Commit

Update README.md
danradom committed Oct 2, 2015
1 parent f7b9dcb commit 594c4a2
Showing 1 changed file with 0 additions and 178 deletions.
178 changes: 0 additions & 178 deletions README.md
Expand Up @@ -4,181 +4,3 @@ quicktables is an iptables firewall and firewall / nat (gateway) script
generator. it was created to provide a secure set of iptables rules generator. it was created to provide a secure set of iptables rules
quickly. quicktables will ask you to answer a small handful of quickly. quicktables will ask you to answer a small handful of
questions, and generates your very own personalized firewall script. questions, and generates your very own personalized firewall script.

if you have questions or comments please subscribe to the qtables-users
mailing list by sending email to minimalist@radom.org with the subject
'subscribe qtables-users <your_email_address>' without the quotes. i
can also be found on the EFnet IRC network using the nickname graffix.

i'd like to thank trey_ of efnet irc for help with the regexp used for
IP address validation.


current support includes the following.


- nat and no nat (firewall only) options
- default policy of DROP on INPUT and FORWARD chains (all packets
dropped)
- tcp and udp ACCEPTs on INPUT chain (open ports to the firewall
machine)
- advanced tcp and upd port forwarding with nat
- multiple icmp (ping) options
- multiple logging options (syslog - kern.info)
- ip spoofing protection via rp_filter
- log throttling
- incoming icmp throttling
- creates backups of existing rc.firewall scripts
- advanced support for transparent http proxying
- redhat specific installation script
- redhat specific /sbin/service and /sbin/chkconfig aware init script


when you run quicktables you will be asked a series of questions. if
you don't fully understand any of the questions, please read the
questions and example answers and descriptions below. you might not be
prompted to answer some of the questions that you see described below.
for example if you don't answer yes to the nat question the script will
skip the nat related questions. some of the questions aren't really
questions, but i'll describe them as well.



question: iptables was found at /some/path/to/iptables. is that the location you wish to use in your firewall script (yes/no)
description: is this the correct location for iptables on the firewall machine?


question: i have determined that the interface that connects you to your ISP (untrusted network) is ethX
description: this is the interface that connect to your ISP, cable modem, dsl, or regular old modem


question: would you like to use NAT (yes/no)
description: nat lets you connect multuple computers to the internet using a single internet IP address


question: which interface is your internal interface
description: your internal interface connects your computer to your LAN


question: what network would you like to nat
description: if your internal ip address is 192.168.0.10 and your netmask is 255.255.255.0 you would answer 192.168.0.0/24 to this question


question: is your internet IP address a dynamic or static address
description: a static IP address is one that is assigned specifically to your internet account, and never changes. a dynamic IP address is one that is usually assigned by your ISP. the nat helpers (MASQUERADE and SNAT) vary only slightly, but SNAT does offer a small advantage. if you have a static IP address then you will want to answer static to this question. if your address is dynamic then you will want to answer dynamic. your basic residential internet services generally use dynamic IP addresses.


question: would you like your internet IP address to be pingable
description: do you want your internet IP address to respond to ICMP echo requests (pings)


question: would you like to use icmp type restriction to block unwanted icmp types from the internet
description: icmp has many messages that are generated by a type field. certain types of ICMP messages should be dropped unless you have specific reasons for allowing them. the current types of ICMP messages dropped by quicktables are redirect, router-advertisement, router-solicitation, address-mask-request, and address-mask-reply


question: would you like to open any tcp ports to the firewall
description: this option is used to open ports to the firewall itself. this is most often used in non-nat situations or where services run directly on the firewall.


question: would you like to open any udp ports to the firewall
description: same as previous description


question: would you like to load the ftp nat and conntrack kernel modules if they are available
description: this option makes active ftp play nicely with nat. if you're using nat you'll want this option.


question: would you like to load the irc nat and conntrack kernel modules if they are available
description: if using nat you'll need this for irc dcc connections to work.


question: do you want to block internet access from reservced private networks
description: these networks use reserved IP space, and isn't normally routable across the internet. if your use of quicktables includes traditional internet firewalling or NAT then you will want to answer yes to this question unless you have a specific reason not to.


question: enter the ip address(es) and/or network address(es) to completely block
description: these IP addresses will be not have access to any ports including those that are open.


question: would you like to log dropped packets
description: logging dropped packets creates a syslog entry of the logged packet using the kern.info syslog facility and log level.


question: do you wish to use squid
description: squid is a web proxy cache. answering yes to this questions causes all outboung http requests to be proxied through a web proxy cache


question: what is the IP address of the squid machine
description: this is the IP address of the machine that squid runs on


question: what port is squid listening on
description: this is the port squid is listening on. default is 3128


question: which interface will the to-be-proxied requests be received on.
description: this is the interface on the firewall machine that the outbound http requests will come from


question: do you run squid on the firewall machine itself
description: the iptables setup depends on where your web proxy cache runs. if squid runs on the fireqall machine answer yes


question: what is the quicktables firewall machine IP address
description: this is the IP address on the firewall machine that the web clients will use to connect. this is usually the same as their default gateway


question: what client network address(es) will be using the squid proxy
description: this is the network address of the client machine that will be using squid


question: do you wish to block outbound access to any services
description: blocking outbound access to services or ports will restrict users on the trusted side of the firewall from accessing services on the internet such as irc and aim


question: what single destination port would you like to block
description: this is the port you wish to block. for irc this would be ports 6667, 6668, and 6669 tcp. this could be represented as a range of ports like 6667-6669


question: what protocol do you wish to block
description: this is either tcp or udp. which protocol does the service use


question: would you like to exclude any host from this service block
description: this would allow you to override this block for a single host on the trusted side of the firewall


question: do you wish to block outbound access to another service
description: this allows you to block another service on the internet from trusted side of the firewall


question: would you like to forward ports from one or more external IP addresses to one or more internal IP addresses
description: this allows you to forward ports from your internet IP address to services running on your LAN hosts.


question: i see that your internet IP address is x.x.x.x. is this the destination address you want to match for this port forwarding
description: quicktables determined your internet IP address was x.x.x.x. is this the real desatination address you want to match for this forward?


question: what destination address would you like to match for this port forward
description: if you answer no to the previous question you will be prompted to enter the destination address to match.


question: what destination port or range (1-1024) of ports would you like to match
description: this is the external port or range of ports to match


question: what internal address would you like to forward port xx to
description: this is the address of the LAN machine you want to forward port xx from the previous question to.


question: what internal port or range of ports would you like to forward external port xx with destination address x.x.x.x to
description: this is the destination port or range of ports on the LAN machine you're forwarding to


question: which protocol are we forwarding
description: enter tcp or udp


question: would you like to setup another port forward
description: the port forwarding questions will loop until you answer no to this question
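Review bot: this hunk removes the whole user-facing reference for the generator (the project description and contact details, the feature list, and every "question:" / "description:" pair) and puts nothing in its place, while the commit message "Update README.md" does not say why. The deleted text is the only place that states the security-relevant behaviour a user is answering against: "default policy of DROP on INPUT and FORWARD chains", "ip spoofing protection via rp_filter", the list of ICMP types dropped by the type-restriction option, and the advice to answer yes to blocking traffic from reserved private networks. If this material is moving to another document, the hunk should leave a pointer to it after the three intro lines that survive; otherwise the commit message should record the reason for dropping it, because after this change README.md consists of the three-line introduction alone.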
