Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I installed the linux version 3 on my laptop pc, gateway solo and want to setup the IP firewall for the application i want to use in this environment. the following are the ports i want to setup, however, i don't know how to do it in linux. it will be very appreciated if someone can give me a hand.
A. In general only the following ports are required for VSP connections.
1) Port 5060 SIP messaging for TCP & UDP Both Directions
2) ICMP Ping Replies (ICMP.type 8) for UCP replies inbound only
3) Port 514 Syslog UDP Outbound only
B. The following ports are required for Management Connections
1) Port 3288 COPS messaging TCP Both Directions.
2) Port 514 SYSLOG outbound only
3) Port 22 SSH inbound only
4) Port xxx DHCP both directions
5) Port xxx SNMP (not required immediately but could be handy)
Could you be a bit more specific about what version of linux you're using. Version 3 of the linux kernel hasn't been released yet and for the majority of linux distributions (Redhat, Mandrake, Slackware, etc) version 3 would be extremely outdated and insecure. The same applies to IP firewall, IPFW was replaced by IPchains, which was replaced with IPtables several years ago.
Again: how to setup IP firewall in linux enterprise ws (ES) version 3 for these port?
Dear Sir:
The same questions again!
I installed the linux enterprise ws (ES) version 3 on my laptop pc, gateway solo and want to setup the IP firewall for the application i want to use in this environment. the following are the ports i want to setup, however, i don't know how to do it in linux. it will be very appreciated if someone can give me a hand.
A. In general only the following ports are required for VSP connections.
1) Port 5060 SIP messaging for TCP & UDP Both Directions
2) ICMP Ping Replies (ICMP.type 8) for UCP replies inbound only
3) Port 514 Syslog UDP Outbound only
B. The following ports are required for Management Connections
1) Port 3288 COPS messaging TCP Both Directions.
2) Port 514 SYSLOG outbound only
3) Port 22 SSH inbound only
4) Port xxx DHCP both directions
5) Port xxx SNMP (not required immediately but could be handy)
The general rule for allowing incoming TCP traffic (where X is your desired port) is:
Code:
iptables -I INPUT -p tcp --dport X -j ACCEPT
So for your first question, the rule to allow incoming TCP traffic to port 5060 would be:
Code:
iptables -I INPUT -p tcp --dport 5060 -j ACCEPT
To allow the UDP traffic on the same port, just change the protocol (-p) match:
Code:
iptables -I INPUT -p udp --dport 5060 -j ACCEPT
To allow outbound traffic, you'll want to add a rule to the OUTPUT chain, so for outbound TCP traffic to port 5060 the rule would be:
Code:
iptables -I OUTPUT -p tcp --dport 5060 -j ACCEPT
To allow specific ICMP traffic types (in this case inbound icmp type 8 traffic):
Code:
iptables -I INPUT -p icmp --icmp-type 8 -j ACCEPT
All the other types of traffic you mention just need various tweaks to the above rules. Though for sensitive services that shouldn't be available to the public, you should limit access to only those systems that are necessary. Use the source and destination matches for this. So to limit incoming syslog udp traffic to a single host (say 192.168.0.2) you'd want to use something like:
There are a number of other important considerations when constructing your firewall that can drastically change it's effectiveness. First you'll need to decide on what type of default policies you want. Having default DROP policies are usually the safest, but require the most thought and tweaking to make sure that you're allowing all the necessary traffic through. Default ACCEPT policies are the easiest to get working right away, but again require alot of thought to make sure that your rules will block malicious traffic. Often people will compromise and use a default policy of DROP for the INPUT and FORWARD chains and a default OUTPUT policy of ACCEPT. Another important thing to remember is that the order of the rules matters in iptables. So when a packet moves through the firewall, iptables will attempt to match the packet to your rules in sequential order (you can see the current rule order with iptables -vnL). So a misplaced rule can ruin a firewall even if the syntax of all the rules is correct. It's also a pretty good idea to take advantage of iptables statefull filtering capacity when possible.
There are a number of good resources for iptables documentation as well and if you are planning to build your own firewall, you should really read them until you are familiar with the basic iptables function and syntax. Here are some links:
the linux firewall looks quite complicated, can you help for the following rules as well.
B. The following ports are required for Management Connections
1) Port 3288 COPS messaging TCP Both Directions.
2) Port 514 SYSLOG outbound only
3) Port 22 SSH inbound only
4) Port xxx DHCP both directions
5) Port xxx SNMP
i have the following questions as well:
1. can you give some examples on how to test the firewall after change the rules?
2. if add a rule, eg. "Port 514 SYSLOG outbound" to the firewall. what are all the steps to accomplish this?
is it to add a line of "-A(or I) OUTPUT -p udp --dport 514 -j ACCEPT" into the file /etc/sysconfig/iptables? that's all?
is it the "iptables -A(or I) OUTPUT -p udp --dport 514 -j ACCEPT" command used to test this new rule?
except updating the /etc/sysconfig/iptables file, is there anything needs to do for adding this new rule?
3. in the original file /etc/sysconfig/iptables, there is some rules like, "-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT", what is the difference between RH-Firewall-1-INPUT and INPUT? is it ok to use INPUT to replace RH-Firewall-1-INPUT?
4. is the following syntax for adding a ssh rule correct?
"-A INPUT -p ssh --dport 22 -j ACCEPT"
after adding the above line to the /etc/sysconfig/iptables file, then run "service iptables start", get the following error:
for the 2) ICMP Ping Replies (ICMP.type 8) for UCP replies inbound only, your answer is
iptables -I INPUT -p icmp --icmp-type 8 -j ACCEPT
how about the "UCP"? should it be put into somewhere in the above iptables statement?
I'm not that familiar with the inner workings of VoIP and UCP, but if the docs specifically say icmp type 8, then the protocol will be icmp not ucp. In fact I don't believe ucp is even a valid protocol in iptables (it's not defined in /etc/protocols and iptables doesn't recognize it either.
[QUOTE]Originally posted by qbsu21th the linux firewall looks quite complicated, can you help for the following rules as well.
1) Port 3288 COPS messaging TCP Both Directions.
2) Port 514 SYSLOG outbound only
3) Port 22 SSH inbound only
4) Port xxx DHCP both directions
5) Port xxx SNMP
For inbound traffic, use the INPUT chain along with the protocol (tcp, udp, or icmp) and the proper destination port (3288, 514, 22, etc). For outbound, you'll use the OUTPUT chain and the ports will be the source port instead of the destination port. Though I'd recommend using a default OUTPUT rule of ACCEPT to start off with (you won't have to worry about defining specific rules for each outbound type of connection. Once you get that working, then you can change it to DROP and then add rules for each one. If your unsure of the port to use, check the /etc/services files or the documntation for that service.
1. can you give some examples on how to test the firewall after change the rules?
Performing a nmap and nessus scan from a remote system would probably be informative in terms of what your firewall looks like from the outside and should identify common miss-configurations and vulnerabilities
2. if add a rule, eg. "Port 514 SYSLOG outbound" to the firewall. what are all the steps to accomplish this?
In order to add the above rule, you need to be root and enter the following command at the command line:
iptables -I OUTPUT -p udp --dport 514 -j ACCEPT
If you enter the rule properly, you'll return to the command prompt, otherwise you'll see an error message. You can put all these rules together in the form of a executable bash script so that you can make changes to the firewall more easily.
is it to add a line of "-A(or I) OUTPUT -p udp --dport 514 -j ACCEPT" into the file /etc/sysconfig/iptables? that's all?
Don't directly edit the /etc/sysconfig/iptables file. Enter the commands from the command line as I've posted them. If you want to see the current state of the firewall, do iptables -vnL. Once you get it to your liking, do service iptables save. This will save the firewall config to the iptables file and will reload these rules at boot.
is it the "iptables -A(or I) OUTPUT -p udp --dport 514 -j ACCEPT" command used to test this new rule?
Not sure what you mean here. Usually the most effective test will be "does the service work or not", but you can use a remote nmap scan or just looking at the output of iptables -vnL will tell you whether the command worked properly.
except updating the /etc/sysconfig/iptables file, is there anything needs to do for adding this new rule?
Again don't edit the iptables file, use the service iptables save command.
3. in the original file /etc/sysconfig/iptables, there is some rules like, "-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT", what is the difference between RH-Firewall-1-INPUT and INPUT? is it ok to use INPUT to replace RH-Firewall-1-INPUT?
That's the default Redhat firewall rules (which aren't particularly that great). You can enter the rules with -I (as I've posted them) which will put your rules before these default rules or you can remove the defaults from the firewall entirely with iptables -F and then enter and save your rule set. Make sure to test your ruleset and be sure it works before wiping out the defaults.
"-A INPUT -p ssh --dport 22 -j ACCEPT"
after adding the above line to the /etc/sysconfig/iptables file, then run "service iptables start", get the following error:
Applying iptables firewall rules: iptables-restore v.1.2.8: unknown protocol 'ssh' specified
Error occured at line: 32
SSH is the type of service being used (like http, ftp,etc) not the protocol (tcp, udp, icmp,gre, etc). SSH uses tcp, so the rule would be:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
For what it's worth, read the iptables documentation. There is certainly a learning curve to iptables, but the docs can go into far more detail about the questions your having and have alot more examples that will probably be really helpful.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
