Hello

I went to www.grc.com and I tested the File Sharing Probe and also tested the Common Ports.

The results were the following below.

File Sharing Results:
Cannot connect to NetBios or Port 139 (thats very good)

Common Ports Test Results:
ALL Ports were CLOSED instead of OPEN.

Now, all I need to do, is make these ports stealth. But, under Services/Shorewall, I selected START Shorewall and I was not able to view webpages.

So, how would I configure the security to make these ports all STEALTH??

Should I select the Security setting under DrakSec to "High" instead of "Standard"?

Im not using any of the Servers like Samba or Apache. Its just the Internet, email. Thats it.

I need to know how to configure the ports to make them Stealth.

shorewall is a security program desighed to do very complicated things like firewall servers / routers and all that kind of thing.....

you requirements are very very very very very basic... you dont need shorewall... just use the basic firewall script.. somthing like...

modprobe ip_conntrack_ftp
iptables -F
iptables -Z
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

done....
all your ports are stealthed...
your machine will not reply to pings...

but things like email, internet, instant messaging.. will work fine.

Yes, your right, its very basic. I DO NOT use any webservers, or anything hardcore like that. Just Internet and Email. Thats it. And offline stuff.

Now, to stealth all my ports EXCEPT Internet, Email, how would I do that exactly. I saw the script that you posted above. Should I Copy/Paste to a text editor??? Or I dont know how this works.

Where in Linux is the Firewall Script Configs located in??? I see people posting IPTABLE Scripts but I do not know where to put these scripts in or where or how to configure them.

Or, if you dont mind, could you please post the script for my basic needs and then explain to me on where to put this script in ???

Im a real newbie in Linux security. I read sooooo many articles on Linux security and I still do not get the point.

Please explain the exact steps on doing this. Also I typed in "iptables -h" as a command and it came up with things that I do not understand.

I would very much appreciate it.

A few notes: Im using a Dial-up connection. With a dynamic IP address....I assume.

In the directory "/etc/shorewall" are two files: "rules" and "policy". Could you post the contents of those files here for us to take a look at? Note that there is a lot of comment (lines starting with #) in both these files, please skip that, it is not necessary and will clutter your post.

Jeroen

okay.. sorry, you sounded like you knew a little about firewalls when i landed that script on you...

ookay... a closed port will reply to an attempted connection with a "go away" messge.... a stealthed port will just drop the connection attempt.

the only rule that effects non local traffic in that rule, is the ESTABLISHED,RELATED rule...

this rule uses clever connection tracking to determine who started the connection.

if the connection was started by you machine... for example, your machine requestion a web-page from google... then the ESTABLISHED rule allows google to reply...

but if for example google sent you a message without you requesting the message, then the message will be totally ignore, and google assumes you are not online.

so, all your ports are stealthed.... EXCEPT for when anouther machine is replying to a connection you started.

ithe script i wrote has no restrictions on outgoing traffic... so you can use any clients... if you want to be untra-parranoid... add these rules...

iptables -A OUTPUT -o lo -s 127.0.0.1 -s 127.0.0.1 -j ACCEPT
iptables -A OUPTUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport http -j ACCEPT
iptables -A OUTPUT -p tcp --dport https -j ACCEPT
iptables -A OUTPUT -p tcp --dport ftp -j ACCEPT
iptables -A OUTPUT -p tcp --dport pop3 -j ACCEPT
iptables -A OUTPUT -p tcp --dport smtp -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -P OUTPUT DROP

with theseadditions, you machine will onlt be able to ..
* send and recieve email
* download files
* browse the internet
* browse the internet though encrypted connections
* ping other people, but not let other people ping you.

basically, to put the rules into effect.....

copy this text, and paste it at the bottom of your rc.local (which will be somewhere in your /etc/rc.d or /etc/init.d flder, depending on ourdistro) also, dissable shorewall.

Im using Mandrake 9.1.

Which Script do I have to use?? You gave me two.

iptables -A OUTPUT -o lo -s 127.0.0.1 -s 127.0.0.1 -j ACCEPT
iptables -A OUPTUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport http -j ACCEPT
iptables -A OUTPUT -p tcp --dport https -j ACCEPT
iptables -A OUTPUT -p tcp --dport ftp -j ACCEPT
iptables -A OUTPUT -p tcp --dport pop3 -j ACCEPT
iptables -A OUTPUT -p tcp --dport smtp -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -P OUTPUT DROP

Or this?

code:

modprobe ip_conntrack_ftp
iptables -F
iptables -Z
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

// optional, for over the top paranoid (and possibly limiting) security
iptables -A OUTPUT -o lo -s 127.0.0.1 -s 127.0.0.1 -j ACCEPT
iptables -A OUPTUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport http -j ACCEPT
iptables -A OUTPUT -p tcp --dport https -j ACCEPT
iptables -A OUTPUT -p tcp --dport ftp -j ACCEPT
iptables -A OUTPUT -p tcp --dport pop3 -j ACCEPT
iptables -A OUTPUT -p tcp --dport smtp -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -P OUTPUT DROP

This the way I did it. Please tell me if this is right.
Do I need to Restart the computer for this to take effect???
Look below:
This my (rc.local) file with the Pasted Script Rules:

Look below:

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

[ -f /etc/sysconfig/msec ] && source /etc/sysconfig/msec
[ -z "$SECURE_LEVEL" ] && SECURE_LEVEL=3

# Source functions
. /etc/init.d/functions

if [ -f /etc/mandrake-release -a $SECURE_LEVEL -lt 4 ]; then
R=$(cat /etc/mandrake-release)

arch=$(uname -m)
a="a"
case "_$arch" in
_a*) a="an";;
_i*) a="an";;
esac

NUMPROC=`egrep -c "^cpu[0-9]+" /proc/stat`
if [ "$NUMPROC" -gt "1" ]; then
SMP="$NUMPROC-processor "
[ "$NUMPROC" = "2" ] && \
SMP="Dual-processor "
if [ "$NUMPROC" = "8" -o "$NUMPROC" = "11" ]; then
a="an"
else
a="a"
fi
fi

# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.

if [ -x /usr/bin/linux_logo ];then
/usr/bin/linux_logo -c -n -f | sed -e 's|\\|\\\\|g' > /etc/issue
echo "" >> /etc/issue
else
> /etc/issue
fi
echo "$R" >> /etc/issue
echo "Kernel $(uname -r) on $a $SMP$(uname -m) / \l" >> /etc/issue

if [ "$SECURE_LEVEL" -le 3 ];then
echo "Welcome to ${HOST}" > /etc/issue.net
echo "$R" >> /etc/issue.net
echo "Kernel $(uname -r) on $a $SMP$(uname -m)" >> /etc/issue.net
else
echo "Welcome to Mandrake Linux" > /etc/issue.net
echo "-------------------------" >> /etc/issue.net
fi
elif [ $SECURE_LEVEL -ge 4 ]; then
rm -f /etc/issue /etc/issue.net
fi

touch /var/lock/subsys/local

modprobe ip_conntrack_ftp
iptables -F
iptables -Z
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

// optional, for over the top paranoid (and possibly limiting) security
iptables -A OUTPUT -o lo -s 127.0.0.1 -s 127.0.0.1 -j ACCEPT
iptables -A OUPTUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp --dport http -j ACCEPT
iptables -A OUTPUT -p tcp --dport https -j ACCEPT
iptables -A OUTPUT -p tcp --dport ftp -j ACCEPT
iptables -A OUTPUT -p tcp --dport pop3 -j ACCEPT
iptables -A OUTPUT -p tcp --dport smtp -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -P OUTPUT DROP

Please tell me if this is correct. Or do I need to restart???

the script will take effect next time rc.local runs....
you can run it without rebooting... but a re-boot is the most simple way....

afdter you re-boot... please post the output of the command
iptables -vL (as root)

just to be sure these set of rules are the only ones in place...
then have a play round, make sure everything you need to work still works.

OOPS.. just noticed somthing.... where i wriote // optional .... replace // with a hash '#' i was in c++ mode instead of bash, lol.

You mean like this???

# optional, for over the top paranoid (and possibly limiting) security


Also you did not tell me if the above actions in (Post #7) that I posted were correct or not. Please tell me if I Pasted the script in the right position. I would appreciate it.

And also you did not mention which script rule do I have paste foe maximum security.

Thanks

WHAT DID YOU DO TO MY SYSTEM!!!!!!!!!!!!!???????????????????/

IT TOTALLY CRASHED ON BOOT UP!!!!!!!!!!!!!!!!!!!!!

NOW I CANT EVEN OPEN UP GEDIT TO DELETE THE SCRIPT I PASTED.

WHEN I BOOT UP LINUX, IT SHOWS INITIALIZING SERVICES FOR ABOUT 5 MINUTES AND THEN IT STARTS TO LOAD UP THE APPLICATIONS AND ICONS ON THE DESKTOP VERY VERY SLOWLY.

NOW HOW COULD I FIX THIS PROBLEM???

OH............AND THANKS FOR DESTROYING MY SYSTEM!!!!!!!!!

If the only thing wrong with your system is some overly protective firewall rules, then your system is not destroyed. Just undo the rules.

I cant even go back to GEDIT to undo them

Does your system boot up? I would assume that it does since you only made firewall changes. When the system starts up, just jump over to a console screen, login as root, edit rc.local with vi, and reboot.

How about starting to actually read the man-pages and
excellent tutorials on the iptables homepage instead of
trying others to make sense of your postings and abusing
them when what they're trying doesn't quite pose what
you expect?

And more to the point, why don't you go and work through
Machtelt's guide to linux and the Rute Tutorial
before trying to use a linux-install in real-life?
People commonly don't start up a truck without having
used a motor vehicle in the past and then yell for support
and instructions at passing by people....


Cheers,
Tink