LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-04-2005, 01:33 PM   #1
epoo
Member
 
Registered: Aug 2003
Distribution: slackware 11, ubuntu 7.04
Posts: 165

Rep: Reputation: 30
is this a bad idea ? fileserver/firewall...


i have a box right now that im thinking of using as a router/firewall. i currently use a dlink router, but that's not as much fun as this could be
currently im using this box as an ftp server and samba file server. would it be okay to keep the same services running (still use it as an ftp and file server) but include a firewall script and use it as a firewall/router ? my main concern is that someone gets in through the running services somehow, but i was thinking last nite that this might actually be possible.
any input is appreciated - thanks !
 
Old 05-04-2005, 01:54 PM   #2
msound
Member
 
Registered: Jun 2003
Location: SoCal
Distribution: CentOS
Posts: 465

Rep: Reputation: 30
if youre not an expert at configuring linux firewalls than i would keep your samba/ftp server BEHIND a real firewall until your confident in your firewalling skills. misconfiguring your firewall would compromise your fileserver and potentially put your entire network at risk.

if you want to have fun with linux, just setup your linux box as a proxy server behind your dlink router. that way you'll still have the security from the dlink, but you can have fun configuring your proxy settings and traffic logging with linux. its win-win

ex:

INTERNET --> DLINK --> LINUX SERVER --> NETWORK SWITCH --> THE REST OF YOUR NETWORK
 
Old 05-04-2005, 04:09 PM   #3
epoo
Member
 
Registered: Aug 2003
Distribution: slackware 11, ubuntu 7.04
Posts: 165

Original Poster
Rep: Reputation: 30
thats a good idea, i think i'll try that this weekend.

another question - i have a 10mb 4 port hub, and a 16port switch. i have a laptop, desktop, and server (which would actually end up being the proxy server) - would it be worth it to use the switch, or should i stick with the hub ?
 
Old 05-04-2005, 04:29 PM   #4
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696

Rep: Reputation: 232Reputation: 232Reputation: 232
It depends. In most cases the hub will be enough. It also depends how 'inteligent' is the switch and how many interesting things you can do with it.
 
Old 05-05-2005, 12:35 AM   #5
April
LQ Newbie
 
Registered: Apr 2005
Distribution: Slackware 10.1
Posts: 18

Rep: Reputation: 0
Do you need to allow access to samba file server and FTP only from inside your network? If so, you can configure iptables to allow this while blocking access to these services from the outside world

Example -

# Flush all previous iptables chains
iptables -F

# The first rule sets the default policy, i.e. what to do if a packet doesn't match any
# other rule, to drop any packet coming into (INPUT) through your box.

iptables -P INPUT DROP

# The next rule is added (-A) to the INPUT chain. This rule allows
# response packets from any connections established from within your system..

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Thist rule allows packets through the loopback interface.
iptables -A INPUT -i lo -j ACCEPT

# Allow internal network to function freely
iptables -A INPUT -j ACCEPT -p all -s 192.168.0.0/16 -i eth1

# Allow internal network machines to access internet and masquerade IP addresses
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Allow access to FTP and SMB requests ONLY from within the internal network
iptables -A INPUT -p tcp -m multiport --destination-port 21,137,139 -s 192.168.0.0/16 -j ACCEPT

# Allow internal machines ONLY to make SMB requests (UDP)
iptables -A INPUT -p udp -m multiport --destination-port 137,139 -s 192.168.0.0/16 -j ACCEPT

Last edited by April; 05-07-2005 at 04:08 PM.
 
Old 05-06-2005, 12:38 PM   #6
epoo
Member
 
Registered: Aug 2003
Distribution: slackware 11, ubuntu 7.04
Posts: 165

Original Poster
Rep: Reputation: 30
id need access to the ftp server from outside the network, but thats the only service that anyone outside should be able to access.

if i were to make a rule to drop all packets coming in from outside, would web browsing still work ?
 
Old 05-06-2005, 04:42 PM   #7
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Rep: Reputation: 78
Quote:
if i were to make a rule to drop all packets coming in from outside, would web browsing still work ?
Yes it would, because 'iptables' is a stateful packet filter. What this means is that iptables is smart enough to know if a packet arriving on the firewall is a response to a packet sent from your box originally. This is demonstrated by this rule, in April's example script above:
Code:
# The next rule is added (-A) to the INPUT chain. This rule allows
 # packets from any previously established connections.
 
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
Old 05-06-2005, 09:26 PM   #8
epoo
Member
 
Registered: Aug 2003
Distribution: slackware 11, ubuntu 7.04
Posts: 165

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by bulliver
Yes it would, because 'iptables' is a stateful packet filter. What this means is that iptables is smart enough to know if a packet arriving on the firewall is a response to a packet sent from your box originally. This is demonstrated by this rule, in April's example script above:
Code:
# The next rule is added (-A) to the INPUT chain. This rule allows
 # packets from any previously established connections.
 
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
oh, ok. i read that, but i thought it meant that if there was a network connection already established when the script was run, it would leave it alone.
 
Old 05-07-2005, 03:44 PM   #9
April
LQ Newbie
 
Registered: Apr 2005
Distribution: Slackware 10.1
Posts: 18

Rep: Reputation: 0
Woops! I just noticed that the syntax of the last rule was incorrect. So just in case you tryed this and had problems epoo, I corrected it above.

So if you need access to FTP from outside, then remove port 21 from the following rule in the example script

# Allow access to FTP and SMB requests ONLY from within the internal network
iptables -A INPUT -p tcp -m multiport --destination-port 21,137,139 -s 192.168.0.0/16 -j ACCEPT

and add a new rule below that one

# Allow access to FTP from outside the network
iptables -A INPUT -p tcp --destination-port 21 -j ACCEPT


BTW, you can save this script as (for example) rc.firewall, chmod 755 and place it in your /etc/rc.d folder, and the firewall will automatically load on boot.

Do some reading regarding iptables and you can expand this script to accomodate any future needs you may have.

Last edited by April; 05-07-2005 at 03:45 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Bad Idea dudeman41465 Linux - Software 1 10-10-2005 03:37 AM
Slack on a LapTop, Bad Idea??? Synth218 Slackware 33 04-11-2005 07:15 PM
TOMCAT: good or bad idea chadi Linux - General 3 11-02-2004 07:42 PM
Is this a good or bad idea? kemplej Linux - Software 2 10-26-2004 10:34 AM
Why is chmod a+r -R /usr/ a bad idea? BroX Linux - Newbie 4 11-18-2003 01:47 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:15 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration