Slackware - This Forum is for the discussion of Slackware Linux.
Here's my firewall rules, seems to do the job.......
Code:
# Default policy: drop everything that no rule below accepts.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# INBOUND, OUTBOUND, FORWARDING, PREROUTE and POSTROUTE are created but nothing
# ever jumps to them, so they are dead chains and can be removed.
iptables -N INBOUND
# Logs every packet, accepted or dropped, with no rate limit; expect a very noisy
# syslog. The usual pattern is to log just before the final DROP, with -m limit.
iptables -A INPUT -j LOG
# A new TCP connection must begin with a bare SYN.
iptables -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A INPUT -m state --state INVALID -j DROP
# NULL scan: no TCP flags set at all.
iptables -A INPUT -p tcp -m tcp --sport 1:65535 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# Anti-spoofing: loopback source on the wireless interface, and a guest on virbr0
# claiming the host's own bridge address.
iptables -A INPUT -s 127.0.0.1/32 -i wlan0 -j DROP
iptables -A INPUT -s 192.168.122.1/32 -i virbr0 -j DROP
# Drops all ICMP. This precedes both the lo ACCEPT and the ESTABLISHED,RELATED
# ACCEPT below, so "ping 127.0.0.1" fails and ICMP errors for existing flows
# (fragmentation-needed, i.e. path MTU discovery) are dropped as well.
iptables -A INPUT -p icmp -m icmp --icmp-type any -j DROP
# whois
iptables -A INPUT -p tcp -m tcp --dport 43 -j DROP
# XMAS-style scans
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL URG,PSH,FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN -j DROP
# Non-first fragments
iptables -A INPUT -p all -f -j DROP
# rwho and the UDP traceroute probe range
iptables -A INPUT -p udp -m udp -m multiport --dports 513,33434:33524 -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSDP, mDNS and the all-hosts multicast group
iptables -A INPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j ACCEPT
iptables -A INPUT -d 224.0.0.251/32 -p udp -m udp --sport 5353 --dport 5353 -j ACCEPT
iptables -A INPUT -d 224.0.0.1/32 -j ACCEPT
# Port 19301, a local service (kept as posted)
iptables -A INPUT -p tcp -m tcp --dport 19301 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 19301 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
# The ipsets "lan" and "intruders" must exist (ipset create ...) before these two
# rules load, or iptables rejects them. Note the order: a host that is in both
# sets is accepted by the lan rule and never reaches the intruders DROP; swap the
# two lines if the deny list should win.
iptables -A INPUT -m set --match-set lan src -j ACCEPT
iptables -A INPUT -m set --match-set intruders src -j DROP
# Explicit final drops; redundant with the DROP policy but they show in counters.
iptables -A INPUT -p tcp -m tcp -j DROP
iptables -A INPUT -p udp -m udp -j DROP
iptables -A INPUT -j DROP
iptables -A INBOUND -j DROP
iptables -N OUTBOUND
iptables -A OUTPUT -j LOG
iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
# (the original repeated the bare-SYN rule a second time here; the duplicate is removed)
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -p gre -j ACCEPT
iptables -A OUTPUT -p igmp -j ACCEPT
iptables -A OUTPUT -p ah -m ah -j ACCEPT
# sport 67 -> dport 68 is what a DHCP *server* sends, i.e. this host's dnsmasq
# answering libvirt guests; a DHCP client sends 68 -> 67.
iptables -A OUTPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
# NTP
iptables -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
# IPP, DNS-over-TLS, rsync, PPTP control, svn, git, and 19300/19301.
# There is no rule for plain DNS on 53; only DNS-over-TLS on 853 gets out.
iptables -A OUTPUT -p tcp -m tcp --dport 631 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 853 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 873 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 1723 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 3690 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 9418 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 19300 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 19301 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -m udp --sport 19301 -j ACCEPT
# FTP to one fixed host, control plus the active/passive data port range
iptables -A OUTPUT -d 185.193.27.46/32 -p tcp -m tcp -m multiport --dports 20,21,1024:65535 -m state --state NEW -j ACCEPT
# Mail: SMTP, POP3, IMAP, SMTPS, submission, IMAPS, POP3S
iptables -A OUTPUT -p tcp -m tcp -m multiport --dports 25,110,143,465,587,993,995 -m state --state NEW -j ACCEPT
# Web
iptables -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# NetBIOS name/datagram service and SMB
iptables -A OUTPUT -p udp -m udp -m multiport --dports 137,138 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp -m multiport --dports 139,445 -m state --state NEW -j ACCEPT
# IPsec/L2TP: IKE, L2TP, NAT-T
iptables -A OUTPUT -p udp -m udp -m multiport --dports 500,1701,4500 -j ACCEPT
# IRC
iptables -A OUTPUT -p tcp -m tcp -m multiport --dports 6667,6668,6697,7000 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m set --match-set ports src -j ACCEPT
# Both destinations are local addresses, so these packets leave via lo, which was
# already accepted above; the two rules never match.
iptables -A OUTPUT -d 127.0.0.1/32 -j DROP
iptables -A OUTPUT -d 192.168.122.1/32 -j DROP
iptables -A OUTPUT -p tcp -m tcp -j DROP
iptables -A OUTPUT -p udp -m udp -j DROP
iptables -A OUTPUT -j DROP
iptables -A OUTBOUND -j DROP
iptables -N FORWARDING
iptables -A FORWARD -j LOG
# Only replies are forwarded; nothing new is ever forwarded, so libvirt guests on
# virbr0 depend on the rules libvirtd inserts itself. Forwarded traffic never
# leaves via lo, so the "-o lo" rule is inert.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o lo -j ACCEPT
iptables -A FORWARDING -j DROP
# These two chains land in the filter table (no -t nat) and are unused.
iptables -N PREROUTE
# Only the first packet of each connection traverses the nat table, so this
# logging is far lighter than the filter-table LOG rules above.
iptables -t nat -A PREROUTING -j LOG
iptables -N POSTROUTE
iptables -t nat -A POSTROUTING -j LOG
Someone mentioned Shorewall and I used that, Arno's, a custom set and what you get from Webmin.
It was on a small "enterprise" mail server.
My conclusions (the project ended a long time ago):
1. Slackware 15.0 will really benefit from PAM, so future mail servers can have virtual users instead of real ones.
2. Shorewall was nice; Webmin was a solution but, alas, being popular, well known and ill maintained, it was a huge security hole/risk; Arno's was a good start but had to be tweaked to fit.
3. No generic firewall will make your Linux box more secure - and that is a fact.
4. There is no "generic Slackware" box/laptop out there, and that is good (monoculture weakens security).
BUT:
A. The instant you configure and have sshd, Samba, NFS or any other services up and running on your PC/box/laptop and have to travel and be a guest on a foreign network (be it GSM, WiFi, an unknown LAN or whatever), you had better have something that's filtering traffic!
So: the rc.firewall hook is an excellent move in that direction
and:
I. I see no harm in a generic rc.firewall script shipped with Slackware alongside that
II. A script people could begin with and build their own custom-tailored firewall from
III. Post it here for, IDK, a contest, thread or just sheer idea exchange and brainstorming (like we do ricing on the "This is my Slackware Desktop" thread)
IV. One day we'll have a well-tested set of scripts to choose from or to edit by commenting out, as many other things in /etc already are (rc.firewall.sample?)
V. Meanwhile people can make that firewall doc page there too?
We do it the Slackware way?
Last edited by SCerovec; 11-19-2021 at 11:15 AM.
Reason: typos, tons of typos :-[
Now if the networks (sources, targets and netmasks) were put in meaningful variables,
same for commands, with full paths (hardening).
It's a good start...
You mean like this?
iptables -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT -m comment --comment "HTTP,HTTPS"
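As an added example (not the rule set posted above and not a script from anyone in this thread), here is a skeleton rc.firewall that does what the last two replies ask for: networks and ports in named variables, every binary called by full path, a `-m comment` on each rule, and the ipsets created before the rules that reference them. It also fixes two ordering points a reviewer would flag in the posted set: the lo ACCEPT comes before any DROP, and the intruders set is checked before the lan set. The interface name, LAN range and SSH port are assumptions; the FTP host and the mail and web ports are taken from the posted rules. Run without arguments it only prints the commands, so the rule order can be reviewed as an ordinary user; `rc.firewall apply` loads them.

```shell
#!/bin/sh
# Added example: skeleton rc.firewall with named variables, full paths,
# per-rule comments and ipsets created before use. Not the posted rule set.
# Without an argument it prints the commands (dry run); "apply" runs them.

IPT=/usr/sbin/iptables      # full path: nothing earlier on $PATH can shadow it
IPSET=/usr/sbin/ipset

WAN_IF=${WAN_IF:-wlan0}                 # assumed: the untrusted interface
LAN_NET=${LAN_NET:-192.168.1.0/24}      # assumed: trusted LAN range
SSH_PORT=${SSH_PORT:-22}                # assumed: the one service offered to the LAN
FTP_HOST=185.193.27.46                  # from the posted rules
MAIL_PORTS=25,110,143,465,587,993,995   # from the posted rules
WEB_PORTS=80,443                        # from the posted rules

DRY_RUN=1                   # set to 0 by "apply"

# run: print the command in dry-run mode, execute it otherwise
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}
ipt() { run "$IPT" "$@"; }
ips() { run "$IPSET" "$@"; }

# The sets must exist before any "-m set --match-set" rule loads, otherwise
# iptables rejects that rule and the DROP policy is all that remains.
create_sets() {
    ips -exist create lan hash:net
    ips -exist create intruders hash:ip timeout 86400
    ips -exist add lan "$LAN_NET"
}

build_rules() {
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # Loopback first: the posted set dropped all ICMP before its lo ACCEPT,
    # which also killed "ping 127.0.0.1".
    ipt -A INPUT  -i lo -j ACCEPT -m comment --comment loopback
    ipt -A OUTPUT -o lo -j ACCEPT -m comment --comment loopback

    # Deny list before allow list: the posted order accepted the lan set
    # first, so an intruder inside the LAN range never reached its DROP.
    ipt -A INPUT -m set --match-set intruders src -j DROP -m comment --comment blocklist

    # Anti-spoofing on the untrusted interface
    ipt -A INPUT -i "$WAN_IF" -s 127.0.0.0/8 -j DROP -m comment --comment spoofed-loopback

    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP -m comment --comment invalid
    # RELATED admits ICMP errors for our own flows, so PMTU discovery keeps working
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment replies
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT -m comment --comment ping
    ipt -A INPUT -m set --match-set lan src -p tcp --dport "$SSH_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT -m comment --comment ssh-from-lan

    ipt -A OUTPUT -m conntrack --ctstate INVALID -j DROP -m comment --comment invalid
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT -m comment --comment replies
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT -m comment --comment dns
    ipt -A OUTPUT -p udp --dport 123 -j ACCEPT -m comment --comment ntp
    ipt -A OUTPUT -p tcp -m multiport --dports "$WEB_PORTS" \
        -m conntrack --ctstate NEW -j ACCEPT -m comment --comment web
    ipt -A OUTPUT -p tcp -m multiport --dports "$MAIL_PORTS" \
        -m conntrack --ctstate NEW -j ACCEPT -m comment --comment mail
    ipt -A OUTPUT -d "$FTP_HOST" -p tcp -m multiport --dports 20,21,1024:65535 \
        -m conntrack --ctstate NEW -j ACCEPT -m comment --comment ftp-fixed-host

    # Log only what is about to be dropped, rate limited, instead of every packet
    ipt -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: " -m comment --comment log-in-drop
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP: " -m comment --comment log-out-drop
    ipt -A INPUT  -j DROP -m comment --comment final-drop
    ipt -A OUTPUT -j DROP -m comment --comment final-drop
}

case "${1:-}" in
    apply) DRY_RUN=0 ;;
esac
create_sets
build_rules
```

Reading the dry-run output top to bottom is the cheapest review there is: every line starts with the same full-path binary, every `-A` rule names its purpose, and the position of the blocklist relative to the lan ACCEPT is visible without loading anything. After `apply`, `iptables -S` should list the same rules in the same order.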
I have been using Alien Bob's Easy Firewall Generator since Slack 13.0 and it has always worked nicely. After generating a basic firewall you can always tune it according to your needs.
"This newest release of liveslak brings something that was recently discussed on linuxquestions.org. What about adding a basic firewall configuration to the freshly installed Slackware system? A new Slackware Linux computer may have several ports open already and some people are paranoid about any prying from the outside."
"But in particular I want people to test the dialog-based configurator and give me feedback. You'll notice that the configurator allows you to go back and forth in the various dialog windows. I also want to know what you think of the questions and the level of simplicity. Also look at the installed rc.firewall script. Does it do what you need it to do?" https://alien.slackbook.org/blog/fre...asic-firewall/
Ever used a laptop in a public place? Ever used it to connect to an open hotspot?
Ever joined an install fest or a LAN party?
Internet café?
Yep. I use a VPN on a sketchy network along with a firewall. I like using PF on my BSD installations. I like UFW on Linux. The good people at SBo have an install script for UFW.
and renamed them myfwconf and rc.firewall respectively.
For the test run I had them both reside in ~/bin/ and I noticed that myfwconf fails to run as a normal user. Once I became root it ran fine and completed with a few selected ports and three (3) interfaces configured.
The generated scripts seemed fine; however, I would gladly see one minor thing changed:
Line 240 (or so), where the interfaces are listed into the DEV_LIST var to be used in the dialog, could use a space between adjacent interface names:
Code:
240c240
< DEV_LIST=$(for INDEV in ${!NETDEVARR[@]} ; do if [ "${NETDEVARR[$INDEV]}" = "on" ]; then echo -n $INDEV ; fi ; done)
---
> DEV_LIST=$(for INDEV in ${!NETDEVARR[@]} ; do if [ "${NETDEVARR[$INDEV]}" = "on" ]; then echo -n $INDEV" " ; fi ; done)
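Review bot: the `>` line appends a separator after every element, including the last, so DEV_LIST ends in a trailing space; that is harmless if the variable is only word-split into a dialog argument list, but it shows up if DEV_LIST is ever compared or printed verbatim. `printf '%s ' "$INDEV"` gives the same result with `$INDEV` quoted (the unquoted expansion in both versions only works because interface names never contain whitespace); to avoid the trailing separator altogether, accumulate with `DEV_LIST="$DEV_LIST $INDEV"` inside the loop and strip the leading space afterwards with `DEV_LIST=${DEV_LIST# }`. Note also that `${!NETDEVARR[@]}` on an associative array yields keys in no guaranteed order, so the dialog list need not follow the order in which the interfaces were discovered.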
Code:
ip6tables v1.8.7 (legacy): can't initialize ip6tables table `filter': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
ip6tables v1.8.7 (legacy): can't initialize ip6tables table `mangle': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.
Could not open socket to kernel: Address family not supported by protocol
[... the same messages repeat for every remaining ip6tables call in the script, several dozen times in total ...]
root@darkstar:/home/michael/bin#
I am running current, and have no idea what this means. I had an append in lilo to disable ipv6, but I removed that line, rebooted, and tried again. I am not running any other firewall.
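The message in that output is the kernel's EAFNOSUPPORT: ip6tables asks for an AF_INET6 socket and there is no IPv6 stack to answer, which is exactly what a kernel booted with `ipv6.disable=1` looks like. Two things can be checked from userland without guessing: what the running kernel was actually booted with (`/proc/cmdline`, which is what counts after editing lilo.conf, since the change only takes effect once `lilo` has been re-run and the box rebooted into it) and whether the stack registered at all (`/proc/net/if_inet6` exists only when it did). The following is an added example, not from any post in this thread: a guard an rc.firewall script can use so that ip6tables is skipped cleanly instead of spraying this error once per rule. The file paths are parameters so the checks can be exercised against constructed copies; the `ip6t` wrapper name is my own.

```shell
#!/bin/sh
# Added example: decide whether ip6tables can work on this kernel before an
# rc.firewall script calls it. Paths are parameters so the logic can be tested
# against constructed files; defaults point at the real /proc entries.

# Returns 0 when the running kernel's command line contains ipv6.disable=1.
booted_with_ipv6_disabled() {
    cmdline_file=${1:-/proc/cmdline}
    [ -r "$cmdline_file" ] && grep -qw 'ipv6\.disable=1' "$cmdline_file"
}

# Returns 0 when the IPv6 stack is registered; if_inet6 exists only then.
ipv6_stack_present() {
    if_inet6=${1:-/proc/net/if_inet6}
    [ -e "$if_inet6" ]
}

# Prints one of: disabled-on-cmdline, no-ipv6-stack, available
ipv6_status() {
    if booted_with_ipv6_disabled "$1"; then
        echo disabled-on-cmdline
    elif ! ipv6_stack_present "$2"; then
        echo no-ipv6-stack
    else
        echo available
    fi
}

# ip6t (name assumed): call this instead of ip6tables directly in rc.firewall.
# With no IPv6 stack every ip6tables call would fail with EAFNOSUPPORT, so the
# rules are skipped with one line of explanation rather than one error per rule.
ip6t() {
    status=$(ipv6_status)
    if [ "$status" = available ]; then
        /usr/sbin/ip6tables "$@"
    else
        echo "skipping ip6tables $*: IPv6 is $status on this kernel" >&2
        return 0
    fi
}

echo "IPv6 on this kernel: $(ipv6_status)"
```

With IPv6 genuinely unavailable the right fix is to not call ip6tables at all, as above; an IPv4-only box gains nothing from ip6tables rules, and a box where IPv6 is merely switched off by boot parameter needs them only once that parameter is gone and the kernel has been rebooted without it.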