LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 01-29-2005, 11:24 PM   #1
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Rep: Reputation: 30
IPTABLES Firewall (Good enough????)


I am using a DSL-modem on Mandrake Linux 9.1. All I'm doing with the computer is emails and Internet, and maybe using my Telnet to connect to other UNIX shell servers. Thats all. I am not running Samba or other services and I am on a stand-alone PC. Thats all.

I would appreciate it if someone could tell me if the firewall script which is in my rc.local directory, is sufficient enough. I am using this right now and I probed my computer for common ports and the results were all ports STEALTHED. My question is though, is this sufficient enough for my only emails and Internet computing? Please look below. If its not very secure, than please if someone here could provide me with a more secure code than this.

Code:
#PROC SETTINGS 
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts    #Block pings to broadcast IP (smurf)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians          #Log non-routable IPs
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route   #Block source-routed packets

iptables -F
iptables -t nat -F
iptables -X
iptables -Z
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

#DROP BAD PACKETS
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP      #DROP NEW NOT SYN
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP       #DROP SYN-FIN SCANS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP       #DROP SYN-RST SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP       #DROP X-MAS SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP               #DROP NMAP FIN SCAN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP              #DROP NULL SCANS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP               #DROP ALL/ALL SCANS

#LOG AND DROP IANA RESERVED/BOGONS
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Last edited by wardialer; 01-29-2005 at 11:26 PM.
 
Old 01-29-2005, 11:41 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
There are always more things you can add to a firewall in order to make it more secure (egress filtering, added spoofing protection,etc), but I think the one you're using is reasonably secure for your needs.
 
Old 01-29-2005, 11:46 PM   #3
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Ok, thanks then I'll go ahead and stick with this one as I probed for ports and resulted in all ports stealthed. That should indicate that it is working.

I am totally off on how to create iptable or ipchains. Everyone here tells me to go read, but even reading this I do not understand. Its very confusing.

Now, what is the real and actual name of the script I have??? Is it called IPTABLES or IPChains???
 
Old 01-30-2005, 01:45 AM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
I am totally off on how to create iptable or ipchains. Everyone here tells me to go read, but even reading this I do not understand. Its very confusing.
The frozentux tutorial is one of the better written and more detailed guides that I really recommend reading, so that is a good place to start. If you have any specific questions though, feel free to ask.

Now, what is the real and actual name of the script I have??? Is it called IPTABLES or IPChains???
IPTables. IPChains was the older linux firewall used in the 2.2 series kernels.
 
Old 01-30-2005, 02:00 AM   #5
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Could I call it a Firewall or Linux firewall??? Does it really matter?

So, just to confirm, IPTables is actually considered a firewall? Am I right?

Last edited by wardialer; 01-30-2005 at 02:05 AM.
 
Old 01-30-2005, 03:12 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Could I call it a Firewall or Linux firewall??? Does it really matter?
Either one. IPTables is a firewall that runs on the Linux platform and I don't believe it's been ported to any other operating systems, so you can use the two names pretty much interchangably.

So, just to confirm, IPTables is actually considered a firewall? Am I right?
Technically iptables is just the user interface and scripting language for configuring "Netfilter" which is the actual firewalling code present in the linux kernel. However, pretty much everyone just calls it iptables when refering to either one. In fact if you call it Netfilter, people may not know what your talking about. But to get back to your question, yes, iptables/netfilter is a firewall.
 
Old 02-28-2005, 10:51 PM   #7
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
How can I add IP Spoofing protection to the script above??? Please let me know where to add the IP spoofing protection??? On which line? If I need one....that is... I dont know if this one already has it or not...

Do you think this script will provide me stealth???

Last edited by wardialer; 02-28-2005 at 10:54 PM.
 
Old 02-28-2005, 11:01 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by wardialer
How can I add IP Spoofing protection to the script above??? Please let me know where to add the IP spoofing protection??? On which line? If I need one....that is... I dont know if this one already has it or not...
That's what this is:
Code:
#LOG AND DROP IANA RESERVED/BOGONS
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
If you have a static IP, you can add it to this block of rules as well.


Do you think this script will provide me stealth???
Yes. Using the DROP target results in 'stealth'. If you open up any ports in that firewall then it's not so stealth.
 
Old 02-28-2005, 11:06 PM   #9
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
I have a Dynamic IP service so I do not have to add nothing then. So I could just leave it alone...

Thats all I wanted to ask..
 
Old 03-01-2005, 01:40 AM   #10
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
you could also (or instead) set the kernel parameter for reverse path source validation:

Code:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
 
Old 03-01-2005, 09:29 AM   #11
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Win32sux -- Whats up my friend -

Yes, dont worry, I have your codes on CD too. I burnt the Capt_Caveman's and yours onto a CD-R. (The shell script) So I have two scripts...

Both of them I tested and they both give me stealth...thanks guys.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Iptables with iptables-firewall.conf arno's matt3333 Slackware 16 06-28-2007 07:20 AM
Is this a good firewall? Mega Man X Linux - Networking 9 09-04-2004 03:15 AM
Good Firewall roiboy Linux - Security 5 05-31-2004 08:40 PM
A good firewall? UnknownDarkness Linux - Software 1 02-12-2003 12:54 AM
What's a good firewall? Wynd Linux - Security 7 08-07-2001 01:06 AM


All times are GMT -5. The time now is 11:44 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration