LinuxQuestions.org


cpv204 12-13-2003 12:17 PM

which iptables to modify? I have 3.
 
I'm just learning about security and did a port scan at grc.com. I got a "Stealth" status except for one thing, my machine will reply to pings. They say most firewalls can be configured to ignore pings.

I think this needs to be done by modifying my iptables script. The thing is, I have three of them on my Fedora distribution:

/var/lock/subsys/iptables
/etc/sysconfig/iptables
/etc/rc.d/init.d/iptables

None of them are symlinks to another.

So, which iptables script should I modify and, for bonus points, does anyone know how to set my machine to ignore pings?

Thanks.

david_ross 12-13-2003 12:25 PM

Just run:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

cpv204 12-13-2003 12:37 PM

Thanks, that certainly did the trick!

For Fedora users (possibly Red Hat users) what is the "proper" place to stick these two lines so they automatically run at startup?

david_ross 12-13-2003 01:06 PM

You can put the commands at the end of rc.local or configure the directives in /etc/sysctl.conf
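Added example, not part of the thread: a small POSIX sh check that reports whether the two sysctls the replies above set are both active at runtime and persisted in sysctl.conf, so a setting applied only with echo is not silently lost at reboot. The /proc and sysctl.conf paths are parameters, and the sample files it runs against are constructed here.

```shell
#!/bin/sh
# Compare the running ICMP echo sysctls with what sysctl.conf will apply at
# boot. PROCROOT is normally /proc/sys and CONF /etc/sysctl.conf; the sample
# below builds constructed copies so the check runs without root or a reboot.

# sysctl_persisted CONF KEY -> value assigned to KEY in CONF, or empty.
# Comments are stripped, "key = value" spacing is tolerated, and the last
# assignment wins (sysctl(8) applies entries in file order).
sysctl_persisted() {
    conf=$1; key=$2
    sed -e 's/[#;].*$//' "$conf" 2>/dev/null \
      | awk -v k="$key" -F= '{
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $1);
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", $2);
            if ($1 == k) v = $2
        } END { print v }'
}

# check_icmp_ignore PROCROOT CONF -> one report line per setting; returns 0
# only if each sysctl is 1 at runtime AND persisted as 1 in CONF.
check_icmp_ignore() {
    procroot=$1; conf=$2; rc=0
    for name in icmp_echo_ignore_all icmp_echo_ignore_broadcasts; do
        runtime=$(cat "$procroot/net/ipv4/$name" 2>/dev/null || echo missing)
        persisted=$(sysctl_persisted "$conf" "net.ipv4.$name")
        [ -n "$persisted" ] || persisted=unset
        echo "$name: runtime=$runtime persisted=$persisted"
        [ "$runtime" = 1 ] && [ "$persisted" = 1 ] || rc=1
    done
    return $rc
}

# Constructed sample: runtime shows both set to 1 (as right after the echo
# commands), but sysctl.conf only persists the broadcast setting, so
# icmp_echo_ignore_all would revert to its default 0 at the next boot.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/proc/net/ipv4"
    echo 1 > "$dir/proc/net/ipv4/icmp_echo_ignore_all"
    echo 1 > "$dir/proc/net/ipv4/icmp_echo_ignore_broadcasts"
    cat > "$dir/sysctl.conf" <<'EOF'
# Kernel sysctl configuration (constructed sample)
net.ipv4.ip_forward = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1   # drop echo requests to broadcast
EOF
    echo "$dir"
}

# Run against the real system with: sh thisfile.sh --live
[ "${1:-}" = "--live" ] && check_icmp_ignore /proc/sys /etc/sysctl.conf
```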

/bin/bash 12-14-2003 03:48 AM

Actually, responding to a ping is a requirement of RFC 1122, so not many distros will supply you with a non-compliant firewall. But they will give you the option to not comply, if you so choose. Don't let the port scanners scare you: replying to a ping does not make your computer any more vulnerable to an attack than not replying.

There is a good discussion on the subject here.

cpv204 12-14-2003 06:40 AM

Very interesting, /bin/bash. Nice to hear the straight dope from someone who knows. I know next to nothing about security and want to open up port 80 to run a web server for the first time, so I'm trying to learn all I can before doing so. Thanks!

david_ross 12-14-2003 09:35 AM

Although it doesn't help security much, it does deter some viruses. Viruses like the MS Blaster virus used pings to find out which machines were responding, then flooded them with more traffic. Although Linux will be immune to Microsoft viruses, it will still push extra traffic in your direction.

/bin/bash 12-14-2003 12:44 PM

Quote:
    Nice to hear the straight dope from someone who knows.

I hope you are referring to the author of the article I linked to. :D

I had never heard that side of the argument before and I thought it was logical. I have since become less concerned about getting all green blocks on www.grc.com. :)

And I think the attacks david_ross is referring to are usually aimed at bigger fish than me, e.g. Microsoft.com or, better yet, SCO.com :D
