I'm a complete noob regarding iptables configuration, but reading some documentation and howtos, I ended up with this little script.
It should block all inbound and outbound connections unless specifically allowed, but testing the firewall indicates that a lot of ports are open which shouldn't be.
I need advice on how to improve my firewall so I can only give access to those ports I really want to have connections on.
Code:
# Generated by Hammett on Mon 10th Sep 2007
*filter
# Shut down all traffic
-P FORWARD DROP
-P INPUT DROP
-P OUTPUT DROP
# Clear all rules
-F
-X
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Allow DNS
-A OUTPUT -p tcp --sport 0:65535 --dport 53:53 -j ACCEPT
-A OUTPUT -p udp --sport 0:65535 --dport 53:53 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow HTTP,HTTPS
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
# Allow ftp
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 20:21 -j ACCEPT
# Allow rsync (for portage)
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 873 -j ACCEPT
# Allow ping
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Allow Bit-torrent connections
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6889 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 6881:6999 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 6881:6889 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 2710 -j ACCEPT
#Allow Skype
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 23399 -j ACCEPT
#Allow GIT
-A OUTPUT -p udp -m state --state NEW -m udp --dport 9418 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 9418 -j ACCEPT
#Allow TitleTrading
-A OUTPUT -p udp -m state --state NEW -m udp --dport 19010 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 19010 -j ACCEPT
#Allow World of Warcraft
-A OUTPUT -p udp -m state --state NEW -m udp --dport 3724 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 3724 -j ACCEPT
# Allow MSN Messenger
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 1863 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 6891:6899 -j ACCEPT
-A OUTPUT -p udp -m state --state NEW -m udp --dport 6891:6899 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6891:6899 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 6891:6899 -j ACCEPT
# Allow SoulSeek
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 2240 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 2234:2239 -j ACCEPT
# Allow IRC
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 6665:6669 -j ACCEPT
COMMIT
A firewall test done with GRC ShieldsUP! shows:
Code:
Results from scan of ports: 0-1055
786 Ports Open
1 Ports Closed
269 Ports Stealth
---------------------
1056 Ports Tested
My first piece of advice is that you stop messing with the iptables configuration file. You should make yourself an iptables script, and the only thing editing the configuration file should be the iptables-save binary itself. Here's a script to get you started:
Code:
#!/bin/sh
IPT="/sbin/iptables"
# Default policies: drop everything in the filter table, accept in the others
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT
# Flush all rules and delete user-defined chains in every table
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw
# INPUT: replies to our own connections, loopback, and one BitTorrent port
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p TCP -i eth0 --dport 6881 \
-m state --state NEW -j ACCEPT
# OUTPUT: replies, loopback, then each new outbound service explicitly
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -p UDP -o eth0 --dport 53 \
-m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 --dport 443 \
-m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 --dport 80 \
-m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 --dport 21 \
-m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 --dport 6881:6999 \
-m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p ICMP -o eth0 --icmp-type 8 \
-m state --state NEW -j ACCEPT
All you gotta do is follow the examples to add your own rules.
The only way for a port to be "open" is if there is something listening on it. I seriously doubt you have 786 things listening on your computer, so I would make sure the scanner you are using is not giving false positives. The script, as posted, only allows connections to one port (6881/TCP). So a port scanner should show that port as "closed" if you don't have anything listening on it, and "open" if you do (such as your BitTorrent application). All other ports should appear as "stealthed" or "filtered".
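As an added example (not code from either poster), here is a small first-match simulator for the INPUT chain that shows what a port scanner should see against the two rulesets in this thread: a DROP policy swallows every unsolicited probe ("stealth"), and only a matching NEW rule lets a probe reach the host at all. It understands only -p, -s, -i, --state and --dport; the scanner source address 203.0.113.5 and the arrival interface eth0 are constructed assumptions.

```python
# INPUT rules of the original ruleset (iptables-save format); the ICMP rule is omitted.
OP_INPUT_RULES = """
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6889 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 6881:6999 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6891:6899 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 6891:6899 -j ACCEPT
"""
# The reply's script, with its INPUT rules joined onto single lines.
REPLY_INPUT_RULES = """
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p TCP -i eth0 --dport 6881 -m state --state NEW -j ACCEPT
"""

def parse_rules(text):
    """Read '-A INPUT ...' lines; only -p, -s, -i, --state and --dport are understood."""
    rules = []
    for toks in (line.split() for line in text.strip().splitlines()):
        if toks[:2] != ["-A", "INPUT"]:
            continue
        r = {"target": toks[toks.index("-j") + 1]}
        for opt, val in zip(toks, toks[1:]):
            if opt == "-p":
                r["proto"] = val.lower()
            elif opt in ("-s", "-i"):
                r[opt] = val
            elif opt == "--state":
                r["states"] = set(val.split(","))
            elif opt == "--dport":
                lo, _, hi = val.partition(":")
                r["dport"] = (int(lo), int(hi or lo))
        rules.append(r)
    return rules

def verdict(rules, proto, dport, state="NEW", src="203.0.113.5", iface="eth0", policy="DROP"):
    """First matching rule wins; otherwise the chain policy applies (src/iface are constructed)."""
    for r in rules:
        if r.get("proto", proto) != proto or r.get("-s", src) != src or r.get("-i", iface) != iface:
            continue
        if "states" in r and state not in r["states"]:
            continue
        if "dport" in r and not (r["dport"][0] <= dport <= r["dport"][1]):
            continue
        return r["target"]
    return policy

def scan_summary(rules, first, last, proto="tcp"):
    """Ports an unsolicited NEW probe can reach; DROP shows as 'stealth' to a scanner."""
    reachable = [p for p in range(first, last + 1) if verdict(rules, proto, p) == "ACCEPT"]
    return {"reachable": reachable, "stealth": last - first + 1 - len(reachable)}
```

Run over the 0-1055 range that ShieldsUP! scanned, neither ruleset lets any probe through, so every port should come back stealth; the original ruleset's BitTorrent and MSN ranges (6881:6889, 6891:6899 TCP) lie above that range entirely.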