modem, dsl, or regular old modem

question: would you like to use NAT (yes/no)
description: nat lets you connect multiple computers to the internet using a single internet IP address

question: which interface is your internal interface
description: your internal interface connects your computer to your LAN

question: what network would you like to nat
description: if your internal ip address is 192.168.0.10 and your netmask is 255.255.255.0 you would answer 192.168.0.0/24 to this question

question: is your internet IP address a dynamic or static address
description: a static IP address is one that is assigned specifically to your internet account, and never changes. a dynamic IP address is one that is usually assigned by your ISP. the nat helpers (MASQUERADE and SNAT) vary only slightly, but SNAT does offer a small advantage. if you have a static IP address then you will want to answer static to this question. if your address is dynamic then you will want to answer dynamic. your basic residential internet services generally use dynamic IP addresses.

question: would you like your internet IP address to be pingable
description: do you want your internet IP address to respond to ICMP echo requests (pings)

question: would you like to use icmp type restriction to block unwanted icmp types from the internet
description: icmp has many kinds of messages, distinguished by a type field. certain types of ICMP messages should be dropped unless you have a specific reason for allowing them. the ICMP types currently dropped by quicktables are redirect, router-advertisement, router-solicitation, address-mask-request, and address-mask-reply

question: would you like to open any tcp ports to the firewall
description: this option is used to open ports to the firewall itself. this is most often used in non-nat situations or where services run directly on the firewall.

question: would you like to open any udp ports to the firewall
description: same as previous description

question: would you like to load the ftp nat and conntrack kernel modules if they are available
description: this option makes active ftp play nicely with nat. if you're using nat you'll want this option.

question: would you like to load the irc nat and conntrack kernel modules if they are available
description: if using nat you'll need this for irc dcc connections to work.

question: do you want to block internet access from reserved private networks
description: these networks use reserved IP space and aren't normally routable across the internet. if your use of quicktables includes traditional internet firewalling or NAT then you will want to answer yes to this question unless you have a specific reason not to.

question: enter the ip address(es) and/or network address(es) to completely block
description: these IP addresses will not have access to any ports, including those that are open.

question: would you like to log dropped packets
description: logging dropped packets creates a syslog entry for the logged packet using the kern.info syslog facility and log level.

question: do you wish to use squid
description: squid is a web proxy cache. answering yes to this question causes all outbound http requests to be proxied through a web proxy cache

question: what is the IP address of the squid machine
description: this is the IP address of the machine that squid runs on

question: what port is squid listening on
description: this is the port squid is listening on. default is 3128

question: which interface will the to-be-proxied requests be received on
description: this is the interface on the firewall machine that the outbound http requests will come in on

question: do you run squid on the firewall machine itself
description: the iptables setup depends on where your web proxy cache runs. if squid runs on the firewall machine answer yes

question: what is the quicktables firewall machine IP address
description: this is the IP address on the firewall machine that the web clients will use to connect. this is usually the same as their default gateway

question: what client network address(es) will be using the squid proxy
description: this is the network address of the client machines that will be using squid
question: do you wish to block outbound access to any services
description: blocking outbound access to services or ports will restrict users on the trusted side of the firewall from accessing services on the internet such as irc and aim

question: what single destination port would you like to block
description: this is the port you wish to block. for irc this would be ports 6667, 6668, and 6669 tcp. this could be represented as a range of ports like 6667-6669

question: what protocol do you wish to block
description: this is either tcp or udp, whichever protocol the service uses

question: would you like to exclude any host from this service block
description: this would allow you to override this block for a single host on the trusted side of the firewall

question: do you wish to block outbound access to another service
description: this allows you to block another service on the internet from the trusted side of the firewall
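how one pass through the service-block questions turns into FORWARD rules, as an added example for this page (not quicktables' own code); the function name, argument order and sample host are constructed. the point to notice is ordering: the excluded host's ACCEPT has to sit above the DROP, because iptables stops at the first matching rule.

```shell
# Added example, not part of quicktables: emit the FORWARD rules for one
# "block outbound access to a service" answer. Argument order is this example's own:
#   block_service <lan iface> <tcp|udp> <port or low-high range> [excluded host ...]
block_service() {
    iface=$1 proto=$2 ports=$3
    shift 3
    case $proto in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    # quicktables takes a range as 6667-6669; iptables --dport wants 6667:6669
    dports=$(printf '%s' "$ports" | sed 's/-/:/')
    # first match wins, so every excluded host must be accepted before the
    # DROP or the exclusion never takes effect
    for host in "$@"; do
        echo "iptables -A FORWARD -i $iface -s $host -p $proto --dport $dports -j ACCEPT"
    done
    # match on the trusted (LAN) interface so only outbound traffic is affected
    echo "iptables -A FORWARD -i $iface -p $proto --dport $dports -j DROP"
}

# constructed sample answers: block irc from the LAN except for one host
block_service eth1 tcp 6667-6669 192.168.0.5
```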
question: would you like to forward ports from one or more external IP addresses to one or more internal IP addresses
description: this allows you to forward ports from your internet IP address to services running on your LAN hosts.

question: i see that your internet IP address is x.x.x.x. is this the destination address you want to match for this port forwarding
description: quicktables determined your internet IP address was x.x.x.x. is this the real destination address you want to match for this forward?

question: what destination address would you like to match for this port forward
description: if you answered no to the previous question you will be prompted to enter the destination address to match.

question: what destination port or range (1-1024) of ports would you like to match
description: this is the external port or range of ports to match

question: what internal address would you like to forward port xx to
description: this is the address of the LAN machine you want to forward port xx from the previous question to.

question: what internal port or range of ports would you like to forward external port xx with destination address x.x.x.x to
description: this is the destination port or range of ports on the LAN machine you're forwarding to

question: which protocol are we forwarding
description: enter tcp or udp

question: would you like to set up another port forward
description: the port forwarding questions will loop until you answer no to this question
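the rules one pass through the port forwarding questions produces, as an added example for this page (not quicktables' own generator); the function name, argument order and the 203.0.113.5 address are constructed. it also covers the range case, where the two range spellings iptables uses (low:high for a match, low-high for a DNAT target) are easy to mix up.

```shell
# Added example, not part of quicktables: emit the rules for one port forward.
# Argument order is this example's own:
#   port_forward <internet iface> <dest ip> <dest port|low-high> \
#                <lan ip> <lan port|low-high> <tcp|udp>
port_forward() {
    ext_if=$1 ext_ip=$2 ext_ports=$3 int_ip=$4 int_ports=$5 proto=$6
    case $proto in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    # a matched range is written low:high, while the DNAT target keeps low-high
    ext_match=$(printf '%s' "$ext_ports" | sed 's/-/:/')
    int_match=$(printf '%s' "$int_ports" | sed 's/-/:/')
    # rewrite the destination before routing; matching the internet interface
    # keeps LAN traffic from triggering the forward
    # (for ranges keep both ranges identical: DNAT does not shift ports by an offset)
    echo "iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -p $proto --dport $ext_match -j DNAT --to-destination $int_ip:$int_ports"
    # FORWARD policy is DROP, so the rewritten connection must be accepted
    # explicitly; by FORWARD the destination is already the LAN host and port
    echo "iptables -A FORWARD -i $ext_if -d $int_ip -p $proto --dport $int_match -j ACCEPT"
}

# constructed sample answers: external port 80 on 203.0.113.5 to a LAN web server on 8080
port_forward eth0 203.0.113.5 80 192.168.0.10 8080 tcp
```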