Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
If you could comment out a line containing what is needed for a bittorrent client, with like "xxxxx" in place of the port number so I when I know what my client uses I can put that in. I used to use qtorrent, but I don't have qt. Probably going with a text-based client this time.
If you could comment out a line containing what is needed for a bittorrent client, with like "xxxxx" in place of the port number so I when I know what my client uses I can put that in. I used to use qtorrent, but I don't have qt. Probably going with a text-based client this time.
Thanks for the help!
This rc.firewall script should be enough to get you started (you can always tighten it down further):
Code:
#!/bin/sh
IPT="/usr/sbin/iptables"
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p TCP -i eth0 --dport 6881 --syn -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p UDP -o eth0 --dport 53 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 -m multiport --dports 21,22,80,443,5050,5190,6667 \
-m state --state NEW -j ACCEPT
A couple things to think about: It's a good idea to specify the IPs of the DNS server(s) instead of just allowing all outbound UDP packets with destination port 53. To do that, just replace the UDP/53 rule with a couple rules like (for example):
Code:
$IPT -A OUTPUT -p UDP -o eth0 --dport 53 -d 208.67.222.222 \
-m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p UDP -o eth0 --dport 53 -d 208.67.220.220 \
-m state --state NEW -j ACCEPT
Also, keep in mind that restricting the outbound connections to the set of ports you posted would likely hinder BitTorrent. BTW, as you can see this doesn't use the "start|stop" thing but if you need that it can be easily added.
I just tired to run the above script sh script.sh, nothing!! not even any complain, or any thing.. being a user I should know what is wrong:-). I added some guide lines to a bigger like me..
Are these settings useful for me?
I don't want any connection form out side world on eth0 and want to share everything with eth1(I have two LAN Cards ) please help me out.
Code:
#! /bin/bash
clear
if [ $# -ne 1 ];then
echo
echo "Usage is(e.g): sh script.sh start or stop. "
exit 1
else
echo
echo "Type in your iptables path: e.g: /usr/sbin/iptables or /sbin/iptables"
read IPT
fi
start() {
echo "Now starting your firewall..."
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p TCP -i eth1 --dport 6881 --syn -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -p UDP -o eth0 --dport 53 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p TCP -o eth0 -m multiport --dports 21,22,80,443,5050,5190,6667 -m state --state NEW -j ACCEPT
echo
$IPT -L
echo
echo
echo "Firewall Started Successfully"
}
stop() {
echo "Stopping firewall"
$IPT -F
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -L
echo "Firewall stoped."
echo
}
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
esac
And in my case /user/sbin/iptables not found.. /sbin/iptables found.
Thank you hope you will respond on this thank you guys
Drpeter, don't ever hijack a fellow member's thread like this again. It's insanely rude and completely unacceptable. You already had a thread asking this when you posted, which makes it even worse. If you have any questions or comments regarding this matter, you are welcome to contact me via email - do NOT use this thread. @Everyone: Please don't let this throw you off-topic.
I'm surprised no one mentioned alienBob's firewall script maker. Which can be found here. The best firewall 'option' for Slackware (imo) without having to learn ALL about IPtables.
I'm surprised that none of the rules in this entire thread use ESTABLISHED,RELATED flags for ports you don't need open all the time, I know it's not the best method but it works. Here s an example of mean.
Quake 3 needs certain ports open to talk to the master server, if you make first contact then the ports open, if you don't make any attempt to contact the master server then the ports are closed until you make first contact.
Also for a more secure setup you could setup a port knocking system for "hot" ports such as 22, 23..etc
You could reduce the tcp timeouts, enable syn flooding to slow down DoSing just make sure that you don't touch anything to do ACK, if you are running a desktop and don't care about server daemons then you can change the ACK settings as well.
You can fine tune the tcp/ip settings a lot more, but these are just some basic examples.
I'm surprised that none of the rules in this entire thread use ESTABLISHED,RELATED flags for ports you don't need open all the time, I know it's not the best method but it works. Here s an example of mean.
Quake 3 needs certain ports open to talk to the master server, if you make first contact then the ports open, if you don't make any attempt to contact the master server then the ports are closed until you make first contact.
Not sure what you mean, the script I posted used RELATED and ESTABLISHED matches for both inbound and outbound packets. Could you elaborate?
No if you reduce the TCP timeouts you can reduce DoSing, if you see that there is a comma and not a period you realize you are only to referring to one option I suggested.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
