Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm having difficulty with reading iptables rules. I've evidently configured something wrong in the "UFW" and/or "Lokkit" settings, because no traffic seems to be able to get through. I've appended the output of "iptables -L" below. I can't understand a word of it, I'm afraid.
My aims are pretty simple:
I'm connecting via usb stick modem to the Vodafone mobile network
The box is a stand-alone desktop, single-user, running Ubuntu 8.1; no server requirements; no SSH etc.
I just want to close off everything except Web browsing, file downloading (torrent & ftp) and system updates.
Here's the output from "iptables -L"
Chain INPUT (policy DROP)
target                 prot opt source               destination
RH-Lokkit-0-50-INPUT   all  --  anywhere             anywhere
ufw-before-input       all  --  anywhere             anywhere
ufw-after-input        all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target                 prot opt source               destination
RH-Lokkit-0-50-INPUT   all  --  anywhere             anywhere
ufw-before-forward     all  --  anywhere             anywhere
ufw-after-forward      all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target                 prot opt source               destination
ufw-before-output      all  --  anywhere             anywhere
ufw-after-output       all  --  anywhere             anywhere
Okay, thanks for that. I'll try it and report back shortly. I'm just re-installing Ubuntu from scratch just to make certain everything is nice and clean again.
Well the commands went in without complaint from the shell. Is the machine now protected? If so I can save the changes with "sudo iptables-save > /etc/default" which I believe is the correct place within Ubuntu.
Here's the output from # iptables -L......
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state RELATED,ESTABLISHED
......and here's the output from # iptables -nvL.....
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 40 packets, 3184 bytes)
 pkts bytes target     prot opt in     out     source               destination
I've never heard of a file called /etc/default. You can pretty much save your config to any file you wish, just specify the name of the file in a pre-up line in your /etc/network/interfaces file. For example, I store my firewall config in /etc/firewall.txt so my /etc/network/interfaces file looks like:
Code:
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/firewall.txt
That said, the configuration you've shown doesn't match the commands suggested by anomie. You are sending packages in states RELATED and ESTABLISHED to DROP, which would break all transmissions.
I have to say the terms employed by whoever wrote this program are deeply unhelpful inasmuch as they bear no relation to their generally-accepted meanings in the natural world. It's extremely confusing for those of us who read Victorian novels.
Anyway, am I clear to go online now? Is my box safe?
Thanks,
CC.
Actually, the output you've just posted still has the same problem.
If you execute his commands properly, your output should look like this (with different packet/byte counts):
Code:
win32sux@candystore:~$ sudo iptables -nvL INPUT
Chain INPUT (policy ACCEPT 25 packets, 10174 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   33 15047 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
win32sux@candystore:~$
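Added example, not code from any poster in this thread: a small POSIX shell script that (1) writes the INPUT chain shown in the listing above in iptables-restore format, so it can be loaded from a pre-up line the way the /etc/firewall.txt suggestion earlier in the thread does, and (2) reads the text of an `iptables -L INPUT` or `iptables -nvL INPUT` listing and flags the mistake from the earlier post, where RELATED,ESTABLISHED traffic went to DROP instead of ACCEPT. The function names and the constructed listings are assumptions of this example; the rule shape and the /etc/firewall.txt path come from the thread.

```shell
#!/bin/sh
# Added example (not from any post in the thread).
# desktop_ruleset      - the INPUT chain from the listing above, in iptables-restore format
# write_ruleset FILE   - save it where a pre-up line in /etc/network/interfaces can load it
# check_input_listing  - sanity-check the text of `iptables -L INPUT` / `iptables -nvL INPUT`

# Ruleset for a stand-alone desktop with no services: accept loopback, accept
# replies to connections the box opened itself (web, ftp, torrent, updates),
# and drop everything else that arrives unsolicited. Counters are [packets:bytes].
desktop_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Write the ruleset to $1 (e.g. /etc/firewall.txt) and show the pre-up line
# that reloads it whenever the interface comes up.
write_ruleset() {
    desktop_ruleset > "$1" || return 1
    echo "saved to $1; add to /etc/network/interfaces:  pre-up iptables-restore < $1"
}

# Return 0 if the listing in $1 has the expected shape, 1 otherwise (reason on
# stderr). Handles both -L and -nvL output: in -nvL the target is the 3rd
# column (after pkts and bytes), in plain -L it is the 1st.
check_input_listing() {
    listing=$1
    state_target=$(printf '%s\n' "$listing" | awk '
        /state RELATED,ESTABLISHED/ { t = ($1 ~ /^[0-9]+$/) ? $3 : $1; print t; exit }')
    case "$state_target" in
        ACCEPT) ;;
        DROP)   echo "RELATED,ESTABLISHED goes to DROP: replies to your own connections are dropped" >&2
                return 1 ;;
        *)      echo "no RELATED,ESTABLISHED rule found" >&2
                return 1 ;;
    esac
    # The chain must end in a catch-all DROP, either as its policy or as its
    # last rule; otherwise unsolicited packets fall through and are accepted.
    policy=$(printf '%s\n' "$listing" | awk 'NR == 1 { p = $4; sub(/\)$/, "", p); print p }')
    last_target=$(printf '%s\n' "$listing" | awk '
        NR > 2 && NF { t = ($1 ~ /^[0-9]+$/) ? $3 : $1; if (t ~ /^[A-Za-z]/) last = t }
        END { print last }')
    if [ "$policy" != DROP ] && [ "$last_target" != DROP ]; then
        echo "chain neither has policy DROP nor ends in a DROP rule" >&2
        return 1
    fi
    return 0
}

# Constructed copies of the two -nvL listings posted in the thread, so the
# script can be run stand-alone without touching the live firewall.
POSTED_WRONG='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED'
POSTED_RIGHT='Chain INPUT (policy ACCEPT 25 packets, 10174 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
   33 15047 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0'

check_input_listing "$POSTED_WRONG" || echo "first listing: flagged, as expected"
check_input_listing "$POSTED_RIGHT" && echo "second listing: looks right"
```

On the real box the check would be fed live output, e.g. `check_input_listing "$(sudo iptables -nvL INPUT)"`, and `write_ruleset /etc/firewall.txt` followed by `sudo iptables-restore < /etc/firewall.txt` loads the rules immediately. The ruleset keeps the shape of the listing above (policy ACCEPT with an explicit final DROP); setting the INPUT policy to DROP and omitting the last rule is the equivalent arrangement the check also accepts.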
As an aside, I think this is one area of the Ubuntu distro that Team Ubuntu needs to look into urgently if they hope to lure away more Windoze users. Iptables may certainly be a powerful, versatile and wonderfully precise way of tailoring your firewall needs, but user-friendly it CERTAINLY AINT!
I'm aware of add-ons like lokkit and ufw that simplify firewall rule-setting, but they're still crude and in need of further refinement - and they don't come with the distro so you have to download them, which is kinda risky with no operational firewall in the first place!!
I've no idea where to send suggestions for further development (I'm a Debian man, anyway) but the above is just my 2c worth.
O_o...
Downloading without a firewall from the repositories for the distribution is as safe as it gets and a firewall isn't going to protect you from anything bad that would come from those locations anyways.
I do not think a firewall does what you think a firewall does (excuse my princess bride butchery.)
Don't get me wrong-- a firewall is a very useful piece of technology to have between you and the internet. That being said a firewall on the local machine is largely moot if you're already NAT'd like most people on broadband. If you get a direct routeable internet ip on your computer it's considerably more useful of course.
My default install only has ssh showing to the outside even without a firewall, but I don't suppose most newbies strip things down that far to begin with. Shrug, YMMV.
I'm not worried about anything nasty coming from a repository, but all the while I'm connected to the internet as things stand with the box in question, *all* ports are open (the default condition for Ubuntu) so there's no protection from nasties coming in via Telnet, SSH, FTP and the rest of these access points!
Unless you've a telnet, SSH and FTP service configured and running, those ports will show as closed. This is the reason why the first measure of hardening a box would be to disable all unneeded services....no listening services, no open ports.
Agreed, but most newbies don't know and don't want to know anything about security period unfortunately.
If you have a strong password and root logins disabled (for the services you listed), there's really no "nasties" available that can do anything to you. Ports are only open if you have a daemon running and listening on that port... why would you have telnet, ftp, etc running if you're not using them?
I'd be more concerned with portmap exposed or something similar if I installed nfs than I would be with most distributions' versions of ssh and ftp (provided of course my password wasn't something silly like "fred").
Besides, if you're nat'd already behind another device, even if you installed every single service you could stuff on the box and had no security enabled whatsoever and still didn't have a local firewall... people on the internet *still* couldn't hit a single one of them unless you statically mapped a port from your nat device (or UPNP'd one).
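The point made in the last few replies is that a port is only open if a daemon is listening on it. Added example, not code from any poster in this thread: shell functions that take the text of `ss -ltn` (or `netstat -ltn`, which puts the local address in the same column) and separate listeners bound to loopback, which only the box itself can reach, from those bound to 0.0.0.0, [::], ::: or *, which accept connections on every interface and are the ones worth reviewing. The function names and the sample listings are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from any post in the thread): which TCP listeners are
# reachable from other hosts, judged from the local bind address column of
# `ss -ltn` or `netstat -ltn` output passed in as a string.

# Shared parser: prints "PORT ADDRESS SCOPE" for every LISTEN line, where
# SCOPE is "local" for a loopback bind and "exposed" for anything else.
# The port is the text after the last ':' so IPv6 forms like [::]:22 and
# :::22 are handled as well as 0.0.0.0:22.
_listeners() {
    printf '%s\n' "$1" | awk '
        /LISTEN/ && $4 ~ /:/ {
            n = split($4, a, ":")
            port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            scope = (addr == "127.0.0.1" || addr == "::1" || addr == "[::1]") ? "local" : "exposed"
            print port, addr, scope
        }'
}

# Listeners other hosts can connect to, one "PORT ADDRESS" per line.
exposed_listeners() { _listeners "$1" | awk '$3 == "exposed" { print $1, $2 }'; }

# Listeners bound to loopback only, one "PORT ADDRESS" per line.
loopback_listeners() { _listeners "$1" | awk '$3 == "local" { print $1, $2 }'; }

# Number of distinct exposed ports (an IPv4 and an IPv6 socket on the same
# port count once).
exposed_port_count() {
    exposed_listeners "$1" | awk '{ if (!($1 in p)) { p[$1] = 1; c++ } } END { print c + 0 }'
}

# Constructed sample in `ss -ltn` layout: sshd on all interfaces (v4 and v6),
# a print spooler on loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      5      [::1]:631           [::]:*'

echo "reachable from other hosts:"
exposed_listeners "$SAMPLE_SS"
echo "loopback only:"
loopback_listeners "$SAMPLE_SS"
```

On a live box the same functions take real output, e.g. `exposed_listeners "$(ss -ltn)"`; an empty result means nothing is reachable on TCP regardless of firewall state, which is the "no listening services, no open ports" condition described above. UDP listeners would need the analogous `ss -lun` pass.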