Linux - Security (LinuxQuestions.org)
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I want to be able to browse the Internet (HTTP?, HTTPS?)
Check my Mail using Thunderbird (POP3 SSL, SMTP)
Download Files using qBittorrent (ports x-x)
And let Ubuntu connect to the Internet for Updates.
I don't need anything else.
How do I configure Firestarter to do this?
Currently I have HTTP, HTTPS, POP3 SSL, SMTP and Bittorrent ports in the exception list for outbound and inbound connections whitelisted (allowed, only). Because of annoying alerts for blocked connections of my own IP address I whitelisted that (x.x.x.x). But it hasn't done anything. How do I configure Firestarter properly to protect my computer and let me do those things?
I'm a newbie at iptables so please use plain English so I can understand. I'm really confused. Thanks much, LQ. Most appreciated.
Quote:
I'm a newbie at iptables so please use plain English so I can understand.
I'm sorry to give in to this, but please describe your problem adequately so that the rest of us have a chance of helping.
The information that you give with all of the addresses obfuscated is basically non-information after you have obscured all of the IP information (it makes sense to obscure the external IP given to you by your ISP, but I can't see why the rest would be at issue provided that you use an address range that isn't routable on the internet - eg, 192.168.x.y or 10.x.y.z). Oh, and use code tags with anything like that, for readability.
I want to know what kind of connection this is (wired ethernet, wireless, USB, other) to what kind of device (does it have ethernet ports, is it a modem/router, is it a USB thumb device, does it have an internal firewall), how it is configured (is it using DHCP, for example), what kind of internet connection this is (ADSL, wireless, ISDN, fibre, dial-up), and what distribution you are using.
Whether you want to use plain English, fancy English, Esperanto, Klingon or binary is up to you, but one selection from the above will make the helpful kind of help more likely than others.
You could post your iptables rule set (use iptables-save to get it into a text file) and that might help.
General Information:
I am using a Wireless Connection (wlan0). I also use an Ethernet connection as well (eth0). My Internet connection is cable, which goes through some type of "modem", and then from there: a Linksys G router. I am Using Ubuntu Karmic Koala 9.10.
I was too naive in my thinking this problem was trivial; I appreciate your reply.
Here is the information Ubuntu Network Manager reports (less obscured and in code tags):
I want to be as secure as possible; All I want to be able to do is:
Browse the Internet and download stuff (like programs) in Firefox.
Send/receive mail using Mozilla Thunderbird + Lightning.
Use qBittorrent and Transmission Bittorrent clients to download torrents off the Internet.
Allow Ubuntu to get and download updates.
And, use all of the repositories.
Here's my current firewall configuration, to make it easier:
I have the Firestarter firewall configuration front-end/program, that I downloaded using Ubuntu's repositories.
I configured it to allow inbound/outbound access to: HTTP, HTTPS, POP3, SMTP and qBittorrent.
Allowed my IP Address x.x.x.x inbound/outbound access.
Enabled ICMP filtering with nothing allowed.
I have enabled DHCP. See note in parentheses: (I don't know if I have DHCP or not, because Ubuntu doesn't say anything about it, but in Microsoft Windows, when I go to my connection info it says "IP Address: assigned by DHCP", which is why I enabled it.)
Preferred method of rejecting packets: Drop Silently.
And lastly, Blocked traffic broadcasts from external network.
As for iptables-save, it completed but I didn't know where it saved and I couldn't define my own path where to save it so I gave up. Instead I typed iptables --help and found the iptables --list command, so here it is (x.x.x.x is my IP address, ISP is my internet service provider):
Sorry about the vague first post, I hope this one is better.
And to repeat my general problem with that configuration:
Firestarter keeps blocking connections from my IP Address, before I allowed it as an exception. Now I can't connect to the Internet with my firewall ON at all! [I'm not sure why]
So my main question is:
What is the best firewall configuration to allow me to do the things listed above, with maximum security?
Last edited by lupusarcanus; 12-20-2009 at 09:49 PM.
Nothing really bad; it's just not a good idea to tell people 'this is how you will respond' and then not do a good job of providing the info they will need. Anyway, your subsequent post was a model of good information providing.
Quote:
As for iptables-save, it completed but I didn't know where it saved and I couldn't define my own path where to save it so I gave up. Instead I typed iptables --help and found iptables --list
That's fine:
My suspicion is immediately drawn to the lines like:
What exactly were you hoping to achieve by the flag combination specifically?
Quote:
Sorry about the vague first post, I hope this one is better.
Much.
Quote:
So my main question is:
Whats is the best firewall configuration to allow me to do the things listed above, with maximum security?
Sorry that the rest of this answer isn't about your firewall rules, but:
I think that you are overcomplicating this and concentrating on the wrong risk: assuming everything is ethernet or ethernet-like (eg, wireless, but not a USB dongle) you will get all your traffic from your modem or modem/router and all the traffic will be packets that come from that device, but have the information encapsulated in them that says they are originally from somewhere else.
So, assuming that you have some level of control at your modem/router or modem, firstly take whatever control you can there. Usually there is some kind of simple firewall or access control system there and you should use it. At that point, with wired ethernet, if everything that you get comes from your modem/router that should cover the absolute basics.
For wireless, there is an additional risk. Someone local to you can send you packets (this might also apply to wired, if you don't have physical control of the location, but I assume that you do have that control, but if you turn out to be an enterprise that would be a bad assumption) and those packets could be crafted to do you harm.
So, you would like to ensure that you only get packets to your box from your m/r. Filtering to ensure that should be easy to get your head around. And you want to ensure that you have a good level of encryption on traffic between your box and the m/r (and WEP, rather than WPA, isn't that... I know that you haven't commented on that but you could get that wrong).
Also, ensure that your box only has the services that you really want to use listening: netstat -l will probably show up processes with which you are unfamiliar, but a combination of netstat -lt and netstat -lu should all be clear to you. Packets sent to ports for which there is no listening process should just be ignored; it does no harm to explicitly drop them in the firewall, but the big danger is that there is some process that you haven't thought about which will react to unwanted packets and that reaction might be 'bad'.
If you have services running that you know that you don't need, stop them. If you have services that you don't understand, start by understanding them.
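As an added example (not code posted by anyone in this thread), the POSIX shell script below shows where netstat -lt gets its answer from: the kernel's own socket table in /proc/net/tcp, where the local address is stored as little-endian hex and a state of 0A means LISTEN (for /proc/net/udp the same layout applies and 07 marks a bound, unconnected UDP socket). It runs against a constructed sample embedded in the script (the addresses, ports and inodes are made up, not captured from a real host) and, if /proc/net/tcp exists, against the live machine, so the two lists can be compared with what netstat -lt or ss -ltn report.

```shell
#!/bin/sh
# Added example: reconstruct "netstat -lt" from /proc/net/tcp.
# Columns of interest per line: $2 = local_address "ADDR:PORT" in hex, $4 = state.
# IPv4 addresses in /proc/net/tcp are stored least-significant byte first.

# decode_addr HEXADDR:HEXPORT  ->  a.b.c.d:port
# e.g. 0100007F:0277 -> 127.0.0.1:631
decode_addr() {
    hex=${1%%:*}
    port=${1##*:}
    b1=${hex%??????}            # chars 1-2 (lowest byte, last octet)
    rest=${hex#??}
    b2=${rest%????}             # chars 3-4
    rest=${rest#??}
    b3=${rest%??}               # chars 5-6
    b4=${rest#??}               # chars 7-8 (highest byte, first octet)
    printf '%d.%d.%d.%d:%d\n' "$((0x$b4))" "$((0x$b3))" "$((0x$b2))" "$((0x$b1))" "$((0x$port))"
}

# listening_sockets FILE [STATE]: print ip:port of every socket in STATE.
# FILE may be "-" for stdin. STATE defaults to 0A (TCP LISTEN); pass 07 for
# bound UDP sockets in /proc/net/udp, or 01 to see ESTABLISHED TCP connections.
listening_sockets() {
    file=$1
    state=${2:-0A}
    awk -v st="$state" 'NR > 1 && $4 == st { print $2 }' "$file" |
    while IFS= read -r la; do
        decode_addr "$la"
    done
}

# Constructed sample in /proc/net/tcp format (assumption, not from a real host):
# an sshd listening on 0.0.0.0:22, cups on 127.0.0.1:631, and one ESTABLISHED
# outbound connection 10.0.0.15:49586 -> 93.184.216.34:443 that is not a listener.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0F00000A:C1B2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
EOF
}

echo "Listening TCP sockets in the constructed sample:"
sample_proc_net_tcp | listening_sockets -

# On a real Ubuntu box this is the list to reconcile with "netstat -lt" (or "ss -ltn");
# every entry should be a service you can name, or one to stop.
if [ -r /proc/net/tcp ]; then
    echo "Listening TCP sockets on this host:"
    listening_sockets /proc/net/tcp
fi
```

The sample deliberately includes an established connection so the state filter is exercised: a port only appears in the listening list when the socket state is LISTEN, which is the same distinction netstat -l makes.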
Quote:
What exactly were you hoping to achieve by the flag combination specifically?
I have no idea, the firewall configuration is done by Firestarter. A GUI tool.
Quote:
So, assuming that you have some level of control at your modem/router or modem, firstly take whatever control you can there. Usually there is some kind of simple firewall or access control system there and you should use it. At that point, with wired ethernet, if everything that you get comes from your modem/router that should cover the absolute basics.
I have implemented the best firewall I can there. For my router, there is only four check boxes under the firewall tab that I can implement. Currently, I implement all of them.
Quote:
For wireless, there is an additional risk. Someone local to you can send you packets (this might also apply to wired, if you don't have physical control of the location, but I assume that you do have that control, but if you turn out to be an enterprise that would be a bad assumption) and those packets could be crafted to do you harm.
So, you would like to ensure that you only get packets to your box from your m/r. Filtering to ensure that should be easy to get you head around. And you want to ensure that you have a good level of encryption on traffic between your box and the m/r (and WEP, rather than WPA, isn't that...I know that you haven't commented on that but you could get that wrong).
I have tried my hardest to ensure maximum wireless protection on my router, since it is usually how I connect to the internet. I use WPA2 TKIP+AES and a very complicated password, and MAC filtering. My router itself uses HTTPS and a strong login password to access, so I have paid much attention to this area.
Quote:
Also, ensure that your box only has the services that you really want to use listening: netstat -l will probably show up processes with which you are unfamiliar, but a combination of netstat -lt and netstat -lu should all be clear to you. Packets sent to ports for which there is no listening process should just be ignored; it does no harm to explicitly drop them in the firewall, but the big danger is that there is some process that you haven't thought about which will react to unwanted packets and that reactions might be 'bad'.
This is something I will be looking into more. I use my box solely for internet browsing, and downloading programs and stuff via Bittorrent, repositories, and Firefox.
I'm just very unsure in this area of what to do.
Quote:
If you have services running that you know that you don't need, stop them. If you have services that you don't understand, start by understanding them.
Finding & Defining what services I don't need is the tough part for me.
Also I have confirmed I connect to the internet using DHCP.
Although you have been a tremendous help salasi, the original question/topic remains as unsolved. I still can't figure out how to configure the firewall correctly.
Quote:
Although you have been a tremendous help salasi, the original question/topic remains as unsolved. I still can't figure out how to configure the firewall correctly.... I have no idea, the firewall configuration is done by Firestarter. A GUI tool.
One of the disadvantages of a GUI tool; you don't necessarily know the detail of what it is trying to do for you as a result of the instructions that you give it.
You should, however, be able to get it to something simple, which is just get it to accept all of the packets that come from your router's IP address, without any of this messing around with what state the connection is in. You may subsequently want to elaborate things by doing something different with 'new' (packets/connections) than 'established' or 'related' ones, but it isn't necessarily needed, and certainly not trying to do any 'showboating', if I can call it that, is going to be the way to start - start simple and build up.
Quote:
I have implemented the best firewall I can there. For my router, there is only four check boxes under the firewall tab that I can implement. Currently, I implement all of them.
Good, because once packets start coming from that, it gets more difficult to do clever things with them. And once you've done that, you've done most of what can be done.
Quote:
I use WPA2 TKIP+AES and a very complicated password, and MAC filtering.
That (wpa2, plus strong password) covers most things.
Quote:
This is something I will be looking into more. I use my box solely for internet browsing, and downloading programs and stuff via Bittorrent, repositories, and Firefox.
I'm just very unsure in this area of what to do.
Any internet browsing is likely to use:
port 80 (HTTP)
port 8080 (HTTP)
port 3128 (HTTP, if using an external cache)
port 443 (HTTPS)
so just opening those ports up should allow browsing (nearly). Depending on what you are doing with DNS, you'll probably have to open up port 53 (use dig to check whether DNS is working, as DNS is a pre-requisite for browsing by human-readable name, rather than by IP address and port).
You can find what port numbers are associated with a particular service from /etc/services
(eg 'grep -i domain /etc/services', to search on the word domain, which (rather than DNS, apparently) is likely to be in any reference to DNS services)
Quote:
Finding & Defining what services I don't need is the tough part for me.
Also I have confirmed I connect to the internet using DHCP.
That's DHCP between your ISP and your modem (that is my interpretation; tell me if I have misunderstood), used for giving an ip to the internet side of the modem, and so is no concern for what goes on on your side of the modem. (You could also be using DHCP to hand out ip addresses on your side of the m/r, probably in the 192.168.x.y range, and that would be a different matter.)
Quote:
Although you have been a tremendous help salasi, the original question/topic remains as unsolved. I still can't figure out how to configure the firewall correctly.
I have the problem that I don't use that GUI (or any GUI) for firewall configuration, so I can't give you direct instructions on the use of the GUI tool.
Alas, I must admit that when it comes to iptables and firewalls, I'm not much use on the old CLI. Firestarter seems to be the most comprehensive in terms of options.
Anyway, which IP addresses should I allow? I'm guessing the IP address that is assigned by DHCP, but is there another one I should allow?
I do appreciate your help salasi, I honestly do. Sorry if I sound too critical or rude.
Quote:
Anyway, which IP addresses should I allow? I'm guessing the IP address that is assigned by DHCP, but is there another one I should allow?
I go back to:
Quote:
That's DHCP between your ISP and your modem (that is my interpretation; tell me if I have misunderstood), used for giving an ip to the internet side of the modem, and so is no concern for what goes on on your side of the modem. (You could also be using DHCP to hand out ip addresses on your side of the m/r, probably in the 192.168.x.y range, and that would be a different matter.)
Interfaces have IP addresses. The external interface of your modem has an IP address assigned by dhcp (which is one of the options, but it doesn't really matter which one your ISP uses; they need to know the IP of your modem and deal with this by assigning it from their pool of IPs; the point is that however they have done it, they have done it and it is of little more concern to you unless and until you want to access your system from the outside world).
The internal interface has an IP. This is of concern to you, as this is the interface from which packets come. It is probably a 192.168.x.y and it is probably set up in a screen in the web interface of the modem/router box. You need to allow packets from that IP address, otherwise you will have nothing, as all the internet stuff comes from there.
Quote:
The internal interface has an IP. This is of concern to you, as this is the interface from which packets come. It is probably a 192.168.x.y and it is probably set up in a screen in the web interface of the modem/router box. You need to allow packets from that IP address, otherwise you will have nothing, as all the internet stuff comes from there.
Why would any packets coming from the Internet side have the gateway's IP address on them when they reach leopard's box on the LAN? There is no need to specify the gateway address in any iptables rules meant to deal with Internet packets on LAN boxes. FWIW, this is what the INPUT chain on my PC looks like right now:
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
28793 22M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `INPUT DROP: '
As you can see, it's just three iptables rules. The first one allows packets in states RELATED and ESTABLISHED; the second one allows all traffic on the loopback interface; and the last one just logs all other packets right before they are filtered.
Last edited by win32sux; 12-23-2009 at 02:26 PM.
Reason: There was a glitch in the matrix.
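Added example, not win32sux's or anyone else's posted code: a shell function that writes the ruleset shown above in iptables-save format, which is the form iptables-restore loads, so it can be reviewed as text before it touches the kernel. Two additions beyond the three rules in the post are assumptions for illustration: optional ACCEPT rules for inbound TCP ports a BitTorrent client has been told to listen on (6881 in the usage line is just an assumed port; use whatever qBittorrent is configured for), and a rate limit on the LOG rule so a port scan cannot flood the log. Nothing in it mentions the router's LAN address, for the reason given in the post: packets from the Internet arrive with their real source IP, and the RELATED,ESTABLISHED rule already admits replies to anything this host initiated (browsing, mail, updates, outbound torrent connections).

```shell
#!/bin/sh
# Added example: emit a minimal stateful INPUT policy as an iptables-restore file.
# Usage: gen_ruleset [TCP_PORT ...]    e.g.  gen_ruleset 6881 > /etc/iptables.rules
# Load (as root):  iptables-restore < /etc/iptables.rules
# Inspect what is live: iptables-save prints to stdout, so redirect it yourself:
#   iptables-save > /root/iptables.before.rules

# valid_port N: true when N is an integer 1..65535. A bad value would either
# make iptables-restore reject the whole file or, worse, open the wrong port.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

gen_ruleset() {
    for p in "$@"; do
        valid_port "$p" || { echo "gen_ruleset: bad port '$p'" >&2; return 1; }
    done
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -i lo -j ACCEPT'
    for p in "$@"; do
        # Incoming peers for a BitTorrent client listening on TCP port $p (assumed need).
        # Only NEW connections need a rule; the rest of the flow matches ESTABLISHED.
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW --dport $p -j ACCEPT"
    done
    # Log what the DROP policy is about to discard, at most 5 lines a minute,
    # so a scan against the box shows up in the log without filling the disk.
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: " --log-level 4' \
        'COMMIT'
}

# Demonstration: print the ruleset for a client accepting peers on 6881 (assumed port).
gen_ruleset 6881
```

Keep the generated file somewhere it can be reloaded at boot (Ubuntu at the time had no default persistence for iptables; a pre-up line in /etc/network/interfaces running iptables-restore is the usual answer), and before applying it on a box you reach over SSH, note that the policy above would keep an already-open SSH session (ESTABLISHED) but would not accept a new one unless port 22 is added to the list.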