LinuxQuestions.org
Old 09-10-2005, 11:40 AM   #1
ujotne
LQ Newbie
Registered: Sep 2003
Posts: 13
iptables on Debian


1) How does one manually start/stop iptables on Debian 3.1 sarge?
What I am after is something like "/service iptables start" on Mandrake.

2) Which TCP port do I need to open to allow APT to fetch packages via ftp?
Old 09-10-2005, 12:00 PM   #2
HappyTux
Senior Member
Registered: Mar 2003
Location: Nova Scotia, Canada
Distribution: Debian AMD64
Posts: 4,170
Re: iptables on Debian

Quote:
Originally posted by ujotne
1) How does one manually start/stop iptables on Debian 3.1 sarge?
What I am after is something like "/service iptables start" on Mandrake.

2) Which TCP port do I need to open to allow APT to fetch packages via ftp?
1) The general idea in Debian is that you either write your own script that uses iptables or install one of the packages that do it for you like Guarddog, Bastille or Firestarter among others.

2) None, you should be able to access an ftp site without opening any ports. Are you behind some kind of proxy server?
Old 09-10-2005, 12:42 PM   #3
ujotne
LQ Newbie
Registered: Sep 2003
Posts: 13
Re: Re: iptables on Debian

Quote:
Originally posted by HappyTux
1) The general idea in Debian is that you either write your own script that uses iptables or install one of the packages that do it for you like Guarddog, Bastille or Firestarter among others.
I have written my own script and it is very useful to be able to manually start and stop iptables for debugging purposes.

Quote:
2) None, you should be able to access an ftp site without opening any ports. Are you behind some kind of proxy server?
Obviously I have to open either port 20 or 21 to allow ftp traffic. What I am not sure about is whether apt uses active or passive ftp.
Old 09-10-2005, 01:03 PM   #4
HappyTux
Senior Member
Registered: Mar 2003
Location: Nova Scotia, Canada
Distribution: Debian AMD64
Posts: 4,170
Re: Re: Re: iptables on Debian

Quote:
Originally posted by ujotne
I have written my own script and it is very useful to be able to manually start and stop iptables for debugging purposes.

Well, do you have start, stop and restart sections in your script that actually do the proper things when shutting down/starting/restarting iptables, to make sure everything gets reset correctly? If so, then you should be able to put the script in the /etc/init.d/ directory, then use update-rc.d name_of_script defaults and it will create links for the script to be started and stopped in the proper directories. Then to start you would /etc/init.d/name_of_script start; of course, to stop you would put that on the end of the command.

Quote:
Obviously I have to open either port 20 or 21 to allow ftp traffic. What I am not sure about is whether apt uses active or passive ftp.
No, you do not; that is only if you want to allow ftp traffic into your server. You would be looking for, if I recall correctly, loading the ip_conntrack_ftp module of iptables to allow for connection tracking when going through the firewall, of course making sure that you have enabled the NAT and ip forwarding if needed as well.
Old 09-16-2005, 07:36 PM   #5
/bin/bash
Senior Member
Registered: Jul 2003
Location: Indiana
Distribution: Mandrake Slackware-current QNX4.25
Posts: 1,802
There is a script /etc/init.d/skeleton which you can use as a template to make SysV init scripts. I use this one to run my firewall script. Put the firewall script in /etc/rc.firewall. You may need to edit some paths to fit your system.

Code:
#! /bin/sh
#
# SysV init wrapper for /etc/rc.firewall.
# This file should be placed in /etc/init.d.
#

set -e

PATH=/sbin:/bin:/usr/sbin:/usr/bin
DESC="Use this script to start /etc/rc.firewall script"

# Refuse to run if the rule script or the iptables binary is missing.
if [ ! -f /etc/rc.firewall ]; then
  echo "Unable to start iptables firewall - /etc/rc.firewall does not exist"
  exit 1
fi
if [ ! -f /sbin/iptables ]; then
  echo "Cannot find /sbin/iptables"
  exit 1
fi

case "$1" in
  restart|reload)
        # Reset the filter table (by running "stop" in a child process), then reload the rules.
        echo "Restarting iptables firewall..."
        $0 stop
        /bin/bash /etc/rc.firewall
        ;;
  start)
        echo "Setting up iptables firewall..."
        /bin/bash /etc/rc.firewall
        ;;
  stop)
        # Open the filter table: accept-all policies, flush all rules, delete user chains.
        # The nat and mangle tables are left as they are.
        echo -n "Stopping iptables firewall..."
        iptables -P OUTPUT ACCEPT
        iptables -P INPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -F
        iptables -X
        echo "done."
        exit 0
        ;;
  panic)
        # Emergency lockdown: drop everything on the filter table, in and out.
        echo -n "Closing all ports..."
        iptables -P OUTPUT DROP
        iptables -P INPUT DROP
        iptables -P FORWARD DROP
        iptables -F
        iptables -X
        echo "done."
        exit 0
        ;;
  *)
        echo "Usage: $0 {start|stop|restart|reload|panic}" >&2
        exit 1
        ;;
esac

exit 0
Once you put the script in /etc/init.d you can use the SysV-Init Editor to make it run in the desired run levels.

Last edited by /bin/bash; 09-16-2005 at 07:57 PM.
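An added example, not the poster's script, of what the /etc/rc.firewall called by the wrapper above could contain for the setup in this thread: default-deny policies, state tracking, the ftp connection-tracking helper from post #4 so apt's ftp data connection (active or passive) is matched as RELATED, and outbound ftp/http/DNS only. The single-homed, no-forwarding, no-inbound-services layout and the IPTABLES override variable are our assumptions.

```shell
#!/bin/sh
# Added example of an /etc/rc.firewall for the init wrapper in this thread.
# Not the poster's script. Assumptions (ours): a single-homed host that does
# no forwarding and offers no inbound services, with apt fetching packages
# over ftp and http.
#
# ftp needs the kernel's ftp connection-tracking helper (ip_conntrack_ftp on
# 2.4/early 2.6 kernels, nf_conntrack_ftp later) so that the data connection,
# active or passive, is classified RELATED and allowed by the state rule.

# Wrapper so the binary can be overridden, e.g. IPTABLES="echo iptables" for a dry run.
ipt() { ${IPTABLES:-/sbin/iptables} "$@"; }

load_helpers() {
    modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp 2>/dev/null
}

# Emit the rule set one iptables invocation per line, so it can be reviewed
# before being applied. Policies go to DROP first so the flush fails closed.
firewall_rules() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-F
-X
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m limit --limit 5/min -j LOG --log-prefix FW-DROP:
EOF
}

apply_firewall() {
    load_helpers || echo "warning: ftp conntrack helper not loaded" >&2
    firewall_rules | while IFS= read -r rule; do
        # word splitting of $rule into iptables arguments is intended here
        ipt $rule || { echo "failed: iptables $rule" >&2; exit 1; }
    done
}

# Run "sh rc.firewall apply" (as root) to load the rules; sourcing only defines functions.
if [ "${1:-}" = apply ]; then apply_firewall; fi
```

Note that no rule opens port 20 or 21 inbound: the data connection is accepted by the ESTABLISHED,RELATED rule once the helper has seen the PORT/PASV exchange on the control channel.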