Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
- Hey guys, hope you can help me here.
- I block all incoming and outgoing connections in my iptables configuration. At first I just wanted to allow web browsing, so I tried this configuration:
At first it worked, then when I tried it again it no longer worked. I tried a little more reading and I think that configuration is wrong, but it worked before. So I narrowed it down to this:
The main problem likely has to do with DNS traffic or DHCP. If you are only allowing HTTP traffic, then you are not going to be able to send or receive DNS packets and won't be able to resolve host names.
Also, I would recommend against filtering based on source ports. The reason is that an attacker could easily configure his port scanner to use port 80 as the source port and would be able to scan/connect to any port on your system. iptables has stateful filtering capability, so go ahead and use it. For all of your rules, you can replace them with:
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
It's probably a good idea to post your entire firewall ruleset here, because you are going to need other things as well, like allowing local traffic over the loopback interface; otherwise things like X will break.
- Thanks for the tip. Actually my only firewall ruleset is the one I posted. I am still trying to create a configuration that would only allow web browsing, FTP, email, and IM, and a security configuration that could prevent hackers from poking into our network. I am new to iptables and I would appreciate your help.
I believe Yahoo messenger uses port 80 as well, so the OUTPUT rules allowing dport 80 should allow it. Passive FTP can be a bit more tricky due to the nature of the protocol itself. The easiest and most effective approach is to allow outbound traffic on the FTP control channel (dport 21); then the data channel is opened and allowed because it's related to the initial FTP connection. The problem is that it's not an easy thing for the connection tracking module to follow, so there is a specific iptables module designed for that purpose: ip_conntrack_ftp. It should already be installed; just load it with 'modprobe ip_conntrack_ftp'. You can add it to your script at the top.
So the meaning of this code is to only allow replies to requests from our network and not allow anything else?
It will allow replies and related traffic, like certain ICMP packets used for error handling and connection negotiation (e.g. "ICMP fragmentation needed" messages), but again those are *only* allowed for a connection that you have initiated, and once the connection is closed the packets will be denied again.
Quote:
Originally Posted by SBN
Do I have to allow UDP?
As I posted it above, it would cover any protocol (TCP, UDP, ICMP, etc.) but only for connections that are initiated by you.
Quote:
Originally Posted by SBN
What would be the effect if I block it?
All of those services use TCP ports, so I don't believe they would be problematic, but hostname resolution would be affected as it uses UDP.
Note: After looking at some docs, Yahoo IM uses port 5050 by default, but if that's blocked it will try port 80 next.
Last edited by Capt_Caveman; 11-13-2006 at 09:36 PM.
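The thread above stops at three rules and a list of things still to add (loopback, DNS, FTP control channel plus the conntrack helper, IM). The script below is an added example, not code posted by Capt_Caveman or SBN, that puts those pieces together into one ruleset in iptables-restore format, so it is loaded atomically rather than rule by rule. Beyond what the thread states it assumes: 443 for HTTPS alongside 80, the usual mail ports (25, 110, 143, 465, 587, 993, 995), Yahoo IM on 5050 with its port 80 fallback, `-m conntrack --ctstate` as the current spelling of `-m state --state`, and `nf_conntrack_ftp` as the current name of `ip_conntrack_ftp`. It opens no inbound service at all, so do not load it on a box you are logged into over SSH.

```shell
#!/bin/sh
# Added example (not from the LinuxQuestions thread): stateful
# "only what this host starts" ruleset in iptables-restore format.
# Apply as root with:   sh fw.sh apply
# Port assumptions beyond the thread: 443 (HTTPS); mail on
# 25,110,143,465,587,993,995; Yahoo IM on 5050 (falls back to 80).

# Print the ruleset. Comment lines are accepted by iptables-restore.
fw_rules() {
cat <<'EOF'
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Kernels since 4.7 do not attach conntrack helpers automatically
# (nf_conntrack_helper=0), so bind the ftp helper to outbound
# control connections explicitly or passive data channels stay blocked.
-A OUTPUT -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback first, or X, local resolvers and the like break.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Packets the tracker cannot place in a flow (stray ACKs, scans that
# spoof source port 80) are dropped before the ESTABLISHED rule.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Replies to flows this host opened. RELATED also covers ICMP errors
# such as "fragmentation needed" and the FTP data channel.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS: the usual reason an "http only" ruleset works once (cached
# answer) and then never again.
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Web
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# FTP control channel; the data channel then arrives as RELATED.
-A OUTPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# Mail (assumed ports)
-A OUTPUT -p tcp -m multiport --dports 25,110,143,465,587,993,995 -m conntrack --ctstate NEW -j ACCEPT
# Yahoo IM; its port 80 fallback is already covered above.
-A OUTPUT -p tcp --dport 5050 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Return 0 if the ruleset lets this host open a NEW outbound $1 (tcp|udp)
# flow to port $2, i.e. some OUTPUT rule with ctstate NEW lists the port
# in --dport or a --dports set. Anything else falls to the DROP policy.
fw_allows_new_out() {
    fw_rules | awk -v proto="$1" -v port="$2" '
        /^-A OUTPUT/ && $0 ~ ("-p " proto " ") && /ctstate NEW/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" || $i == "--dports") {
                    n = split($(i + 1), list, ",")
                    for (j = 1; j <= n; j++) if (list[j] == port) hit = 1
                }
        }
        END { exit hit ? 0 : 1 }'
}

# Load the FTP helper (new name first, old name as fallback) and the
# ruleset in one shot; iptables-restore replaces both tables atomically.
fw_apply() {
    modprobe nf_conntrack_ftp 2>/dev/null || modprobe ip_conntrack_ftp
    fw_rules | iptables-restore
}

if [ "${1:-}" = "apply" ]; then
    fw_apply
fi
```

`sh fw.sh` alone only defines the functions; `sh fw.sh apply` loads the rules. `fw_allows_new_out tcp 22` returns non-zero, which is the quick way to see what the DROP policy on OUTPUT means before applying: any service not listed gets no NEW flow, in either direction. After applying, `iptables -S` and `iptables -t raw -S` show what the kernel actually accepted.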