Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I am using a DSL-modem on Mandrake Linux 9.1. All I'm doing with the computer is emails and Internet, and maybe using my Telnet to connect to other UNIX shell servers. That's all. I am not running Samba or other services and I am on a stand-alone PC. That's all.
I would appreciate it if someone could tell me if the firewall script which is in my rc.local directory is sufficient enough. I am using this right now and I probed my computer for common ports and the results were all ports STEALTHED. My question is though, is this sufficient enough for my only emails and Internet computing? Please look below. If it's not very secure, then please, if someone here could provide me with a more secure code than this.
Code:
#PROC SETTINGS
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts #Block pings to broadcast IP (smurf)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians #Log non-routable IPs
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route #Block source-routed packets
iptables -F
iptables -t nat -F
iptables -X
iptables -Z
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
#DROP BAD PACKETS
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP #DROP NEW NOT SYN
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #DROP SYN-FIN SCANS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #DROP SYN-RST SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP #DROP X-MAS SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP #DROP NMAP FIN SCAN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP #DROP NULL SCANS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP #DROP ALL/ALL SCANS
#LOG AND DROP IANA RESERVED/BOGONS
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP " #Trailing space keeps the prefix from running into "IN=" in syslog
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP "
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP "
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP "
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP "
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
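The LOG rules in the script above write one syslog line per dropped bogon packet, rate-limited to five per minute. The following shell script is an added example, not code from the thread, that summarises those lines so the drops can be reviewed rather than just accumulating in syslog. The sample log inside it is constructed (host name, addresses and ports are placeholders from private and documentation ranges). iptables prints the log prefix immediately followed by `IN=`, so a prefix without a trailing space yields `WARN: INVALID IPIN=ppp0`; the parser tolerates both forms.

```shell
#!/bin/sh
# Added example, not from the thread: summarise the "WARN: INVALID IP"
# lines that the script's LOG rules produce. Reads syslog-style text on
# stdin and prints "count source proto/dport", busiest source first.

bogon_report() {
    awk '
        /WARN: INVALID IP/ {
            src = ""; dpt = ""; proto = ""
            # Fields look like KEY=VALUE; a prefix without a trailing
            # space gives a fused "IPIN=ppp0" token, which is simply
            # ignored because we never read IN.
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "SRC")   src = kv[2]
                if (kv[1] == "DPT")   dpt = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src == "") next
            if (dpt == "") dpt = "-"      # ICMP has no destination port
            hits[src " " proto "/" dpt]++
        }
        END { for (k in hits) printf "%d %s\n", hits[k], k }
    ' | sort -rn
}

# Constructed sample: three TCP probes from one private source, one UDP
# packet, one ICMP line with the fused prefix, and one unrelated line.
sample_log() {
cat <<'EOF'
Mar 12 10:15:01 box kernel: WARN: INVALID IP IN=ppp0 OUT= MAC= SRC=10.1.2.3 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=4444 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 12 10:15:02 box kernel: WARN: INVALID IP IN=ppp0 OUT= MAC= SRC=10.1.2.3 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=4445 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 12 10:15:03 box kernel: WARN: INVALID IP IN=ppp0 OUT= MAC= SRC=10.1.2.3 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=4446 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 12 10:16:10 box kernel: WARN: INVALID IP IN=ppp0 OUT= MAC= SRC=192.168.5.9 DST=203.0.113.7 LEN=28 TOS=0x00 PREC=0x00 TTL=51 ID=9 PROTO=UDP SPT=53 DPT=1027 LEN=8
Mar 12 10:18:00 box kernel: WARN: INVALID IPIN=ppp0 OUT= MAC= SRC=172.16.4.4 DST=203.0.113.7 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Mar 12 10:17:00 box sshd[412]: Accepted publickey for alice from 198.51.100.4 port 50022
EOF
}

# Stand-alone use: sample_log | bogon_report
# or on a real box:   grep 'INVALID IP' /var/log/messages | bogon_report
```

On the sample this prints `3 10.1.2.3 TCP/23` first, then the single UDP and ICMP entries. Because the LOG rules are rate-limited, the counts are a lower bound on what was actually dropped; a source that keeps showing up on the same port is the kind of thing worth a closer look in the full log.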
There are always more things you can add to a firewall in order to make it more secure (egress filtering, added spoofing protection, etc.), but I think the one you're using is reasonably secure for your needs.
OK, thanks, then I'll go ahead and stick with this one as I probed for ports and the result was all ports stealthed. That should indicate that it is working.
I am totally off on how to create iptables or ipchains. Everyone here tells me to go read, but even reading this I do not understand. It's very confusing.
Now, what is the real and actual name of the script I have??? Is it called IPTABLES or IPChains???
I am totally off on how to create iptables or ipchains. Everyone here tells me to go read, but even reading this I do not understand. It's very confusing.
The frozentux tutorial is one of the better written and more detailed guides that I really recommend reading, so that is a good place to start. If you have any specific questions though, feel free to ask.
Now, what is the real and actual name of the script I have??? Is it called IPTABLES or IPChains???
IPTables. IPChains was the older Linux firewall used in the 2.2 series kernels.
Could I call it a Firewall or Linux firewall??? Does it really matter?
Either one. IPTables is a firewall that runs on the Linux platform and I don't believe it's been ported to any other operating systems, so you can use the two names pretty much interchangeably.
So, just to confirm, IPTables is actually considered a firewall? Am I right?
Technically iptables is just the user interface and scripting language for configuring "Netfilter", which is the actual firewalling code present in the Linux kernel. However, pretty much everyone just calls it iptables when referring to either one. In fact if you call it Netfilter, people may not know what you're talking about. But to get back to your question, yes, iptables/netfilter is a firewall.
How can I add IP Spoofing protection to the script above??? Please let me know where to add the IP spoofing protection??? On which line? If I need one....that is... I don't know if this one already has it or not...
Do you think this script will provide me stealth???
Originally posted by wardialer: How can I add IP Spoofing protection to the script above??? Please let me know where to add the IP spoofing protection??? On which line? If I need one....that is... I don't know if this one already has it or not...
That's what this is:
Code:
#LOG AND DROP IANA RESERVED/BOGONS
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP " #Trailing space keeps the prefix from running into "IN=" in syslog
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP "
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP "
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP "
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP "
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
If you have a static IP, you can add it to this block of rules as well.
Do you think this script will provide me stealth???
Yes. Using the DROP target results in 'stealth'. If you open up any ports in that firewall then it's not so stealth.
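To show concretely what the earlier reply's "egress filtering" and "added spoofing protection", and this reply's "add your static IP to this block", look like in a script, the following is an added example rather than code from the thread. It keeps the poster's rule set and adds three things: the kernel's reverse-path check (rp_filter), a DROP policy on OUTPUT with an explicit allow-list of outbound services, and rules that drop inbound packets arriving on the DSL link claiming the host's own address and outbound packets not carrying it. The interface name ppp0 is taken from the thread; the address 203.0.113.7 and the file name firewall.sh are placeholders. Setting DRY_RUN=1 prints the rules instead of loading them, so the whole set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not code from the thread: the poster's rc.local firewall
# extended with egress filtering and anti-spoofing for the host's own
# public address. Assumed names: WAN interface ppp0 (from the thread);
# the public address is a constructed placeholder (203.0.113.7).
# Run with DRY_RUN=1 to print the rules instead of loading them.

WAN="${WAN:-ppp0}"
DRY_RUN="${DRY_RUN:-}"

# Wrapper so the rule set can be previewed without root or iptables.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Same idea for the /proc knobs used in the original script.
sysknob() {
    if [ -n "$DRY_RUN" ]; then
        echo "echo $2 > /proc/sys/net/ipv4/$1"
    else
        echo "$2" > "/proc/sys/net/ipv4/$1"
    fi
}

# Source networks that must never arrive on the WAN side (from the thread).
BOGONS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Outbound TCP services a mail-and-web workstation needs. 23 is telnet,
# which the poster uses; 22 covers ssh if that replaces it later.
OUT_TCP="22 23 25 80 110 143 443"

fw_load() {
    my_ip="$1"
    [ -n "$my_ip" ] || { echo "usage: fw_load <public-ip>" >&2; return 1; }

    sysknob icmp_echo_ignore_broadcasts 1
    sysknob conf/all/log_martians 1
    sysknob conf/all/accept_source_route 0
    sysknob conf/all/rp_filter 1          # kernel reverse-path check (anti-spoof)

    ipt -F; ipt -t nat -F; ipt -X; ipt -Z
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP                    # egress filtering: default deny outbound

    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    ipt -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    ipt -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    # The remaining flag-combination rules from the thread can stay as they are.

    # Anti-spoof: nothing from outside may claim a bogon or our own address,
    # and nothing may leave the WAN side with a source that is not ours.
    for net in $BOGONS "$my_ip"; do
        ipt -A INPUT -i "$WAN" -s "$net" -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP "
        ipt -A INPUT -i "$WAN" -s "$net" -j DROP
    done
    ipt -A OUTPUT -o "$WAN" ! -s "$my_ip" -m limit --limit 5/m -j LOG --log-prefix "WARN: SPOOFED OUT "
    ipt -A OUTPUT -o "$WAN" ! -s "$my_ip" -j DROP

    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Egress allow-list: DNS, the listed TCP services, and outbound pings.
    ipt -A OUTPUT -o "$WAN" -p udp --dport 53 -m state --state NEW -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    for port in $OUT_TCP; do
        ipt -A OUTPUT -o "$WAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    ipt -A OUTPUT -o "$WAN" -p icmp --icmp-type echo-request -j ACCEPT
    # Anything else leaving is logged, so an unexpected outbound connection
    # shows up in syslog instead of being refused silently.
    ipt -A OUTPUT -o "$WAN" -m limit --limit 5/m -j LOG --log-prefix "WARN: EGRESS BLOCKED "
}

# Number of -A rules the set would load; useful when reviewing a dry run.
fw_rule_count() {
    DRY_RUN=1 fw_load "$1" | grep -c -- '^iptables -A '
}

# Direct use: DRY_RUN=1 sh firewall.sh 203.0.113.7   (then without DRY_RUN as root)
if [ -n "${1:-}" ]; then
    fw_load "$1"
fi
```

Review the output of `DRY_RUN=1 sh firewall.sh 203.0.113.7` first, then run it as root from rc.local. With the OUTPUT policy at DROP, any protocol not in OUT_TCP (NTP, or a mail server on a different port) needs its own ACCEPT rule; the "EGRESS BLOCKED" log line shows what was refused. On a dynamic DSL address the own-IP rules have to be regenerated whenever the link comes up, which is why the address is a parameter rather than hard-coded.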