Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
08-16-2006, 10:27 AM, #1
Member, Registered: Apr 2006, Distribution: ubuntu 7.04, Posts: 219
How to configure my firewall
1) I am running Fedora Core 5 x86_64 and was wondering whether anyone could point me in the direction of a good script to set up my firewall. It's accidentally in a rather permissive mode at the moment as a result of me fiddling with it!
I need access for my wireless and wired ethernet card, my modem & internet access, etc. (Wouldn't want to lock myself out of these). I think setting up a firewall myself (even with such tools as Webmin, which I just downloaded) is beyond my scope.
Any suggestions?
2) I was also wondering about SELinux. I had to turn off SELinux some time ago in order to get vmware to work.
Somebody said:
Quote:
Just get rid of SELinux. Dozens of mysterious problems will suddenly disappear and your TCO will be much lower
What do you think? Exactly how much performance do I save by turning off SELinux?
08-16-2006, 12:39 PM, #2
LQ Guru, Registered: Dec 2005, Location: Somewhere on the String, Distribution: Debian Wheezy (x86), Posts: 6,094
1) If it's a desktop, I'd try using a gui like firestarter. It's a stateful firewall and you can set it up such that it will prompt you as you use services to allow or disallow them. So when a machine tries to connect, you can just click "Allow this service from this machine".
2) Don't know much about it.
08-16-2006, 01:41 PM, #3
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
here's a simple script that will set your policies, clear your tables, and set your rules...
Code:
#!/bin/sh
IPT="/sbin/iptables"

# Default policies: drop anything inbound or forwarded that no rule
# explicitly accepts; allow everything outbound.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# The mangle and nat tables are not used by this script, so their
# policies are left permissive.
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

# Flush every rule and delete any user-defined chains in all three
# tables, so the rules below are the only ones in effect.
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

# The only two real rules: accept packets belonging to (or related to)
# connections this host started, and accept all loopback traffic.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
this script blocks all incoming connections - it's what is commonly called a "stealth firewall script"... it's also super simple, as the only actual *rules* are those two which appear in bold... this script will work no matter what your interfaces are called, or how many you have...
after executing the script, i believe you save the configuration (on red hat distros) by doing a:
Code:
service iptables save
just my ...
Last edited by win32sux; 08-16-2006 at 01:45 PM.
08-17-2006, 10:44 AM, #4
Member (Original Poster), Registered: Apr 2006, Distribution: ubuntu 7.04, Posts: 219
Quote:
If it's a desktop, I'd try using a gui like firestarter.
Thanks. This sounds great.
Quote:
this script blocks all incoming connections - it's what is commonly called a "stealth firewall script"...
Thank you also! Will this block incoming internet connections through my wireless card though?
08-17-2006, 01:33 PM, #5
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
Quote:
Originally Posted by 144419855310001
Thank you also! Will this block incoming internet connections through my wireless card though?
yes, because the rule doesn't specify any interface, it will block incoming connections on all your interfaces...
Last edited by win32sux; 08-17-2006 at 01:55 PM.
08-18-2006, 08:58 AM, #6
Member (Original Poster), Registered: Apr 2006, Distribution: ubuntu 7.04, Posts: 219
Quote:
yes, because the rule doesn't specify any interface, it will block incoming connections on all your interfaces...
Looks like I'll have to do some further reading then. I'll see how I go with firestarter too.
08-19-2006, 09:20 AM, #7
Member, Registered: Mar 2005, Location: UK, Distribution: Slackware, Posts: 794
If you want to open a specific incoming port, you can do it something like this.
Code:
$IPT -A INPUT -p tcp --dport 25 -i eth0 -j ACCEPT
Which you can add at the end. That specifies that 'port 25' (smtp) is open for the interface called 'eth0'.
08-19-2006, 10:39 AM, #8
LQ Guru, Registered: Jul 2003, Location: Los Angeles, Distribution: Ubuntu, Posts: 9,870
Quote:
Originally Posted by simcox1
If you want to open a specific incoming port, you can do it something like this.
$IPT -A INPUT -p tcp --dport 25 -i eth0 -j ACCEPT
Which you can add at the end. That specifies that 'port 25' (smtp) is open for the interface called 'eth0'.
if you're using the script above, it would be a good idea to use the state table for this also, otherwise you're just allowing packets of any state (which kinda defeats the purpose of stateful filtering):
Code:
$IPT -A INPUT -p TCP -i $IFACE --dport 25 \
-m state --state NEW -j ACCEPT
where $IFACE is the interface you want the rule to apply to...
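As an added example (not code from the thread), here is a POSIX shell script that produces the default-deny stateful ruleset from post #3 in iptables-restore format and opens listening TCP ports per interface the stateful way post #8 describes (matching only --state NEW). It never touches the live firewall; the interface name, port list and file path in the usage comment are assumptions, and the ruleset can be parsed with iptables-restore --test before it is loaded.

```shell
#!/bin/sh
# Added example: emit the stealth ruleset (post #3) plus stateful opt-in
# ports (post #8) as an iptables-restore file. Assumed usage:
#   build_ruleset IFACE [PORT ...]
# Nothing here modifies the running firewall.

# Return 0 only for a well-formed port number (1-65535).
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the complete filter-table ruleset to stdout.
# $1 = interface the opened ports apply to; remaining args = TCP ports.
build_ruleset() {
  iface="$1"; shift
  printf '%s\n' '*filter'
  # Policies: drop unsolicited inbound and all forwarding, allow outbound.
  printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  # The two rules of the stealth script: replies to connections this host
  # started, and everything on loopback.
  printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  # Opt-in listeners: only the first packet of a new connection on the
  # named interface; RELATED,ESTABLISHED above carries the rest of the flow.
  for port in "$@"; do
    valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    printf '%s\n' "-A INPUT -p tcp -i $iface --dport $port -m state --state NEW -j ACCEPT"
  done
  printf '%s\n' 'COMMIT'
}

# Number of port-opening rules in the generated ruleset (sanity check).
count_open_ports() {
  build_ruleset "$@" | grep -c -- '--state NEW'
}

# Example (as root on the firewall host; path is an assumption):
#   build_ruleset eth0 22 > /etc/iptables.rules
#   iptables-restore --test < /etc/iptables.rules   # parse only, no changes
#   iptables-restore < /etc/iptables.rules
```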