Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
Then main problem likely has to do with DNS traffic or DHCP. If you are only allowing http traffic, then you are not going to be able to send or receive DNS packets and won't be able to resolve host names.
Also I would recommend against filtering based on source ports. The reason is that an attacker could easily configure his port scanner to use port 80 as the source port and would be able to scan/connect to any port on your system. IPtables has statefull filtering capability, so go ahead and use it. For all of your rules, you can replace them with:
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED
It's probably a good idea to post your entire firewall ruleset here as well because you are going to need other things as well, like allowing local traffic over the loopback interface otherwise things like X will break.
- thanks fot the tip. actually my only firewall ruleset is the one i posted. i am still trying to create configuration that would only allow web browsing, ftp, emails, and IM. and a security configuration that could prevent hackers from poking to our network.i am new to iptables and i would appreciate your help
I believe Yahoo messenger uses port 80 as well, so the OUTPUT rules allowing dport 80 should allow it. Passive FTP can be a bit more tricky due to the nature of the protocol itself. The easiest and most effective is to allow outbound traffic on the FTP control channel (dport 21), then the data channel is opened and allowed because it's related to the initial FTP connection. The problem is that it's not an easy thing for the connection tracking module to follow, so there is a specific iptables module designed for that purpose: ip_conntrack_ftp. It should already be installed, just load with 'modprobe ip_conntrack_ftp'. You can add it to your script at the top.
so the meaning of this code is to only allow replies to request from out network and wont allow anything else.
It will allow replies and related traffic, like certain ICMP packets used for error handling an connection negotiation (e.g. "ICMP fragmentation needed" messeges), but again those are *only* allowed for a connection that you have initiated and once the connection is closed then the packets will be denied again.
Originally Posted by SBN
do i have to allow udp?
As I posted it above, it would cover any protocol (tcp, udp, icmp, etc) but only for connections that are initiated by you.
Originally Posted by SBN
what would be the effect if i block it?
All of those services use tcp ports so I don't believe they would be problematic, but hostname resolution would be affected as it uses udp.
Note: After looking at some docs, Yahoo IM uses port 5050 by default, but if that's blocked it will try port 80 next.
Last edited by Capt_Caveman; 11-13-2006 at 10:36 PM.