Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
After reading others' posts right here on these forums, from people who are having the exact same problems with CentOS, it appears this behavior is the default one.
In some of their cases they were able to get the restorecon working after uninstalling and reinstalling policycoreutils, but that didn't work for me (EDIT: Yes it did. It installed the needed link to "setfiles") (at least not with the way I did it--without uninstalling first, and with no reboot--which I can't do without getting locked out).
So what do these links mean above?
I'm wondering if this is the setup used because this is a virtual server running in a Parallels Virtuozzo container?? Do they change how this is set up when it's running virtualized?
Well, I just tried saving iptables again after noticing that the "restorecon -> setfiles" link had a date and time of today at the same time I installed policycoreutils again (and thus I thought it might be worth trying to save my script again), and it worked!!
Code:
# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
So never mind about the above posts, I guess I don't need restorecon itself, only the link "restorecon -> setfiles" to be present.
I was just typing: "locate restorecon". But that is actually irrelevant.
Thanks for your help again! I can save the rules now!
No, you are not going to have any problem at all. You didn't run any command that needs to be saved somewhere; you just installed a new package, so there is nothing further to do.
I'm asking if the iptables rules I saved by typing "service iptables save" are permanent and won't be overwritten on reboot or by the system. (Not whether the newly reinstalled policycoreutils package is permanent--though that's good to know also).
I noticed that most of your examples do not even have anything in the mangle section. I read in some of the howtos that "mangle" is rarely needed or used.
Also, why do the numbers in brackets (e.g. [434:24948]) change every time I save my rules? (when I open up the saved file in a text editor to see what it saved)
These are the packet counter details (packets and bytes), and RH-firewall-1-INPUT is the user-defined chain in the filter table provided by Red Hat. The mangle table is used to modify the TCP packet quality-of-service bits before routing occurs.
Ah, I understand. Thanks bijo505. That clarifies things nicely.
I just finished reading every word of the different references you guys all posted. I'm really starting to understand this stuff much better now.
UnSpawn, I've used the rules you posted, with some modifications. The generated logfile has been extremely helpful.
In case anyone finds it helpful, this is what I ended up using (so far):
Code:
*mangle
:PREROUTING ACCEPT [84532:4867976]
:INPUT ACCEPT [84532:4867976]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90211:23224227]
:POSTROUTING ACCEPT [90211:23224227]
COMMIT
# Completed on Mon Jan 14 22:59:17 2013
# Generated by iptables-save v1.4.7 on Mon Jan 14 22:59:17 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5:596]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 20:22,53,80,110,143,443,989,990,993,995,8443 -j ACCEPT
-A INPUT -m state --state NEW -m limit --limit 1/sec -j LOG --log-prefix "IN_denied "
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
COMMIT
If you guys aren't tired of answering my questions, I do have a few more that I'm not sure of the answer to:
#1 Do I need: "-A INPUT -p icmp --icmp-type any -j ACCEPT" in my rules? Some examples had that, and some didn't.
#2 Now that I'm using the above rules, and looking at the logfiles, I'm seeing hundreds of entries like this (note: possibly sensitive numbers masked to protect the innocent):
In the case of a dedicated virtual server, is "eth0" an interface that is leading to the Internet side? (the IPs I masked-out above are indeed from Internet located machines) Do I need to unblock something? Or are these denials alright? (I can already browse to my website just fine)
#3 My server is running a DNS server on port 53. Does that need to be open to the Internet (I opened it above, for now. Though only on TCP, not UDP), or is it just needing localhost (which is already open in my rules)? The server is only providing DNS for its own domain names for its own website right now, but I may resell webspace at some point (if I become knowledgeable enough to admin a server for others). Will that make it necessary to have it open externally to the Internet?
#4 What's the best way to re-map a port like the SSH port 22? Is there anything I need to be aware of? (Perhaps I should open another thread for asking that. Is there already a good thread about that? I've been looking.)
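The questions above about the counters in brackets and about the empty mangle table can both be answered by reading the saved file mechanically. The script below is an added example in shell, not code from the thread or from CentOS: it takes a file in iptables-save format (the ruleset posted above is embedded as a constructed sample), reports the default policy of a chain per table, counts real rules per table, lists the INPUT ports that are accepted, and emits a copy with every counter reset. The `[pkts:bytes]` field on the policy lines is a live counter that iptables-save always prints (per-rule counters only appear with `-c`), which is why the file differs after every `service iptables save`; iptables-restore ignores those numbers unless it is run with `-c`, so zeroing them is safe.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a ruleset in iptables-save
# format. The "[434:24948]" numbers on the policy lines are live packet:byte
# counters, which is why the saved file changes every time it is saved.
# iptables-restore ignores them (unless run with -c), so they can be zeroed.

# Constructed sample: the ruleset posted in this thread, as the save command
# writes it.
RULES=$(mktemp)
trap 'rm -f "$RULES"' EXIT
cat >"$RULES" <<'EOF'
# Generated by iptables-save v1.4.7 on Mon Jan 14 22:59:17 2013
*mangle
:PREROUTING ACCEPT [84532:4867976]
:INPUT ACCEPT [84532:4867976]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90211:23224227]
:POSTROUTING ACCEPT [90211:23224227]
COMMIT
# Completed on Mon Jan 14 22:59:17 2013
# Generated by iptables-save v1.4.7 on Mon Jan 14 22:59:17 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5:596]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 20:22,53,80,110,143,443,989,990,993,995,8443 -j ACCEPT
-A INPUT -m state --state NEW -m limit --limit 1/sec -j LOG --log-prefix "IN_denied "
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Jan 14 22:59:17 2013
EOF

# lines of one table: from "*name" up to its COMMIT ($1 = file, $2 = table)
table_section() { sed -n "/^\*$2\$/,/^COMMIT\$/p" "$1"; }

# default policy of chain $3 in table $2 (INPUT exists in mangle and filter,
# so the table has to be named)
chain_policy() { table_section "$1" "$2" | sed -n "s/^:$3 \([A-Z]*\) .*/\1/p"; }

# number of -A rules in table $2; 0 means the table carries only counters
rule_count() { table_section "$1" "$2" | grep -c '^-A ' || true; }

# destination ports accepted on INPUT for protocol $2 (tcp/udp), in rule
# order; handles both --dport N and multiport --dports a,b:c
open_ports() {
    table_section "$1" filter \
      | grep "^-A INPUT .*-p $2 .*-j ACCEPT" \
      | sed -n 's/.*--dports\{0,1\} \([0-9:,]*\).*/\1/p' \
      | tr '\n' ',' | sed 's/,$//'
}

# copy of the ruleset with every [pkts:bytes] counter reset
zero_counters() { sed 's/\[[0-9][0-9]*:[0-9][0-9]*\]/[0:0]/' "$1"; }

echo "filter INPUT policy  : $(chain_policy "$RULES" filter INPUT)"
echo "mangle INPUT policy  : $(chain_policy "$RULES" mangle INPUT)"
echo "rules in mangle      : $(rule_count "$RULES" mangle)"
echo "rules in filter      : $(rule_count "$RULES" filter)"
echo "TCP ports accepted   : $(open_ports "$RULES" tcp)"
echo "UDP ports accepted   : ${UDP:-$(open_ports "$RULES" udp)}"
echo "--- counters zeroed ---"
zero_counters "$RULES"
```

On the server itself the same zeroing is `iptables-save | sed 's/\[[0-9]*:[0-9]*\]/[0:0]/' > /etc/sysconfig/iptables`, which keeps the file stable between saves so a diff only shows rule changes. A table whose rule count is 0 and whose policies are all ACCEPT, like the mangle table above, can be left out of the file entirely.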
Quote:
Originally Posted by j118
I'm really starting to understand this stuff much better now.
Do keep reading though.
Quote:
Originally Posted by j118
In case anyone finds it helpful, this is what I ended up using (so far):
Code:
*mangle
:PREROUTING ACCEPT [84532:4867976]
:INPUT ACCEPT [84532:4867976]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90211:23224227]
:POSTROUTING ACCEPT [90211:23224227]
COMMIT
# Completed on Mon Jan 14 22:59:17 2013
# Generated by iptables-save v1.4.7 on Mon Jan 14 22:59:17 2013
Hmm. You could leave the above out. It's only counters and no rules.
Quote:
Originally Posted by j118
Do I need: "-A INPUT -p icmp --icmp-type any -j ACCEPT" in my rules?
There are certain types of messages you shouldn't answer, but generally speaking think of ICMP as an "error message protocol": it provides diagnostics.
Quote:
Originally Posted by j118
Now that I'm using the above rules, and looking at the logfiles, I'm seeing hundreds of entries like this (note: possibly sensitive numbers masked to protect the innocent):
In the case of a dedicated virtual server, is "eth0" an interface that is leading to the Internet side? (the IPs I masked-out above are indeed from Internet located machines) Do I need to unblock something? Or are these denials alright? (I can already browse to my website just fine)
The log entry shows somebody trying to connect to your mail server. IN=eth0 is your network-facing ethernet device, how traffic routing and naming works depends on what virtual ethernet devices dom0 provides. If you don't want people to spam your mail server then keep the port shielded. As precaution maybe make it listen on localhost only and implement an anti-spam filter?
Quote:
Originally Posted by j118
My server is running a DNS server on port 53. Does that need to be open to the Internet
If you run an authoritative Name Server (remote domain name lookups not ending up at your providers but at your machines) then you should have UDP/53 (majority of traffic) and TCP/53 open. Be aware that if you run an authoritative NS you also need a backup NS in a different network and you need to tune its configuration.
Quote:
Originally Posted by j118
What's the best way to re-map a port like the SSH port 22?
You shouldn't need to:
- deny root access to any login over the 'net (that's the default for OpenSSH BTW),
- always use pubkey auth,
- maybe constrain access to "trusted" accounts ('man sshd_config': AllowUsers / AllowGroups), and
- do use fail2ban or an equivalent (but not DenyHosts set to /etc/hosts.{allow,deny}).
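unSpawn's answers on ICMP and on DNS, put together as a complete ruleset. This is an added example in shell and is not the thread's own rules nor anything from CentOS: it emits the posted filter table in iptables-save format with an explicit ICMP rule and with port 53 accepted on both UDP and TCP, using the same `-m state` syntax as the thread (iptables 1.4.7 era). The port lists are assumptions taken from the posted ruleset plus UDP/53; adjust them to the host. The ICMP choice rests on conntrack: the `RELATED,ESTABLISHED` rule already admits the error messages that belong to connections the server itself opened (destination-unreachable including fragmentation-needed, time-exceeded, parameter-problem), so the only type that needs its own rule is echo-request if the host should answer ping. It is rate-limited; requests above the limit are NEW to conntrack and therefore reach the LOG and REJECT rules. Redirect, timestamp and address-mask requests get no rule at all.

```shell
#!/bin/sh
# Added example, not from the thread: the posted ruleset with explicit
# ICMP handling and DNS on both UDP and TCP, emitted in iptables-save
# format so it can be loaded with iptables-restore. Uses the CentOS 6
# era "-m state" syntax the thread uses. Port lists are assumptions.

# $1 = TCP ports in multiport syntax, $2 = UDP ports (at most 15 entries
# each; a range such as 20:22 counts as two)
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# ICMP: RELATED above already admits the error messages that belong to
# our own connections (destination-unreachable incl. fragmentation-needed,
# time-exceeded, parameter-problem), so the only type that needs a rule
# of its own is echo-request, rate-limited so a ping flood stays cheap.
# Redirect (type 5), timestamp (13) and address-mask (17) requests get no
# rule and fall through to the REJECT at the end.
-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# services, TCP and UDP (an authoritative name server needs 53 on both)
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports $1 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp -m multiport --dports $2 -j ACCEPT
# everything else: log at most one new connection per second, then reject
-A INPUT -m state --state NEW -m limit --limit 1/sec -j LOG --log-prefix "IN_denied "
-A INPUT -m state --state NEW -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# the thread's service ports plus UDP/53 (assumed; adjust to the host)
TCP_PORTS="20:22,53,80,110,143,443,989,990,993,995,8443"
UDP_PORTS="53"

build_ruleset "$TCP_PORTS" "$UDP_PORTS"
```

To put it in place on the server: redirect the output to a file, load it with `iptables-restore < file` from a session you keep open, confirm from a second login that SSH and the web server still answer, and only then run `service iptables save`. Lines starting with `#` are ignored by iptables-restore, so the comments can stay in the file. iptables only covers IPv4; if the host has a public IPv6 address, ip6tables needs its own ruleset with ICMPv6 left far more open, since neighbour discovery depends on it.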
Quote:
Originally Posted by unSpawn
You shouldn't need to:
- deny root access to any login over the 'net (that's the default for OpenSSH BTW),
- always use pubkey auth,
- maybe constrain access to "trusted" accounts ('man sshd_config': AllowUsers / AllowGroups), and
- do use fail2ban or an equivalent (but not DenyHosts set to /etc/hosts.{allow,deny}).
What unSpawn said above is a must-do in order to secure your system.
Do you have a hardware firewall in your network? If yes, then it would be easy to use mapped ports.
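The SSH list that both unSpawn and LeoPap point at is easy to get wrong in one specific way: sshd takes the first occurrence of each keyword in sshd_config and ignores later ones, so a hardening block pasted at the end of a stock file changes nothing. The script below is an added example in shell, not code from the thread or from OpenSSH: it resolves a keyword the way sshd does (comments stripped, first match wins, anything under a `Match` block not counted as global) and audits a config for the four points above plus one more that bites on CentOS, `ChallengeResponseAuthentication`, which with `UsePAM yes` still lets passwords in through keyboard-interactive even when `PasswordAuthentication no` is set. Both configs are constructed samples; the group name `sshusers` is an assumption. A missing `PermitRootLogin` is reported as a finding on purpose: whatever the default of a given OpenSSH version, the setting should be explicit.

```shell
#!/bin/sh
# Added example, not from the thread: check the *effective* sshd settings.
# sshd uses the first occurrence of a keyword; later duplicates are ignored,
# so a hardened line appended below a stock "PermitRootLogin yes" does nothing.

# value of keyword $2 in file $1 as sshd resolves it (empty = not set):
# drop everything from the first Match block on, strip comments and leading
# blanks, take the first line with that keyword, lower-case the value
sshd_effective() {
    sed -e '/^[[:space:]]*[Mm]atch[[:space:]]/,$d' -e 's/#.*//' -e 's/^[[:space:]]*//' "$1" \
      | grep -i "^$2[[:space:]]" | head -n 1 \
      | sed -e 's/^[^[:space:]]*[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | tr 'A-Z' 'a-z'
}

# print one finding per line; exit status is the number of findings
sshd_audit() {
    f=$1; n=0
    v=$(sshd_effective "$f" PermitRootLogin)
    [ "$v" = no ] || { echo "PermitRootLogin is '${v:-unset}', want 'no'"; n=$((n+1)); }
    v=$(sshd_effective "$f" PasswordAuthentication)
    [ "$v" = no ] || { echo "PasswordAuthentication is '${v:-unset}', want 'no'"; n=$((n+1)); }
    v=$(sshd_effective "$f" ChallengeResponseAuthentication)
    [ "$v" = no ] || { echo "ChallengeResponseAuthentication is '${v:-unset}', want 'no' (PAM keyboard-interactive still accepts passwords)"; n=$((n+1)); }
    v=$(sshd_effective "$f" PubkeyAuthentication)
    [ "$v" != no ] || { echo "PubkeyAuthentication is 'no'"; n=$((n+1)); }
    [ -n "$(sshd_effective "$f" AllowUsers)$(sshd_effective "$f" AllowGroups)" ] \
      || { echo "neither AllowUsers nor AllowGroups is set"; n=$((n+1)); }
    return $n
}

WEAK=$(mktemp); HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT

# constructed sample: a stock-looking file with a hardening block pasted at
# the bottom, where it never takes effect
cat >"$WEAK" <<'EOF'
Protocol 2
Port 22
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
#ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes

# added by an admin, too late in the file to matter
PermitRootLogin no
PasswordAuthentication no
EOF

# constructed sample: the same points done right; the Match block at the end
# is a per-network exception and does not change the global setting
cat >"$HARD" <<'EOF'
Protocol 2
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowGroups sshusers
Match Address 192.0.2.0/24
    PasswordAuthentication yes
EOF

for f in "$WEAK" "$HARD"; do
    echo "== $f"
    if sshd_audit "$f"; then echo "no findings"; else echo "$? finding(s)"; fi
done
```

Run it against `/etc/ssh/sshd_config` before restarting sshd, and keep the current session open while testing key-based login from a second one, for the same lock-out reason as with the firewall. fail2ban then covers the remaining brute-force noise; it is a separate package with its own jail configuration and is not checked here.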
- Yes, I'll definitely keep reading! Thanks. I know I'm only starting to grasp these things.
- Regarding ICMP, you said "There's certain types of messages you shouldn't answer..." What kinds? I'm trying to research this, but if you want to, an example that lets only good ICMP messages through would be most welcome. If not, no problem.
- "The log entry shows somebody trying to connect to your mail server" Oops! My email accounts are using insecure port 25 for outgoing SMTP! (*slaps forehead*) They couldn't send email out (hence the log entries). So it's good this was clarified. I have temporarily opened port 25, and will get them set up using port 456 and SSL and close port 25 again pronto! (The log file shows its worth once again!)
- "If you run an authoritative Name Server then you should have UDP/53 and TCP/53 open" I do indeed use my own server as the authoritative DNS (as far as I can tell). So I've added the following to my rules (right after the line opening the TCP ports): "-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT". Does that look sane and acceptable?
- In regard to SSH: I'm setting it up with pubkey auth and fail2ban immediately.
To LeoPap:
No hardware firewall, though I could pay extra to have one. Right now I'm not thinking I really need one too bad. But perhaps I'm wrong?