Update README.md

1 parent f7b9dcb commit 594c4a28b15dade4fa152c0cf8178e72c56e846f @danradom committed Oct 2, 2015
Showing with 0 additions and 178 deletions.
  1. +0 −178 README.md
@@ -4,181 +4,3 @@ quicktables is an iptables firewall and firewall / nat (gateway) script
generator. it was created to provide a secure set of iptables rules
quickly. quicktables will ask you to answer a small handful of
questions, and generates your very own personalized firewall script.
-
-if you have questions or comments please subscribe to the qtables-users
-mailing list by sending email to minimalist@radom.org with the subject
-'subscribe qtables-users <your_email_address>' without the quotes. i
-can also be found on the EFnet IRC network using the nickname graffix.
-
-i'd like to thank trey_ of efnet irc for help with the regexp used for
-IP address validation.
-
-
-current support includes the following.
-
-
-- nat and no nat (firewall only) options
-- default policy of DROP on INPUT and FORWARD chains (all packets
- dropped)
-- tcp and udp ACCEPTs on INPUT chain (open ports to the firewall
- machine)
-- advanced tcp and upd port forwarding with nat
-- multiple icmp (ping) options
-- multiple logging options (syslog - kern.info)
-- ip spoofing protection via rp_filter
-- log throttling
-- incoming icmp throttling
-- creates backups of existing rc.firewall scripts
-- advanced support for transparent http proxying
-- redhat specific installation script
-- redhat specific /sbin/service and /sbin/chkconfig aware init script
-
-
-when you run quicktables you will be asked a series of questions. if
-you don't fully understand any of the questions, please read the
-questions and example answers and descriptions below. you might not be
-prompted to answer some of the questions that you see described below.
-for example if you don't answer yes to the nat question the script will
-skip the nat related questions. some of the questions aren't really
-questions, but i'll describe them as well.
-
-
-
-question: iptables was found at /some/path/to/iptables. is that the location you wish to use in your firewall script (yes/no)
-description: is this the correct location for iptables on the firewall machine?
-
-
-question: i have determined that the interface that connects you to your ISP (untrusted network) is ethX
-description: this is the interface that connect to your ISP, cable modem, dsl, or regular old modem
-
-
-question: would you like to use NAT (yes/no)
-description: nat lets you connect multuple computers to the internet using a single internet IP address
-
-
-question: which interface is your internal interface
-description: your internal interface connects your computer to your LAN
-
-
-question: what network would you like to nat
-description: if your internal ip address is 192.168.0.10 and your netmask is 255.255.255.0 you would answer 192.168.0.0/24 to this question
-
-
-question: is your internet IP address a dynamic or static address
-description: a static IP address is one that is assigned specifically to your internet account, and never changes. a dynamic IP address is one that is usually assigned by your ISP. the nat helpers (MASQUERADE and SNAT) vary only slightly, but SNAT does offer a small advantage. if you have a static IP address then you will want to answer static to this question. if your address is dynamic then you will want to answer dynamic. your basic residential internet services generally use dynamic IP addresses.
-
-
-question: would you like your internet IP address to be pingable
-description: do you want your internet IP address to respond to ICMP echo requests (pings)
-
-
-question: would you like to use icmp type restriction to block unwanted icmp types from the internet
-description: icmp has many messages that are generated by a type field. certain types of ICMP messages should be dropped unless you have specific reasons for allowing them. the current types of ICMP messages dropped by quicktables are redirect, router-advertisement, router-solicitation, address-mask-request, and address-mask-reply
-
-
-question: would you like to open any tcp ports to the firewall
-description: this option is used to open ports to the firewall itself. this is most often used in non-nat situations or where services run directly on the firewall.
-
-
-question: would you like to open any udp ports to the firewall
-description: same as previous description
-
-
-question: would you like to load the ftp nat and conntrack kernel modules if they are available
-description: this option makes active ftp play nicely with nat. if you're using nat you'll want this option.
-
-
-question: would you like to load the irc nat and conntrack kernel modules if they are available
-description: if using nat you'll need this for irc dcc connections to work.
-
-
-question: do you want to block internet access from reservced private networks
-description: these networks use reserved IP space, and isn't normally routable across the internet. if your use of quicktables includes traditional internet firewalling or NAT then you will want to answer yes to this question unless you have a specific reason not to.
-
-
-question: enter the ip address(es) and/or network address(es) to completely block
-description: these IP addresses will be not have access to any ports including those that are open.
-
-
-question: would you like to log dropped packets
-description: logging dropped packets creates a syslog entry of the logged packet using the kern.info syslog facility and log level.
-
-
-question: do you wish to use squid
-description: squid is a web proxy cache. answering yes to this questions causes all outboung http requests to be proxied through a web proxy cache
-
-
-question: what is the IP address of the squid machine
-description: this is the IP address of the machine that squid runs on
-
-
-question: what port is squid listening on
-description: this is the port squid is listening on. default is 3128
-
-
-question: which interface will the to-be-proxied requests be received on.
-description: this is the interface on the firewall machine that the outbound http requests will come from
-
-
-question: do you run squid on the firewall machine itself
-description: the iptables setup depends on where your web proxy cache runs. if squid runs on the fireqall machine answer yes
-
-
-question: what is the quicktables firewall machine IP address
-description: this is the IP address on the firewall machine that the web clients will use to connect. this is usually the same as their default gateway
-
-
-question: what client network address(es) will be using the squid proxy
-description: this is the network address of the client machine that will be using squid
-
-
-question: do you wish to block outbound access to any services
-description: blocking outbound access to services or ports will restrict users on the trusted side of the firewall from accessing services on the internet such as irc and aim
-
-
-question: what single destination port would you like to block
-description: this is the port you wish to block. for irc this would be ports 6667, 6668, and 6669 tcp. this could be represented as a range of ports like 6667-6669
-
-
-question: what protocol do you wish to block
-description: this is either tcp or udp. which protocol does the service use
-
-
-question: would you like to exclude any host from this service block
-description: this would allow you to override this block for a single host on the trusted side of the firewall
-
-
-question: do you wish to block outbound access to another service
-description: this allows you to block another service on the internet from trusted side of the firewall
-
-
-question: would you like to forward ports from one or more external IP addresses to one or more internal IP addresses
-description: this allows you to forward ports from your internet IP address to services running on your LAN hosts.
-
-
-question: i see that your internet IP address is x.x.x.x. is this the destination address you want to match for this port forwarding
-description: quicktables determined your internet IP address was x.x.x.x. is this the real desatination address you want to match for this forward?
-
-
-question: what destination address would you like to match for this port forward
-description: if you answer no to the previous question you will be prompted to enter the destination address to match.
-
-
-question: what destination port or range (1-1024) of ports would you like to match
-description: this is the external port or range of ports to match
-
-
-question: what internal address would you like to forward port xx to
-description: this is the address of the LAN machine you want to forward port xx from the previous question to.
-
-
-question: what internal port or range of ports would you like to forward external port xx with destination address x.x.x.x to
-description: this is the destination port or range of ports on the LAN machine you're forwarding to
-
-
-question: which protocol are we forwarding
-description: enter tcp or udp
-
-
-question: would you like to setup another port forward
-description: the port forwarding questions will loop until you answer no to this question

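Review bot: This hunk removes the entire user-facing documentation of quicktables, not only the stale contact details, and the commit message "Update README.md" does not say why or where it went. Everything after the three-line introduction is deleted: the feature list that states the security properties of the generated ruleset (default DROP policy on INPUT and FORWARD, rp_filter spoofing protection, ICMP type restriction with the exact types dropped, blocking of reserved private networks, log and ICMP throttling) and the per-question descriptions that tell a user how to answer the prompts (for example the "what network would you like to nat" and "is your internet IP address a dynamic or static address" entries, which explain the 192.168.0.0/24 notation and the MASQUERADE vs SNAT choice). Those are the only lines on this page that let someone evaluate what the generated firewall actually does before running it, so dropping them is a documentation regression. If the intent is to retire the mailing-list and IRC contact information, remove just those paragraphs; if the prompt descriptions are moving to another file or to the script's own help text, keep at least a one-line pointer in README.md and say so in the commit message. Leaving only "quicktables will ask you to answer a small handful of questions" with no description of the questions, the default policies, or the ICMP types dropped makes the remaining README unable to stand on its own.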