Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
You could use the ! (not) in your rules. So get rid of the following two lines:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -s 192.168.100.158 -m tcp -p tcp --dport 22 -j ACCEPT
And replace them with
iptables -A INPUT -s !192.168.100.158 -p tcp --dport 22 -j DROP
Essentially, any IP address that is NOT 192.168.100.158 isn't allowed to connect to port 22.
By the way, your original set of rules probably didn't work because they were in the wrong order. The packet hit the rule to drop all new traffic heading for port 22 and was dropped. It never saw the rule to accept from your IP address. Remember, iptables executes the rules in order and stops once it has a rule that matches the packet.
You know Krister, that really isn't much of a firewall. If I'm reading it correctly, the ONLY things that don't get through are packets heading to port 22 and anything matching the --icmp-host-prohibited rule. It is a much better idea to DROP everything and then open only the ports you need.
Well, the biggest weakness in your original firewall is that the defaults are set to ACCEPT. Set them to DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Now that everything is locked down, start allowing the stuff you want. For starters, allow loopback
iptables -A INPUT -i lo -j ACCEPT
Then allow specific ports to be open
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Decorate these rules with any limitations you need, such as -s flags
Also allow ESTABLISHED and RELATED packets
iptables -A INPUT -m state --state ESTABLISHED,RELATED - j ACCEPT
Then on your ouptut chain, you can allow NEW as well as ESTABLISHED and RELATED
iptables -A OUTPUT -m state --state NEW,ESTABLISHED, RELATED - j ACCEPT
You are going to want to all some logging rules so you can see what things are being dropped.
Please note that this is a very simple firewall. You certainly need to do a more reading in the security forum and get a good understanding of what else may be useful to have. You are also going to want to install an IDS like Snort and a file monitor like Aide or Tripwire.
Hangdog - I'm an extreme novice when it comes to security but I'm trying to read up on it and I definitely appreciate your clear descriptive comments on this topic. I know I have a long way to go and a lot of reading still to do, but posts such as yours definitely are a huge assist. Thanks -- J.W.
Thanks for the compliment J.W. Of course, people like unSpawn, chort and Capt. Caveman have forgotten more about security than I'll ever know so don't take my musings as anything more than another newbie trying to learn......
Thanks for your help I will try it as soon as possible. As I said in the beginnig I am a beginner with IPtables, I have better understand now than before. But I have no know idea what IDS, Snort, Aide or Tripwire is. Do you know where I could get some information so I don't fly in the dark.
One of the best starting points is unSpawn's sticky thread at the top of the forum. The amount of information he's collected there is amazing.
But just to define a few terms for you
Snort is an Intrusion Detection System (IDS). Basically it monitors your network interface for traffic that looks like an attack. It won't stop the attack, but it can warn you and (hopefully) preserve a record of what happened in case a hacker got through.
Both Aide and Tripwire are programs that monitor file integrity. If I understand them correctly, they take a "snapshot" of the files on your disk and then can use that snapshot at later times to see if any of the files have been altered. Again, if the worst happens, these programs could tell you what files were changed.