SlackwareThis Forum is for the discussion of Slackware Linux.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Ok what im having trouble with is iptables-firewall by arno anyways i downloaded this and installed it and followed his directions and then opend the manualy page for it and i still couldnt find out how to block certian ports like it says that all ports are blocked by default but i did nmap localhost and like all the ports that shouldnt be are open suchs as:
21,22,111,37,57..etc like all of them the only major ones im worried about is like the finger and ssh and ftp because i was looking i nthe proftd.log file and i noticed that someone was trying to log on i guess they werent to successfull b/c they couldnt find a valid user but it says ftp session opened. I went into /etc/iptables-firewall.conf and edited that i made sure under block_tcp i put port 20,21,22 then i did /etc/rc.d/rc.iptables restart so it would flush all ther rules and bring them back up but i guess i did it wrong b/c i tried nmap localhost and i still got the same response wiht all these ports open. Any suggestions?? Thanx
I may be wrong about this, but I think that if you are running nmap on the machine you're scanning (nmap localhost), you're going to get a different answer than if you scanned your machine from the outside. The reason I think this way is that most iptables rule sets have a line that allows localhost complete access to itself. So something like:
iptable -A INPUT -i lo -j ACCEPT
So all the fancy rules about blocking various ports look like they don't work because the nmap packets match the localhost rule.
Now if you are scanning your firewall from another computer and it is showing blocked ports as being open, THEN you've got a problem.
I also use Arno's iptables on my Slack box. I'm a sole home user - no network, services, etc - which enables me to stealth all ports and disable/uninstall services. A firewall is, I think only one part of the solution to security. I'd suggest that you serious weigh up which services you need and which you don't. That depends obviously on your usage.
1. Please post more details about your installation (e.g. full/newbie or customised), what have you changed from the vanilla install - if anything - and you usage needs. It's hard to know much about anything without some specs.
2. Strong recommendation that you try to google on "arno's iptables" - I found over four pages on that search string Anyway, my personal recommendation is Jay's great site at http://simplylinux.punted.net (parent) or more specifically for Arno's iptables go to http://simplylinux.punted.net/Usingiptables.html .
3. Read the rest of Jay's material and let him know if you like it. He's put a lot of effort into it and it was a great resource for me.
Ok thanx Hangdog42 for ur help, I ended up just asking a friend to do a port scan for me and guess what there were all blocked!!!
Ok tireseas hmm i use ftp and ssh and im running a httpd server so i would need them open and with this if i need to use ftp i just gotta shut down the iptables and boom its usable same wtih ssh im hoping i havnt tried this theory out yet. But i think it will work hehe anyways.
Azmeen, i have a few questions about this script first of all would what do i have to do to use this. Meaning would i have to del or remove arno's firewall??? or just change rc.iptables?? Second of all i have a cable i dunno if im like totally out of it but i think it noticed "lo" meaning like phone line i think would i change that to eth0??? also do i need the proxy scan in there and whats the unix scan??? sorry about all the questions??
Thanx for replys
Originally posted by matt3333 Azmeen, i have a few questions about this script first of all would what do i have to do to use this. Meaning would i have to del or remove arno's firewall??? or just change rc.iptables?? Second of all i have a cable i dunno if im like totally out of it but i think it noticed "lo" meaning like phone line i think would i change that to eth0??? also do i need the proxy scan in there and whats the unix scan??? sorry about all the questions??
Thanx for replys
First of all, I don't use arno's and I don't know whether it's a complete ruleset or some sort of rule generator.
What I do know is that markus' script is that you can stick it in a text file, save it as rc.firewall and chmod +x it... and bam, you have a full-fledged and stable firewall... with some minor tweaking, it'll be perfect.
lo does not mean phone line... it's local connection... loopback to be precise. You shouldn't block loopback connections unless you want to see your whole network setting go down the drain.
If you look closely, you can see that eth0 is inside the script... actually you need not bother about that at all, just enable/disable the services you need/don't need.
well i dont know much bout arno but you could set this rule at the top of ur input chain (and imho is what happened)
you have a rule like
iptables -I INPUT -j DROP
to make ur firewall a mostly closed system by default. Now when you use nmap on another puter to scan what was prolly happening is ur box was dropping all the connection request without sending a RST (tcp-reset) packet. So nmap was waiting and since no reset packet was received it assumed the port was "open" (which is typical of linux)
Ok sorry Azmeen i mixed u and tireseas up sorry guys. Thanx kahpeetan i think i either understand more or just mor confused but i think i know whats going on.
One more question which firewall should i use??? Im all confused now like should i stick with arno's or drop it and go to markus's script like which would benafit me mostly?? I was thinking that if i went to Markus's script i could try to play with iptables and actually learn what does what. Am i just like totally outa it again?? or would this not work hehe? Anyways thanx for ur help!!!
Im all confused now like should i stick with arno's or drop it and go to markus's script like which would benafit me mostly??
My 2 cents:
Scripts like arno's or markus's are very fine pieces of work, BUT they do tend to be complicated beasties because of the number of things they are trying to do and that can get in the way of learning what iptables is doing. Personally, I prefer a simple approach of setting all your table defaults to DROP, then adding as few rules as needed to open the ports you want. Toss in some state matching so ESTABLISHED and RELATED packets are accepted on the INPUT chain and NEW, ESTABLISHED and RELATED packets are accepted on the OUTPUT chain and top it off by accepting everything on loopback. Bingo, a simple, reasonably secure firewall. Then you can sit back and take the time to understand what markus has written and add the rules you want.
Of course don't stop there. If someone was probing your FTP port, you're gonna want to have the stuff you need to watch for future attempts. Look into an intrusion detection system like Snort and add a file monitor like Aide. And be sure to shut down ALL services you aren't using. I mean really, who needs finger running on their personal box? It's just a security breach waiting to happen.
Ok thanx Hangdog42. Im really a real newbie to iptables. How should i start off a project like this?? Should i like start off bare?? or should i just like find another one??? I dunno and about snort where would i download this?? whats the website for this or anyother good program? Thanx for ur help!!!
That's really up to you. Do you want to learn iptables? Then the iptables tutorial is a great place to start. If you just want a solid firewall, and you don't care about the details, then arno's or markus's scripts are great. Or you could use a graphical front end like firestarter.
The simplest useful script I can think of would be this;
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -i lo -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Basically this restricts traffic to that originating within the machine. In other words, anyone trying to get in from the outisde would be dropped.
Now if you want to act as a server for something like SSH or Apache, you'll need to open those ports like this
Just remember that the chains are executed in order and the packet is handled according to the first chain it matches.
My own firewall isn't much more complicated than this. Scripts like markus's really do a much more thorough job of examinining a packet and coming up with a more specific reason for accepting or dropping it. Personally, I didn't feel I needed that level of detail, so I kept mine simple.
As for the other programs, probabaly the best place to find info is right here at LQ in the Security forum. unSpawn has done a tremendous job at gathering links and explanations together and you'll find the links to programs like Snort or Aide there.