Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
 |
06-15-2004, 03:15 PM
|
#1
|
LQ Newbie
Registered: Jun 2004
Posts: 5
Rep:
|
Opening ports
Hi, I'm using this firewall script and I'm wondering how do I open ports with this one?
Code:
#!/bin/sh
#
# rc.firewall-2.4
FWVER=0.75
#
# Initial SIMPLE IP Masquerade test for 2.4.x kernels
# using IPTABLES.
#
# Once IP Masquerading has been tested, with this simple
# ruleset, it is highly recommended to use a stronger
# IPTABLES ruleset either given later in this HOWTO or
# from another reputable resource.
#
#
#
# Log:
# 0.75 - Added more kernel modules to the comments section
# 0.74 - the ruleset now uses modprobe vs. insmod
# 0.73 - REJECT is not a legal policy yet; back to DROP
# 0.72 - Changed the default block behavior to REJECT not DROP
# 0.71 - Added clarification that PPPoE users need to use
# "ppp0" instead of "eth0" for their external interface
# 0.70 - Added commented option for IRC nat module
# - Added additional use of environment variables
# - Added additional formatting
# 0.63 - Added support for the IRC IPTABLES module
# 0.62 - Fixed a typo on the MASQ enable line that used eth0
# instead of $EXTIF
# 0.61 - Changed the firewall to use variables for the internal
# and external interfaces.
# 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
# all forwarded packets but it didn't have a rule to ACCEPT
# any packets to be forwarded either
# - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
# 0.50 - Initial draft
#
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
# The location of the iptables and kernel module programs
#
# If your Linux distribution came with a copy of iptables,
# most likely all the programs will be located in /sbin. If
# you manually compiled iptables, the default location will
# be in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/sbin/iptables
#IPTABLES=/usr/local/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private address
# scheme.
#
# For this example, "eth0" is external and "eth1" is internal"
#
#
# NOTE: If this doesnt EXACTLY fit your configuration, you must
# change the EXTIF or INTIF variables above. For example:
#
# If you are a PPPoE or analog modem user:
#
# EXTIF="ppp0"
#
#
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==
echo -en " loading modules: "
# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
# options as MODULES. If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational reasons.
# There is no reason to manual load these modules unless your
# kernel is either mis-configured or you intentionally disabled
# the kernel module autoloader.
#
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current IP MASQ
# modules are shown below but are commented out from loading.
# ===============================================================
echo "----------------------------------------------------------------------"
#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
$MODPROBE ip_tables
#Load the IPTABLES filtering module - "iptable_filter"
# - Loaded automatically when filter policies are activated
#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
$MODPROBE ip_conntrack
#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_ftp, "
$MODPROBE ip_conntrack_ftp
#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_conntrack_irc, "
$MODPROBE ip_conntrack_irc
#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
$MODPROBE iptable_nat
#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "ip_nat_ftp, "
$MODPROBE ip_nat_ftp
#Loads the IRC NAT functionality into the core IPTABLES code
# Required to support NAT of IRC DCC requests
#
# Disabled by default -- remove the "#" on the next line to activate
#
#echo -e "ip_nat_irc"
#$MODPROBE ip_nat_irc
echo "----------------------------------------------------------------------"
# Just to be complete, here is a partial list of some of the other
# IPTABLES kernel modules and their function. Please note that most
# of these modules (the ipt ones) are automatically loaded by the
# master kernel module for proper operation and don't need to be
# manually loaded.
# --------------------------------------------------------------------
#
# ip_nat_snmp_basic - this module allows for proper NATing of some
# SNMP traffic
#
# iptable_mangle - this target allows for packets to be
# manipulated for things like the TCPMSS
# option, etc.
#
# --
#
# ipt_mark - this target marks a given packet for future action.
# This automatically loads the ipt_MARK module
#
# ipt_tcpmss - this target allows to manipulate the TCP MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module
#
# ipt_limit - this target allows for packets to be limited to
# to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets within a range
# of port numbers vs. listing each port individually
#
# ipt_state - this match allows to catch packets with various
# IP and TCP flags set/unset
#
# ipt_unclean - this match allows to catch packets that have invalid
# IP/TCP flags set
#
# iptable_filter - this module allows for packets to be DROPped,
# REJECTed, or LOGged. This module automatically
# loads the following modules:
#
# ipt_LOG - this target allows for packets to be
# logged
#
# ipt_REJECT - this target DROPs the packet and returns
# a configurable ICMP packet back to the
# sender.
#
echo -e " Done loading modules.\n"
#CRITICAL: Enable IP forwarding since it is disabled by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=false
# to
# FORWARD_IPV4=true
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP,
# enable this following option. This enables dynamic-address hacking
# which makes the life with Diald and similar programs much easier.
#
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable simple IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal LAN address in the
# 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet mask
# connecting to the Internet on external interface "eth0". This
# example will MASQ internal traffic out to the Internet but not
# allow non-initiated traffic into your internal network.
#
#
# ** Please change the above network numbers, subnet mask, and your
# *** Internet connection interface name to match your setup
#
#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
# The default for FORWARD is DROP (REJECT is not a valid policy)
#
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo -e "\nDone.\n"
|
|
|
06-15-2004, 04:13 PM
|
#2
|
Senior Member
Registered: Nov 2002
Location: British Columbia, Canada
Distribution: Gentoo x86_64; FreeBSD; OS X
Posts: 3,764
Rep:
|
Well, to open ports to the internet ie eth0 you would use:
Code:
$IPTABLES -A INPUT -i $EXTIF -p tcp -dport 80 ACCEPT
This particular line would open port 80, httpd. However the point is moot as the INPUT chains default policy is to accept:
Code:
$IPTABLES -P INPUT ACCEPT
so everything will be allowed = not secure. I would change it to DROP and only allow connections to ports you specify.
Are you really using IP Masq? If you are not then this script is not suitable for you.
|
|
|
06-15-2004, 04:48 PM
|
#3
|
LQ Newbie
Registered: Jun 2004
Posts: 5
Original Poster
Rep:
|
to be honest I have no idea, I've just found this script on the net and I got it working for my config.
You got any ideas of where to find a good firewall script with good/easy port managment?
|
|
|
06-15-2004, 05:31 PM
|
#4
|
LQ Newbie
Registered: Jun 2004
Posts: 5
Original Poster
Rep:
|
Ok so now I'm using this script, problem is it doesn't seem to open the ports I want, whats wrong with this script?
Code:
#!/bin/sh
#
# generated by ./quicktables-2.3 on 2004.06.16.24
#
# set a few variables
echo ""
echo " setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/sbin/iptables"
ext_addr=`ifconfig eth0 |grep inet |cut -f2 -d: |cut -f1 -d" "`
# adjust /proc
echo " applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi
# load some modules
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_irc.o ]; then modprobe ip_nat_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_irc.o ]; then modprobe ip_conntrack_irc; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then modprobe ip_nat_ftp; fi
# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT
# setup nat
echo " applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# blocking reserved private networks incoming from the internet
echo " applying incoming internet blocking of reserved private networks"
echo ""
$iptables -I INPUT -i eth0 -s 10.0.0.0/8 -j DROP
$iptables -I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
$iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP
$iptables -I FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
$iptables -I FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
$iptables -I FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
$iptables -I FORWARD -i eth0 -s 127.0.0.0/8 -j DROP
# icmp
echo " applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT
# apply icmp type match blocking
echo " applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP
# open ports to the firewall
echo " applying the open port(s) to the firewall rules"
echo ""
$iptables -A INPUT -p tcp --dport 666 -j ACCEPT
$iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$iptables -A INPUT -p tcp --dport 1852 -j ACCEPT
$iptables -A INPUT -p tcp --dport 6969 -j ACCEPT
$iptables -A INPUT -p udp --dport 666 -j ACCEPT
$iptables -A INPUT -p udp --dport 80 -j ACCEPT
$iptables -A INPUT -p udp --dport 6969 -j ACCEPT
$iptables -A INPUT -p udp --dport 1852 -j ACCEPT
# open and forward ports to the internal machine(s)
echo " applying port forwarding rules"
echo ""
$iptables -A FORWARD -i eth0 -p tcp --dport 6969 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d $ext_addr --dport 6969 -j DNAT --to-destination 192.168.0.2:6969
$iptables -A FORWARD -i eth0 -p tcp --dport 1852 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d $ext_addr --dport 1852 -j DNAT --to-destination 192.168.0.2:1852
#Open bittorrent port range
PORT=6881
while [ $PORT -le 6999 ]
do
$iptables -A INPUT -p tcp --dport $PORT -j ACCEPT
$iptables -A FORWARD -i eth0 -p tcp --dport $PORT -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d $ext_addr --dport $PORT -j DNAT --to-destination 192.168.0.2:$PORT
PORT=$((PORT+1))
done
# drop all other packets
echo " applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP
echo "### quicktables is loaded ###"
echo ""
|
|
|
06-16-2004, 03:11 AM
|
#5
|
Senior Member
Registered: Nov 2002
Location: British Columbia, Canada
Distribution: Gentoo x86_64; FreeBSD; OS X
Posts: 3,764
Rep:
|
My friend, you have found another script set up for NAT/IP Masq. No good for you I think.
Perhaps the best thing to do is have you explain your setup a bit, ie do you have a network, or just one box facing the internet that you want secured? Then I can write out a skeleton of a script for you to use and modify as you see fit....
These scripts you keep finding are dreadfully more complex than they need to be. Iptables is actually quite easy to grasp once all the extra cruft is taken away. If you only have one box facing the internet and want a few ports open you can do it in a script of less than ten lines.
Give us some info and we'll see what we can do alright?
|
|
|
06-16-2004, 03:39 AM
|
#6
|
LQ Newbie
Registered: Jun 2004
Posts: 5
Original Poster
Rep:
|
Yes perhaps I've should have done that sooner, anyway my setup is like this;
modem->linux gateway->router (working as a switch)->wireless network
this might seem a bit odd but it's because my router sucks =/
anyway what I need the gateway to do is forward all wanted packs from eth0 to eth1 and be able to open/close ports
|
|
|
06-16-2004, 04:18 AM
|
#7
|
Senior Member
Registered: Nov 2002
Location: British Columbia, Canada
Distribution: Gentoo x86_64; FreeBSD; OS X
Posts: 3,764
Rep:
|
Ok, I think the script I use on my firewall should work for the most part:
Code:
#!/bin/sh
EXTIF="eth0"
INTIF="eth1"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# set chain policy, and flush
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
# allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
# Permit established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# open ports on eth0
iptables -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i $EXTIF -p tcp --dport 25 -j ACCEPT
# open ports on eth1
iptables -A INPUT -i $INTIF -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -i $INTIF -p tcp --dport 22 -j ACCEPT
# Masquerade
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# Everything else -> /dev/null
iptables -A INPUT -i $EXTIF -p tcp -j DROP
# Remove this line if you trust your internal LAN
iptables -A INPUT -i $INTIF -p tcp -j DROP
If you use kernel modules for the iptables/masq functionality, you might want to load them at the top.
|
|
|
06-16-2004, 09:09 AM
|
#8
|
LQ Newbie
Registered: Jun 2004
Posts: 5
Original Poster
Rep:
|
Ok I got it working now with my webserver, the only problem now is that I need to forward some ports from the external if to my internal network. and not only to one ip but to multiple ones, this is because I want to be able to use DC in active mode and also Bittorrent, can you forward ports to multiple ip's?
Last edited by lunke; 06-16-2004 at 12:54 PM.
|
|
|
06-16-2004, 03:32 PM
|
#9
|
Senior Member
Registered: Nov 2002
Location: British Columbia, Canada
Distribution: Gentoo x86_64; FreeBSD; OS X
Posts: 3,764
Rep:
|
This rule will forward all web requests to an internal box with ip 5.6.7.8 to port 8080:
Code:
# iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 \
-j DNAT --to 5.6.7.8:8080
You should be able to adjust it to your purposes. Also here is some background which should help you:
http://www.netfilter.org/documentati...T-HOWTO-6.html
|
|
|
06-01-2005, 11:07 AM
|
#10
|
LQ Newbie
Registered: Mar 2005
Location: Slovenia
Distribution: Fedora Core
Posts: 7
Rep:
|
By the way, what do I have to do to open ports for DCC?
|
|
|
06-07-2005, 04:04 AM
|
#11
|
Newbie
Registered: May 2005
Posts: 9
Rep:
|
Thank you kindly. This information is very useful for me. Great site! Thanks again!
_________________________________________________________________
http://www.neolink.ro
|
|
|
All times are GMT -5. The time now is 07:05 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|