Linux - Security forum (LinuxQuestions.org)
07-31-2006, 04:28 AM  #16
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by MrSako
im trying to close all ports except for the ones needed for my servers, which at this time are ports 21 (ftp), 22 (ssh), 25 (SMTP), 80 (http), 110 (POP3), and 10000 (Webmin)
then all you need to do is add one rule to the script i posted:
Code:
#!/bin/sh
IPT="/sbin/iptables"
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -p TCP -i eth0 -m multiport --dports \
21,22,25,80,110,10000 -m state --state NEW -j ACCEPT
after executing this script, do a:
Code:
/sbin/service iptables save
and then you should be good to go, AFAICT...
http://kbase.redhat.com/faq/FAQ_44_954.shtm
to check that the rules are "sticking", just reboot and then do a: you should see something like this:
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,22,25,80,110,10000 state NEW
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Last edited by win32sux; 07-31-2006 at 06:44 AM.
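The listing above is where you confirm the policy actually took. As an added example (not win32sux's code, not part of the thread), the script below audits a saved listing in that format (`iptables -nvL` output) against the port list the firewall is meant to open: it flags an INPUT policy other than DROP, any catch-all ACCEPT rule, and any port that is open but unexpected or expected but closed. It embeds the listing from this post as its sample input and needs only sh and awk.

```shell
#!/bin/sh
# Added example (not from the thread): audit a saved "iptables -nvL" listing against
# the TCP ports the firewall script should open. Sample input is the listing quoted
# in the post above, stored inline; on a live host feed it real "iptables -nvL" output.
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,22,25,80,110,10000 state NEW
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination'

# Default policy of the named chain ("DROP"/"ACCEPT"); listing on stdin.
chain_policy() { awk -v chain="$1" '$1 == "Chain" && $2 == chain { print $4 }'; }

# TCP ports opened by ACCEPT rules in INPUT, one per line, sorted; handles both
# "multiport dports a,b,c" and single-port "dpt:N" rules.
accepted_tcp_ports() {
    awk '/^Chain/ { c = $2 }; c == "INPUT" && $3 == "ACCEPT" && $4 == "tcp" {
        for (i = 1; i <= NF; i++) {
            if ($i == "dports") { n = split($(i + 1), p, ","); for (j = 1; j <= n; j++) print p[j] }
            else if ($i ~ /^dpt:/) { sub(/^dpt:/, "", $i); print $i }
        }
    }' | sort -n | uniq
}
# Number of INPUT rules that ACCEPT all protocols without being loopback or limited
# to established flows: one such rule opens every port despite the DROP policy.
catch_all_accepts() {
    awk '/^Chain/ { c = $2 }; c == "INPUT" && $3 == "ACCEPT" && $4 == "all" && $6 != "lo" && $0 !~ /ESTABLISHED/ { n++ } END { print n + 0 }'
}
# audit_rules LISTING EXPECTED_PORTS (comma-separated): return 0 when INPUT drops by
# default, no catch-all ACCEPT exists and the open ports equal EXPECTED_PORTS; else 1.
audit_rules() {
    listing="$1"; expected="$2"; status=0
    policy=$(printf '%s\n' "$listing" | chain_policy INPUT)
    [ "$policy" = "DROP" ] || { echo "INPUT policy is '$policy', expected DROP"; status=1; }
    [ "$(printf '%s\n' "$listing" | catch_all_accepts)" -eq 0 ] || { echo "catch-all ACCEPT in INPUT"; status=1; }
    have=$(printf '%s\n' "$listing" | accepted_tcp_ports)
    for p in $have; do
        case ",$expected," in *",$p,"*) ;; *) echo "port $p is open but not expected"; status=1 ;; esac
    done
    for p in $(printf '%s\n' "$expected" | tr ',' ' '); do
        printf '%s\n' "$have" | grep -qx "$p" || { echo "expected port $p is not open"; status=1; }
    done
    return $status
}
audit_rules "$SAMPLE_LISTING" "21,22,25,80,110,10000" && echo "INPUT matches the intended port list"
```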
07-31-2006, 01:41 PM  #17
Member
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185
Original Poster
i believe my network interface is venet0
i have two IPs (venet0:0 and venet0:1) so i guess my interface would be just venet0
07-31-2006, 11:52 PM  #18
Member
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185
Original Poster
i want to try this script out but i think my external hardware might be venet0 (or venet0:0) and i dont wanna lock myself out. (this is on a VPS im renting i dont have physical access to the server only via shell and webmin)
08-01-2006, 08:40 AM  #19
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by MrSako
i want to try this script out but i think my external hardware might be venet0 (or venet0:0) and i dont wanna lock myself out. (this is on a VPS im renting i dont have physical access to the server only via shell and webmin)
what i would do then is cron a script to clear all my rules and chains like in 20 minutes just in case... so if i lock myself out i know i'll just have to wait 20 minutes before i can get back in... it's just a suggestion and if you use it make sure you test it beforehand...
Code:
#!/bin/sh
IPT="/sbin/iptables"
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
08-01-2006, 02:55 PM  #20
Member
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185
Original Poster
i created that cronjob but how do i know if it works?
08-01-2006, 03:06 PM  #21
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by MrSako
i created that cronjob but how do i know if it works?
run some pointless rules or whatever, and then check they are active with: then wait for the cronjob to kick-in, and again do a: there should be no rules and the policies should all be ACCEPT...
08-01-2006, 04:36 PM  #22
Member
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185
Original Poster
instead of your configuration for the iptables to test out the cronjob i did one where i had done it before and i knew i could still log into the server via ssh
anyway the cronjob didnt work but i used ssh to login to root and do this:
[root@vps ~]# iptables -P INPUT ACCEPT
[root@vps ~]# iptables -P OUTPUT ACCEPT
is it possible to do this in a cronjob? ie
su root
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
as the cronjob script
08-01-2006, 04:55 PM  #23
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by MrSako
instead of your configuration for the iptables to test out the cronjob i did one where i had done it before and i knew i could still log into the server via ssh
anyway the cronjob didnt work but i used ssh to login to root and do this:
[root@vps ~]# iptables -P INPUT ACCEPT
[root@vps ~]# iptables -P OUTPUT ACCEPT
is it possible to do this in a cronjob? ie
su root
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
as the cronjob script
yes, you can cron any script you want... but croning all scripts is the same procedure, so if you couldn't get mine to work it's fair to assume you won't get yours to work either... what does the line in your crontab look like??
EDIT: wait, i just noticed your "su root" thing... why are you doing that?? are you using your non-root crontab for this?? if so, that's likely why it won't work... you need to use root's crontab...
Last edited by win32sux; 08-01-2006 at 04:57 PM.
08-01-2006, 05:36 PM  #24
Member
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185
Original Poster
i did a chmod +x to the script file for the cronjob i got this though
[root@vps local]# /usr/local/cron-iptables
: bad interpreter: No such file or directory
i tried making a cronjob with the commands i described but i got this..
/bin/sh: iptables: command not found
/bin/sh: iptables: command not found
this is the command i set for being the cron job (i set it to run as root, i forgot about that so theres no need to be su)
iptables -P INPUT ACCEPT;iptables -P OUTPUT ACCEPT
id rather figure out whats not working about iptables -P INPUT ACCEPT;iptables -P OUTPUT ACCEPT because i know doing this in the SSH works fine (i typed it just like that into my SSH client with no error)
Last edited by MrSako; 08-01-2006 at 05:37 PM.
08-01-2006, 06:01 PM  #25
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by MrSako
i did a chmod +x to the script file for the cronjob i got this though
[root@vps local]# /usr/local/cron-iptables
: bad interpreter: No such file or directory
i tried making a cronjob with the commands i described but i got this..
/bin/sh: iptables: command not found
/bin/sh: iptables: command not found
this is the command i set for being the cron job (i set it to run as root, i forgot about that so theres no need to be su)
iptables -P INPUT ACCEPT;iptables -P OUTPUT ACCEPT
id rather figure out whats not working about iptables -P INPUT ACCEPT;iptables -P OUTPUT ACCEPT because i know doing this in the SSH works fine (i typed it just like that into my SSH client with no error)
in your crontab, you need to use absolute pathnames...
notice how in my script "/sbin/iptables" is used instead of "iptables"...
Last edited by win32sux; 08-01-2006 at 06:09 PM.
08-01-2006, 06:13 PM  #26
Member
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198
To my mind, this is one job you have to run as root, iptables is invisible to the user. The webmin cron interface has a "run as" option, but I'm not sure it won't hang awaiting a root pass in the background, i.e. fail if you select "run as root."
08-01-2006, 06:17 PM  #27
Member
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185
Original Poster
ok i got the cron to work. just i cant get the script to execute now..
[root@vps local]# ls
bin gamecreate include lib man share teamspeak
etc games iptables_script libexec sbin src webmin
[root@vps local]# chmod +x iptables_script
[root@vps local]# ./iptable_script
-bash: ./iptable_script: No such file or directory
[root@vps local]# /usr/local/iptables_script
: bad interpreter: No such file or directory
i tried the full path the second time just to try it
i did ls and i see the file right there i dont understand
08-01-2006, 06:19 PM  #28
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by catworld
To my mind, this is one job you have to run as root, iptables is invisible to the user.
it's not invisible at all, in fact it's in non-root users' paths... they have access to the binary, they will just get a permissions error when they run it...
Code:
win32sux@carly:~$ whoami
win32sux
win32sux@carly:~$ iptables -L
iptables v1.3.3: can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.
win32sux@carly:~$
Last edited by win32sux; 08-01-2006 at 06:20 PM.
08-01-2006, 06:24 PM  #29
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Quote:
Originally Posted by MrSako
[root@vps local]# chmod +x iptables_script
[root@vps local]# ./iptable_script
okay this is because you misspelled the script's name...
Quote:
-bash: ./iptable_script: No such file or directory
[root@vps local]# /usr/local/iptables_script
: bad interpreter: No such file or directory
this looks like your shebang (#!/bin/sh) isn't set right...
i seriously recommend that you use my cleanup script from post #19 instead of just two rules which do nothing but set policies...
Last edited by win32sux; 08-01-2006 at 06:26 PM.
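An added pre-flight check for the two cron failures this thread runs into (the ": bad interpreter" error and "iptables: command not found"); it is not win32sux's script and the file names in it are constructed. A shebang that fails with nothing printed before ": bad interpreter: No such file or directory" is most often a `#!/bin/sh` line ending in a carriage return (the script was saved with Windows line endings), so that is the first thing it looks for; the second check catches bare `iptables` in a script cron will run with a minimal PATH.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for a script that root's
# crontab will run. Covers the thread's two failures: a shebang that is not "set
# right" and commands called without absolute paths. File names below are constructed.

# check_shebang FILE: 0 if line 1 is "#!<interpreter>" and that interpreter exists.
# A file saved with Windows line endings ends the shebang with a carriage return, so
# the kernel looks for "/bin/sh<CR>"; the CR moves the cursor back to column 1, which
# is why the shell's error shows up as ": bad interpreter: No such file or directory".
check_shebang() {
    first=$(head -n 1 "$1"); cr=$(printf '\r')
    case "$first" in
        '#!'*) ;;
        *) echo "$1: first line is not a #! line"; return 1 ;;
    esac
    case "$first" in
        *"$cr"*) echo "$1: shebang ends in a carriage return (CRLF endings); strip them, e.g. with dos2unix"; return 1 ;;
    esac
    interp=${first#"#!"}; interp=${interp%% *}
    [ -x "$interp" ] || { echo "$1: interpreter '$interp' does not exist"; return 1; }
}
# check_paths FILE: 0 unless some line calls a bare "iptables". cron gives jobs a
# minimal PATH (often without /sbin), hence "/bin/sh: iptables: command not found".
check_paths() {
    if grep -nE '(^|[^/[:alnum:]_])iptables( |$)' "$1"; then
        echo "$1: bare 'iptables' on the lines above; use /sbin/iptables"
        return 1
    fi
}
# check_cron_script FILE: execute bit first, then both checks above.
check_cron_script() {
    [ -x "$1" ] || { echo "$1: not executable (chmod +x)"; return 1; }
    check_shebang "$1" && check_paths "$1"
}
# Demonstration on three constructed scripts: CRLF shebang, bare command, correct one.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\r\n/sbin/iptables -P INPUT ACCEPT\r\n' > "$d/crlf_script"
    printf '#!/bin/sh\niptables -P INPUT ACCEPT;iptables -P OUTPUT ACCEPT\n' > "$d/bare_iptables"
    printf '#!/bin/sh\nIPT="/sbin/iptables"\n$IPT -P INPUT ACCEPT\n$IPT -F\n' > "$d/good_script"
    chmod +x "$d"/*
    for f in crlf_script bare_iptables good_script; do
        check_cron_script "$d/$f" && echo "$d/$f: ok"
    done
    rm -rf "$d"
}
demo
```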
08-01-2006, 06:25 PM  #30
Member
Registered: May 2006
Distribution: CentOS 4.4
Posts: 185
Original Poster
Quote:
Originally Posted by win32sux
okay this is because you misspelled the script's name...
this looks like your shebang (#!/bin/sh) isn't set right...
how do i make it "set right"