Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
10-17-2004, 06:05 AM | #1 | Member | Registered: Feb 2004 | Posts: 781
Build Firewall
Hello!
I am connected now on a LAN and want to build my own firewall. Before going to read all the books out there and taking my own decisions, I want to ask someone who is experienced with this.
What is the best firewall option?
I think first blocking all ports and then opening just the ones I want is the best way.
How do I see what ports are now open, this is just to know what's running?
How do I close them all? Maybe how do I close one port?
How do I open one port?
Usually I need HTTP [port 80], FTP [20,21], SMTP [port ??], Yahoo Messenger [port ??]
What else do I have to do for building my firewall?
I am running Fedora Core 2 with kernel 2.6.8.1
Thank you!
Boby
10-17-2004, 08:16 AM | #2 | LQ Guru | Registered: Apr 2003 | Location: nottingham england | Distribution: Gentoo | Posts: 2,672
the linux firewall is "iptables"
there are many GUI programs that do much work for you. but if you want to write the firewall yourself like many advanced users do, then you will be using iptables directly.
first, make sure you understand what's going on behind the scenes in networks.
then read "man iptables"
all the info is there.
10-17-2004, 08:21 AM | #3 | Member | Registered: Dec 2001 | Location: /root | Distribution: FreeBSD,NETBSD,redhat | Posts: 472
Boby,
Your question's answers:
1) What is the best firewall option?
The best firewall option is "iptables" which is built into Fedora.
2) How do I see what ports are now open, this is just to know what's running?
you can use "nmap localhost" to check which ports are open on localhost.
3) How do I close them all? Maybe how do I close one port?
you will need to setup some INPUT & OUTPUT rules to block ports & open one port.
4) The best way to learn about iptables (firewall) you can visit the following link.
http://www.yo-linux.com/TUTORIALS/Li...rkGateway.html
Also, visit the the Home Page of "iptables"
http://www.iptables.org/
You can check the iptables status by running the following command on the console:
# iptables -nL
Also, check "man pages" for iptables with "man iptables".
Best of Luck.
-/Hitesh
10-17-2004, 10:01 AM | #4 | LQ Guru | Registered: Apr 2003 | Location: nottingham england | Distribution: Gentoo | Posts: 2,672
Quote:
1) What is the best firewall option?
The best firewall option is "iptables" which is built into Fedora.
iptables isn't an option, every linux distro with a 2.4 or later kernel uses iptables.
it's built into all the distros' kernels... the options you have are whether to use it directly, or through a GUI that will write rules for you.
Quote:
2) How do I see what ports are now open, this is just to know what's running?
you can use "nmap localhost" to check which ports are open on localhost.
it's completely pointless port scanning yourself. most firewall rules will allow your computer to talk to itself without restriction.
portscanning yourself will show many more ports to be open than they actually are.
you must run the portscan from a different machine on your network, OR use the online portscanning service SOS (google for "SOS portscan").
but the best way is probably to just read your firewall rules, or the output from "iptables -vL"
10-20-2004, 11:57 AM | #6 | Member | Registered: Feb 2004 | Posts: 781 | Original Poster
Hello!
Thank you so far for all your replies!
I have read some tutorials and got some idea about iptables and firewalling. I'm not sure if everything is OK.
So I want to ask you if what I want to do is good:
First I disabled the firewall from the GUI in KDE [Security level]. Then
Code:
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT
iptables -P INPUT DROP
This will close everything and grant connections to HTTP, FTP and SMTP [local chat]. Should I also open just the needed ports for OUTPUT? Where can I find out what ports Yahoo Messenger and DC++ use? Maybe a link with a list of many many ports used by services.
Do I have to open a port for my MySQL server too? INPUT and OUTPUT? I'm using it only on the local machine.
@ qwijibow
I can not use SOS Portscan because I'm connected through a LAN. I will get a real IP address only next month maybe or later.
Instead of this SOS portscan I used nmap, once with localhost and once with my IP address. This is the result:
Code:
nmap localhost
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-20 18:52 UTC
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1654 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
1025/tcp open NFS-or-IIS
1027/tcp open IIS
3306/tcp open mysql
Nmap run completed -- 1 IP address (1 host up) scanned in 1.463 seconds
and
Code:
nmap 172.17.23.21
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-10-20 18:53 UTC
Interesting ports on space.tarnita.net (172.17.23.21):
(The 1655 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
1025/tcp open NFS-or-IIS
3306/tcp open mysql
Nmap run completed -- 1 IP address (1 host up) scanned in 1.221 seconds
So what are these:
"111/tcp open rpcbind" , "1025/tcp open NFS-or-IIS" and "1027/tcp open IIS" ?
Also I found this code good. It was written for an older redhat but I think it can be used. What do you think?
Code:
# This chain logs, then DROPs "Xmas" and Null packets which might indicate a port-scan attempt
iptables -N ScanD
iptables -A ScanD -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP Scan?] "
iptables -A ScanD -p udp -m limit --limit 1/s -j LOG --log-prefix "[UDP Scan?] "
iptables -A ScanD -p icmp -m limit --limit 1/s -j LOG --log-prefix "[ICMP Scan?] "
iptables -A ScanD -f -m limit --limit 1/s -j LOG --log-prefix "[FRAG Scan?] "
iptables -A ScanD -j DROP
# This chain limits the number of new incoming connections to prevent DDoS attacks
iptables -N DDoS
iptables -A DDoS -m limit --limit 12/s --limit-burst 24 -j RETURN
iptables -A DDoS -j LOG --log-prefix "[DDos Attack?] "
iptables -A DDoS -j DROP
# Disallow packets frequently used by port-scanners
# All of the bits are cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j ScanD
# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j ScanD
# SYN and RST are both set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j ScanD
# FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j ScanD
# FIN is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j ScanD
# PSH is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j ScanD
# URG is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j ScanD
# SYN-Flood
# (Request for new connection; a large number indicates a possible DDoS-type attack;
# same as --syn)
iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK SYN -j DDoS
I will search and try to make my HTTP Webserver secure and MySQL server also.
Please tell me what else I can do to secure my PC. Links to pages that contain prevention methods are also good. For what attacks should I be prepared?
I ask you because I don't know what to search for.
All this blah blah with the firewall is just because there are many script-kiddies in our LAN and they can do pretty much bad things. And then I will get a real IP address so I won't be secured by the server anymore, and the admin told me about some other PCs here that had been hacked.
Thank you very much for all that help!
Boby
Last edited by Boby; 10-20-2004 at 11:58 AM.
10-20-2004, 12:30 PM | #7 | Member | Registered: Dec 2001 | Location: /root | Distribution: FreeBSD,NETBSD,redhat | Posts: 472
Well Boby, it seems you have done good work.
Here is the link for all ports & services you are looking for.
http://www.neohapsis.com/neolabs/neo...neo-ports.html
About services [ "111/tcp open rpcbind" , "1025/tcp open NFS-or-IIS" and "1027/tcp open IIS" ]:
it looks like "rpcbind" is running on port 111/tcp (protocol); it's the same for all the other services.
you can check which services are running on localhost with the following command at the console and GUI tool.
ntsysv or redhat-config-services [GUI tool]
Also, you can run 'tcpdump' or 'ip traffic' ( http://iptraf.seul.org/ ) at the console to monitor the network. [Tcpdump is a command-line tool for monitoring network traffic.]
you can download from following link:
download.fedora.redhat.com/pub/fedora/linux/core/2/i386/os/Fedora/RPMS/tcpdump-3.8.2-3.i386.rpm
-/Hitesh
Last edited by hitesh_linux; 10-20-2004 at 12:31 PM.
10-20-2004, 06:26 PM | #8 | Senior Member | Registered: Mar 2004 | Location: far enough | Distribution: OS X 10.6.7 | Posts: 1,690
i use shorewall on any linux and i am very happy with it,
*flexible,
*simple enough,
*doesn't need a gui(for linux servers for example)
*and i never had to learn iptables config files although i understand them now.
i would suggest a gui like guarddog or firestarter,... if you are an X user and if you need something more powerful, go and mess up with iptables scripts.
10-25-2004, 06:19 AM | #9 | Member | Registered: Feb 2004 | Posts: 781 | Original Poster
Quote:
i would suggest a gui like guarddog or firestarter
I don't want to use a GUI. I want to write my own firewall.
Some more questions:
1. Do I have to open a port for my MySQL server too? INPUT and OUTPUT? I'm using it only on the local machine. Or does it work by the localhost loopback??
2. I wrote a simple script that will do all the job for me, cause I don't wanna write all rules every time.
The problem is that the opened ports won't work. Can you please tell me what's the error? Especially HTTP doesn't work. Do I have to write somewhere in the firewall that I'm using a gateway, DNS and subnet?
Code:
#!/bin/sh
echo "Stopping firewall"
echo "-----------------------"
/etc/init.d/iptables stop
echo "-----------------------"
echo "Building firewall rules"
echo "-----------------------"
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -p all -j ACCEPT
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 25 -j ACCEPT
iptables -N ScanD
iptables -A ScanD -p tcp -m limit --limit 1/s
iptables -A ScanD -p udp -m limit --limit 1/s
iptables -A ScanD -p icmp -m limit --limit 1/s
iptables -A ScanD -f -m limit --limit 1/s
iptables -A ScanD -j DROP
iptables -N DDoS
iptables -A DDoS -m limit --limit 12/s --limit-burst 24 -j RETURN
iptables -A DDoS
iptables -A DDoS -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j ScanD
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j ScanD
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j ScanD
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j ScanD
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j ScanD
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j ScanD
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j ScanD
iptables -A INPUT -p tcp --tcp-flags SYN,RST,ACK SYN -j DDoS
echo "Firewall rules applied !"
echo "-----------------------"
echo "Saving rules !"
echo "-----------------------"
iptables-save > /etc/sysconfig/iptables
echo "Saved !"
echo "-----------------------"
echo "Starting Firewall !"
/etc/init.d/iptables start
I thought that with these rules, first I block everything and then open HTTP, FTP and SMTP, but it won't work.
Also if I use
Code:
-j LOG --log-prefix "Are you scanned"
I get an error with "iptables-restore"
Thank you in advance!
Boby
10-25-2004, 08:32 AM | #10 | LQ Guru | Registered: Apr 2003 | Location: nottingham england | Distribution: Gentoo | Posts: 2,672
lol.. you are gonna kick yourself for not spotting this....
you set the output policy like so....
Code:
iptables -P OUTPUT DROP
then you don't set one single accept rule for the output chain....
every single output packet is dropped.
no internet traffic is getting out of your machine.
you need to either let output run unrestricted with
Code:
iptables -P OUTPUT ACCEPT
or add some output accept rules like
Code:
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
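The script from post #9 with the fix from post #10 applied, as an added example (not Boby's script and not from any project): OUTPUT stays at a DROP policy but gets explicit ACCEPT rules, DNS is let out so HTTP can resolve names, the ScanD chain keeps its LOG targets, and MySQL needs no eth0 port because it is reached over loopback. It assumes a single host whose LAN interface is eth0 (override with IFACE=...).

```shell
#!/bin/sh
# Added example (not Boby's script): the post #9 firewall with the post #10 fix applied.
# OUTPUT stays at DROP but gets explicit ACCEPT rules (including DNS, without which HTTP
# cannot resolve names), and the ScanD chain keeps its LOG targets.
# Assumes a single host on LAN interface eth0 (override with IFACE=...).
firewall_rules() {
    ipt="$1"                 # "iptables", or "echo iptables" to print instead of apply
    iface="${IFACE:-eth0}"
    # Clean slate in the filter and nat tables.
    $ipt --flush
    $ipt --table nat --flush
    $ipt --delete-chain
    $ipt --table nat --delete-chain
    # Default deny in all three chains; every rule below is an exception.
    $ipt -P INPUT DROP
    $ipt -P OUTPUT DROP
    $ipt -P FORWARD DROP
    # Loopback: MySQL on 3306 is reached over lo, so no eth0 port is opened for it.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A OUTPUT -o lo -j ACCEPT
    # Packets of connections already accepted, in both directions.
    $ipt -A INPUT -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $ipt -A OUTPUT -o "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Outbound connections this host may start: DNS, then the services Boby uses.
    $ipt -A OUTPUT -o "$iface" -p udp --dport 53 -m state --state NEW -j ACCEPT
    for port in 21 25 80 443; do
        $ipt -A OUTPUT -o "$iface" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Scan detection: log at most once per second, then drop.
    $ipt -N ScanD
    $ipt -A ScanD -p tcp -m limit --limit 1/s -j LOG --log-prefix "[TCP Scan?] "
    $ipt -A ScanD -j DROP
    $ipt -A INPUT -p tcp --tcp-flags ALL NONE -j ScanD          # NULL scan
    $ipt -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j ScanD   # impossible combination
    $ipt -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j ScanD       # FIN without ACK
    # Inbound services offered to the LAN (TCP only; the udp rules in post #9 did nothing useful).
    for port in 21 25 80; do
        $ipt -A INPUT -i "$iface" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # FTP data connections are matched by RELATED once the ip_conntrack_ftp module is loaded.
}
case "${1:-}" in
    apply) firewall_rules iptables ;;
    show)  firewall_rules "echo iptables" ;;
    *)     echo "usage: $0 apply|show" ;;
esac
```

Run it with `show` first to review the exact commands iptables would receive, then `apply` as root.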
03-10-2005, 09:09 PM | #11 | LQ Newbie | Registered: Mar 2005 | Location: philippines | Posts: 1
blocking port
my boss told me to block ports that are not being used in our internet laboratory.. we are using redhat 9.... i know how to block sites but i don't know how to block ports, pls anyone there who can help me... i really need some hand here... pls reply in details... tnx
03-13-2005, 12:42 AM | #12 | Member | Registered: Dec 2001 | Location: /root | Distribution: FreeBSD,NETBSD,redhat | Posts: 472
Which port number do you want to lock? If you can post the port number on the board we'll try to solve your problem.
-/Hitesh