Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have a box right now that I'm thinking of using as a router/firewall. I currently use a D-Link router, but that's not as much fun as this could be.
Currently I'm using this box as an FTP server and Samba file server. Would it be okay to keep the same services running (still use it as an FTP and file server) but include a firewall script and use it as a firewall/router? My main concern is that someone gets in through the running services somehow, but I was thinking last night that this might actually be possible.
Any input is appreciated - thanks!
If you're not an expert at configuring Linux firewalls, then I would keep your Samba/FTP server BEHIND a real firewall until you're confident in your firewalling skills. Misconfiguring your firewall would compromise your file server and potentially put your entire network at risk.
If you want to have fun with Linux, just set up your Linux box as a proxy server behind your D-Link router. That way you'll still have the security from the D-Link, but you can have fun configuring your proxy settings and traffic logging with Linux. It's a win-win.
ex:
INTERNET --> DLINK --> LINUX SERVER --> NETWORK SWITCH --> THE REST OF YOUR NETWORK
That's a good idea, I think I'll try that this weekend.
Another question - I have a 10 Mb 4-port hub and a 16-port switch. I have a laptop, desktop, and server (which would actually end up being the proxy server) - would it be worth it to use the switch, or should I stick with the hub?
Do you need to allow access to the Samba file server and FTP only from inside your network? If so, you can configure iptables to allow this while blocking access to these services from the outside world.
Example -
Code:
#!/bin/sh
# eth0 = interface facing the Internet, eth1 = interface facing the internal network
# Let the kernel forward packets between interfaces (required for a router)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush all previous iptables chains (the filter table and the nat table)
iptables -F
iptables -t nat -F
# The first rule sets the default policy, i.e. what to do if a packet doesn't match any
# other rule, to drop any packet coming into (INPUT) your box.
iptables -P INPUT DROP
# The next rule is added (-A) to the INPUT chain. This rule allows
# response packets from any connections established from within your system.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# This rule allows packets through the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
# Allow the internal network to function freely
iptables -A INPUT -j ACCEPT -p all -s 192.168.0.0/16 -i eth1
# Allow internal network machines to access the Internet and masquerade their IP addresses
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Allow FTP and SMB requests ONLY from within the internal network
iptables -A INPUT -p tcp -m multiport --destination-port 21,137,139 -s 192.168.0.0/16 -j ACCEPT
# Allow internal machines ONLY to make SMB requests (UDP)
iptables -A INPUT -p udp -m multiport --destination-port 137,139 -s 192.168.0.0/16 -j ACCEPT
If I were to make a rule to drop all packets coming in from outside, would web browsing still work?
Yes it would, because 'iptables' is a stateful packet filter. What this means is that iptables is smart enough to know if a packet arriving on the firewall is a response to a packet sent from your box originally. This is demonstrated by this rule, in April's example script above:
Code:
# The next rule is added (-A) to the INPUT chain. This rule allows
# packets from any previously established connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Originally posted by bulliver Yes it would, because 'iptables' is a stateful packet filter. What this means is that iptables is smart enough to know if a packet arriving on the firewall is a response to a packet sent from your box originally. This is demonstrated by this rule, in April's example script above:
Code:
# The next rule is added (-A) to the INPUT chain. This rule allows
# packets from any previously established connections.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Oh, OK. I read that, but I thought it meant that if there was a network connection already established when the script was run, it would leave it alone.
Whoops! I just noticed that the syntax of the last rule was incorrect. So just in case you tried this and had problems, epoo, I corrected it above.
So if you need access to FTP from outside, then remove port 21 from the following rule in the example script
# Allow access to FTP and SMB requests ONLY from within the internal network
iptables -A INPUT -p tcp -m multiport --destination-port 21,137,139 -s 192.168.0.0/16 -j ACCEPT
and add a new rule below that one
# Allow access to FTP from outside the network
iptables -A INPUT -p tcp --destination-port 21 -j ACCEPT
BTW, you can save this script as (for example) rc.firewall, chmod 755 it and place it in your /etc/rc.d folder, and the firewall will automatically load on boot.
Do some reading regarding iptables and you can expand this script to accommodate any future needs you may have.
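To make the stateful behaviour discussed in this thread concrete (why web browsing still works with a DROP policy, what ESTABLISHED really refers to, and what changes when the FTP-from-outside rule is appended), here is a small added example that is not from any poster and is not netfilter itself. It is a toy model of the INPUT chain from April's rc.firewall script: rules are matched first-match-wins, and a packet is ESTABLISHED only if the box itself previously sent the matching outbound flow, regardless of when the rules were loaded. The addresses, interface names and the `InputChain`/`Rule`/`Packet` classes are constructed for the illustration.

```python
"""Toy model of the thread's INPUT chain with connection tracking (added example, not netfilter)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # arriving interface: "eth0" = Internet side, "eth1" = LAN side
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One `iptables -A INPUT ...` line; None or an empty tuple means 'match any'."""
    target: str
    iface: Optional[str] = None
    proto: Optional[str] = None
    src_net: Optional[str] = None
    dports: Tuple[int, ...] = ()
    states: Tuple[str, ...] = ()

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.iface and pkt.iface != self.iface:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.states and state not in self.states:
            return False
        return True


class InputChain:
    """Rules are tried in order; the first match decides, otherwise the chain policy applies."""

    def __init__(self, policy: str = "DROP"):
        self.policy = policy
        self.rules = []
        self.conntrack = set()   # flows the box itself opened (simplified conntrack table)

    def append(self, rule: Rule) -> None:
        self.rules.append(rule)

    def send(self, pkt: Packet) -> None:
        """The box originates a packet; the flow is remembered so replies can be recognised."""
        self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state_of(self, pkt: Packet) -> str:
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ESTABLISHED" if reverse in self.conntrack else "NEW"

    def input(self, pkt: Packet) -> str:
        state = self.state_of(pkt)
        for rule in self.rules:
            if rule.matches(pkt, state):
                return rule.target
        return self.policy


def thread_ruleset(allow_external_ftp: bool = False) -> InputChain:
    """The rc.firewall INPUT rules from the thread, appended in the same order."""
    fw = InputChain(policy="DROP")
    fw.append(Rule("ACCEPT", states=("ESTABLISHED", "RELATED")))
    fw.append(Rule("ACCEPT", iface="lo"))
    fw.append(Rule("ACCEPT", iface="eth1", src_net="192.168.0.0/16"))
    fw.append(Rule("ACCEPT", proto="tcp", src_net="192.168.0.0/16", dports=(21, 137, 139)))
    fw.append(Rule("ACCEPT", proto="udp", src_net="192.168.0.0/16", dports=(137, 139)))
    if allow_external_ftp:   # the extra rule suggested for FTP access from outside
        fw.append(Rule("ACCEPT", proto="tcp", dports=(21,)))
    return fw


BOX_WAN, BOX_LAN = "198.51.100.7", "192.168.1.1"   # constructed addresses (documentation ranges)
REMOTE, WEB = "203.0.113.5", "203.0.113.80"


def run_scenarios() -> dict:
    fw = thread_ruleset()
    results = {
        # unsolicited FTP from the Internet: nothing matches, so the DROP policy applies
        "ftp_from_internet": fw.input(Packet("eth0", "tcp", REMOTE, 40000, BOX_WAN, 21)),
        # FTP from a LAN host arriving on eth1: accepted by the internal-network rule
        "ftp_from_lan": fw.input(Packet("eth1", "tcp", "192.168.1.10", 40001, BOX_LAN, 21)),
    }
    fw.send(Packet("eth0", "tcp", BOX_WAN, 50000, WEB, 80))       # the box browses a web site
    results["web_reply"] = fw.input(Packet("eth0", "tcp", WEB, 80, BOX_WAN, 50000))  # reply is ESTABLISHED
    results["unsolicited_reply"] = fw.input(Packet("eth0", "tcp", WEB, 80, BOX_WAN, 50001))  # never opened: NEW
    fw2 = thread_ruleset(allow_external_ftp=True)
    results["ftp_from_internet_after"] = fw2.input(Packet("eth0", "tcp", REMOTE, 40000, BOX_WAN, 21))
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:25} {verdict}")
```

The `unsolicited_reply` case is the point epoo asked about: a packet that merely looks like a server reply is still NEW if the box never sent the matching request, so it falls through to the DROP policy; the connection-tracking table, not the moment the script was loaded, decides what ESTABLISHED means.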