Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
Most of your rules will NEVER be evaluated because they come AFTER a -j block:
-A INPUT -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -i ppp0 -m state --state INVALID,NEW -j DROP
-A FORWARD -i ppp0 -m state --state INVALID,NEW -j DROP
-A FORWARD -m limit --limit 3/hour -j LOG
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -i ppp0 -m state --state INVALID,RELATED,ESTABLISHED -j DROP
Also, WHY are you dropping ESTABLISHED,RELATED traffic? Most rulesets have '-m state --state ESTABLISHED,RELATED -j ACCEPT' for stateful filtering.
I wonder why you are limiting matches to 1/sec on a lot of rules. Do consider that those packets will fall down to later rules, and you're likely to end up dropping important packets and giving you a headache later.
Also, the policies for INPUT and especially FORWARD are set to ACCEPT by default. So if a packet is not explicitly denied, it is accepted.
Perhaps this was done offline?
Not very freindly to folk following from a search...
Here's my favorite "Mad Dog" firewall.
'tis a basic, restrictive, firewall for a home system.
All security should start with some sort of policy statement.
1. Nothing gets in or out without permission.
2. Permission must be explicitly set
3. Internal systems are unlimited
4. Nothing gets in without my asking for it
5. Everything gets out.
## == mdh firewall =======
# remove existing rules
iptables -t nat --flush
# Set up a default DROP policy for the built-in chains.
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT DROP
# Allow all traffic through the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow initiated traffic in
iptables -A INPUT -m state --state RELATED,EXISTING -j ACCEPT
# Uncomment to allow SSH connections
#iptables -A INPUT -t tcp -j ACCEPT -dport 22
# Allow all traffic out
# Any other output rule should go /before/ this one
iptables -A OUTPUT -m state --state NEW,RELATED,EXISTING -j ACCEPT
This makes things tricky but not impossible.
If you have a network, you'll need to make a hole for that too.
I am in the process of redoing the whole things. My current script in a true joke. I have been given no respect up until this point but that will change after I display my total overhaul of my new IPTABLES script. Give me a few and I will displaying it for criticism or for koodos. thanks
metallica1973: interesting - IMO you have been given nothing but respect. All criticism was phrased with the assumption you had valid reasons for wht you did - and you did invite criticism. Mind you, Matir did shout a bit ... but I don't think he meant to
I really did not mean to shout in any way. I'm sorry if it came across that way. I (unfortunately) sometimes use LQ as a place to wind down after work, and sometimes the line gets blurred. Sorry if you were offended, I truly did not mean it.
Back on topic -
Perhaps you could cast your eye over the mdh firewall and suggest modifications?
I'd especially like to know why it blocks internet in FC2 (not tried with FC4) but works like a charm in RH9.
Gentlemen I truly apprieciate all of your help especially MATIR and SIMON BRIDGE. My last post was not in disappointment, I was just simply saying that in order to get respect to must earn it and I was refering to my linux skills using IPTABLES. I am from the barrio and that is just a term of speech. LOL Everylast one of you that has responded to any of my post kicks but. I want to one day become a senior member and help out newbies like me. I classify myself as a newbie maybe an idiot but not a newbie LOL. thanks
Sometimes even I have to stop and think about the ordering and arrangement of iptables rules.
Don't fret. And you have gained my respect by showing yourself as someone who is willing to work and learn for answers, rather than expecting us to feed you the exact commands for your goal. I do hope you will answer the questions of those who are new to linux as you become more experienced with it yourself.
Well, those rules seem to assume a static IP address. For example, if your ip was 22.214.171.124, then your external network might be 126.96.36.199/255.255.255.0. It's the IP/network/broadcast related to the interface that goes out towards the internet.
Then how would you explain a dynamic address and opposed to a static address? and could I translate that $EXTERNAL_NETWORK or $EXTERNAL_IP and would it mean the same thing. The reason I ask this is because at home I use PPPOE from my ISP and it dynamically assigns my DSL modem an IP address. So to add that statement to my firewall would it work if I would to translate the $EXTERNAL_NETWORK or $EXTERNAL_IP with lets say ppp0 as my external_ network or external_ip? help. I am slowly working on my firewall. thanks