Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
If this is just for a personal desktop... then try the following script:
Code:
#! /bin/sh
# mdh firewall
# jon (maddog) hall
# Load appropriate modules
modprobe ip_tables
modprobe ip_conntrack       # nf_conntrack on current kernels
modprobe ip_conntrack_ftp   # nf_conntrack_ftp on current kernels
# Remove Existing Rules
iptables --flush
iptables -t nat --flush
#iptables --delete-chain
#iptables --zero
# Definitions
MYNET=192.168.1.0/24
LANFACE=eth0
WEBFACE=eth0
### Rules ###
# Set up default drop policy for all chains
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow initiated traffic in
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow SSH Connections (Comment to disallow)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow LAN traffic (but only from LAN)
iptables -A INPUT -i $LANFACE -s $MYNET -j ACCEPT
# Allow all traffic out
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
This gives you a default "drop" policy so all ports are switched off by default. The rest makes sure nothing can get in unless you ask it to.
The above assumes you have a LAN giving broadband access via a NAT router/xDSL modem. If you have dialup, then WEBFACE=ppp0 and the LAN entries can be deleted.
Last edited by Simon Bridge; 04-09-2007 at 01:20 AM.
I think frostwire listens on port 6346 by default. If you want frostwire to accept packets on that port without you having to send anything out first, then you will want another input rule (put it after the ssh rule).
# Allow Frostwire to receive uninitiated packets
iptables -A INPUT -i $WEBFACE -p tcp --dport 6346 -j ACCEPT
... something like that.
However, you will likely find that the above firewall will meet your needs as is.
Last edited by Simon Bridge; 04-09-2007 at 01:30 AM.
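The following is an added example and not the script posted above: it carries the same policy as the "mdh firewall" (default DROP on every chain, loopback, stateful replies, ssh, a trusted LAN, everything out) together with the Frostwire rule from the follow-up post, but written in iptables-restore format so the whole table is loaded in one step rather than rule by rule, and with the ssh and Frostwire rules in valid syntax (`-p tcp --dport`; `-t` selects a table, and single-dash `-dport` is not an option). `-m conntrack --ctstate` is the current spelling of the `-m state --state` match. The variable names, the `P2P_PORT` default and the use of `iptables-restore --test` as a parse-only dry run are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the script posted in the thread: the "mdh firewall" policy
# plus the Frostwire rule, emitted for iptables-restore so the table loads
# atomically. MYNET, LANFACE, WEBFACE, SSH_PORT and P2P_PORT are illustrative.
MYNET=${MYNET:-192.168.1.0/24}
LANFACE=${LANFACE:-eth0}
WEBFACE=${WEBFACE:-eth0}
SSH_PORT=${SSH_PORT:-22}
P2P_PORT=${P2P_PORT:-6346}   # Frostwire default, as stated in the thread

# Print the ruleset. Lines beginning with '#' are ignored by iptables-restore.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback first: local services break without it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host opened; packets fitting no connection are dropped
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new inbound ssh (delete this line to disallow)
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
# new inbound Frostwire connections, only on the internet-facing interface
-A INPUT -i $WEBFACE -p tcp --dport $P2P_PORT -m conntrack --ctstate NEW -j ACCEPT
# trust the LAN: any packet on LANFACE that carries a LAN source address
-A INPUT -i $LANFACE -s $MYNET -j ACCEPT
# let this host open anything outbound
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Load the ruleset atomically. The --test pass (assumed available) only parses;
# if it fails, the running rules are never touched. Needs root.
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_rules > "$tmp"
    iptables-restore --test < "$tmp" && iptables-restore < "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# "apply" loads the rules; anything else just prints them for review.
if [ "${1:-}" = apply ]; then
    apply_rules
else
    gen_rules
fi
```

Run it with no argument to see the table, and as root with `apply` to load it. Two things to keep in mind when reusing this: the Frostwire and ssh rules accept NEW connections from any source, so each is a port that is open to the whole internet for as long as the line is there; and the LAN rule trusts any packet that arrives on `$LANFACE` with a `$MYNET` source address, which with `LANFACE` and `WEBFACE` both set to eth0 relies on the router in front of the box not forwarding spoofed private addresses.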
iptables -A INPUT -p tcp --dport 0:1023 -j REJECT
[...]
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
You'd need the second rule (accept incoming packets on port 80) if you were running a web server. (Are you?) But it wouldn't get that far, because the first one would already have matched and rejected the packet. Same applies doubly for the last rule.
You could re-order to put the more specific rule first.
Quigi, thanks. Can you give me an example? Thanks.
I'm not running a web server, no, and I'm on a wireless.
And
Simon Bridge, I don't know what your script is all about. I've got to look into it. I saved it, thank you.
I just want to download music. I don't want to shut off my firewall, so I spent a few days learning iptables, which is the best thing I have ever done, and Guarddog will not let me access Frostwire even if I open the port locally and on the internet. I don't know what is going on there.
The example was from your configuration, which you since deleted.
As you're not running a web server, don't accept packets coming in to your box on port 80, i.e., just delete the two relevant rules. If you had a web server, you'd need to put the more specific rule further up, so it would get considered first:
Code:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 0:1023 -j REJECT
I don't understand why you'd add an even more specific rule for interface eth0, with the same target.
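Quigi's point is that netfilter walks a chain top to bottom and the first rule that matches decides; the rules after it are never consulted, and a packet that matches nothing gets the chain policy. The script below is an added example (not from the thread) that models exactly that walk for the INPUT chain, so an ordering can be checked without root or a live iptables. It reads rules in the format `iptables -S INPUT` prints, understands only `-p`, `-i`, `--dport` (single port or `low:high`) and `-j`, and ignores anything else on the line; the rule sets it runs against are constructed from the two orderings discussed above.

```shell
#!/bin/sh
# Added example, not the thread's code: a minimal model of INPUT-chain
# evaluation (first match wins, else the chain policy). Only -p, -i, --dport
# and -j are modelled; other selectors on a line are ignored.
#   first_match PROTO DPORT IFACE POLICY  < rules   ->  prints the verdict
first_match() {
    awk -v proto="$1" -v dport="$2" -v iface="$3" -v policy="$4" '
    BEGIN { dp = dport + 0; verdict = "" }
    /^-A INPUT/ {
        rp = ""; ri = ""; lo = -1; hi = -1; tgt = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") rp = $(i + 1)
            else if ($i == "-i") ri = $(i + 1)
            else if ($i == "--dport") {
                n = split($(i + 1), r, ":")
                lo = r[1] + 0; hi = (n == 2) ? r[2] + 0 : lo
            }
            else if ($i == "-j") tgt = $(i + 1)
        }
        # a rule matches only when every selector it carries matches
        if (rp != "" && rp != proto) next
        if (ri != "" && ri != iface) next
        if (lo >= 0 && (dp < lo || dp > hi)) next
        verdict = tgt; exit          # first matching rule decides
    }
    END { print (verdict != "" ? verdict : policy) }'
}

# Constructed rule sets. SHADOWED is the ordering Quigi quoted: the range
# REJECT sits in front of the port-80 ACCEPT, so the ACCEPT can never fire.
SHADOWED='-A INPUT -p tcp --dport 0:1023 -j REJECT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT'

# REORDERED is the fix from the reply: the more specific rule first.
REORDERED='-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 0:1023 -j REJECT'

# verdict PORT RULES: verdict for a tcp packet to PORT arriving on eth0,
# with the chain policy set to DROP as in the posted script.
verdict() { printf '%s\n' "$2" | first_match tcp "$1" eth0 DROP; }

for p in 80 22 8080; do
    printf 'tcp/%s: shadowed=%s reordered=%s\n' "$p" \
        "$(verdict "$p" "$SHADOWED")" "$(verdict "$p" "$REORDERED")"
done
```

Port 80 is rejected under the shadowed ordering and accepted under the reordered one; port 22 is rejected by the range rule in both; port 8080 matches no rule and falls to the DROP policy. On a live box the equivalent check is `iptables -L INPUT -n -v --line-numbers`, which shows the order and the per-rule packet counters: a rule whose counter never moves while an earlier, broader rule keeps climbing is shadowed, and `iptables -I INPUT <n> ...` inserts a rule at position n instead of appending it to the end.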
That is a very complete firewall there. You are best to keep it simple - you won't want most of the stuff in that. For future, I'll explain the one I posted.
# mdh firewall
# jon (maddog) hall
... this was suggested to me by maddog. I guess it is GPL.
# Load appropriate modules
... probably not needed these days - makes sure the firewall works.
# Remove Existing Rules
... start with a clean slate so there are no rogue rules floating around we don't know about.
# Definitions
... this is so that you can change your machine and just edit a few lines. It is also good practice to put easy-to-understand labels on things so the rules read more clearly.
### Rules ###
# Set up default drop policy for all chains
... with everything set to drop by default, all the ports are closed. However, it means we have to specifically open ports we want to use.
# Allow unlimited traffic on the loopback interface
... The loopback interface (127.0.0.0) is needed for the different parts of the computer to talk to each other. Without this, the computer won't work.
# Allow initiated traffic in
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
... this is a stateful filter - it means that if we have asked for it already, we can get it. This way, ports get opened as we need them.
# Allow SSH Connections (Comment to disallow)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
... This allows secure shell connections. You won't need this.
# Allow LAN traffic (but only from LAN)
iptables -A INPUT -i $LANFACE -s $MYNET -j ACCEPT
... My computer is on a 4-port switch (+router+dsl modem). Here, all hosts on the LAN are trusted. OK for a home LAN. If you don't have a LAN, you won't need this.
# Allow all traffic out
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
... since we can only receive what we ask for, this step lets us ask for anything. Since I trust myself, I let myself ask for whatever I like.
Now look how simple this is.
State filtering is very effective and more flexible than the simple on/off thing you were doing. So far the only thing to get through this firewall was Skype doing a file transfer (which found and used an "established" internet connection). If I hadn't opened that port, even Skype wouldn't have got through.
The only difference is what you do when you decide you want less permissive output filtering (i.e. any filtering at all).
The point of writing the script this way is to allow ease in customizing to different situations. It also teaches good habits, and makes the security plan follow a clear logical progression.
General rule: always set policy = drop for everything. Even if you go and just accept everything later: it means you have to explicitly and deliberately accept.
Similarly, I could have saved typing by using the actual device names instead of variable names. I didn't because this way allows me to write a clearer script which is more easily configurable.