Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
With my current iptables rules I used obfsproxy too, but it did not work. Your iptables rules are so simple. I would like to block scanners like Nmap.
The above rules block scanners, insofar as scanners can be blocked. As you see, the default is to block and only a few things are let in. If you block ICMP completely you break your network. If you want logging of some of the scans, then that is a different matter and you have a lot of choices, but the logging would occur just before that last blocking rule.
You don't have to answer external ping and it will not break your network.
If you are using the rules posted in #16, where the default policy for the OUTPUT is to accept packets, then I'm not sure where the problem lies since it is unlikely to be in iptables.
What method did you use to acquire and install the Tor Browser Bundle?
Tor Browser Bundle is portable and does not need any installation. Can you apply my rules on your system and test them?
I changed my iptables rules and used the rules below too:
Code:
-A INPUT -p tcp -m tcp --dport 9150 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9150 -j ACCEPT
But it did not work, and the Tor Browser log says:
Code:
12/09/2016 17:50:48.400 [NOTICE] Bootstrapped 5%: Connecting to directory server
12/09/2016 17:50:48.500 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
12/09/2016 17:53:14.300 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
12/09/2016 17:53:14.300 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/09/2016 17:53:14.300 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
12/09/2016 17:53:14.800 [NOTICE] Delaying directory fetches: DisableNetwork is set.
12/09/2016 17:53:19.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/09/2016 17:53:19.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/09/2016 17:53:19.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/09/2016 17:53:19.800 [NOTICE] Opening Socks listener on 127.0.0.1:9150
12/09/2016 17:53:56.100 [WARN] Proxy Client: unable to connect to 192.95.36.142:443 ("general SOCKS server failure")
12/09/2016 17:54:03.300 [WARN] Proxy Client: unable to connect to 154.35.22.11:443 ("general SOCKS server failure")
12/09/2016 17:54:04.100 [WARN] Proxy Client: unable to connect to 83.212.101.3:50001 ("general SOCKS server failure")
12/09/2016 17:54:09.000 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
12/09/2016 17:54:09.000 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
12/09/2016 17:54:09.000 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
The biggest flaw I'm seeing is that you are not adding outbound connections to your ConnTracking DB. Since your outbound connections are simply ACCEPTed, they are not being added to the DB. You should have a line like this to ensure they get added:
Code:
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
This will add all your new connections to the DB so that the rule
Code:
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Excuse me if I can't explain my goal. I would like to have iptables rules that block all incoming connections to my system, allow Tor Browser, and also detect scanners like Nmap and block the scanners' IPs.
I'm not able to duplicate the problem with my system. The rules I provided earlier work for me, as well as with the modification that lazydog provides. So I'm not sure what to look at next. Which distro do you have and which version is it?
As I said, I use Debian amd64. I sent an email to the Tor mailing list and they told me:
Code:
You always need to allow some input as well in order for the Tor guard node to
talk to your computer. Stateful Inspection is used for this. Here's a complete
ruleset to accomplish what you asked for. All output is allowed, but no input,
except it belongs to some output your computer previously did.
# Stateful inspection for input and output
iptables -A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
iptables -A OUTPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Reject any other input
iptables -A INPUT -j REJECT
# Accept all output
iptables -A OUTPUT -j ACCEPT
Note that you also want to account for IPv6 using ip6tables. It depends on your
network though.
My current iptables rules are:
Code:
# Generated by iptables-save v1.4.21 on Fri Dec 9 17:25:25 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
-A INPUT -i lo -j ACCEPT
#-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 192.168.0.0/24 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
COMMIT
# Completed on Fri Dec 9 17:25:25 2016
I'd go with the simpler rules close to those proposed by the list:
Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT
-A OUTPUT -j ACCEPT -m state --state NEW,RELATED,ESTABLISHED
COMMIT
The other rules you have contain a bunch of lines unnecessary for a regular desktop. See if those work. If they do, they can be adjusted but try them as-is first.
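The posted iptables-save dump and the reply above illustrate a common failure mode: once a chain contains an unconditional `-j REJECT` or `-j ACCEPT`, everything appended after it is dead, and rules that differ only in option order (`-j ACCEPT -m state ...` versus `-m state ... -j ACCEPT`) are silent duplicates. The following is an added example, not code from the thread or from any poster: a small linter for the iptables-save format that flags rules appended to an undeclared chain (a misspelled chain name is rejected by iptables-restore), exact duplicates after canonicalising option order, and rules shadowed by an earlier catch-all in the same chain. The `SAMPLE` ruleset is constructed for the example and only modelled on the dump posted above; the small set of target options it knows about (`--reject-with`, `--log-prefix`, `--log-level`) is an assumption sufficient for filter-table dumps like this one.

```python
"""Lint an iptables-save dump for shadowed, duplicate and misdirected rules."""
import shlex

# Targets that end evaluation of the chain for a matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
# Options that belong to the target, not to packet matching (assumed sufficient
# for filter-table dumps; extend for NAT targets such as --to-destination).
TARGET_OPTS = {"--reject-with", "--log-prefix", "--log-level"}

# Constructed sample, modelled on the ruleset posted in the thread.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
COMMIT
"""


def parse_rule(line):
    """Split one '-A CHAIN ...' line into (chain, target, canonical matches).

    Tokens are grouped into options (a token starting with '-') and their
    arguments; a leading '!' is folded into the option name it negates.
    Match options are sorted so that the same rule written with a different
    option order compares equal.
    """
    groups = []
    negate = False
    for tok in shlex.split(line):
        if tok == "!":
            negate = True
            continue
        if tok.startswith("-"):
            groups.append([("!" if negate else "") + tok, []])
            negate = False
        elif groups:
            groups[-1][1].append(tok)
        else:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")

    chain = target = None
    matches = []
    for opt, args in groups:
        if opt == "-A":
            chain = args[0]
        elif opt == "-j":
            target = args[0]
        elif opt not in TARGET_OPTS:
            matches.append((opt, tuple(args)))
    if chain is None:
        raise ValueError(f"no chain in {line!r}")
    return chain, target, tuple(sorted(matches))


def lint(dump):
    """Return a list of (line_number, kind, message) findings for a dump."""
    declared = set()   # chains named by ':CHAIN POLICY [p:b]' lines
    seen = {}          # chain -> {(target, matches): first line number}
    closed = {}        # chain -> line number of an unconditional terminating rule
    findings = []
    for lineno, raw in enumerate(dump.splitlines(), 1):
        line = raw.strip()
        if line.startswith(":"):
            declared.add(line[1:].split()[0])
            continue
        if not line.startswith("-A "):
            continue   # table header, comments, COMMIT
        chain, target, matches = parse_rule(line)
        if chain not in declared:
            findings.append((lineno, "undeclared-chain",
                             f"chain {chain!r} is not declared; iptables-restore rejects this line"))
            continue
        if chain in closed:
            findings.append((lineno, "shadowed",
                             f"never reached: line {closed[chain]} already terminates every packet in {chain}"))
        key = (target, matches)
        chain_seen = seen.setdefault(chain, {})
        if key in chain_seen:
            findings.append((lineno, "duplicate", f"same as line {chain_seen[key]}"))
        else:
            chain_seen[key] = lineno
        # A terminating target with no match options ends the chain for everyone.
        if target in TERMINATING and not matches and chain not in closed:
            closed[chain] = lineno
    return findings


if __name__ == "__main__":
    for lineno, kind, msg in lint(SAMPLE):
        print(f"line {lineno}: {kind}: {msg}")
```

Run it on a real dump with `lint(open("rules.v4").read())`. Every rule after the first `-A INPUT -j REJECT` or `-A OUTPUT -j ACCEPT` in the posted ruleset is reported as shadowed, which is why the shorter ruleset proposed above behaves the same as the long one minus the dead lines.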