Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi everyone. I've been visiting this forum for a few weeks already and let me tell you that the information, resources and member support are incredible. Thanks to all of you on behalf of all the newbies like me. Now to the question: I'm running Mandrakelinux 10 on my system. Basically I use my system for e-mail, Internet browsing, etc., nothing fancy, just regular usage. I have to confess that I'm a security freak even though I know that using Linux represents a major step in improving security compared with Windows.
I was reading about iptables and I was wondering if this is something that I need based on how I use my system. If you guys agree that it isn't a bad idea to have one, I would like to ask you gurus in here if you can provide me with a basic script that I can use as a mock-up. I've spent countless hours reading about creating scripts but I'm still lost when it comes to the command line. Also, does anyone know of a good book for beginners? What I mean by beginner is not a book that assumes I know the basics (because I don't) and then takes it from there, like a lot of the information I found on the Internet. Any help in achieving my goals will be very appreciated. Thanks
First identify what you want to do. What services do you want visible from the Internet, and what services for your LAN? Second, are you using a proxy or do you need masquerading?
Once you get a clear picture of what you need, writing the script is not too tough. Nobody can write a script that fits your needs perfectly, since everyone's setups are different, but there are many here who can and will help YOU write your script.
Thank you Pcghost for the response. I'm going to try to answer your questions the best I can:
Quote:
First identify what you want to do.
All I do when I'm connected to the internet is search topics, visit my favorite websites, read the posts in forums like this one and some others so I can learn about Linux and some other matters, retrieve my e-mails and sometimes send e-mails as well. I don't play any online games in which you interact with other users. I sometimes play music and videos when I'm browsing this forum, so I don't want that to be affected. This is what my internet usage represents, pretty boring.
Quote:
What services do you want visible from the Internet?
I don't know if this is what you mean by services visible from the internet, but like I said before, I just want to be able to retrieve my e-mails, send e-mails, update Mandrake when it needs to be done (I don't want to interfere with how Mandrakesoft communicates with my system to keep it updated) and just browse the internet.
Quote:
what services for your LAN.
I only own one computer at this moment. I also don't want to interfere with my ISP in a way that could jeopardize my service.
Quote:
Are you using a proxy or do you need masquerading.
Sorry for my ignorance but I don't know the answer to this question. I'm just going to type some information hoping that this will provide you with a picture of my system. I think that my ISP (Road Runner) doesn't use a proxy server. I'm connected to a cable modem via my 2Wire router/gateway and then to my computer. I think I'm using DHCP now for my Linux network configuration, but I want to do a fixed IP eventually because apparently it is more secure. I don't know anything about masquerading.
looks like this person is not running any servers, and is behind a hardware router.
also, only has a small home network. (so we can trust the local machines ?)
the router IS a firewall is it not ?
unless port forwarding has been configured, his linux machine is already protected from incoming connection attempts ?
anyways, just to be over paranoid....
this should start you off.. you will need to add more if you use linux with windows on the network and want file sharing to work.
Code:
# reset firewall
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# allow loopback traffic (-i matches the interface; -d would expect an address and fails for "lo")
iptables -A INPUT -i lo -j ACCEPT
# uncomment if you want this machine to respond to pings
# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# allow established or related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# uncomment to trust all PCs on your LAN
#iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT
# uncomment if this machine is a print server and you have NOT trusted all machines on your LAN
#iptables -A INPUT -p tcp --dport 631 -s 192.168.0.0/16 -j ACCEPT
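For readers who want to see the same idea as a complete, reviewable script: the block below is an added example, not the script from the post above and not anything from the Mandrake or Shorewall projects. It builds the same default-deny ruleset for a single desktop behind a NAT router, but in the format that iptables-restore reads, so the whole filter table is replaced in one atomic step and running it twice never stacks duplicate rules. The ALLOW_PING, TRUST_LAN and LAN_NET option names are assumptions made for this example; 192.168.0.0/16 is the LAN range used in the thread. Two caveats a practitioner cares about are built in: the loopback rule matches on the interface with -i lo (a DROP policy that does not accept loopback traffic breaks X, KDE and other local services), and drops are logged at a limited rate so a blocked service can be found in syslog instead of guessed at.

```shell
#!/bin/sh
# Added example, not the script from the post above: a default-deny
# ruleset for a single desktop behind a NAT router, written in the
# format iptables-restore reads so the whole table is replaced in one
# atomic step. The option names below are assumptions for this example.
#   ALLOW_PING=1  answer ICMP echo requests (off by default)
#   TRUST_LAN=1   accept everything from LAN_NET (off by default)
#   LAN_NET       the LAN range; 192.168.0.0/16 as in the thread
# Without arguments the ruleset is only printed for review; "apply"
# loads it (requires root).

LAN_NET="${LAN_NET:-192.168.0.0/16}"
ALLOW_PING="${ALLOW_PING:-0}"
TRUST_LAN="${TRUST_LAN:-0}"

# Emit the ruleset on stdout in iptables-restore syntax.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: match on the interface (-i lo); X, KDE and local daemons need this
-A INPUT -i lo -j ACCEPT
# replies to connections this machine opened (browsing, mail, updates)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# a "new" TCP connection that does not start with SYN is bogus
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
EOF
    if [ "$ALLOW_PING" = 1 ]; then
        echo "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    fi
    if [ "$TRUST_LAN" = 1 ]; then
        echo "-A INPUT -s $LAN_NET -j ACCEPT"
    fi
    cat <<EOF
# log what the policy drops (rate limited) so a blocked service shows up in syslog
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Number of INPUT rules in the generated set; a quick sanity check
# before loading (4 with both options off, 6 with both on).
rule_count() {
    build_rules | grep -c '^-A INPUT'
}

case "${1:-print}" in
    apply) build_rules | iptables-restore ;;
    *)     build_rules ;;
esac
```

Print it first and read what comes out, then load it as root with the apply argument. `iptables -L -n -v` afterwards shows the loaded rules with packet counters, which tells you which rule a connection actually hit, and anything the DROP policy eats appears in syslog with the iptables-drop: prefix. If a local program stops working after loading, the log lines are the first place to look.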
Thank you qwijibo your script seems to have worked for me too.
I couldn't get my Shorewall working as advised elsewhere on this forum and have read so much stuff but still not able to get it working.
It just wasn't allowing any connection with the boxes all unticked and would only allow connections when I set it to enable everything.
Then I read your post a few minutes ago and thought I'd give it a try.
It works fantastically and I know it's working because I went to www.grc.com and tested it out.
I have placed your script inside a file called /etc/shorewall/start.
I hope I put it in the right place.
Thanks very much again. I've spent a couple of days on this.
I really think this is one of the problems with Linux out of the box. The defaults should have set the firewall to maximum security for newbies. Then they would be able to get online to find the help they need to do other stuff.
More qualified people would know how to reconfigure if they wanted more features.
Anyway I'm very happy and can now get back to my plastering.
The firewall settings did work, but when I rebooted the system it was very slow to do so, and then when it got into starting KDE it froze up and wouldn't go any further.
I've commented out the stuff I put into Shorewall's start file and the system is back to normal.
But the firewall still doesn't allow any connections unless I set it to allow everything.