Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I've recently set up CUPS to work for a printer connected to my Linux box. I am not sharing the printer; I plan to only use it from my Linux box. I am able to print fine using "lpr <filename>" on the command line with my firewall accepting all input packets. However, once I turn my firewall on, the system hangs and does not print anything. I opened port 631 for CUPS, however that does not seem to help. Below are my firewall rules. Can someone please help me find what is missing? Thanks.
#(1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# (3) INPUT chain rules
#Rules for incoming packets from the internet
#Packets for established connections
iptables -A INPUT -p ALL -d 192.168.0.101 -m state --state ESTABLISHED,RELATED -j ACCEPT
# (5) OUTPUT chain rules
# Only output packets with local addresses (no spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s 192.168.0.101 -j ACCEPT
You're not allowing packets out with a destination of localhost (127.0.0.1). Try the following:
Code:
# (1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Always allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# (3) INPUT chain rules
#Rules for incoming packets from the internet
#Packets for established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -p ALL -d 192.168.0.101 -m state --state ESTABLISHED,RELATED -j ACCEPT
#TCP rules
iptables -A INPUT -p TCP -i eth0 --destination-port 22 -j ACCEPT # Allow SSH server connections
iptables -A INPUT -p TCP -i eth0 --destination-port 80 -j ACCEPT # Allow HTTP server connections
#UDP rules
iptables -A INPUT -p UDP -i eth0 --destination-port 53 -j ACCEPT
# (5) OUTPUT chain rules
# Only output packets with local addresses (no spoofing)
#
# COMMENT: This is a silly rule. You're allowing everything out of your computer, regardless of what it is.
#
iptables -A OUTPUT -p ALL -s 192.168.0.101 -j ACCEPT
# A Better idea is to allow specific services out:
iptables -A OUTPUT -p tcp --dport http -m state --state NEW -j ACCEPT # Allow HTTP client connections.
iptables -A OUTPUT -p tcp --dport ssh -m state --state NEW -j ACCEPT # allow SSH client connections, etc.
# (Every other client service you rely on, e.g. DNS lookups on udp/53, needs its own NEW rule of this form.)
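As an added check, not code from this thread or from the iptables project, the script below lints an `iptables-save` dump for exactly the mistake in the original ruleset: a DROP policy on INPUT or OUTPUT with no ACCEPT for the loopback interface. It assumes lpr reaches cupsd over localhost (port 631, as mentioned in the question), so a ruleset that drops loopback traffic makes the print job hang; both dumps inside it are constructed for the demonstration.

```shell
# Lint an iptables-save dump for a DROP-policy INPUT/OUTPUT chain that has
# no loopback ACCEPT. Local daemons such as cupsd (127.0.0.1:631, assumed
# here as the path lpr uses) are unreachable when such a chain drops lo.

# Prints, one per line, each DROP-policy chain (INPUT or OUTPUT) that lacks
# an interface-based loopback ACCEPT. Reads the dump on stdin. Only
# "-i lo" / "-o lo" rules are recognised; address-based variants and rule
# ordering are not examined.
missing_loopback_chains() {
  dump=$(cat)
  for chain in INPUT OUTPUT; do
    case "$chain" in INPUT) flag=-i ;; OUTPUT) flag=-o ;; esac
    # Policy line: ":OUTPUT DROP [0:0]"; rule line: "-A OUTPUT -o lo -j ACCEPT"
    if printf '%s\n' "$dump" | grep -q "^:$chain DROP" &&
       ! printf '%s\n' "$dump" | grep -q "^-A $chain $flag lo -j ACCEPT"; then
      echo "$chain"
    fi
  done
}

# Exit-status wrapper, e.g.: iptables-save | check_loopback || echo "refusing to apply"
check_loopback() {
  bad=$(missing_loopback_chains)
  if [ -n "$bad" ]; then
    echo "DROP-policy chain(s) without loopback ACCEPT:" $bad >&2
    return 1
  fi
}

# Constructed dump mirroring the original poster's ruleset (no lo rules).
BROKEN_DUMP='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -d 192.168.0.101/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 192.168.0.101/32 -j ACCEPT
COMMIT'

# Constructed dump with the two loopback rules from the reply added.
FIXED_DUMP='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
```

Run `printf '%s\n' "$BROKEN_DUMP" | check_loopback` to see both chains reported; the fixed dump passes silently.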
Ah, I didn't notice that. I tried the rules you posted and it works fine. However, my one concern is with the loopback rules: when I do iptables -L it shows for input and output "target ACCEPT prot all opt -- source anywhere destination anywhere". Doesn't that mean that I am now accepting all connections from anywhere to anywhere? Thanks.
Originally posted by mousie: Doesn't that mean that I am now accepting all connections from anywhere to anywhere? Thanks.
No, that means that you are now accepting all connections on the loopback device, i.e. 127.0.0.1. No router in the world will route a packet with that destination address, and even if they did, the loopback device is protected by the kernel (I think it's the kernel anyways) and is only accessible to the localhost.
Last edited by TruckStuff; 10-26-2004 at 06:37 PM.