Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-17-2004, 06:05 AM   #1
Boby
Member
 
Registered: Feb 2004
Posts: 781

Rep: Reputation: Disabled
Build Firewall


Hello!

I am connected to a LAN now and want to build my own firewall. Before going to read all those books out there and making my own decisions, I want to ask someone who is experienced with this.
What is the best firewall option?
I think first blocking all ports and then opening just the ones I want is the best way.
How do I see what ports are now open, this is just to know what's running?
How do I close them all? Maybe how do I close one port?
How do I open one port?

Usually I need HTTP [port 80], FTP [20,21], SMTP [port ??], Yahoo Messenger [port ??]

What else do I have to do for building my firewall?
I am running Fedora Core 2 with kernel 2.6.8.1

Thank you!
Boby
 
Old 10-17-2004, 08:16 AM   #2
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
The Linux firewall is "iptables".
There are many GUI programs that do much of the work for you, but if you want to write the firewall yourself like many advanced users do, then you will be using iptables directly.

First, make sure you understand what's going on behind the scenes in networks.
Then read "man iptables".

all the info is there.
 
Old 10-17-2004, 08:21 AM   #3
hitesh_linux
Member
 
Registered: Dec 2001
Location: /root
Distribution: FreeBSD,NETBSD,redhat
Posts: 472

Rep: Reputation: 30
Boby,

Your question's answers:

1) What is the best firewall option?

The best firewall option is "iptables", which is built into Fedora.

2) How do I see what ports are now open, this is just to know what's running?

You can use "nmap localhost" to check which ports are open on localhost.

3) How do I close them all? Maybe how do I close one port?

you will need to setup some INPUT & OUTPUT rules to block ports & open one port.

4) The best way to learn about iptables (firewall) is to visit the following link.

http://www.yo-linux.com/TUTORIALS/Li...rkGateway.html

Also, visit the Home Page of "iptables":

http://www.iptables.org/

You can check the iptables status by running the following command on the console:

# iptables -nL

Also, check "man pages" for iptables with "man iptables".

Best of Luck.

-/Hitesh
 
Old 10-17-2004, 10:01 AM   #4
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
Quote:
1) What is the best firewall option?

The best firewall option is "iptables" which is inbuild with fedora.
iptables isn't an option, every Linux distro with a 2.4 or later kernel uses iptables.
It's built into all the distros' kernels... the options you have are whether to use it directly, or through a GUI that will write rules for you.

Quote:
2) How do I see what ports are now open, this is just to know what's running?

you can use "nmap localhost" to check port which are open on localhost.
It's completely pointless port scanning yourself. Most firewall rules will allow your computer to talk to itself without restriction.

portscanning yourself will show many more ports to be open than they actually are.

You must run the portscan from a different machine on your network, OR use the online portscanning service SOS (google for "SOS portscan").

but the best way is probably to just read your firewall rules, or the output from "iptables -vL"
 
Old 10-17-2004, 11:27 PM   #5
predator.hawk
Member
 
Registered: Aug 2004
Location: USA
Distribution: FreeBSD-5.4-STABLE
Posts: 252

Rep: Reputation: 30
If you want to, you can also study my iptables script, predatorwall. It has a lot of stuff most basic scripts don't. www.dcaf-security.org/predwall.html Also, a guide I really like is http://www.siliconvalleyccie.com/lin...les-intro.htm.
 
Old 10-20-2004, 11:57 AM   #6
Boby
Member
 
Registered: Feb 2004
Posts: 781

Original Poster
Rep: Reputation: Disabled
Hello!

Thank you so far for all your replies!

I have read some tutorials and got some idea about iptables and firewalling. I'm not sure if everything is OK.

So I want to ask you if what I want to do is good:
First I disabled the firewall from the GUI in KDE [Security level]. Then
Code:
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT
iptables -P INPUT DROP
This will close everything and grant connections to HTTP, FTP and SMTP [local chat]. Should I also open just the needed ports for OUTPUT? Where can I find out what ports Yahoo Messenger and DC++ use? Maybe a link with a list of many, many ports used by services.
Do I have to open a port for my MySQL server too? INPUT and OUTPUT? I'm using it only on the local machine.

@ qwijibow
I can not use SOS Portscan because I'm connected through a LAN. I will get a real IP address only next month maybe, or later.

Instead of this SOS portscan I used nmap, once with localhost and once with my IP address. This is the result:
Code:
nmap localhost

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-20 18:52 UTC
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1654 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
80/tcp   open  http
111/tcp  open  rpcbind
1025/tcp open  NFS-or-IIS
1027/tcp open  IIS
3306/tcp open  mysql

Nmap run completed -- 1 IP address (1 host up) scanned in 1.463 seconds
and
Code:
nmap 172.17.23.21

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-20 18:53 UTC
Interesting ports on space.tarnita.net (172.17.23.21):
(The 1655 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
80/tcp   open  http
111/tcp  open  rpcbind
1025/tcp open  NFS-or-IIS
3306/tcp open  mysql

Nmap run completed -- 1 IP address (1 host up) scanned in 1.221 seconds
So what are these:
"111/tcp open rpcbind" , "1025/tcp open NFS-or-IIS" and "1027/tcp open IIS" ?

Also I found this code good. It was written for an older Red Hat but I think it can be used. What do you think?
Code:
Comment: "This chain logs, then DROPs "Xmas" and Null packets which might indicate a port-scan attempt"

iptables -N ScanD
iptables -A ScanD -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP Scan?] "
iptables -A ScanD -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP Scan?] "
iptables -A ScanD -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP Scan?] "
iptables -A ScanD -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG Scan?] "
iptables -A ScanD -j DROP

Comment: "This chain limits the number of new incoming connections to preventing DDoS attacks"

iptables -N DDoS
iptables -A DDoS -m limit --limit 12/s --limit-burst 24 -j RETURN
iptables -A DDoS -j LOG --log-prefix "[DDos Attack?] "
iptables -A DDoS -j DROP

Comment: "Disallow packets frequently used by port-scanners"

#All of the bits are cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j ScanD
# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j ScanD
# SYN and RST are both set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j ScanD
# FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j ScanD
# FIN is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j ScanD
# PSH is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j ScanD
# URG is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j ScanD
# SYN-Flood 
# (Request for new connection; large number indicate possible DDoS-type attack; 
#  same as --syn)
iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK SYN -j DDoS
I will search and try to make my HTTP Webserver secure and MySQL server also.
Please tell me what else I can do to secure my PC. Links to pages that contain prevention methods are also good. For what attacks should I be prepared?
I ask you because I don't know what to search for.
All this blah blah with the firewall is just because there are many script-kiddies in our LAN and they can do pretty bad things. And then I will get a real IP address so I won't be secured by the server anymore, and the admin told me about some other PCs here that have been hacked.

Thank you very much for all that help!
Boby

Last edited by Boby; 10-20-2004 at 11:58 AM.
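The "--tcp-flags MASK COMP" rules in the ScanD script above are easy to misread: only the flags named in MASK are examined, and of those exactly the ones in COMP must be set. The following added example (not code from the thread or from the script's author) models that evaluation in plain sh and runs the post's eight INPUT rules, in order, over a few constructed flag combinations; the rule labels (null, lone-fin, new-syn, ...) are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example: models iptables' "--tcp-flags MASK COMP" evaluation and
# classifies constructed TCP flag sets against the post's eight INPUT rules.
# Expand iptables' ALL / NONE keywords into an explicit comma-separated list.
expand_flags() {
    case "$1" in
        ALL)  echo "SYN,ACK,FIN,RST,URG,PSH" ;;
        NONE) echo "" ;;
        *)    echo "$1" ;;
    esac
}
# has_flag NAME LIST: true when NAME appears in the comma-separated LIST.
has_flag() {
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}
# tcp_flags_match MASK COMP PACKET_FLAGS: true when, for every flag in MASK,
# the packet has it set exactly when COMP lists it; flags outside MASK are ignored.
tcp_flags_match() {
    m_mask=$(expand_flags "$1") m_comp=$(expand_flags "$2")
    m_pkt=$(expand_flags "$3")
    oldifs=$IFS; IFS=,
    for f in $m_mask; do
        in_pkt=0; in_comp=0
        has_flag "$f" "$m_pkt" && in_pkt=1
        has_flag "$f" "$m_comp" && in_comp=1
        [ "$in_pkt" -eq "$in_comp" ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    return 0
}
# classify PACKET_FLAGS: hypothetical label of the first rule the packet hits,
# in the order the post appends them, or "pass" if none matches.
classify() {
    pkt=$1
    for rule in "ALL NONE null" "SYN,FIN SYN,FIN syn-fin" "SYN,RST SYN,RST syn-rst" \
                "FIN,RST FIN,RST fin-rst" "ACK,FIN FIN lone-fin" "ACK,PSH PSH lone-psh" \
                "ACK,URG URG lone-urg" "SYN,RST,ACK SYN new-syn"; do
        set -- $rule
        if tcp_flags_match "$1" "$2" "$pkt"; then echo "$3"; return 0; fi
    done
    echo pass
}
# Stand-alone run: a null packet, an Xmas packet, a new SYN, a SYN/ACK reply, data.
for sample in NONE FIN,PSH,URG SYN SYN,ACK ACK,PSH; do
    printf '%-12s -> %s\n' "$sample" "$(classify "$sample")"
done
```

Note that the Xmas packet (FIN,PSH,URG) is caught by the "ACK,FIN FIN" rule rather than by a dedicated Xmas rule, while a legitimate SYN/ACK reply and an ACK/PSH data segment fall through to the rest of the INPUT chain.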
 
Old 10-20-2004, 12:30 PM   #7
hitesh_linux
Member
 
Registered: Dec 2001
Location: /root
Distribution: FreeBSD,NETBSD,redhat
Posts: 472

Rep: Reputation: 30
Well Boby, it seems you have done good work

Here is the link for all ports & services you are looking for.

http://www.neohapsis.com/neolabs/neo...neo-ports.html

About sevices [ "111/tcp open rpcbind" , "1025/tcp open NFS-or-IIS" and "1027/tcp open IIS" ?]

It looks like "rpcbind" is running on port 111/tcp (protocol); it's the same for all the other services.

You can check which services are running on localhost with the following commands at the console or with a GUI tool.

ntsysv or redhat-config-services [GUI tool]

Also, you can run 'tcpdump' or 'ip traffic' (http://iptraf.seul.org/) at the console to monitor the network. [Tcpdump is a command-line tool for monitoring network traffic.]

you can download from following link:
download.fedora.redhat.com/pub/fedora/linux/core/2/i386/os/Fedora/RPMS/tcpdump-3.8.2-3.i386.rpm

-/Hitesh

Last edited by hitesh_linux; 10-20-2004 at 12:31 PM.
 
Old 10-20-2004, 06:26 PM   #8
mrcheeks
Senior Member
 
Registered: Mar 2004
Location: far enough
Distribution: OS X 10.6.7
Posts: 1,690

Rep: Reputation: 52
I use shorewall on any Linux and I am very happy with it:
*flexible,
*simple enough,
*doesn't need a GUI (for Linux servers for example),
*and I never had to learn iptables config files, although I understand them now.

I would suggest a GUI like guarddog or firestarter... if you are an X user, and if you need something more powerful, go and mess with iptables scripts.
 
Old 10-25-2004, 06:19 AM   #9
Boby
Member
 
Registered: Feb 2004
Posts: 781

Original Poster
Rep: Reputation: Disabled
Quote:
i would suggest a gui like guarddog or firestarter
I don't want to use a GUI. I want to write my own firewall.

Some more questions:
1. Do I have to open a port for my MySQL server too? INPUT and OUTPUT? I'm using it only on the local machine. Or does it work by the localhost loopback??

2. I wrote a simple script that will do all the work for me, 'cause I don't wanna write all the rules every time.
The problem is that the opened ports won't work. Can you please tell me what the error is? Especially HTTP doesn't work. Do I have to write somewhere in the firewall that I'm using a gateway, DNS and subnet?
Code:
echo "Stopping firewall"
echo "-----------------------"
/etc/init.d/iptables stop
echo "-----------------------"
echo "Building firewall rules"
echo "-----------------------"
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 25 -j ACCEPT
iptables -N ScanD
iptables -A ScanD -p tcp -m limit --limit 1/s
iptables -A ScanD -p udp -m limit --limit 1/s
iptables -A ScanD -p icmp -m limit --limit 1/s
iptables -A ScanD -f -m limit --limit 1/s
iptables -A ScanD -j DROP
iptables -N DDoS
iptables -A DDoS -m limit --limit 12/s --limit-burst 24 -j RETURN
iptables -A DDoS
iptables -A DDoS -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j ScanD
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j ScanD
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j ScanD
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j ScanD
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j ScanD
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j ScanD
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j ScanD
iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK SYN -j DDoS
echo "Firewall rules applied !"
echo "-----------------------"
echo "Saving rules !"
echo "-----------------------"
iptables-save > /etc/sysconfig/iptables
echo "Saved !"
echo "-----------------------"
echo "Starting Firewall !"
/etc/init.d/iptables start
I thought that with these rules, first I block everything and then open HTTP, FTP and SMTP, but it won't work.
Also if I use
Code:
-j LOG --log-prefix "Are you scanned"
I get an error with "iptables-restore"

Thank you in advance!
Boby
 
Old 10-25-2004, 08:32 AM   #10
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
lol.. you are gonna kick yourself for not spotting this....
you set the output policy like so....

Code:
iptables -P OUTPUT DROP
then you don't set one single accept rule for the output chain....
every single output packet is dropped.
no internet traffic is getting out of your machine.

you need to either let output run unrestricted with
Code:
iptables -P OUTPUT ACCEPT
or add some output accept rules like
Code:
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
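The mistake diagnosed above (a DROP policy on OUTPUT with nothing but a loopback ACCEPT rule) and the match-only ScanD rules in the script from post #9 (the "-j LOG" was removed, leaving rules that match but do nothing) are both visible in iptables-save output before the rules are ever loaded. The following added example, not code from the thread, is a small lint over that format; SAMPLE_RULESET is constructed here, modelled on the post #9 script as iptables-save would print it, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: lint iptables-save text for two mistakes seen in this thread.
#  1. A built-in chain with policy DROP whose only ACCEPT rules are bound to
#     the loopback interface, so no real traffic gets through that chain.
#  2. Rules with no -j / -g target: they match traffic but take no action.
# SAMPLE_RULESET is constructed, modelled on the post #9 script.
SAMPLE_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ScanD - [0:0]
:DDoS - [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DDoS
-A ScanD -p tcp -m limit --limit 1/sec
-A ScanD -j DROP
-A DDoS -m limit --limit 12/sec --limit-burst 24 -j RETURN
-A DDoS -j DROP
COMMIT'

# dead_drop_chains: read iptables-save text on stdin and print, sorted, the
# built-in chains whose policy is DROP and which have no ACCEPT rule other
# than ones restricted to the loopback interface (-i lo / -o lo).
dead_drop_chains() {
    awk '
        /^:/ { name = substr($1, 2); if ($2 == "DROP") drop[name] = 1 }
        /^-A / && /-j ACCEPT/ && !/-[io] lo( |$)/ { accept[$2] = 1 }
        END { for (c in drop) if (!(c in accept)) print c }
    ' | sort
}

# targetless_rules: print -A lines that carry neither -j nor -g, i.e. rules
# that consume a match (here the limit counter) without doing anything.
targetless_rules() {
    grep '^-A ' | grep -v -e ' -j ' -e ' -g '
}

# Stand-alone run over the constructed ruleset.
printf '%s\n' "$SAMPLE_RULESET" | dead_drop_chains | sed 's/^/dead DROP chain: /'
printf '%s\n' "$SAMPLE_RULESET" | targetless_rules | sed 's/^/no target: /'
```

On the sample this reports FORWARD and OUTPUT as dead DROP chains and the ScanD limit rule as targetless; appending the stateful OUTPUT accept rule suggested above removes OUTPUT from the report.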
 
Old 03-10-2005, 09:09 PM   #11
kiko_manstah
LQ Newbie
 
Registered: Mar 2005
Location: philippines
Posts: 1

Rep: Reputation: 0
blocking port

My boss told me to block ports that are not being used in our internet laboratory. We are using Red Hat 9. I know how to block sites but I don't know how to block ports. Please, anyone there who can help me... I really need some hand here. Please reply in detail. Thanks.
 
Old 03-13-2005, 12:42 AM   #12
hitesh_linux
Member
 
Registered: Dec 2001
Location: /root
Distribution: FreeBSD,NETBSD,redhat
Posts: 472

Rep: Reputation: 30
Which port number do you want to block? If you can post the port number on the board, we'll try to solve your problem.

-/Hitesh
 