View Full Version : Need help with iptables



Markus
01-21-2004, 05:05 PM
I found a script at http://www.knoppix.net/forum/viewtopic.php?t=5424#24865
but would really like to stop all traffic that I haven't asked for but be able to run bittorrent.
Any suggestions?

And it seems my iptables isn't starting at all (or I can't find info in syslog).

I have a file named rc.firewall which I placed in /etc/init.d
In /etc/bootmisc.sh I placed a line at the end:

/etc/init.d/rc.firewall

This is the lsmod:

Module Size Used by Not tainted
ipt_REJECT 3256 5 (autoclean)
ipt_state 632 6 (autoclean)
ip_conntrack 18952 1 (autoclean) [ipt_state]
iptable_filter 1736 1 (autoclean)
ip_tables 11576 3 [ipt_REJECT ipt_state iptable_filter]
i810 63776 14
agpgart 38296 7
autofs4 8756 0 (unused)
af_packet 13448 0
nls_cp437 4348 1
nls_iso8859-1 2844 1
ntfs 51168 0 (unused)
msdos 4652 0 (unused)
i810_audio 25064 0 (unused)
ac97_codec 11884 0 [i810_audio]
soundcore 3428 2 [i810_audio]
8139too 17096 1
mii 2240 0 [8139too]
crc32 2816 0 [8139too]
serial 51972 0
usb-uhci 21836 0 (unused)
usbcore 57472 1 [usb-uhci]
apm 9768 1
rtc 6908 0
ext3 63940 2
jbd 46100 2 [ext3]

This is the file rc.firewall:

#!/bin/sh

# Trace, exit at 1st err
set -x -e

# Flush 1st
iptables -F

# Deletes any user-defined chains, and leaves the built-in ones
# (INPUT, OUTPUT, FORWARD, etc.)
iptables -X

# Allow loopback access. This rule must come before the rules denying
# port access!!
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
##iptables -A INPUT -i lo -j ACCEPT


#This allows all data that has been sent out for the computer running the
# firewall to come back (for all of ICMP/TCP/UDP).
#For example, if a ping request is made it will allow the reply back
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp

# Drop outside ping
iptables -A INPUT -p icmp -j DROP

#These lines add rules (-A) to the OUTPUT and INPUT tables
# that match state as well. However, this time it only matches
# packets that are related to packets that have already been
# passed, or packets that are a part of an already-established
# connection (-m state --state RELATED,ESTABLISHED) and allows
# them to be accepted (-j ACCEPT). Think of this as a
# combination of yahoo sending its web page to you and you
# asking for a second one.
#/* You would need to load at least the ip_conntrack, iptable_filter and
#ipt_state modules, and would probably want to load the ip_conntrack_ftp
#module too.
#These rules should block incoming traffic which isn't associated to a
#connection which you've initiated from your machine.
#*/

iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ssh
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT

#Drop incoming FTP requests - xxx uncomment
iptables -A INPUT -p tcp -i eth0 --dport 20 -j DROP
iptables -A INPUT -p tcp -i eth0 --dport 21 -j DROP
iptables -A INPUT -p tcp -i ppp0 --dport 20 -j REJECT
iptables -A INPUT -p tcp -i ppp0 --dport 21 -j REJECT

## Allow Squid from local net
# iptables -A INPUT -s 0/0 -p tcp --dport 8080 -j REJECT
# iptables -A INPUT -s 127.0.0.1 -p tcp --dport 3128 -j ACCEPT
# iptables -A INPUT -s 10.0.0.0/8 -p tcp --dport 3128 -j ACCEPT
# iptables -A INPUT -s 0/0 -p tcp --dport 3128 -j REJECT

# Allow BitTorrent connections
# xxx 2003.1012 modified for only 3 ports (was 6881:6889)
iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6881:6883 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -i ppp0 --dport 6969 -j ACCEPT

# Allow 1 VNC
# iptables -A INPUT -i eth0 -p tcp --dport 5902 -j ACCEPT

#####
##### BLOCKING
#####

#Example: Block all ports, besides port 22 to allow sshd:
##/sbin/iptables -A INPUT -p tcp --syn --destination-port 22 -j ACCEPT
###/sbin/iptables -A INPUT -p tcp --syn -j DROP

#Block all ports,besides port 22, and only allow predefined IP to access that
#port.
##/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.100/32 --destination-port 22 -j ACCEPT
##/sbin/iptables -A INPUT -p tcp --syn -j DROP

#/sbin/iptables -A INPUT -p tcp --syn -s 192.168.1.100/32 --destination-port 22 -j ACCEPT
#allow connection to sshd from IP 192.168.1.100
#/sbin/iptables -A INPUT -p tcp --syn --destination-port 80 -j ACCEPT
#allow httpd server to be accessed by world
#/sbin/iptables -A INPUT -p tcp --syn -j DROP
#block all ports (besides the limitations of above)

#More elaborate rules can be created that control access to specific subnets,
#or even specific nodes, within a LAN. You can also restrict certain dubious
#services such as trojans, worms, and other client/server viruses from
#contacting their server. For example, there are some trojans that scan
#networks for services on ports from 31337 to 31340 (called the elite ports
#in cracking lingo). Since there are no legitimate services that communicate
#via these non-standard ports, blocking it can effectively diminish the
#chances that potentially infected nodes on your network independently
#communicate with their remote master servers. Note that the following rule
#is only useful if your default OUTPUT policy is set to ACCEPT. If you set
#OUTPUT policy to DROP, then this rule is not needed.

#iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
# Remember, dport can only be used with -ptcp or -pudp specific.
iptables -A INPUT -i ppp0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A OUTPUT -o ppp0 -p tcp --dport 31337 --sport 31337 -j DROP

#FORWARD rules can be implemented to restrict certain types of traffic to the
#LAN only, such as local network file shares through NFS or Samba. The
#following rules reject outside connections to Samba shares:

iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP


# remote interface, claiming to be local machines, IP spoofing, get lost
# This turns out to be same as non-routable IPs
##iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -d 0.0.0.0/0 -j DROP
# New way:
# Block nonroutable IPs
iptables -A INPUT -s 10.0.0.0/8 -i ppp0 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -i ppp0 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -i ppp0 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -i ppp0 -j DROP

#"A" for append, "INPUT" to specify the state for the condition (coming,
#going, or forwarding), and "sport" for source port.

# Block common Windoze ports / specific ports
iptables -A INPUT -s 0/0 -p tcp --sport 69 -j DROP
iptables -A INPUT -s 0/0 -p tcp --sport 135 -j DROP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 139 -j REJECT # Block Windows file sharing
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 445 -j REJECT # Block Windows file sharing
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 1214 -j REJECT # Block Kazaa
iptables -A INPUT -s 0/0 -p tcp --sport 4444 -j DROP


# Block incoming Blaster Worm traffic on ports 153 and 707
# Chgd eth0 to ppp0, added -p tcp and got it to work :)
iptables -A INPUT -i ppp0 -p tcp --dport 153 -j DROP
iptables -A INPUT -i ppp0 -p tcp --dport 707 -j DROP

# Block infected machines from spreading Blaster Worm on 153 and 707
##/sbin/iptables -A OUTPUT -o ppp0 --dport 153 -j DROP
##/sbin/iptables -A OUTPUT -o ppp0 --dport 707 -j DROP


# !! Consider dropping all traffic to port 25 (mail)
# Block ports 127, 137, 138 and 139 (Samba/Windows) - blocked in FORWARD, above




# Fallthru

# Default rule
# Sets the default policy (-P) for INPUT packets to DROP. If a
# packet comes into your interface and doesn't match any other
# rules, the default policy takes effect and the packet is dropped.
iptables -P INPUT DROP


# Default rule
# Sets the default policy (-P) for FORWARD packets to DROP. If
# a packet needs to be routed from one interface to another
# (such as a firewall/router with two network cards) and
# doesn't match any other rules, the default policy takes
# effect and the packet is dropped.
iptables -P FORWARD DROP

# Final rule (stopgap)
iptables -A INPUT -p tcp --tcp-flags ALL SYN -j DROP

exit;



# References:
# http://nekohako.xware.cx/tech/adsl-2.4.html
# http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/security-guide/ch-fw.html
# http://uug.byu.edu/pipermail/uug-list/2003-April/002060.html
# http://www.linuxchix.org/pipermail/techtalk/2003-August/016116.html
# http://linuxwiki.de/FlorianWoegerer/Notizen
# http://www.linuxforum.com/forums/index.php?s=2f9a3a12448e23a0de24814e16807622&showtopic=1548&st=0&#entry5637
# http://www.ltsp.org/contrib/vnc.html

## Orig ssh mess:
# Allow ssh
iptables -A INPUT -p tcp --sport 22 -j ACCEPT
iptables -A INPUT -p udp --sport 22 -j ACCEPT
# XXX added below
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p udp --dport 22 -j ACCEPT
#(Orig:)
##iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
##iptables -A OUTPUT -p udp --sport 22 -j ACCEPT

# Added more
##iptables -A INPUT -i eth0 -p udp --dport 22 -j ACCEPT
##iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
##iptables -A OUTPUT -o eth0 -p udp --dport 22 -j ACCEPT
##iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT

# UNUSED:
#To take the restrictions a step further, block all outside connections that
#attempt to spoof private IP address ranges to infiltrate your LAN. If a LAN
#uses the 192.168.1.0/24 range, a rule can set the Internet facing network
#device (for example, eth0) to drop any packets to that device with an
#address in your LAN IP range. Because it is recommended to reject forwarded
#packets as a default policy, any other spoofed IP address to the
#external-facing device (eth0) will be rejected automatically.
#
##iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i eth0 -j DROP
##iptables -A FORWARD -p udp -s 192.168.1.0/24 -i eth0 -j DROP
# xxx corrected
##iptables -A FORWARD -p tcp -s 192.168.0.0/24 -i ppp0 -j DROP
##iptables -A FORWARD -p udp -s 192.168.0.0/24 -i ppp0 -j DROP
##iptables -A FORWARD -p tcp -s 192.168.1.0/24 -i ppp0 -j DROP
##iptables -A FORWARD -p udp -s 192.168.1.0/24 -i ppp0 -j DROP

# Block common Windoze ports / specific ports
# (this just doesn't work)
# I bet the reason is because -j DENY doesn't exist. Chg to DROP.
# Got it working :)
##iptables -A INPUT -s 0/0 -p tcp --sport 69 -j DENY
##iptables -A INPUT -s 0/0 -p tcp --sport 135 -j DENY
##iptables -A INPUT -s 0/0 -p tcp --sport 4444 -j DENY

# for transparent proxy
#> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT
#> --to-port 3128

Markus
01-21-2004, 06:01 PM
Well, now I tried $ping localhost and it replied with all packets, so I did:
$echo 0 > /proc/sys/net/ipv4/ip_forward
$echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
$echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

.... which took care of the ping problem, but I don't get it; why did my computer answer?

This is $iptables -L

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere state ESTABLISHED
ACCEPT tcp -- anywhere anywhere state ESTABLISHED
ACCEPT udp -- anywhere anywhere state ESTABLISHED
DROP icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp dpt:ftp-data
DROP tcp -- anywhere anywhere tcp dpt:ftp
REJECT tcp -- anywhere anywhere tcp dpt:ftp-data reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:ftp reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpts:6881:6883
ACCEPT tcp -- anywhere anywhere tcp dpt:6969
DROP tcp -- anywhere anywhere tcp spt:31337 dpt:31337
DROP all -- 10.0.0.0/8 anywhere
DROP all -- 127.0.0.0/8 anywhere
DROP all -- 172.16.0.0/12 anywhere
DROP all -- 192.168.0.0/16 anywhere
DROP tcp -- anywhere anywhere tcp spt:69
DROP tcp -- anywhere anywhere tcp spt:135
REJECT tcp -- anywhere anywhere tcp dpt:netbios-ssn reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:microsoft-ds reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere tcp dpt:1214 reject-with icmp-port-unreachable
DROP tcp -- anywhere anywhere tcp spt:4444
DROP tcp -- anywhere anywhere tcp dpt:153
DROP tcp -- anywhere anywhere tcp dpt:707
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/SYN

Chain FORWARD (policy DROP)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp spts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp spts:netbios-ns:netbios-ssn

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere tcp spt:31337 dpt:31337

gowator
01-21-2004, 06:23 PM
hmm, complex beast, iptables....
have to admit I use webmin to admin it.....
It's usually the order of ACCEPT and DROP/REJECT that's a gotcha....

in particular
DROP all -- 127.0.0.0/8
hence you can't ping yourself.
Also you are dropping all the RFC addresses, therefore you won't have any LAN access unless you have real IPs...
(10.0, 172.16 and 192.168)

Markus
01-21-2004, 06:44 PM
It's usually the order of ACCEPT and DROP/REJECT that's a gotcha...
Sounds reasonable. I'll just toss them around and have a look at what happens.


DROP all -- 127.0.0.0/8
hence you can't ping yourself.
Well, actually I thought I could, but then I realized that I have a rule that says ACCEPT for established pings,
so in theory I can ping my machine and it answers but shouldn't answer anyone else's pings, "theory" while I really don't have a clue about all this :D



Also you are dropping all the RFC addresses, therefore you won't have any LAN access unless you have real IPs...
(10.0, 172.16 and 192.168)
Oops, thanks!

gowator
01-21-2004, 08:27 PM
Markus, I'm not an expert, it's almost always the order of the ACCEPT and DROP.
Thus at the moment you're blocking 127.0.0.1 and that is the localhost.

I always use WEBMIN because it sorts out the correct order for you and saves a lot of head scratching >D

darn, I really must fix this keyboard.....

Markus
01-21-2004, 08:58 PM
Well, back to the drawing board with this one, still not working.

I'll have a closer look at webmin.

Thanks,
Markus

Markus
01-24-2004, 07:27 PM
Weeeellll, smaller seems to be better also in this case.
Cooked up a new rc.firewall with help from a friend.
If someone is interested in a firewall for a single workstation, this is it.
And if someone notices a fault, please tell :D

rc.firewall:

#!/bin/sh
# Path to the iptables binary; the script uses $IPTABLES below without
# defining it, so this line is needed for it to run (path assumed)
IPTABLES=/sbin/iptables

#policies
$IPTABLES -F INPUT
$IPTABLES -P INPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -F

#accept internal net and loopback, and some external
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# open ports
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 6881:6883 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 6889 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp -m udp --dport 6881:6883 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp -m udp --dport 6889 -j ACCEPT
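As an added example (not the thread's rc.firewall and not written by anyone in this thread), here is a complete single-workstation script in the same spirit as the one above, with the points raised earlier folded in: the policies and the loopback/stateful ACCEPTs come first because iptables stops at the first matching rule, the private-range drops are limited to the external interface so LAN access survives, only the BitTorrent ports accept new inbound connections, and a rate-limited LOG rule in front of the DROP policy makes the firewall visible in syslog. The interface names (ppp0 external, eth0 LAN), the LAN range 192.168.1.0/24, the binary path /sbin/iptables and the IPTABLES=echo dry-run convention are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's rc.firewall. Single-workstation stateful
# firewall: inbound traffic is dropped unless it belongs to a connection this
# host started, or it is BitTorrent on the ports used in the thread.
# Assumptions: ppp0 faces the Internet, eth0 is the LAN (192.168.1.0/24),
# the binary is /sbin/iptables, and the ip_conntrack/ipt_state modules are
# loaded (they appear in the lsmod output above). Preview without touching
# the kernel:
#   IPTABLES=echo sh rc.firewall apply
# Load for real (as root):
#   sh rc.firewall apply
set -eu

IPTABLES=${IPTABLES:-/sbin/iptables}
EXT_IF=${EXT_IF:-ppp0}                # Internet-facing interface (assumed)
LAN_IF=${LAN_IF:-eth0}                # LAN interface (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}    # LAN range (assumed)
BT_PORTS="6881:6883 6889"             # BitTorrent listen ports from the thread

# Private/loopback/link-local sources that have no business arriving on EXT_IF.
# They are dropped on EXT_IF only, so the same ranges stay usable on the LAN.
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16"

build_firewall() {
    # 1. Flush, then set policies: whatever reaches the end of INPUT is dropped.
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # 2. First match wins, so the broad ACCEPTs come before any DROP.
    #    Loopback carries 127.0.0.0/8, and this rule sits above the 127/8 drop
    #    further down, which is why "ping localhost" keeps working.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID -j DROP

    # 3. Spoofed sources on the external link only.
    for net in $BOGONS; do
        $IPTABLES -A INPUT -i "$EXT_IF" -s "$net" -j DROP
    done

    # 4. The only new inbound connections this workstation offers: BitTorrent.
    for p in $BT_PORTS; do
        $IPTABLES -A INPUT -i "$EXT_IF" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
        $IPTABLES -A INPUT -i "$EXT_IF" -p udp --dport "$p" -j ACCEPT
    done

    # 5. Machines on the LAN keep full access; remove this line if there is no LAN.
    $IPTABLES -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # 6. Log (rate-limited) what is about to hit the DROP policy, so syslog
    #    shows the firewall is actually running. Unsolicited pings land here too.
    $IPTABLES -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FW-INPUT-DROP: " --log-level 4
}

case "${1:-}" in
    apply) build_firewall ;;
    *)     echo "usage: [IPTABLES=echo] sh $0 apply" >&2 ;;
esac
```

Running it with IPTABLES=echo prints the rules in the order they would be loaded, which is the quickest way to check the ordering gotcha before touching a live box: the `-i lo` and state ACCEPTs must appear above every DROP, and the private-range drops must carry `-i ppp0`. After loading for real, `iptables -L -v -n --line-numbers` shows the interface column that the plain `iptables -L` listing in the thread hides, and dropped packets show up in syslog with the FW-INPUT-DROP prefix.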