LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 02-09-2004, 12:18 AM   #1
Tyir
Member
 
Registered: Sep 2003
Distribution: Slackware 9.1 with fluxbox
Posts: 259

Rep: Reputation: 30
Is this an ok firewall?


Ok, so to set up ssh, i had to get a new firewall
I found this script on the net
Is this good enough? It seems pretty simple, but I don't really know fi thats a good thing or a bad thing...
I basically just need basic internet stuff and ssh, no mail/web server etc

[code]
#!/bin/bash
# main code is from Ziegler's book "Linux Firewalls":
# "optimized code for stand-alone firewall"
#
# modified from our gateway firewall script to use it only on stand-alone Lin$
# OUTPUT chain has default policy "accept".
# So all the rules below are about allowing some input ports.
# First Date: Oct. 11th, 2002
#################################################################
# Load Modules
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_filter

EXT_IF="eth0" # network interface to the external: 128$
LOOPBACK_INTERFACE="lo" # however your system names it
EXT_IPADDR="192.168.1.166" # static allocated IP address
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # well-known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
IMAP4SSL_PORT="993"

###############################################################
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Drop Spoofed Packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Do not log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 0 > $f
done
###############################################################

# Remove any existing rules from all chains
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# Unlimited traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Set the default policy to drop
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD DROP

iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy OUTPUT ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT
iptables -t mangle --policy PREROUTING ACCEPT
iptables -t mangle --policy OUTPUT ACCEPT

# Remove any pre-existing user-defined chains
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
###############################################################
# Using Connection State to By-pass Rule Checking

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

###############################################################
# Stealth Scans and TCP State Flags
# All of the bits are cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
###############################################################
# Source Address Spoofing and Other Bad Addresses
iptables -A OUTPUT -s ! $EXT_IPADDR -j DROP
iptables -A INPUT -p ! udp -d $CLASS_D_MULTICAST -j DROP
##############################################################
# ICMP Control and Status Messages
# allow incoming pings from anywhere
iptables -A INPUT -p icmp --icmp-type echo-request -d $EXT_IPADDR \
-m state --state NEW -j ACCEPT
# Drop initial ICMP fragments
iptables -A INPUT -p icmp --fragment -j DROP
iptables -A INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT

# Intermediate traceroute responses
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

###############################################################
# Accept the following input requests and ports #
###############################################################
# reject outside AUTH request.
iptables -A INPUT -p tcp --sport $UNPRIVPORTS --dport 113 -j REJECT --reject-w$
###############################################################
# Accept SMTP, IMAPS from outside.
iptables -A INPUT -p tcp --sport $UNPRIVPORTS --dport 25 -m state --state NEW $
iptables -A INPUT -p tcp --sport $UNPRIVPORTS --dport $IMAP4SSL_PORT -m state $
###############################################################
# accept outside ssh (TCP Port 22)
iptables -A INPUT -p tcp --sport $UNPRIVPORTS --dport 22 -m state --state NEW $

EDIT:
I did a web port scan, and they found that port 22 is OPEN, but this is neccesary, and can't be hidden (i learn this from the tread about it on thsi page).
but ssh is veyr secure right, so i shouldn't have to worry? Oh, and when i got my friend to ssh, he had the option of a basic or encrypted pass, can i remove the basic option? and im guessing that would be in sshd_config, i will go look around in there...

Last edited by Tyir; 02-09-2004 at 12:22 AM.
 
Old 02-09-2004, 12:22 AM   #2
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 67
Ya, that is pretty good. If you don't run a SMTP or IMAPS server you don't need those lines in there. Besically the only thing that'll let in currently is ssh, SMTP, and IMAPS though, and it shouldn't reply to port scanning.
 
Old 02-09-2004, 12:27 AM   #3
Tyir
Member
 
Registered: Sep 2003
Distribution: Slackware 9.1 with fluxbox
Posts: 259

Original Poster
Rep: Reputation: 30
SMTP is only if i want it to be a mail server, right? which i dont....

so i will get rid of those lines...

also, do ./rc.firewall start|stop work?

otherwise, how would i turn it off (if i wanted to)
 
Old 02-09-2004, 12:31 AM   #4
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 67
The following 3 commands should turn everything off.
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
 
Old 02-09-2004, 12:56 AM   #5
Tyir
Member
 
Registered: Sep 2003
Distribution: Slackware 9.1 with fluxbox
Posts: 259

Original Poster
Rep: Reputation: 30
alright, i ran nmap..
Code:
Starting nmap 3.45 ( http://www.insecure.org/nmap/ ) at 2004-02-09 00:51 EST
Interesting ports on localhost (127.0.0.1):
(The 1647 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
37/tcp   open  time
79/tcp   open  finger
113/tcp  open  auth
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
901/tcp  open  samba-swat
6000/tcp open  X11
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 0.039 days (since Sun Feb  8 23:56:19 2004)

Nmap run completed -- 1 IP address (1 host up) scanned in 6.741 seconds
Im worried about ftp, and X11...should i change the script?
 
Old 02-09-2004, 01:00 AM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
By the way, I wouldn't disable logging martians. You want to know if some device on your network has a wrong IP address (or is trying to spoof an address, perhaps as part of a DoS attack on some remote host). You also want to know if a packet is trying to spoof it's way in from outside your firewall.

SSH is only as secure as the daemon that's running it. What version of OpenSSH are you running, and do you know if you've updated it since you installed the system? If you haven't installed at least one update for OpenSSH, chances are it's vulnerable.
 
Old 02-09-2004, 01:02 AM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Your firewall isn't protecting your loopback adaptor (which is what you ran nmap against). Try running the scan from outside your box (maybe from another box on your network?).

Edit: Oh, I should clarify that... your loopback adaptor is only available to the machine itself, not to the outside world. If you're firewalling your network card, then no one else can connect to your loopback adaptor. You need to run nmap against your NIC's IP, not against localhost (localhost will resolve to the loopback).

Last edited by chort; 02-09-2004 at 01:03 AM.
 
Old 02-09-2004, 02:16 AM   #8
Tyir
Member
 
Registered: Sep 2003
Distribution: Slackware 9.1 with fluxbox
Posts: 259

Original Poster
Rep: Reputation: 30
so i shoudl nmap my isp's ip then?

Loggin martians? what?


I can't find where by firewall put's its logs by the way....

02:14:26-~:ssh -V
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003

Also:
scp doesn't seem to work (?)
but sftp does, so if i use sftp to copy files, i guess i need that port open, eh?
 
Old 02-09-2004, 04:21 AM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
In /etc/ssh/sshd_config, change the line that says either
Protocol 2,1
or
#Protocol 2,1

to:
Protocol 2
(don't forget to start and stop sshd after you save this change)

The reason is that SSHv1 has a number of flaws, which although mostly mitigated by workarounds in OpenSSH, is still not entirely safe.

You must be using scp incorrectly, because it will work as long as normal ssh does. Recheck your syntax to make sure you're doing it right. Also, make sure you're scp'ing in the correct direction. You can't open an scp connection to a host that is not running an ssh daemon.

As for the martians, I'm referring to this section:
Code:
# Do not log packets with impossible addresses.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 0 > $f
done
Personally, I would take it out. Leaving it in will let you know when something weird is going on and you're getting traffic from IPs that in theory, you should not be able to get traffic from. This would indicate either spoofing, or a local devices that is misconfigured. In either case, I think you would want to know about that.

Edit: Oh, and to get the correct IP address to scan, do
ifconfig eth0
look for the address. That is the one you want to nmap. It may or may not work if you do it from the same machine, though (depending on how iptables and your NIC driver handle that sort of thing). The best solution would be to use another computer to nmap it.

Last edited by chort; 02-09-2004 at 04:24 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
BSD Firewall vs Linux Firewall ? rootlinux Linux - Security 5 08-29-2007 08:38 AM
Firewall lets ips which are not in the firewall ... why ? sys7em Linux - Networking 2 06-30-2005 01:50 PM
Firewall with features of a Sidewinder firewall? abcampa Linux - Security 4 04-22-2005 05:24 PM
slackware's /etc/rc.d/rc.firewall equivalent ||| firewall script startup win32sux Debian 1 03-06-2004 10:15 PM
Firewall Builder sample firewall policy file ? (.xml) nuwanguy Linux - Networking 0 09-13-2003 01:32 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:39 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration