Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am running Mandrake 9.1 and currently the IPtables that I have below here is placed in '/etc/rc.local' directory. Should it be placed somewhere else? I did a ports security scan and it came up all stealthed. So I don't know.
Plus, even if I have this code placed on there, should I leave the 'iptables' Services ON or OFF??? As I recall, when I did this security test, I had the service not running and still came up as stealth. (As I could remember).
So, my question is, in what directory should this firewall code be placed in? Or, is the 'rc.local' directory OK??? And, should I leave the IPtables under Services left running or not running?
Here's the code:
#!/bin/sh
# Kernel network hardening knobs (written through /proc)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts   #Block pings to broadcast IP (smurf)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians         #Log non-routable IPs
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route  #Block source-routed packets
# Start from a clean slate so re-running the script does not append duplicate rules
iptables -F
iptables -X
iptables -t nat -F
# Default policies: drop everything inbound and forwarded, allow outbound
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
#DROP BAD PACKETS
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP #DROP NEW NOT SYN
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #DROP SYN-FIN SCANS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #DROP SYN-RST SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP #DROP X-MAS SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP #DROP NMAP FIN SCAN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP #DROP NULL SCANS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP #DROP ALL/ALL SCANS
#LOG AND DROP IANA RESERVED/BOGONS (ppp0 is the dial-up interface; adjust if yours is different)
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
#ALLOW LOOPBACK AND REPLIES TO CONNECTIONS WE STARTED (the stateful part)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
some people like to use rc.local for firewall scripts, but it's not a very good idea IMHO... i don't know about mandrake, but on slackware rc.local is one of the last startup scripts run - so there would be a "window" between when the network is brought-up and when the firewall kicks-in if you put your firewall script there... it may or may not be like this on mandrake... the optimal thing is to have the rules active before the network is up... that way you're always covered...
i believe you could manually put your rules in /etc/sysconfig/iptables if you want... but take a look at it after running the "service iptables save" command cuz i don't think the file is shell-script formatted...
i'm sorry i can't give you better answers, as you can see i don't use mandrake and i don't have access to a mandrake box to see for myself...
as for your box being stealthed: if you're not allowing any incoming connections on any port then "stealthed" is actually what you want... ;-)
Originally posted by wardialer: I got the service iptables save command. Ok....
But what do I have to do after that?
not much... that's basically it... once you execute your firewall script and you've checked that it's all working the way you want it to, you run the "service iptables save" and the firewall configuration is *saved*... if you wanna make changes just edit your script, execute it, and do the save again...
And where does this Chmod 755 firewall.txt come into action? When do I have to type that command?
"chmod 755" makes any file executable... my point was that if you wanted to execute your firewall script you'd need to make sure the file was executable first... the name "firewall.txt" is just an example, you could call your firewall script anything you like, but make sure there's a shebang at the top...
let's say i have my firewall script in a file called wardialer_firewall.sh... to make it executable and then execute it i would do this:
then i can use whatever method i use to check if everything is fine and when i'm sure then i can save the firewall configuration using the "service iptables save" command to make it "permanent"... if you don't do the "save" after running the script the configuration will be gone upon reboot...
So, do I have to really have this script in the (rc.local) or the one you mentioned (/etc/sysconfig/iptables)???
you really don't need to put the script anywhere in particular... run it from anywhere you want - when you do the "service iptables save" your configuration will be properly saved to /etc/sysconfig/iptables... as i mentioned before, using rc.local for a firewall script is not a good idea...
And you posted a script.... can you confirm that it uses Stateful Packet Inspection? or does mine uses Stateful Packet Inspection???
yeah, it basically does the same thing your script does, except i removed stuff i found useless and added a thing or two... yes, it uses stateful packet filtering - any firewall that can recognize what NEW, ESTABLISHED, and RELATED packets are is using stateful packet filtering - it's a fundamental part of netfilter, which is what you are using...
remember that iptables is only the tool that is used to configure netfilter... technically speaking, your iptables script isn't a "firewall", it's just the script with the instructions to "configure" your firewall... the "service iptables save" thing does nothing but save the configuration in such a manner that it will be there when you reboot...
IT HAS TO BE STATEFUL PACKET INSPECTION IPTABLES**** Thats it, nothing else.
any decent iptables script is like this nowadays... in yours, for example, you are blocking all incoming packets to your computer, except those that are determined to have a *state* of ESTABLISHED/RELATED... in other words, you are only allowing input packets that are related to connections you have established yourself (from inside) - none that are starting connections from the outside are allowed...
I would like to start from scratch with this explanation: Please explain the whole thing from scratch, because I'm still lost.
Do I have to do the service iptables save first, or the Chmod 755 firewall.txt??? I don't understand why I can't just Cut/Paste it into the other mentioned directory without doing these commands??? What do you mean by "Executing" the script??? That really has me confused, and I apologize.
Ok, I have my current script in the 'rc.local' directory. What should I do with this once I boot into Linux? Please explain the commands in order of importance. What do you mean I have to execute it? It's just a written script, not an application. So, you're saying I have to run the execute command every time I boot??? So where is my actual firewall if the script is not a firewall? And what should I use as an actual firewall if this script is not a firewall??
So my question is, what command do I have to do first in order for this to work the whole time??? The Chmod 755 command or the other one?
Do I have to do it like this: chmod 755 /etc/sysconfig/iptables
And the iptables service under Services, should I leave that running or turned off?
Ok, I have my current script in the 'rc.local' directory. What should I do with this once I boot into Linux?
NOTHING... if you use the rc.local method, then the iptables rules will be run from there every boot... using your own INDIVIDUAL script and the "service iptables save" thing is the proper ALTERNATIVE... you don't do both...
in other words, putting your iptables rules in rc.local will "work", but it's not the "kosher" way of doing things... rc.local is mainly used for other types of things... for something security-oriented like iptables it's better to do it the right way...
by using rc.local for your iptables rules there would be a window of opportunity between the time your network card is brought-up and the time your rules take effect - that sucks...
What do you mean I have to execute it? It's just a written script, not an application.
scripts get executed also, not just applications... the rc.local file is executed at startup time... so the commands you put in there are run when the file is executed... think about it: your rc.local file isn't an application either, yet it gets executed at startup... check this out:
So, you're saying I have to run the execute command every time I boot???
no, just once... but this is if you choose to do the firewall thing by using an individual iptables script as i suggested... you create the script with all your iptables rules and stuff, and then you execute it (which configures your firewall)... after that you do the "save" thing and the firewall configuration is stored... you could even delete the iptables script after that, for example...
remove the iptables rules you have in rc.local... then save the script i posted to a text file, make it executable, and then execute it... now do the "service iptables save" thing and you're done... when you wanna make changes to your firewall configuration simply edit the script and execute it, and when you've checked it's fine you do the save thing... if you screwed-up and the new script sucked you'd still be okay cuz you hadn't saved it yet... so upon reboot you'd be back to your latest "known-good" configuration...
So where is my actual firewall if the script is not a firewall?
the actual firewall is part of the linux kernel... it's called netfilter...
netfilter and iptables are building blocks of a framework inside the Linux 2.4.x and 2.6.x kernel. This framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems.
netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists out of a number of classifiers (iptables matches) and one connected action (iptables target).
netfilter, iptables and the connection tracking as well as the NAT subsystem together build the whole framework.
your iptables script simply "tells" netfilter how you want it to work... the "service iptables save" command simply tells iptables to "remember" the instructions that you've given it, so that you don't have to execute the script yourself everytime you boot...
by putting the iptables rules in rc.local you aren't using iptables' "save" feature, you're just running the rules at startup everytime, much like if you would do it manually after the network is up...
And the iptables service under Services, should I leave that running or turned off?
leave it turned-on cuz you're using it... ;-)
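The "window" the replies above keep mentioning comes down to the order in which the SysV init links in the runlevel directory are started: if the firewall link has a higher S-number than the network link (and rc.local is typically the S99 link, run last), the interface is up before any rule is loaded. The script below is an added example, not something posted in the thread; it assumes a Red Hat/Mandrake style /etc/rc.d/rc3.d layout with S<NN><name> symlinks, and the listing it checks by default is constructed.

```shell
#!/bin/sh
# Added example: check whether the firewall init script starts before the network.
# Assumes SysV-style links named S<NN><name> (e.g. S10network). The sample listing
# below is constructed; point check_runlevel_dir at a real rc?.d directory to check a box.

# Constructed sample of what "ls /etc/rc.d/rc3.d" might print on a box where the
# firewall is ordered correctly (iptables at 08 runs before network at 10).
SAMPLE_LINKS="S08iptables S10network S99local"

# start_number LISTING NAME: print the sequence number of S??NAME without the leading
# zero (08 -> 8, 10 -> 10); fail if there is no start link for NAME at all.
start_number() {
    listing=$1
    name=$2
    for entry in $listing; do
        case "$entry" in
            S[0-9][0-9]"$name")
                echo "$entry" | cut -c2-3 | sed 's/^0//'
                return 0
                ;;
        esac
    done
    return 1
}

# firewall_before_network LISTING FWNAME NETNAME: succeed only when the firewall link
# has a strictly lower sequence number than the network link, i.e. rules are loaded
# before any interface comes up.
firewall_before_network() {
    fw=$(start_number "$1" "$2") || { echo "no start link for $2" >&2; return 1; }
    net=$(start_number "$1" "$3") || { echo "no start link for $3" >&2; return 1; }
    [ "$fw" -lt "$net" ]
}

# check_runlevel_dir DIR: run the same check against a real runlevel directory.
check_runlevel_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir does not exist" >&2; return 1; }
    firewall_before_network "$(ls "$dir")" iptables network
}

# Stand-alone usage: report on the constructed sample.
if firewall_before_network "$SAMPLE_LINKS" iptables network; then
    echo "sample: firewall starts before network (no window)"
else
    echo "sample: firewall starts AFTER network (window exists)"
fi
```

On a real box, run check_runlevel_dir /etc/rc.d/rc3.d (or rc5.d for a graphical login); a firewall that only lives in rc.local has no S??iptables link at all, which the check reports as a failure for the same reason.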
And this time, I am so mad at myself that starting from now, IT'S A MUST that I will learn Linux. It's just a whole different OS and I MUST learn it.
i know what you're going through, i've been there... i'm an ex-windows user... what i can tell you is that it's important for you to READ... i had to read quite a few iptables tutorials before i grasped the "general concept" properly... once i had the concept down, learning the ins and outs wasn't so painful... i know you haven't read the documentation i gave you yet, but it's important that you do read lots of it if you really wanna understand iptables...
also, do some research about shell scripts, make sure you check out the link about shell scripts i posted above... it's important that you know how to make files executable, how to execute them, and what shell scripts are...
1. Did a service iptables save command and it told me OK.
2. Went into the /etc/sysconfig/iptables and it showed my script.
3. Then I went to Mandrake System services I started iptables as RUNNING. Now it's running.
4. What's next???
What's next??? I still have the same script in my rc.local. Should I remove that?
yes, if you want to do it the right way then remove any iptables stuff from your rc.local...
once you've done that, then save the example script i posted to a text file, make the text file executable, and then execute it... then do the save again... then reboot your computer and do a "iptables -L" and post the output on this thread....
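The "make it executable, execute it, then save" sequence from the replies above, as an added example (not posted in the thread), wrapped in small functions so each step can be checked before moving on. It assumes the Red Hat/Mandrake style "service iptables save" command that writes /etc/sysconfig/iptables; the sample script it writes is a constructed stand-in that only echoes, so the helpers can be tried on a machine without touching any real rules.

```shell
#!/bin/sh
# Added example: the chmod 755 -> execute -> "service iptables save" workflow.
# Assumes a Red Hat/Mandrake style init where "service iptables save" persists the
# running ruleset to /etc/sysconfig/iptables.

# has_shebang FILE: true if the first line names an interpreter (e.g. #!/bin/sh),
# which is what lets the kernel run the text file as a program.
has_shebang() {
    head -n 1 "$1" | grep -q '^#!'
}

# syntax_ok FILE: parse the script without running it, so a typo is caught before it
# leaves the box with a half-applied ruleset.
syntax_ok() {
    sh -n "$1"
}

# make_executable FILE: the "chmod 755" from the thread (owner rwx, everyone else rx).
make_executable() {
    chmod 755 "$1" && [ -x "$1" ]
}

# deploy_firewall FILE: check, execute, and only then persist the result.
deploy_firewall() {
    script=$1
    has_shebang "$script"  || { echo "refusing: $script has no #! line" >&2; return 1; }
    syntax_ok "$script"    || { echo "refusing: $script has a syntax error" >&2; return 1; }
    make_executable "$script" || { echo "cannot make $script executable" >&2; return 1; }
    "$script" || { echo "script failed; ruleset may be partial, not saving" >&2; return 1; }
    # Save only after the rules loaded cleanly; a bad script never becomes the boot config.
    service iptables save
}

# write_sample_script FILE: constructed stand-in for a real firewall script.
write_sample_script() {
    printf '%s\n' '#!/bin/sh' 'echo "pretend: iptables -P INPUT DROP"' > "$1"
}

# Stand-alone usage: exercise the checks on the constructed script (no iptables needed).
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_sample_script "$tmp"
    has_shebang "$tmp" && syntax_ok "$tmp" && make_executable "$tmp" && "$tmp"
    rm -f "$tmp"
fi
```

For the real thing, run deploy_firewall /path/to/your_firewall.sh as root; if any check fails nothing is saved, so a reboot still brings back the last known-good configuration.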
But I want to use the script that I posted above. Could I do that??? And which text file program does Mandrake use? I just feel comfortable with my script. So you're saying it's not really secure? I may use yours but could I please use mine for now. I just feel comfortable with it.
Ok, how would I make the script executable???? This what confuses me. How can I make the text file executable??
Suppose I use Kwrite, after Pasting my script in there, then how can I make it executable?