[SOLVED] Checking Linux firewall security

angelo.c · 03-06-2012, 07:44 PM

Hello,everyone.

I've just adjusted my linux firewall (iptables) and would like to know what program can I use to check whether the firewall is functioning.I mean,whether the firewall is protecting my computer from attack.

I hope you guys can give me some hints on this.

anomie · 03-06-2012, 07:53 PM

A common utility for host scanning (confirming TCP/UDP ports are open or filtered) is nmap. It should be available in your distro's repositories.

angelo.c · 03-06-2012, 08:48 PM

anomie,thanks for your prompt reply.

Actually,my home server is behind my router so it actually blocks all incoming connection except those I open (e.g.http,ssh).However,I am curious to know whether I know which port(s) the server is opening for connection when the router doesn't exist?I've tried like nmap localhost and it lists the port which is open but I don't know whether it's accessible to outsider(Outside the LAN) or not.

Sorry for bothering you with yet another dumb question.

anomie · 03-06-2012, 09:46 PM

Scanning localhost doesn't provide any info of real value.

Can you scan your host from another device (e.g. a laptop) on your same, private subnet? That would be best.

From the host itself, you can see which TCP / UDP sockets are listening with:

Code:

# netstat -ltunp

(Those options are, in order, "l"istening_sockets + "t"cp + "u"dp + "n"o_resolve + "p"rogram_listening.)

And you can of course see your netfilter ruleset with:

Code:

# iptables-save

But a scan of the host is the true test.

angelo.c · 03-06-2012, 10:46 PM

anomie,thanks again for the help.

After issuing the netstat as specified by you,I got the following result:

Click image for larger version

Name: Capture.JPG
Views: 24
Size: 60.3 KB
ID: 9203

But the question is,which one is opening to outsider?I did open these ports but not sure they are opened to outsider.

Thanks.

leslie_jones · 03-07-2012, 01:50 AM

You could try: http://nmap-online.com/

Use a 'custom scan' like: -sS -PN <your_public_ip>

Don't bother with the 'email me results', just leave it running in the background.

I've had mixed results with it myself, it has been known to contradict itself at times.

angelo.c · 03-07-2012, 03:02 AM

leslie_jones,thanks for replying me.

What's the different between your website besides the nmap on my server? I guess they are more or less the same.

Thanks.

leslie_jones · 03-07-2012, 05:44 AM

The online version is on the public side of the router/gateway, whereas if your server, and testing client, is behind it on your lan - the view may be very different.

anomie · 03-07-2012, 11:57 AM

Quote:

Originally Posted by angelo.c

But the question is,which one is opening to outsider?I did open these ports but not sure they are opened to outsider.

The way to interpret that output is - check the "Local Address" column:

0.0.0.0 -- listening on all interfaces over IPv4
::: -- listening on all interfaces over IPv6
192.168.1.201 -- listening on that particular IPv4 address / interface
127.0.0.1 -- listening on localhost

In cases where you have 0.0.0.0, :::, or 192.168.x.y, you should be aware that you're listening for connections from the outside world. (Well, 192.168.1/24 is RFC 1918 private IP space, but you said you're forwarding connections from your router.)

So if there are any of those services you don't want to be potentially serving up to the 'net, then be sure your netfilter ruleset is protecting them. Or - if you're not using it - disable and/or uninstall the service.

brak44 · 03-10-2012, 08:29 PM

Try the ShieldsUP! application at https://www.grc.com
The objective here is to get a PASS on All Service Ports in Stealth (all green).
To be able to pass you need to suppress ICMP Echo Request (ping) which you may not want to do.

angelo.c · 03-11-2012, 12:56 AM

Thanks for the detailed replies from anomie and brak44. Those are very informative knowledge which I should have.

Quote:

In cases where you have 0.0.0.0, :::, or 192.168.x.y, you should be aware that you're listening for connections from the outside world. (Well, 192.168.1/24 is RFC 1918 private IP space, but you said you're forwarding connections from your router.)

So if there are any of those services you don't want to be potentially serving up to the 'net, then be sure your netfilter ruleset is protecting them. Or - if you're not using it - disable and/or uninstall the service.

anomie,I use my router to forward some specific service like web or ssh only.As I used the ShieldUp which is recommended by brak44,they can only scan the port 80 as open.So I think I am protected against intrusion other than attack from port 80.

I think if time is allowed for the experiment,I have to connect my web server directly with the outside world to see whether the iptable rules are activated.