Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Originally posted by Neomaster: Nice iptables firewall. But is there a way you can block port scans that try to find out what OS you're running, too?
Well, that is called OS fingerprinting and it is also blocked. Often source IP 0.0.0.0 and port 0 are used for that. Try to find out the OS using my firewall ... you will have problems :-)
IN= incoming interface
OUT= outgoing interface
MAC= MAC address (last router)
SRC= source IP
DST= destination IP
LEN= length of packet
TTL= time to live
ID= sequence ID
proto= protocol
spt= source port
dpt= destination port
window= window size
flags used: ACK SYN
If you need more help, maybe googling will help you :-)
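To make that field list concrete, here is a small parser for netfilter LOG lines of that shape, run over a few constructed sample lines, that groups SYN-only probes per source and separately flags packets with the all-zero source address/port mentioned above. This is an added example, not code from the firewall script or from the posts; the log prefix, the five-port threshold and the sample addresses are assumptions.

```python
from collections import defaultdict

# Bare TCP flag tokens as they appear in netfilter LOG output
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

def parse_log_line(line):
    """Parse one LOG line into a dict keyed by the kernel field names
    (IN, OUT, MAC, SRC, DST, LEN, TTL, ID, PROTO, SPT, DPT, WINDOW, ...)
    plus a FLAGS set. Text before the first 'IN=' is ignored."""
    start = line.find("IN=")
    if start < 0:
        return None                      # not a netfilter LOG line
    fields = {"FLAGS": set()}
    for token in line[start:].split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value          # value is "" for e.g. "OUT="
        elif token in TCP_FLAGS:
            fields["FLAGS"].add(token)
    return fields

def summarize(lines, min_ports=5):
    """Report sources whose SYN-only probes hit >= min_ports distinct ports,
    plus sources of packets carrying the all-zero address/port the post mentions."""
    ports_by_src = defaultdict(set)
    zero_source = []
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        if f.get("SRC") == "0.0.0.0" or f.get("SPT") == "0":
            zero_source.append(f["SRC"])
        if f.get("PROTO") == "TCP" and f["FLAGS"] == {"SYN"} and "DPT" in f:
            ports_by_src[f["SRC"]].add(int(f["DPT"]))
    scanners = {s: sorted(p) for s, p in ports_by_src.items() if len(p) >= min_ports}
    return scanners, zero_source

# Constructed sample lines (documentation address ranges, not real hosts)
MAC = "00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
HDR = "Mar  5 10:21:13 gw kernel: DROP: IN=eth0 OUT= MAC=" + MAC + " "
SAMPLE_LOG = [HDR + "SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TTL=48 ID=%d PROTO=TCP "
              "SPT=41234 DPT=%d WINDOW=1024 RES=0x00 SYN URGP=0" % (i, p)
              for i, p in enumerate((21, 22, 25, 53, 80, 443))]
SAMPLE_LOG += [HDR + "SRC=198.51.100.3 DST=192.0.2.10 LEN=52 TTL=64 ID=7 PROTO=TCP "
               "SPT=50000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
               HDR + "SRC=198.51.100.3 DST=192.0.2.10 LEN=52 TTL=64 ID=8 PROTO=TCP "
               "SPT=50000 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0",
               HDR + "SRC=0.0.0.0 DST=192.0.2.10 LEN=40 TTL=255 ID=0 PROTO=TCP "
               "SPT=0 DPT=22 WINDOW=0 RES=0x00 SYN URGP=0"]
```

On the sample, summarize(SAMPLE_LOG) returns ({'203.0.113.7': [21, 22, 25, 53, 80, 443]}, ['0.0.0.0']); the host that only completed a normal SYN/ACK exchange on port 80 is not reported.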
Yeah, I nmap'ed from the SAME host. I figured that's why it didn't get logged, but I had to check with the creator of this fine script.
Thanks again and again and again and again...
There is no detection if you scan from the loopback device. But I suggest not installing anything not really required on a server. Like, I would NEVER install gcc, nmap or any other tools if there is no need for them. I have my own host where gcc is, and I see no reason for gcc, etc. on a server. I know that RH installs gcc and a lot of other bullshit ... you have to clean it up.
So 192.168.0.1 (which is my router) cannot connect through port 53 or 80 to my server (which is 192.168.0.1). After these errors I get no network activity.
Well, it looks like you changed the OUTPUT chain. Anything which is not invalid won't get dropped ... ($IPTABLES -A OUTPUT -m state --state ! INVALID -j ACCEPT).
Thanks for the script. Seeing it makes me feel that I am beginning to understand IPTables better now (I am a very very very very newbie).
However, I was wondering whether there should be references to interfaces for allowing / disallowing connections. For example, if I run a dual-homed box (I guess that is what is known as a box with two eth interfaces, eth0 connected to the INTERNET and eth1 connected to the LAN), then I have a NAT table too. In cases like that, don't we need to make the restricting rules with interface options? Or does it take both (or all) interfaces by default?
Also, you have used only one IP (I guess that is OK for you), but what do we do for two IPs?
Well, I was planning for the router-firewall we are running. We have a small LAN (192.168.0.0/24) and it is connected to the net with the other interface of our server. The scenario is very simple:
IF_EXTERNAL=eth0
IF_INTERNAL=eth1
Services that run on eth0 (facing the world) will be:
a. Mail (smtp, smtps, imap, imaps, pop3, pop3s, pop2)
b. DNS (port 53 from/to unprivileged ports)
c. SSH
d. HTTP(S)
e. FTP(S)
f. Maybe, just maybe, a simple route to another box inside through some unprivileged port (that might come later too).
And of course, the entire LAN will have NAT and a proxy for browsing.
I am currently working on your script and another I've found on the net. I'll be very happy if you could please find some time to have a look at my semi-final script and let me know if I've done something wrong. I can mail you off the list if you wish; just give me your email address. My giveaway address is shamims@hotmail.com