Old 01-02-2008, 02:07 AM   #1
ScotHypnotist
Member
 
Registered: Dec 2007
Posts: 31

Rep: Reputation: 15
Got Linux now, do I need a firewall?


Hey crew, I am pretty well happy I finally made the switch.
I am kinda wondering one thing though, do I need a firewall
and if so what program would you suggest?
Namaste'
Scot
BTW, I have Xubuntu with the XFCE GUI.
(I think that is right.)
 
Old 01-02-2008, 02:09 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
Any computer should have a firewall, but you've said nothing at all about the topology of the network for us to comment much more. All Linux firewalls are built under netfilter and iptables. If you are expecting recommendations for little toys to write config files for you, then that's not a firewall, just wrapper GUIs; don't be misled.
 
Old 01-02-2008, 06:32 PM   #3
jag2000
Member
 
Registered: Sep 2003
Location: Ohio
Distribution: Ubuntu 12.04
Posts: 315
Blog Entries: 2

Rep: Reputation: 31
If you have a LAN that you're sharing the internet with, any old router will do the trick, or do something like pfSense, m0n0wall, Smoothwall.
For Linux by itself I would use Firestarter.
 
Old 01-04-2008, 10:29 AM   #4
ScotHypnotist
Member
 
Registered: Dec 2007
Posts: 31

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by acid_kewpie View Post
Any computer should have a firewall, but you've said nothing at all about the topology of the network for us to comment much more. All Linux firewalls are built under netfilter and iptables. If you are expecting recommendations for little toys to write config files for you, then that's not a firewall, just wrapper GUIs; don't be misled.
Kewpie,
Thank you for your help.
I am simply looking for something
that I can install and forget.
I am not yet so savvy with Linux
that I am punching my own code.
Namaste'
Scot
 
Old 01-04-2008, 10:34 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Are you looking for a stealth firewall or do you need some open ports?
 
Old 01-04-2008, 10:35 AM   #6
ScotHypnotist
Member
 
Registered: Dec 2007
Posts: 31

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by jag2000 View Post
If you have a LAN that you're sharing the internet with, any old router will do the trick, or do something like pfSense, m0n0wall, Smoothwall.
For Linux by itself I would use Firestarter.
Jag2000,
Thank you for your help.
I am not sure what's what here.
I would like to ask something though.
If I were to use this command code

sudo apt-get install firestarter

would that get me a firewall that would
just do its thing in the background
and would it also upgrade each time
I performed applications>system>update manager?

Namaste'
Scot
 
Old 01-04-2008, 11:03 AM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by ScotHypnotist View Post
If I were to use this command code

sudo apt-get install firestarter

would that get me a firewall that would
just do its thing in the background
and would it also upgrade each time
I performed applications>system>update manager?
It would get you a GUI program which you can use to configure your firewall. Yes, the program would be updated whenever you use the Update Manager. That said, let us know what kind of firewall configuration you are looking to end-up with, because if you just want a simple, yet full-blown stealth setup then you don't really need to install Firestarter or anything else.
 
Old 01-04-2008, 11:13 AM   #8
jag2000
Member
 
Registered: Sep 2003
Location: Ohio
Distribution: Ubuntu 12.04
Posts: 315
Blog Entries: 2

Rep: Reputation: 31
Firestarter is GUI enabled. It's real easy to use. I have opened up ports for FTP ... WWW ....
 
Old 01-04-2008, 12:47 PM   #9
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,399
Blog Entries: 2

Rep: Reputation: 908
I think there is something which needs clarification. In Linux, a firewall is usually assumed to be some configuration of iptables rules which allows and/or disallows specified network traffic into or out of a host or network. A firewall of this sort may run on an individual host for the protection of that host, or it may run on a standalone computer used as a router, where the firewall protects the LAN behind it (and to some extent possibly the WAN, as well). Of course, the original poster may also be referring to the standalone boxes one buys from computer stores to protect their home networks. Any of the above forms of firewalling should be used.
There are packages available for configuring Linux iptables firewalls. These are intended to allow users to produce a functional configuration of iptables rules to provide the protection and functionality required for a specific setup. Often these use user-friendly GUI interfaces. I have not used any of these, and cannot comment on their usefulness, although many people seem to be having success with them. There are also packages which provide a canned set of rules and some simple config files for customization. I have successfully used one of these for several years as a home LAN firewall. There is also the possibility of rolling your own iptables rule sets; however, to be successful with this method requires considerable expertise. Using a GUI or canned package allows you to benefit from a history of development, testing, and updating that would be difficult to match by even the most accomplished experts. In this respect, I regard these as more than simple toys. I guess that acid_kewpie means that they are not foolproof, and that they cannot replace real expertise.
In any case, you need to find one that suits the scenario you require. There is probably some sort of GUI firewall config tool already installed on your distro. If you tell us what distro you are using, perhaps someone can tell you what to look for.
--- rod.
 
Old 01-04-2008, 02:26 PM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
You mentioned that you want to be able to set it and forget it. That's basically three steps.

1) Configure your iptables rules accordingly.

2) Save your iptables configuration to a text file with root ownership.

3) Tell Ubuntu to load your saved configuration every startup before your network is up.

This script I put together for you does all these things for you in one shot. You can save it as a text file (I'll call it example.txt here) and then just run it through bash using sudo, like:
Code:
sudo sh example.txt
Here's what the script does: It sets your iptables configuration (stealth); it saves your configuration to /etc/firewall.txt; and it adds a "pre-up iptables-restore" line to your /etc/network/interfaces file.

Here's the script:
Code:
#!/bin/sh

IPT="/sbin/iptables"

# Default policies for the filter table: drop anything inbound or forwarded
# that no later rule accepts, and allow all outbound traffic.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# The nat, mangle and raw tables are not used for filtering here, so their
# policies are reset to ACCEPT.
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

# Flush all rules (-F), delete user-defined chains (-X) and zero the packet
# counters (-Z) in every table, so the result does not depend on whatever
# rules were loaded before.
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

$IPT -Z
$IPT -Z -t nat
$IPT -Z -t mangle
$IPT -Z -t raw

# Accept replies to connections this host started, and all loopback traffic.
# Everything else arriving at INPUT falls through to the DROP policy.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# Save the iptables configuration:
${IPT}-save > /etc/firewall.txt

# Perform a backup of the interfaces file:
cp -a /etc/network/interfaces /etc/network/interfaces.bak

# Add the pre-up line to the interfaces file:
sed '/^iface lo inet loopback/a\
pre-up iptables-restore < /etc/firewall.txt\n' \
/etc/network/interfaces.bak > /etc/network/interfaces
After executing it, reboot and check that your iptables configuration was loaded by doing a:
Code:
iptables -nvL
Now go to one of those online port scanning sites and have them scan your box.

You should be completely stealth-firewalled.

Last edited by win32sux; 01-04-2008 at 02:32 PM.
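As an added example, not part of win32sux's post and not the script above: a small POSIX sh checker that reads an iptables-save dump (the /etc/firewall.txt the script writes, or the output of `iptables-save` redirected to a file) and reports whether it matches the stealth setup described in the post. Run as a script it checks the file named on the command line; with no argument it exercises two embedded sample dumps, which are constructed for the example and were not captured from any real host. The function names `check_stealth` and `write_sample` are my own.

```shell
#!/bin/sh
# Added example: verify that an iptables-save dump describes the "stealth"
# setup win32sux outlines (INPUT and FORWARD policy DROP, loopback and
# RELATED,ESTABLISHED accepted, nothing else accepted into INPUT).
#
# Usage on a real host, after the post's script has run:
#   sh check_stealth.sh /etc/firewall.txt
#   iptables-save > /tmp/now.txt && sh check_stealth.sh /tmp/now.txt

# Constructed sample dumps in the shape iptables-save writes; neither was
# captured from a real machine.
SAMPLE_STEALTH='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT'

SAMPLE_SSH_OPEN='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# check_stealth FILE: exit status 0 if FILE matches the stealth setup,
# 1 otherwise; every failed check is reported on stderr.
check_stealth() {
    # Only the filter table matters for host protection; cut it out so a
    # ":INPUT" line from the mangle table is not mistaken for it.
    filter=$(sed -n '/^\*filter/,/^COMMIT/p' "$1")
    rc=0
    printf '%s\n' "$filter" | grep -q '^:INPUT DROP' \
        || { echo "INPUT policy is not DROP" >&2; rc=1; }
    printf '%s\n' "$filter" | grep -q '^:FORWARD DROP' \
        || { echo "FORWARD policy is not DROP" >&2; rc=1; }
    printf '%s\n' "$filter" | grep -q -- '^-A INPUT -i lo -j ACCEPT' \
        || { echo "loopback traffic is not accepted" >&2; rc=1; }
    printf '%s\n' "$filter" | grep -q -- '^-A INPUT .*--state RELATED,ESTABLISHED -j ACCEPT' \
        || { echo "replies to this host's own connections are not accepted" >&2; rc=1; }
    # Any other ACCEPT into INPUT is an open port, which a stealth setup
    # must not have; list each one so the admin can see what is exposed.
    opens=$(printf '%s\n' "$filter" | grep -- '^-A INPUT' \
        | grep -v -e '-i lo ' -e 'RELATED,ESTABLISHED' \
        | grep -- '-j ACCEPT' || true)
    if [ -n "$opens" ]; then
        printf 'open port rule(s):\n%s\n' "$opens" >&2
        rc=1
    fi
    return $rc
}

# write_sample stealth|ssh: write one constructed dump to a temp file and
# print its path, so the checker can be exercised without touching iptables.
write_sample() {
    tmp=$(mktemp)
    case $1 in
        stealth) printf '%s\n' "$SAMPLE_STEALTH" > "$tmp" ;;
        ssh)     printf '%s\n' "$SAMPLE_SSH_OPEN" > "$tmp" ;;
    esac
    echo "$tmp"
}

# Check the file named on the command line, or run the two samples.
if [ -n "$1" ]; then
    check_stealth "$1"
else
    for s in stealth ssh; do
        f=$(write_sample "$s")
        if check_stealth "$f"; then echo "$s sample: stealth"; else echo "$s sample: NOT stealth"; fi
        rm -f "$f"
    done
fi
```

The check deliberately reads the saved file rather than the live kernel state, so it can also be used to confirm that /etc/firewall.txt still contains what was intended before the next reboot restores it; comparing it against a fresh `iptables-save` dump shows whether anything has changed the running rules since.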
 
Old 01-05-2008, 02:57 AM   #11
ScotHypnotist
Member
 
Registered: Dec 2007
Posts: 31

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
Are you looking for a stealth firewall or do you need some open ports?
Win32sux,
I would say I'd prefer a stealth firewall.
In fact one that is not only virtually bullet proof
but, one that just runs with little or no need for
me to do anything to it once I've installed it.
And just to be on the safe side, with ALL ports closed!

Namaste'
Scot

Last edited by ScotHypnotist; 01-05-2008 at 03:08 AM. Reason: Forgot one point of interest.
 
Old 01-05-2008, 03:00 AM   #12
ScotHypnotist
Member
 
Registered: Dec 2007
Posts: 31

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
You mentioned that you want to be able to set it and forget it. That's basically three steps.

1) Configure your iptables rules accordingly.

2) Save your iptables configuration to a text file with root ownership.

3) Tell Ubuntu to load your saved configuration every startup before your network is up.

This script I put together for you does all these things for you in one shot. You can save it as a text file (I'll call it example.txt here) and then just run it through bash using sudo, like:
Code:
sudo sh example.txt
Here's what the script does: It sets your iptables configuration (stealth); it saves your configuration to /etc/firewall.txt; and it adds a "pre-up iptables-restore" line to your /etc/network/interfaces file.

Here's the script:
Code:
#!/bin/sh

IPT="/sbin/iptables"

# Default policies for the filter table: drop anything inbound or forwarded
# that no later rule accepts, and allow all outbound traffic.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# The nat, mangle and raw tables are not used for filtering here, so their
# policies are reset to ACCEPT.
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

# Flush all rules (-F), delete user-defined chains (-X) and zero the packet
# counters (-Z) in every table, so the result does not depend on whatever
# rules were loaded before.
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

$IPT -Z
$IPT -Z -t nat
$IPT -Z -t mangle
$IPT -Z -t raw

# Accept replies to connections this host started, and all loopback traffic.
# Everything else arriving at INPUT falls through to the DROP policy.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# Save the iptables configuration:
${IPT}-save > /etc/firewall.txt

# Perform a backup of the interfaces file:
cp -a /etc/network/interfaces /etc/network/interfaces.bak

# Add the pre-up line to the interfaces file:
sed '/^iface lo inet loopback/a\
pre-up iptables-restore < /etc/firewall.txt\n' \
/etc/network/interfaces.bak > /etc/network/interfaces
After executing it, reboot and check that your iptables configuration was loaded by doing a:
Code:
iptables -nvL
Now go to one of those online port scanning sites and have them scan your box.

You should be completely stealth-firewalled.
Win32sux,
That is just way beyond my understanding of Linux.
I am concerned I will screw something up.
I would want to go with something much less complicated.

Namaste'
Scot
 
Old 01-05-2008, 03:04 AM   #13
ScotHypnotist
Member
 
Registered: Dec 2007
Posts: 31

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by theNbomr View Post
I think there is something which needs clarification. In Linux, a firewall is usually assumed to be some configuration of iptables rules which allows and/or disallows specified network traffic into or out of a host or network. A firewall of this sort may run on an individual host for the protection of that host, or it may run on a standalone computer used as a router, where the firewall protects the LAN behind it (and to some extent possibly the WAN, as well). Of course, the original poster may also be referring to the standalone boxes one buys from computer stores to protect their home networks. Any of the above forms of firewalling should be used.
There are packages available for configuring Linux iptables firewalls. These are intended to allow users to produce a functional configuration of iptables rules to provide the protection and functionality required for a specific setup. Often these use user-friendly GUI interfaces. I have not used any of these, and cannot comment on their usefulness, although many people seem to be having success with them. There are also packages which provide a canned set of rules and some simple config files for customization. I have successfully used one of these for several years as a home LAN firewall. There is also the possibility of rolling your own iptables rule sets; however, to be successful with this method requires considerable expertise. Using a GUI or canned package allows you to benefit from a history of development, testing, and updating that would be difficult to match by even the most accomplished experts. In this respect, I regard these as more than simple toys. I guess that acid_kewpie means that they are not foolproof, and that they cannot replace real expertise.
In any case, you need to find one that suits the scenario you require. There is probably some sort of GUI firewall config tool already installed on your distro. If you tell us what distro you are using, perhaps someone can tell you what to look for.
--- rod.
TheNbomr aka Rod,
I am using Xubuntu with the XFCE GUI.
I would be looking for what you described as
a canned package.
One that I have little or no chance of screwing up.

Namaste'
Scot
 
Old 01-05-2008, 03:07 AM   #14
ScotHypnotist
Member
 
Registered: Dec 2007
Posts: 31

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by win32sux View Post
It would get you a GUI program which you can use to configure your firewall. Yes, the program would be updated whenever you use the Update Manager. That said, let us know what kind of firewall configuration you are looking to end-up with, because if you just want a simple, yet full-blown stealth setup then you don't really need to install Firestarter or anything else.
Win32sux,
I do in fact want a simple, yet full-blown stealth setup.
(Preferably with a simple GUI.)
That would hit the nail right on the head!
Namaste'
Scot
 
Old 01-05-2008, 10:15 AM   #15
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by ScotHypnotist View Post
Win32sux,
That is just way beyond my understanding of Linux.
I am concerned I will screw something up.
I would want to go with something much less complicated.
Well, one thing you definitely want to get familiar with on GNU/Linux is the concept of shell scripts. They are the bread and butter of GNU/Linux, and many times the solutions to a problem will be posted in this manner. But it's okay. In fact, your concern about doing something you aren't familiar with yet is quite honorable IMHO.

Quote:
Originally Posted by ScotHypnotist View Post
Win32sux,
I do in fact want a simple, yet full-blown stealth setup.
(Preferably with a simple GUI.)
That would hit the nail right on the head!
I don't know of any that are specialized for stealth setups. But Firestarter should be able to let you configure whatever setup you like. So maybe you should get started with it? You definitely wanna read and understand the documentation on their website before you do, though - I doubt it's gonna be as easy as just executing my shell script.

PS: As a side note, I used Shorewall back in the day before I learned to use iptables. It's not a GUI, but it's a front-end nevertheless. You basically tweak a few configuration files and it will do all the iptables stuff for you. Like I said, it's not a GUI, but I thought I'd mention it.

Last edited by win32sux; 01-05-2008 at 10:55 AM.
 