01-26-2005, 07:10 AM  #1
Senior Member (Malaysia)
block m$ related ports using iptables
Hi!
I know there are tons of docs about iptables out there. But I need a quick and dirty iptables command to block netbios and samba ports from the Internet at my firewall. Both incoming and outgoing.
I already have a basic rc.firewall script downloaded from somewhere on the Internet. Configured to do NAT and enable all outgoing but only related incoming.
Oh, yeah, an explanation of the command flags would be helpful. Thanks.
01-26-2005, 08:42 AM  #2
LQ Veteran (Maryland, Slackware)
Rather than shut down those ports specifically, the better approach is to shut down ALL ports with the default table properties and then open up only those you need. So your defaults should look something like
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Then for each daemon you want to be able to listen, add a line opening that port. So say you want to run Apache with SSL. You'll need to open two ports
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
You would also need to open up outbound traffic, and I like to use state matching to do this.
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
So as long as you don't open the netbios or Samba ports, the table defaults will block them. This also means that you are only opening the ports you absolutely need to have.
01-26-2005, 12:19 PM  #3
Senior Member (Malaysia), Original Poster
Will I have problems with bittorrent if I use this method?
Is the bittorrent connection initiated (NEW) by me? Or is it both ways?
01-26-2005, 12:20 PM  #4
Senior Member (Malaysia), Original Poster
This is how my INPUT chain looks for now
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 LOG flags 0 level 4
LOG udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:445 LOG flags 0 level 4
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:445
LOG udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137 LOG flags 0 level 4
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
LOG udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138 LOG flags 0 level 4
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138
LOG udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:139 LOG flags 0 level 4
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:139
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 LOG flags 0 level 4
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
Does this look correct for blocking those ports? Where is the log stored? I know this is bad policy, but let me learn please
01-26-2005, 03:34 PM  #5
LQ Veteran (Maryland, Slackware)
Quote: Will I have problems with bittorrent if I use this method?
I think you do have to open up some additional ports to use bittorrent. Unless I'm mistaken, incoming bittorrent connections are NEW and you really don't want to allow state matches to NEW on your INPUT chain. It kinda defeats the purpose of a firewall. However, if you are using state matches on OUTPUT, you can safely use NEW and probably want to. I'm not at my linux box, but tonight I'll post how I allow bittorrent through my firewall.
Quote: Does this look correct for blocking those ports? Where is the log stored?
Yeah, it looks like the ports are blocked. As for the log entries, look in /var/log/syslog. If there is nothing there, check /var/log/messages.
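The LOG rules in #4 write one kernel line per dropped packet into whichever syslog file the distribution routes kern.warn to, and on a box facing the Internet port 445 and 137-139 probes arrive constantly, so the useful question is not "is anything there" but "who is hitting which port and how often". The script below is an added example, not something any poster in this thread wrote. It reads syslog-style lines from a file or stdin, keeps only the kernel LOG entries whose destination port is one of the NetBIOS/SMB ports, and prints a count per source address, protocol and port. The log lines embedded in it are constructed for the example (RFC 5737 addresses); the field layout (IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT=) is what the iptables LOG target actually emits.

```shell
#!/bin/sh
# Added example: summarise what the LOG rules for 137/138/139/445 have caught.
# Reads syslog-style lines (file arguments or stdin) and prints
# "source proto dport count", most-hit source first. Only kernel LOG lines
# with a NetBIOS/SMB destination port are counted; everything else is ignored.
smb_drops() {
    awk '
        /kernel:/ && /DPT=/ {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {          # LOG fields look like KEY=VALUE
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
            }
            if (dpt == "137" || dpt == "138" || dpt == "139" || dpt == "445")
                hits[src " " proto " " dpt]++
        }
        END { for (k in hits) print k, hits[k] }
    ' "$@" | LC_ALL=C sort -k4,4nr -k1,1 -k2,2 -k3,3n
}

# Constructed sample (not real traffic): four NetBIOS/SMB probes from two
# sources, one logged packet to port 80 that must not be counted, and an
# unrelated sshd line. The field layout matches the iptables LOG target.
SAMPLE_LOG='Jan 26 12:01:03 carboncopy kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1234 DF PROTO=TCP SPT=3421 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 26 12:01:09 carboncopy kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.10 LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=1235 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 26 12:02:41 carboncopy kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.10 LEN=48 TOS=0x00 PREC=0x00 TTL=53 ID=9 DF PROTO=TCP SPT=1029 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Jan 26 12:03:00 carboncopy sshd[812]: Accepted publickey for root from 10.0.0.2 port 40000 ssh2
Jan 26 12:03:12 carboncopy kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1240 DF PROTO=TCP SPT=3422 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 26 12:04:00 carboncopy kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1241 DF PROTO=TCP SPT=3423 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0'

# On a real box: smb_drops /var/log/syslog   (or /var/log/messages)
printf '%s\n' "$SAMPLE_LOG" | smb_drops
```

Counting by source rather than tailing the raw file is what makes the numbers actionable: one host showing up on 445 and 137 within seconds is a scanner working through the NetBIOS suite, while a single 139 hit from a neighbouring address in the same /24 is more likely a misconfigured Windows box, and the two deserve different responses.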
01-26-2005, 05:44 PM  #6
LQ Veteran (Maryland, Slackware)
OK, for bittorrent I allow port 6881 through the firewall and that works just fine.
01-28-2005, 10:08 AM  #7
Senior Member (Malaysia), Original Poster
Is that the only port which is used by bittorrent? I mean, I can have hundreds of connections using that port?
01-28-2005, 10:51 AM  #8
Senior Member (Malaysia), Original Poster
OK, as a follow-up to bittorrent,
does this netstat look OK?
Code:
root@carboncopy:/var/log# netstat --numeric-hosts
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 1462 XXX.XXX.200.97:42291 82.168.82.183:64998 ESTABLISHED
tcp 0 1867 XXX.XXX.200.97:42624 82.168.82.183:64998 ESTABLISHED
tcp 0 0 XXX.XXX.200.97:42187 82.41.73.197:6881 ESTABLISHED
tcp 0 2002 XXX.XXX.200.97:39367 71.32.19.170:6881 ESTABLISHED
<internal connection>
tcp 0 0 XXX.XXX.200.97:43106 201.8.193.63:23918 ESTABLISHED
tcp 0 1984 XXX.XXX.200.97:42118 82.35.242.218:10001 ESTABLISHED
tcp 0 3807 XXX.XXX.200.97:42169 80.202.218.52:6881 ESTABLISHED
tcp 0 5534 XXX.XXX.200.97:42864 80.202.218.52:6881 ESTABLISHED
01-28-2005, 01:30 PM  #9
LQ Veteran (Maryland, Slackware)
Quote: Originally posted by carboncopy
Is that the only port which is used by bittorrent? I mean, I can have hundreds of connections using that port?
It is the only port that bittorrent listens on; it can actually send on any number of ports, so as long as you allow inbound traffic on 6881 and then allow outbound traffic on any number of ports, you should be fine. So the two rules in my firewall that apply here are:
iptables -A INPUT -i eth0 -p tcp --dport 6881 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
The first rule allows all inbound traffic on 6881 and the second rule allows all outbound traffic regardless of what port it originates from.
I guess I don't see anything wrong with the netstat output either. However, you may want to try slightly different output (see man netstat for options) to make sure that all of the connections are from programs you recognize.
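Putting the pieces of this thread together as one script: the default-DROP policies and stateful OUTPUT rule from #2, the 6881 listener from #9, and the thing the original question actually asked for, a log-then-drop of the NetBIOS/SMB ports in both directions. This is an added example, not any poster's rc.firewall. It assumes eth0 faces the Internet and eth1 the LAN (the box does NAT, so LAN-to-Internet SMB traffic crosses FORWARD, not OUTPUT), that 80 and 443 are the only daemons exposed, and it adds a rate limit and a FW-SMB- prefix to the LOG rules so a scan does not flood syslog and the entries are easy to grep. Setting IPT=echo (the dry-run mode) prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: default-deny iptables ruleset for a NAT gateway that also
# logs and drops NetBIOS/SMB in every chain and opens a BitTorrent listener.
# Assumptions (not from the thread): eth0 faces the Internet, eth1 the LAN,
# 80/443 are the only exposed daemons, 6881 is the torrent client's port.
IPT="${IPT:-iptables}"          # set IPT=echo to print rules instead of loading
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
SERVICES_TCP="${SERVICES_TCP:-80 443}"
BT_PORT="${BT_PORT:-6881}"
SMB_TCP="139 445"               # NetBIOS session service / SMB over TCP
SMB_UDP="137 138 139"           # NetBIOS name and datagram services

# Log (rate-limited, with a greppable prefix) and then drop one port in one chain.
log_drop() {
    chain=$1; proto=$2; port=$3
    $IPT -A "$chain" -p "$proto" --dport "$port" -m limit --limit 5/min \
        -j LOG --log-prefix "FW-SMB-$chain: " --log-level 4
    $IPT -A "$chain" -p "$proto" --dport "$port" -j DROP
}

# Both directions the original poster asked about: INPUT (to the firewall),
# OUTPUT (from the firewall) and FORWARD (LAN hosts NATed through it).
block_smb() {
    for chain in INPUT OUTPUT FORWARD; do
        for p in $SMB_TCP; do log_drop "$chain" tcp "$p"; done
        for p in $SMB_UDP; do log_drop "$chain" udp "$p"; done
    done
}

build_ruleset() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # SMB rules go first: iptables takes the first match, so they must sit
    # above the stateful OUTPUT rule that otherwise accepts anything NEW.
    block_smb

    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Stateful core: replies to connections we started are accepted, nothing
    # NEW is accepted inbound here, outbound may start anything.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -m state --state NEW -j ACCEPT

    # Only the daemons we actually run, plus the torrent listener, may
    # receive NEW connections from the Internet side.
    for p in $SERVICES_TCP; do
        $IPT -A INPUT -i "$WAN" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -i "$WAN" -p tcp --dport "$BT_PORT" -m state --state NEW -j ACCEPT

    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

case "${1:-}" in
    apply)   build_ruleset ;;
    dry-run) IPT=echo; build_ruleset ;;
    *)       echo "usage: $0 apply|dry-run" ;;
esac
```

After loading, compare `iptables -L -n -v --line-numbers` with the dry-run output: the LOG/DROP pairs for 139 and 445 must appear above the `state NEW,ESTABLISHED,RELATED` rule in OUTPUT, otherwise an outbound 445 connection from the firewall itself is accepted before the drop is ever consulted. The same ordering check applies to FORWARD for the LAN hosts behind the NAT.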