So basically to me this says, do not allow any icmp packets in, do not allow any udp or tcp packets on ports 0 - 1023, accept all traffic from the loopback device, and accept all related/established traffic. Also, drop any icmp output.
Why then do I still get nearly every single port open in my first 1056 on ShieldsUp!? (www.grc.com)
I've spent hours and hours trying to write a simple friggen firewall, I want to know if it works or not....leaving half of my first 1056 ports open is not working for me....
Shouldn't my policy, in theory, stealth or close ports 0 - 1023?
Oh....so what do I do about that line? I had it in there because that's what it told me to do....to put an ACCEPT policy on all traffic going to the loopback device - what should I do instead? Do I not need that line?
I don't really use a script per se, I just go in and add these lines manually into the terminal, and then save them...it goes to /etc/sysconfig/iptables which is this:
# Generated by iptables-save v1.2.9 on Mon Sep 20 16:41:59 2004
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:46]
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Sep 20 16:41:59 2004
I changed it to match the given one from the other thread
It didn't help at all.....ALL PORTS FROM 0 - 1056 ARE OPEN EXCEPT FOR 21, 23, 179, and 443.....Am I retarded or something?
Post the output of: iptables -vnL
Also how are you entering the rules?
Btw, please don't start any more threads on this topic. Keeping them all in one thread will make things much easier. Having numerous threads all discussing the same thing is redundant and going to get confusing.
That set of rules will close all ports (I actually just tried them on my test LAN and all ports come back as filtered, not open). In fact, those rules are actually too restrictive and will cause X to freeze because you're not allowing any loopback traffic. So the problem isn't with the rules...
First try using a different security scanner just to make sure this isn't something on their end or some kind of network funkiness with your ISP. Ideally if you have a second system, you can nmap it directly, but that might not be an option for you. Off the top of my head, I think sygate and firewalls.com offer free online security scans as well. Make sure that the IP address being scanned is actually yours.
In one of your other threads, you said you were using guarddog. If you're not going to use it, then remove it entirely just to be sure it isn't causing any problems. Probably a good idea to do a reboot as well. Make sure the iptables service is running and that the iptables modules are loaded (lsmod). Normally you'd get errors with either of those 2 problems, but it's worth checking.
Btw, what does the GRC report actually say? Are the ports reported as "open", "filtered" or "closed"? Having almost everything "open" from ports 0-1056 is virtually impossible. You'd need to have a server/daemon listening for connections on every single one of those ports. I'm pretty sure that FC2 doesn't even come with that many daemons on the installation disks, so I'm fairly sure this is an artifact of some sort.
I've made a discovery.....I think that the scan is scanning the IP address of my modem, and not my computer......ifconfig gives me an IP starting with 192.168 while the scans are all scanning a number that starts with 66 or 67 - comments?
I have a DW6000 Satellite modem (all the configuration software and everything is right on the modem) that connects to a wireless router and eth1 is my wireless card that I use to go online.
Normally the 192.168 address is the internal (LAN) address that the wireless router will assign to your linux box. The 66. address is the external IP that is being assigned as the external interface of the router by your ISP. When one of these scans is performed, it will be scanning the router.
Depending on the type of router you're using, some have built in packet filter capability and will block these scans. Make sure that any firewall or similar option (like "block WAN requests" on a Linksys) is selected. If your router is misconfigured or is simply forwarding traffic into the LAN that might be causing problems, though it still shouldn't be reporting ports as "open".
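Two checks that cover both points raised in this thread, the missing loopback rule in the posted ruleset and the scan hitting the router's WAN address instead of the LAN box, as an added example that is not code from the thread or from any of its posters. The FIXED_RULES string is a hypothetical corrected ruleset, and the sample addresses are constructed.

```python
import ipaddress
import re

# Constructed sample: the *filter table posted above, as iptables-save wrote it.
POSTED_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1:46]
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

# Hypothetical corrected ruleset: same DROP policy, plus the loopback ACCEPT the reply asks for.
FIXED_RULES = POSTED_RULES.replace("-A INPUT -p tcp", "-A INPUT -i lo -j ACCEPT\n-A INPUT -p tcp")


def parse_filter(text):
    """Return (chain policies, rules) from iptables-save text; each rule is its token list."""
    policies, rules = {}, []
    for line in text.splitlines():
        m = re.match(r"^:(\w+) (\w+) \[\d+:\d+\]$", line.strip())
        if m:
            policies[m.group(1)] = m.group(2)
        elif line.startswith("-A "):
            rules.append(line.split()[1:])  # drop the "-A" itself
    return policies, rules


def _option(tokens, flag):
    """Value following a flag such as -i or -j, or None if the rule lacks it."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def audit_input_chain(text):
    """The three things to confirm before trusting a DROP-policy INPUT chain."""
    policies, rules = parse_filter(text)
    inp = [r for r in rules if r[0] == "INPUT"]
    return {
        "default_drop": policies.get("INPUT") == "DROP",
        # Without this, local clients talking to local daemons (X, caching DNS) hang.
        "loopback_allowed": any(_option(r, "-i") == "lo" and _option(r, "-j") == "ACCEPT" for r in inp),
        "established_allowed": any(_option(r, "--state") == "RELATED,ESTABLISHED"
                                   and _option(r, "-j") == "ACCEPT" for r in inp),
    }


def scan_target(local_ip, scanned_ip):
    """Explain what an online scanner actually probed, given ifconfig's address."""
    local, scanned = ipaddress.ip_address(local_ip), ipaddress.ip_address(scanned_ip)
    if local == scanned:
        return "this host"
    if local.is_private and scanned.is_global:
        return "router WAN side (NAT)"  # the firewall on this box never saw the scan
    return "another host"
```

A ruleset that passes all three audit checks and a scan that reports "this host" is the combination under which the GRC result says something about these rules at all.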