LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
12-22-2009, 02:31 AM   #1
lupusarcanus
Firewall up & working; need input & advice on configuration.


Hello LQ.

I am running Ubuntu Karmic Koala 9.10 on my laptop, connecting to the internet via wireless (wlan0). I have a cable internet connection that runs a wire into a modem, and then a wire from the modem to the router. I can confirm I connect to the internet using DHCP. My router's encryption is WPA2 TKIP+AES. I use the Firestarter GUI tool in Ubuntu's repositories to configure the firewall. I did not use the CLI iptables for any configuration: I'm a rookie.

I whitelisted all the IP addresses my router uses as reported by Network Manager -> Connection Information in Ubuntu. I whitelisted the services HTTP, HTTPS, POP3, SMTP and BitTorrent.

Here is my firewall configuration (x.x.x.x is DHCP IP Address; ISP is internet service provider):
Code:
user@linux:~$ sudo iptables --list
[sudo] password for user: 
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  cdns1.ISP.net        anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN 
ACCEPT     udp  --  cdns1.ISP.net        anywhere            
ACCEPT     tcp  --  cdns6.ISP.net        anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN 
ACCEPT     udp  --  cdns6.ISP.net        anywhere            
ACCEPT     tcp  --  cdns2.ISP.net        anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN 
ACCEPT     udp  --  cdns2.ISP.net        anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply limit: avg 1/sec burst 5 
LSI        udp  --  anywhere             anywhere            udp dpt:33434 
LSI        icmp --  anywhere             anywhere            
DROP       all  --  anywhere             255.255.255.255     
DROP       all  --  anywhere             192.168.1.255       
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere            
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8 
DROP       all  --  255.255.255.255      anywhere            
DROP       all  --  anywhere             0.0.0.0             
DROP       all  --  anywhere             anywhere            state INVALID 
LSI        all  -f  anywhere             anywhere            limit: avg 10/min burst 5 
INBOUND    all  --  anywhere             anywhere            
LOG_FILTER  all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            LOG level info prefix `Unknown Input' 

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-reply limit: avg 1/sec burst 5 
LSI        udp  --  anywhere             anywhere            udp dpt:33434 
LSI        icmp --  anywhere             anywhere            
LOG_FILTER  all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            LOG level info prefix `Unknown Forward' 

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  X.X.X.X           cdns1.ISP.net       tcp dpt:domain 
ACCEPT     udp  --  X.X.X.X           cdns1.ISP.net       udp dpt:domain 
ACCEPT     tcp  --  X.X.X.X           cdns6.ISP.net       tcp dpt:domain 
ACCEPT     udp  --  X.X.X.X           cdns6.ISP.net       udp dpt:domain 
ACCEPT     tcp  --  X.X.X.X           cdns2.ISP.net       tcp dpt:domain 
ACCEPT     udp  --  X.X.X.X           cdns2.ISP.net       udp dpt:domain 
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  BASE-ADDRESS.MCAST.NET/8  anywhere            
DROP       all  --  anywhere             BASE-ADDRESS.MCAST.NET/8 
DROP       all  --  255.255.255.255      anywhere            
DROP       all  --  anywhere             0.0.0.0             
DROP       all  --  anywhere             anywhere            state INVALID 
OUTBOUND   all  --  anywhere             anywhere            
LOG_FILTER  all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            LOG level info prefix `Unknown Output' 

Chain INBOUND (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  X.X.X.X              anywhere            
ACCEPT     all  --  192.168.1.255        anywhere            
ACCEPT     all  --  255.255.255.0        anywhere            
ACCEPT     all  --  192.168.1.1          anywhere            
ACCEPT     all  --  cdns1.ISP.net        anywhere            
ACCEPT     all  --  cdns6.ISP.net        anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:6881:6889 
ACCEPT     udp  --  anywhere             anywhere            udp dpts:6881:6889 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:www 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:pop3 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:25 
LSI        all  --  anywhere             anywhere            

Chain LOG_FILTER (5 references)
target     prot opt source               destination         

Chain LSI (6 references)
target     prot opt source               destination         
LOG_FILTER  all  --  anywhere             anywhere            
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound ' 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
LOG        tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound ' 
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST 
LOG        icmp --  anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound ' 
DROP       icmp --  anywhere             anywhere            icmp echo-request 
LOG        all  --  anywhere             anywhere            limit: avg 5/sec burst 5 LOG level info prefix `Inbound ' 
DROP       all  --  anywhere             anywhere            

Chain LSO (1 references)
target     prot opt source               destination         
LOG_FILTER  all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere            limit: avg 5/sec burst 5 LOG level info prefix `Outbound ' 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain OUTBOUND (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             X.X.X.X.      
ACCEPT     all  --  anywhere             192.168.1.255       
ACCEPT     all  --  anywhere             255.255.255.0       
ACCEPT     all  --  anywhere             192.168.1.1         
ACCEPT     all  --  anywhere             cdns1.ISP.net       
ACCEPT     all  --  anywhere             cdns6.ISP.net       
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:6881:6889 
ACCEPT     udp  --  anywhere             anywhere            udp dpts:6881:6889 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:www 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:https 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:pop3 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp 
ACCEPT     udp  --  anywhere             anywhere            udp dpt:25 
LSO        all  --  anywhere             anywhere

Here is a slow comprehensive scan of the localhost in nmap:
Code:
Starting Nmap 5.00 ( http://nmap.org ) at 2009-12-22 02:23 CST
NSE: Loaded 59 scripts for scanning.
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Initiating SYN Stealth Scan at 02:23
Scanning localhost (127.0.0.1) [1000 ports]
Completed SYN Stealth Scan at 02:23, 0.14s elapsed (1000 total ports)
Initiating UDP Scan at 02:23
Scanning localhost (127.0.0.1) [1000 ports]
Completed UDP Scan at 02:23, 1.27s elapsed (1000 total ports)
Initiating Service scan at 02:23
Scanning 2 services on localhost (127.0.0.1)
Service scan Timing: About 50.00% done; ETC: 02:25 (0:00:55 remaining)
Completed Service scan at 02:24, 55.06s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against localhost (127.0.0.1)
Retrying OS detection (try #2) against localhost (127.0.0.1)
NSE: Script scanning 127.0.0.1.
NSE: Script Scanning completed.
Host localhost (127.0.0.1) is up (0.00014s latency).
Interesting ports on localhost (127.0.0.1):
Not shown: 1998 closed ports
PORT     STATE         SERVICE  VERSION
68/udp   open|filtered dhcpc
5353/udp open|filtered zeroconf
Too many fingerprints match this host to give specific OS details
Network Distance: 0 hops

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.19 seconds
           Raw packets sent: 2014 (73.724KB) | Rcvd: 3020 (142.504KB)

Please give any advice, recommendations, or otherwise. I'm a newbie at this sort of stuff, so help me out on what's needed, if anything is needed.

Last edited by lupusarcanus; 12-22-2009 at 02:38 AM. Reason: Grammar
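As an added example (not code from the original post, and not part of Firestarter), here is a small Python audit script that parses the text format of `iptables --list` and of nmap's port table exactly as they are posted above, and cross-checks them. It reports three things a reviewer of this ruleset would want to see: which ports the INBOUND chain accepts from any source (INBOUND is evaluated for new connections arriving on the interface, so the services added on Firestarter's inbound policy tab open listening ports to the network; the laptop's own client connections are governed by the OUTBOUND chain instead), which ACCEPT rules show no criteria at all (plain `iptables -L` omits the interface column, so the bare `ACCEPT all anywhere anywhere` in INPUT and OUTPUT is normally Firestarter's loopback accept; confirm with `iptables -L -v -n`, because a rule that truly had no criteria would shadow everything after it), and which of the ports nmap found listening are actually reachable through a world-open rule. The two sample texts embedded in the script are constructed, trimmed copies of the listings above; the SERVICE_PORTS table is an assumption that maps only the /etc/services names appearing there.

```python
"""Audit a Firestarter-style `iptables --list` dump against an nmap port table.
Added example, not code from the original post or from Firestarter.  SERVICE_PORTS is
an assumption: it maps only the /etc/services names that appear in the posted listing."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

SERVICE_PORTS = {"www": 80, "https": 443, "pop3": 110, "smtp": 25, "domain": 53}

# Constructed sample: a trimmed copy of the INPUT and INBOUND chains posted above.
SAMPLE_IPTABLES = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  cdns1.ISP.net        anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere             anywhere
INBOUND    all  --  anywhere             anywhere

Chain INBOUND (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.1          anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:6881:6889
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:25
LSI        all  --  anywhere             anywhere
"""
# Constructed sample: the port table from the nmap run posted above.
SAMPLE_NMAP = """\
PORT     STATE         SERVICE  VERSION
68/udp   open|filtered dhcpc
5353/udp open|filtered zeroconf
"""

# extra = match text after the destination column, "" when iptables -L shows none
Rule = NamedTuple("Rule", [("target", str), ("prot", str), ("opt", str),
                           ("src", str), ("dst", str), ("extra", str)])


def parse_iptables(text: str) -> Dict[str, List[Rule]]:
    """Parse `iptables -L` text into {chain: [Rule, ...]} in rule order."""
    chains: Dict[str, List[Rule]] = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \(", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        parts = line.split(None, 5)
        if current is None or len(parts) < 5 or parts[0] == "target":
            continue  # blank line, column header, or text before the first chain
        chains[current].append(Rule(*parts[:5], parts[5] if len(parts) == 6 else ""))
    return chains


def _port(name: str) -> int:
    return int(name) if name.isdigit() else SERVICE_PORTS[name]


def port_range(extra: str) -> Optional[Tuple[int, int]]:
    """(low, high) for a `dpt:`/`dpts:` match in the rule's match text, else None."""
    m = re.search(r"\bdpts?:(\S+)", extra)
    if not m:
        return None
    lo, _, hi = m.group(1).partition(":")
    return _port(lo), _port(hi or lo)


def world_open_ports(chains: Dict[str, List[Rule]],
                     chain: str = "INBOUND") -> List[Tuple[str, int, int]]:
    """(proto, low, high) for ACCEPT rules in `chain` that admit a new connection
    from any source to a destination port (state RELATED,ESTABLISHED rules skipped)."""
    found = []
    for r in chains.get(chain, []):
        if r.target == "ACCEPT" and r.src == "anywhere" and "state " not in r.extra:
            rng = port_range(r.extra)
            if rng:
                found.append((r.prot, rng[0], rng[1]))
    return found


def unqualified_accepts(chains: Dict[str, List[Rule]]) -> List[Tuple[str, int]]:
    """(chain, 1-based rule number) of ACCEPT rules with no visible criteria.
    Plain `iptables -L` hides the interface column, so such a rule is usually
    Firestarter's `-i lo` accept; verify with `iptables -L -v -n`."""
    return [(name, i + 1) for name, rules in chains.items()
            for i, r in enumerate(rules)
            if r.target == "ACCEPT" and r.prot == "all"
            and r.src == r.dst == "anywhere" and not r.extra]


NMAP_PORT = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)", re.M)


def parse_nmap_ports(text: str) -> Dict[Tuple[str, int], str]:
    """{(proto, port): state} from the port table of nmap's normal output."""
    return {(proto, int(num)): state for num, proto, state in NMAP_PORT.findall(text)}


def exposed_listeners(open_rules, listeners) -> List[Tuple[str, int]]:
    """Listening ports that at least one world-open rule would also let in."""
    return sorted((proto, port) for proto, port in listeners
                  if any(proto == rp and lo <= port <= hi for rp, lo, hi in open_rules))


if __name__ == "__main__":
    chains = parse_iptables(SAMPLE_IPTABLES)
    open_rules = world_open_ports(chains)
    print("INBOUND accepts from any source:", open_rules)
    print("ACCEPT rules with no visible criteria:", unqualified_accepts(chains))
    print("listening and world-open:", exposed_listeners(open_rules, parse_nmap_ports(SAMPLE_NMAP)))
```

Against the posted data the last check comes back empty: nothing is listening on 25, 80, 110, 443 or 6881-6889 today, so the inbound service rules are dormant rather than dangerous, but they will expose any such daemon the moment one is installed. Note also that the nmap run above targets 127.0.0.1, so its packets arrive on the loopback interface and are accepted before the INBOUND chain is ever consulted (the 1998 "closed" rather than "filtered" ports show they were answered with RSTs, not dropped); that scan enumerates listening sockets but says nothing about what the firewall blocks on wlan0. To exercise the rules, scan the laptop's wlan0 address from another machine on the LAN.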
 
12-22-2009, 05:45 AM   #2
lupusarcanus (Original Poster)
When I disabled ICMP packet filtering and ran a comprehensive scan, I have my security where it needs to be.
Tags
firestarter, firewall, gui, iptables, nmap, ports