Linux - Networking
Hi,
I am about to have a system on the internet with a dedicated public IP address. I want all ports and services closed except the following ports and services:
port 22 or 7777 for TCP/IP for SSH
80 for HTTP
100-200 for NTP
5555 for UDP
How do I go about this using iptables? Thanks.
Thanks for your reply, hangdog42. Assuming I don't want to use the default SSH port 22 but some other port, how do I go about that? I notice that your distro is Slackware, and I am actually going to be doing this with a Slackware box. How do I make the GUI login the default for Slackware?
Quote:
Assuming I don't want to use the default SSH port 22 but some other port, how do I go about that?
For the firewall, you just need to change the port after the --dport to match whatever port you are running SSH on. To run ssh on a different port, look at the Port directive in /etc/sshd_config.
By the way, moving the SSH port is NOT a security measure. The only thing it will do is cut down on the messages in your log file from the script kiddies. Make sure that you've properly configured SSH to not allow root login. You also might consider using key-based authentication instead of usernames/passwords. If you have a small number of users, using the AllowUsers directive is also a very good measure.
Quote:
How do I make the GUI login the default for Slackware?
Edit your /etc/inittab file and look for this line (it is near the top)
Code:
id:3:initdefault:
Change the 3 to a 4 and Slackware will switch to a GUI login.
Thanks again for your reply. I was actually thinking of using redirect, to redirect traffic coming to port 22 to port 7777. Would it have worked this way?
Can I ask you to explain how your network is set up and a bit about why you are doing this? I'm not sure I understand why you would redirect traffic this way, but if you are then it could affect how you set up iptables.
OK. This is what I really want to do. I have been asked to configure a server that will be used to host a WWLLN receiver at a site. The system will be online 24/7, so it will require a dedicated IP. I have decided to use a dedicated public IP. The following ports will need to be opened: 22 or 7777 for TCP/IP SSH, 80 for HTTP, 100-200 for NTP, and 5555 for UDP to send data to WWLLN. For security, all interaction with this machine will be closed down except for a list of certain systems whose addresses I don't have yet. So you see, this is what I am working on. I just need to be sure I am on the right course before I start the actual configuration.
Do you also know anything about configuring NTP on Linux? Most books I have consulted are not explanatory enough. And how would the system be configured to allow communication with specific systems on the internet? Thanks again for your help.
Quote:
The following ports will need to be opened: 22 or 7777 for TCP/IP SSH
I'm still not sure why you are redirecting incoming 22 to 7777. If I were in your shoes, I would just run ssh on port 22 and make sure it is locked down. Or just run it on 7777 and not worry about the redirection, and again make sure it is locked down. The other ports should be easy to open by modifying the rule I posted earlier.
Quote:
All interaction with this machine will be closed down except for a list of certain systems whose addresses I don't have yet.
Cool. Once you do have those addresses, I strongly suggest you use tcpwrappers to limit access to those addresses. Take a look at step 3 here for examples of how to modify your hosts.allow and hosts.deny files. You could also do this in iptables, but I think using tcpwrappers is probably a bit easier to start.
Quote:
Do you also know anything about configuring NTP on Linux? Most books I have consulted are not explanatory enough. And how would the system be configured to allow communication with specific systems on the internet?
My understanding is that you use the server directive in your /etc/ntp.conf file to point to specific systems. Have a look here for an example. Now one thing to keep in mind is that pointing to a specific server is considered rude unless you have permission to do so. It is usually best to just use the ntp pool servers that are in your area. Unless you have some highly specific need, having 3 or 4 pool servers in your ntp.conf file should keep things on time.
Thanks for your answer. Let's say I don't want to use tcpwrappers; how do I achieve the same with iptables? Could you please write out the code using arbitrary IP addresses? And also, how do I run SSH on 7777 instead of the default? Is that change done in the ssh config file or with iptables?
The better approach is to close ALL ports and only open the ones you need. So you close the ports with the table defaults:
Code:
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
Blocking outbound traffic is pointless. And just dropping packets will cause problems with some clients (eg IPsec BTN), and cause confusion when debugging network problems. And as this is not a router you can ignore the FORWARD chain. Also don't forget IPv6.
Could you elaborate as to why you feel this way, please? That's the least you could do, considering your comment conflicts with virtually every network security book ever written.
Quote:
I was thinking this system is a dedicated server, with nothing that will initiate unwanted outbound connections.
What if "unauthorized" software gets involved? However, given the rule I suggested for the OUTPUT chain, really any traffic could get out without an issue.
Quote:
I was thinking this system is a dedicated server, with nothing that will initiate unwanted outbound connections.
Right, but a properly configured host-based firewall will be able to deny/limit any outbound connections from being made when the box gets a non-root user account cracked. Practically speaking, this means that a host-based firewall will reduce the risk of the attack spreading any further while you respond to the incident. This is one reason why it's a good idea to apply the same default deny methodology to outbound traffic. Personally, I start by allowing only outbound packets in states RELATED and ESTABLISHED – then I make any necessary exceptions.
Quote:
BTW, you would want to allow outbound DNS and FTP to allow software updates.
Agreed, and this would be a good example of the exceptions I'm referring to. Additionally, the more specific you make them, the better. For example, don't just allow all outbound UDP packets with destination port 53 – specify which destination IPs these packets will need to have in order to be allowed.
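Pulling the thread's advice together into one script (an added example, not posted by anyone in the thread): the default-deny policies, loopback and connection-tracking rules, SSH on 7777 restricted to a list of admin addresses (the iptables alternative to tcpwrappers), public HTTP, the UDP 5555 feed to WWLLN, and outbound DNS and NTP pinned to named destinations rather than "any port 53". All addresses are placeholders, and NTP is written as UDP/123 because that is the port the protocol actually uses; a dry run prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from any poster): host firewall built from the thread's advice.
# "sh fw.sh" prints the rules; "sh fw.sh apply" runs them as root. Addresses are placeholders.
ADMIN_NETS="203.0.113.10 198.51.100.0/24"   # placeholder: the admin hosts allowed to SSH in
SSH_PORT=7777                               # sshd must also have "Port 7777" in sshd_config
WWLLN_HOST="192.0.2.50"                     # placeholder: WWLLN server fed over UDP 5555
DNS_SERVERS="192.0.2.53"                    # placeholder: resolver(s) from /etc/resolv.conf
NTP_SERVERS="192.0.2.123 192.0.2.124"       # placeholder: the pool servers named in ntp.conf

gen_rules() {
    IPT="${1:-iptables}"; IPT6="${2:-ip6tables}"   # pass "echo iptables" for a dry run
    # Empty the chains, then the default-deny policies posted above; FORWARD is unused (not a router).
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
    # Loopback, and packets belonging to connections this host already tracks.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT  -m conntrack --ctstate INVALID -j DROP
    $IPT -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SSH on the non-default port, only from the listed addresses (the iptables answer to tcpwrappers).
    for net in $ADMIN_NETS; do
        $IPT -A INPUT -p tcp -s "$net" --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Public HTTP.
    $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    # Outbound exceptions, each pinned to a destination instead of "any UDP 53".
    $IPT -A OUTPUT -p udp -d "$WWLLN_HOST" --dport 5555 -j ACCEPT
    for d in $DNS_SERVERS; do $IPT -A OUTPUT -p udp -d "$d" --dport 53 -j ACCEPT; done
    for n in $NTP_SERVERS; do $IPT -A OUTPUT -p udp -d "$n" --dport 123 -j ACCEPT; done
    # Answer other TCP probes with a reset so clients fail fast instead of hanging (the REJECT point above).
    $IPT -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    # IPv6 has its own ruleset, so it needs its own default-deny (the "don't forget IPv6" point).
    $IPT6 -F
    $IPT6 -P INPUT DROP
    $IPT6 -P OUTPUT DROP
    $IPT6 -P FORWARD DROP
    $IPT6 -A INPUT  -i lo -j ACCEPT
    $IPT6 -A OUTPUT -o lo -j ACCEPT
}

case "${1:-show}" in
    apply) gen_rules iptables ip6tables ;;
    *)     gen_rules "echo iptables" "echo ip6tables" ;;
esac
```

Apply it from a console session rather than over SSH the first time, since a mistake in the SSH rule locks you out until the policies are reset.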