Linux - Security (LinuxQuestions.org forum)
Most of your rules will NEVER be evaluated because they come AFTER a -j block:
Code:
-A INPUT -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -i ppp0 -m state --state INVALID,NEW -j DROP
and
Code:
-A FORWARD -i ppp0 -m state --state INVALID,NEW -j DROP
-A FORWARD -m limit --limit 3/hour -j LOG
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -i ppp0 -m state --state INVALID,RELATED,ESTABLISHED -j DROP
Also, WHY are you dropping ESTABLISHED,RELATED traffic? Most rulesets have '-m state --state ESTABLISHED,RELATED -j ACCEPT' for stateful filtering.
I wonder why you are limiting matches to 1/sec on a lot of rules. Do consider that those packets will fall down to later rules, and you're likely to end up dropping important packets and giving you a headache later.
Also, the policies for INPUT and especially FORWARD are set to ACCEPT by default. So if a packet is not explicitly denied, it is accepted.
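To make the ordering point concrete, here is an added example (editor's code, not from anyone in the thread): a minimal model of how iptables walks a chain, first terminating match wins, run over the FORWARD rules quoted above. It assumes the `-m limit` matches are under their limit (so they are ignored) and uses constructed packets, not captures.

```python
# Added example (not code from the thread): a minimal model of how iptables walks a
# chain, run over the FORWARD rules quoted above. -m limit is ignored (assumed under limit).
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    target: str                                # ACCEPT, DROP or LOG
    in_iface: Optional[str] = None             # -i
    proto: Optional[str] = None                # -p
    states: frozenset = frozenset()            # -m state --state (empty = any)
    flag_mask: frozenset = frozenset()         # --tcp-flags MASK COMP
    flag_comp: frozenset = frozenset()
    icmp_type: Optional[int] = None            # --icmp-type

def matches(rule: Rule, pkt: dict) -> bool:
    if rule.in_iface and pkt["in"] != rule.in_iface:
        return False
    if rule.proto and pkt["proto"] != rule.proto:
        return False
    if rule.states and pkt["state"] not in rule.states:
        return False
    if rule.flag_mask and (pkt.get("flags", frozenset()) & rule.flag_mask) != rule.flag_comp:
        return False
    return rule.icmp_type is None or pkt.get("icmp_type") == rule.icmp_type

def walk(chain, policy: str, pkt: dict) -> Tuple[str, int]:
    """Return (verdict, index of the deciding rule); index -1 means the chain policy."""
    for i, rule in enumerate(chain):
        if matches(rule, pkt):
            if rule.target == "LOG":           # LOG is non-terminating: keep walking
                continue
            return rule.target, i
    return policy, -1

F = frozenset
FORWARD = [                                    # the poster's FORWARD chain, in order
    Rule("DROP", in_iface="ppp0", states=F({"INVALID", "NEW"})),
    Rule("LOG"),
    Rule("ACCEPT", proto="tcp", flag_mask=F({"SYN", "RST", "ACK"}), flag_comp=F({"SYN"})),
    Rule("ACCEPT", proto="tcp", flag_mask=F({"FIN", "SYN", "RST", "ACK"}), flag_comp=F({"RST"})),
    Rule("ACCEPT", proto="icmp", icmp_type=8),
    Rule("DROP", in_iface="ppp0", states=F({"INVALID", "RELATED", "ESTABLISHED"})),
]
FORWARD_POLICY = "ACCEPT"                      # the chain policy the post says is ACCEPT

# Constructed sample packets, not captures.
SYN_FROM_NET = {"in": "ppp0", "proto": "tcp", "state": "NEW", "flags": F({"SYN"})}            # DROP at rule 0
REPLY_FROM_NET = {"in": "ppp0", "proto": "tcp", "state": "ESTABLISHED", "flags": F({"ACK"})}  # DROP at rule 5
LAN_SYN = {"in": "eth0", "proto": "tcp", "state": "NEW", "flags": F({"SYN"})}                 # ACCEPT at rule 2
LAN_UDP = {"in": "eth0", "proto": "udp", "state": "NEW"}                                      # policy ACCEPT, -1
```

The walk shows that a new connection from ppp0 never reaches the SYN ACCEPT rule, that replies to LAN-originated connections are killed by the final ESTABLISHED drop, and that anything unmatched from the LAN is accepted by the chain policy.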
Perhaps this was done offline?
Not very friendly to folk following from a search...
Here's my favorite "Mad Dog" firewall.
'tis a basic, restrictive, firewall for a home system.
All security should start with some sort of policy statement.
Security Policy:
1. Nothing gets in or out without permission.
2. Permission must be explicitly set
3. Internal systems are unlimited
4. Nothing gets in without my asking for it
5. Everything gets out.
Basic Rules:
Code:
#!/bin/sh
## == mdh firewall =======
# remove existing rules
iptables --flush
iptables -t nat --flush
iptables --delete-chain
iptables --zero
# Set up a default DROP policy for the built-in chains.
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT DROP
# Allow all traffic through the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow initiated traffic in (the state match is ESTABLISHED, not EXISTING)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Uncomment to allow SSH connections (protocol is -p tcp, port is --dport)
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow all traffic out
# Any other output rule should go /before/ this one
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
This makes things tricky but not impossible.
If you have a network, you'll need to make a hole for that too.
I am in the process of redoing the whole thing. My current script is a true joke. I have been given no respect up until this point, but that will change after I display my total overhaul of my new IPTABLES script. Give me a few and I will display it for criticism or for kudos. thanks
metallica1973: interesting - IMO you have been given nothing but respect. All criticism was phrased with the assumption you had valid reasons for what you did - and you did invite criticism. Mind you, Matir did shout a bit ... but I don't think he meant to
I really did not mean to shout in any way. I'm sorry if it came across that way. I (unfortunately) sometimes use LQ as a place to wind down after work, and sometimes the line gets blurred. Sorry if you were offended, I truly did not mean it.
No trouble Matir: just in case someone searching into this forum doesn't know what I was talking about... I was referring to the following line:
Quote:
Most of your rules will NEVER be evaluated because they come AFTER a -j block:
... when words are capitalised like that (unless they must be like that - like with the iptables "policy" statements) it looks like shouting.
If you intend boldface or emphasised you can use vb codes like this or this. For example, Matir's statement is best with italics for emphasis like this:
Quote:
Most of your rules will never be evaluated because they come after a -j block:
I point out that Matir very clearly did not intend to shout - this was clear because of the calm-measured tones of the rest of the post.
Back on topic -
Perhaps you could cast your eye over the mdh firewall and suggest modifications?
I'd especially like to know why it blocks internet in FC2 (not tried with FC4) but works like a charm in RH9.
Gentlemen, I truly appreciate all of your help, especially MATIR and SIMON BRIDGE. My last post was not in disappointment; I was just simply saying that in order to get respect you must earn it, and I was referring to my Linux skills using IPTABLES. I am from the barrio and that is just a term of speech. LOL Every last one of you that has responded to any of my posts kicks butt. I want to one day become a senior member and help out newbies like me. I classify myself as a newbie, maybe an idiot, but not a newbie LOL. thanks
Sometimes even I have to stop and think about the ordering and arrangement of iptables rules.
Don't fret. And you have gained my respect by showing yourself as someone who is willing to work and learn for answers, rather than expecting us to feed you the exact commands for your goal. I do hope you will answer the questions of those who are new to linux as you become more experienced with it yourself.
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $EXTERNAL_NETWORK -j DROP
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BROADCAST_NET -j DROP
and this for spoofing
iptables -A INPUT -i $EXTERNAL_INTERFACE -s $EXTERNAL_IP -j LnD
my question is on the variable $EXTERNAL_NETWORK. What does that mean? Do they mean the NIC card that goes out to the internet?
and the variable $EXTERNAL_IP, what does that mean? Does it also mean the NIC that goes to the internet? Are they the same? I need a little clarification.
also
# Refuse malformed broadcast packets.
iptables -A INPUT -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j LnD
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j LnD
Does the variable $BROADCAST_DEST mean your lan broadcast address like 192.168.2.255
Does the variable $BROADCAST_SRC mean broadcast address like 255.255.225.255
Please translate!
Last edited by metallica1973; 09-08-2005 at 09:42 PM.
Well, those rules seem to assume a static IP address. For example, if your ip was 99.99.99.99, then your external network might be 99.99.99.0/255.255.255.0. It's the IP/network/broadcast related to the interface that goes out towards the internet.
Then how would you explain a dynamic address as opposed to a static address? And could I translate that $EXTERNAL_NETWORK or $EXTERNAL_IP, and would it mean the same thing? The reason I ask this is because at home I use PPPoE from my ISP and it dynamically assigns my DSL modem an IP address. So to add that statement to my firewall, would it work if I were to translate the $EXTERNAL_NETWORK or $EXTERNAL_IP with, let's say, ppp0 as my external_network or external_ip? help. I am slowly working on my firewall. thanks