LinuxQuestions.org
Old 11-05-2003, 11:07 PM   #1
matt3333
Member
 
Registered: Dec 2002
Location: Winnipeg, Manitoba, Canada
Distribution: Slackware
Posts: 371

Rep: Reputation: 30
Iptables with iptables-firewall.conf arno's


Ok, what I'm having trouble with is iptables-firewall by arno. Anyways, I downloaded this and installed it and followed his directions and then opened the manual page for it, and I still couldn't find out how to block certain ports. Like, it says that all ports are blocked by default, but I did nmap localhost and like all the ports that shouldn't be are open, such as:

21, 22, 111, 37, 57... etc., like all of them. The only major ones I'm worried about are like the finger and ssh and ftp, because I was looking in the proftpd.log file and I noticed that someone was trying to log on. I guess they weren't too successful b/c they couldn't find a valid user, but it says ftp session opened. I went into /etc/iptables-firewall.conf and edited that; I made sure under block_tcp I put ports 20,21,22, then I did /etc/rc.d/rc.iptables restart so it would flush all the rules and bring them back up, but I guess I did it wrong b/c I tried nmap localhost and I still got the same response with all these ports open. Any suggestions?? Thanx


Matt3333
 
Old 11-06-2003, 07:34 AM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,785
Blog Entries: 1

Rep: Reputation: 414
I may be wrong about this, but I think that if you are running nmap on the machine you're scanning (nmap localhost), you're going to get a different answer than if you scanned your machine from the outside. The reason I think this way is that most iptables rule sets have a line that allows localhost complete access to itself. So something like:

iptables -A INPUT -i lo -j ACCEPT

So all the fancy rules about blocking various ports look like they don't work because the nmap packets match the localhost rule.

Now if you are scanning your firewall from another computer and it is showing blocked ports as being open, THEN you've got a problem.
 
Old 11-06-2003, 07:49 AM   #3
Azmeen
Senior Member
 
Registered: May 2003
Location: Malaysia
Distribution: Slackware, LFS, CentOS
Posts: 1,307

Rep: Reputation: 46
Hangdog is right, most sane iptables rulesets would allow localhost connections to do whatever.
 
Old 11-06-2003, 03:03 PM   #4
tireseas
Member
 
Registered: Jun 2003
Location: London, UK
Distribution: Slackware 10 & 10.1
Posts: 149

Rep: Reputation: 15
Matt3333:
I also use Arno's iptables on my Slack box. I'm a sole home user - no network, services, etc - which enables me to stealth all ports and disable/uninstall services. A firewall is, I think, only one part of the solution to security. I'd suggest that you seriously weigh up which services you need and which you don't. That depends obviously on your usage.
1. Please post more details about your installation (e.g. full/newbie or customised), what you have changed from the vanilla install - if anything - and your usage needs. It's hard to know much about anything without some specs.
2. Strong recommendation that you try to google on "arno's iptables" - I found over four pages on that search string. Anyway, my personal recommendation is Jay's great site at http://simplylinux.punted.net (parent) or more specifically for Arno's iptables go to http://simplylinux.punted.net/Usingiptables.html .
3. Read the rest of Jay's material and let him know if you like it. He's put a lot of effort into it and it was a great resource for me.
Good luck

- Andy
 
Old 11-06-2003, 05:32 PM   #5
Azmeen
Senior Member
 
Registered: May 2003
Location: Malaysia
Distribution: Slackware, LFS, CentOS
Posts: 1,307

Rep: Reputation: 46
You might also want to look at other iptables configs... one that I've found here on LQ is this excellent one by marcus.
 
Old 11-06-2003, 09:32 PM   #6
matt3333
Member
 
Registered: Dec 2002
Location: Winnipeg, Manitoba, Canada
Distribution: Slackware
Posts: 371

Original Poster
Rep: Reputation: 30
Ok thanx Hangdog42 for ur help, I ended up just asking a friend to do a port scan for me and guess what, they were all blocked!!!

Ok tireseas, hmm, I use ftp and ssh and I'm running an httpd server, so I would need them open, and with this if I need to use ftp I just gotta shut down the iptables and boom it's usable, same with ssh I'm hoping; I haven't tried this theory out yet. But I think it will work hehe anyways.

Azmeen, I have a few questions about this script. First of all, what do I have to do to use this? Meaning, would I have to del or remove arno's firewall??? Or just change rc.iptables?? Second of all, I have cable; I dunno if I'm like totally out of it, but I think I noticed "lo" meaning like phone line I think; would I change that to eth0??? Also do I need the proxy scan in there and what's the unix scan??? Sorry about all the questions??
Thanx for the replies


Matt3333
 
Old 11-07-2003, 02:03 AM   #7
Azmeen
Senior Member
 
Registered: May 2003
Location: Malaysia
Distribution: Slackware, LFS, CentOS
Posts: 1,307

Rep: Reputation: 46
Quote:
Originally posted by matt3333
Azmeen, I have a few questions about this script. First of all, what do I have to do to use this? Meaning, would I have to del or remove arno's firewall??? Or just change rc.iptables?? Second of all, I have cable; I dunno if I'm like totally out of it, but I think I noticed "lo" meaning like phone line I think; would I change that to eth0??? Also do I need the proxy scan in there and what's the unix scan??? Sorry about all the questions??
Thanx for the replies


Matt3333
First of all, I don't use arno's and I don't know whether it's a complete ruleset or some sort of rule generator.

What I do know about markus' script is that you can stick it in a text file, save it as rc.firewall and chmod +x it... and bam, you have a full-fledged and stable firewall... with some minor tweaking, it'll be perfect.

lo does not mean phone line... it's local connection... loopback to be precise. You shouldn't block loopback connections unless you want to see your whole network setting go down the drain.

If you look closely, you can see that eth0 is inside the script... actually you need not bother about that at all, just enable/disable the services you need/don't need.
 
Old 11-07-2003, 02:12 AM   #8
kahpeetan
LQ Newbie
 
Registered: Nov 2003
Distribution: redhat
Posts: 17

Rep: Reputation: 0
Well, I don't know much 'bout arno, but you could set this rule at the top of ur input chain (and imho this is what happened)

you have a rule like

iptables -I INPUT -j DROP

to make ur firewall a mostly closed system by default. Now when you use nmap on another puter to scan, what was prolly happening is ur box was dropping all the connection requests without sending an RST (tcp-reset) packet. So nmap was waiting, and since no reset packet was received it assumed the port was "open" (which is typical of linux).
 
Old 11-07-2003, 07:03 AM   #9
matt3333
Member
 
Registered: Dec 2002
Location: Winnipeg, Manitoba, Canada
Distribution: Slackware
Posts: 371

Original Poster
Rep: Reputation: 30
Ok, sorry Azmeen, I mixed u and tireseas up, sorry guys. Thanx kahpeetan, I think I either understand more or am just more confused, but I think I know what's going on.

One more question: which firewall should I use??? I'm all confused now, like should I stick with arno's or drop it and go to markus's script, like which would benefit me mostly?? I was thinking that if I went to Markus's script I could try to play with iptables and actually learn what does what. Am I just like totally outa it again?? Or would this not work hehe? Anyways thanx for ur help!!!


matt3333
 
Old 11-07-2003, 07:35 AM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,785
Blog Entries: 1

Rep: Reputation: 414
Quote:
I'm all confused now, like should I stick with arno's or drop it and go to markus's script, like which would benefit me mostly??
My 2 cents:

Scripts like arno's or markus's are very fine pieces of work, BUT they do tend to be complicated beasties because of the number of things they are trying to do and that can get in the way of learning what iptables is doing. Personally, I prefer a simple approach of setting all your table defaults to DROP, then adding as few rules as needed to open the ports you want. Toss in some state matching so ESTABLISHED and RELATED packets are accepted on the INPUT chain and NEW, ESTABLISHED and RELATED packets are accepted on the OUTPUT chain and top it off by accepting everything on loopback. Bingo, a simple, reasonably secure firewall. Then you can sit back and take the time to understand what markus has written and add the rules you want.

Of course don't stop there. If someone was probing your FTP port, you're gonna want to have the stuff you need to watch for future attempts. Look into an intrusion detection system like Snort and add a file monitor like Aide. And be sure to shut down ALL services you aren't using. I mean really, who needs finger running on their personal box? It's just a security breach waiting to happen.
 
Old 11-07-2003, 10:12 AM   #11
matt3333
Member
 
Registered: Dec 2002
Location: Winnipeg, Manitoba, Canada
Distribution: Slackware
Posts: 371

Original Poster
Rep: Reputation: 30
Ok thanx Hangdog42. I'm really a real newbie to iptables. How should I start off a project like this?? Should I like start off bare?? Or should I just like find another one??? I dunno, and about snort, where would I download this?? What's the website for this or any other good program? Thanx for ur help!!!


Matt3333
 
Old 11-07-2003, 01:22 PM   #12
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,785
Blog Entries: 1

Rep: Reputation: 414
Quote:
How should I start off a project like this??
That's really up to you. Do you want to learn iptables? Then the iptables tutorial is a great place to start. If you just want a solid firewall, and you don't care about the details, then arno's or markus's scripts are great. Or you could use a graphical front end like firestarter.

The simplest useful script I can think of would be this:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Basically this restricts traffic to that originating within the machine. In other words, anyone trying to get in from the outside would be dropped.

Now if you want to act as a server for something like SSH or Apache, you'll need to open those ports like this:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT #Accepts ssh traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT #Accepts httpd traffic

Just remember that the chains are executed in order and the packet is handled according to the first chain it matches.

My own firewall isn't much more complicated than this. Scripts like markus's really do a much more thorough job of examining a packet and coming up with a more specific reason for accepting or dropping it. Personally, I didn't feel I needed that level of detail, so I kept mine simple.

As for the other programs, probably the best place to find info is right here at LQ in the Security forum. unSpawn has done a tremendous job at gathering links and explanations together and you'll find the links to programs like Snort or Aide there.
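Added example (not code from any poster in this thread): a small Python simulator that walks the ruleset above top to bottom the way iptables does, so you can see why nmap localhost passes straight through the loopback rule (post #2) while a scan from the LAN only reaches 22 and 80, and why a loopback-spoof DROP like the one kahpeetan suggests in the next post has to sit before the port-accept rules. The interface names, addresses and the five packet fields are constructed assumptions.

```python
"""First-match simulator for the iptables rules in this thread (added example, not from the forum)."""
import ipaddress
import shlex

RULESET = """\
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP   # anti-spoof check, must come before the ACCEPTs
iptables -A INPUT -p tcp --dport 22 -j ACCEPT      # ssh
iptables -A INPUT -p tcp --dport 80 -j ACCEPT      # httpd
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"""

def parse(script):
    """Return ({chain: policy}, [(chain, {option: value}, target), ...]) for the
    subset of syntax used above: -P, -A, -i/-o, -p, --dport, -s, --state."""
    policy, rules = {}, []
    for line in script.splitlines():
        argv = shlex.split(line.split("#", 1)[0])   # strip trailing comments
        if argv[1] == "-P":
            policy[argv[2]] = argv[3]
            continue
        opts = dict(zip(argv[1::2], argv[2::2]))     # "-i lo" -> {"-i": "lo"}
        match = {k.lstrip("-"): v for k, v in opts.items() if k not in ("-A", "-j", "-m")}
        rules.append((opts["-A"], match, opts["-j"]))
    return policy, rules

def _matches(opt, want, pkt):
    if opt == "s":  # -s takes a host address or CIDR block, never an interface name
        return ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(want, strict=False)
    if opt == "state":
        return pkt["state"] in want.split(",")
    field = {"i": "iface", "o": "iface", "p": "proto", "dport": "dport"}[opt]
    return str(pkt[field]) == want

def verdict(pkt, policy, rules):
    """Walk the packet's chain top to bottom: the first matching rule wins, else the policy."""
    for chain, match, target in rules:
        if chain == pkt["chain"] and all(_matches(o, v, pkt) for o, v in match.items()):
            return target
    return policy[pkt["chain"]]

def scan(iface, src, ports, ruleset=RULESET):
    """Simulate a SYN probe (conntrack state NEW) to each port arriving on iface (constructed packets)."""
    policy, rules = parse(ruleset)
    return {p: verdict({"chain": "INPUT", "iface": iface, "src": src, "proto": "tcp",
                        "dport": p, "state": "NEW"}, policy, rules) for p in ports}
```

scan("lo", "127.0.0.1", [21, 22, 79, 80]) returns ACCEPT for every port, which is what the OP's nmap localhost saw; scan("eth0", "192.168.1.5", [21, 22, 79, 80]) accepts only 22 and 80 and drops 21 and 79 (ftp and finger) by policy.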
 
Old 11-09-2003, 10:13 PM   #13
kahpeetan
LQ Newbie
 
Registered: Nov 2003
Distribution: redhat
Posts: 17

Rep: Reputation: 0
I have heard of incidents where your loopback or local host address can be spoofed. So as a super-paranoid check... you could add the following rules to your iptables too (if you have enabled lo)

iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP  # -s takes an address or block, not an interface name
iptables -A INPUT -i ppp0 -s 127.0.0.1 -j DROP

**replacing ppp0 with your internet interface

snort can be had at www.snort.org
just click and download the pre-compiled binaries
 
Old 06-10-2004, 09:37 AM   #14
kennedy01
LQ Newbie
 
Registered: Nov 2003
Location: Georgia
Distribution: Slackware 10.1
Posts: 28

Rep: Reputation: 15
Another strong IPTABLES config

Thought this might be useful as it worked GREAT for my install.

http://www.e-infomax.com/ipmasq/howt...2.4.X-STRONGER

It's an IPTABLES strong firewall for 2.4.x
 
Old 06-26-2004, 06:22 PM   #15
dingo_aus
LQ Newbie
 
Registered: May 2004
Distribution: Mandriva 2005 LE
Posts: 16

Rep: Reputation: 0
I'm just a newbie, but if you are too then I suggest http://www.simonzone.com/software/guarddog/ for a great, easy to use firewall configurator
 
  

