Linux - Security (LinuxQuestions.org): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
For some reason my rc.firewall isn't implementing automatically at boot up anymore.
I'm running Debian (sarge) and I can watch the services and the eth0 int come up at a restart, at that point it should have executed my firewall, but I can still ping the box from my lan, and my friend on an outside connection can ping and map the services.
If I manually go in and bash the rc.firewall neither of us can ping it, and he can only map the services I've allowed through the firewall.
Any ideas as to why it's not executing at bootup anymore and how I fix it?
Originally posted by Jukas For some reason my rc.firewall isn't implementing automatically at boot up anymore.
I'm running Debian (sarge) and I can watch the services and the eth0 int come up at a restart, at that point it should have executed my firewall, but I can still ping the box from my lan, and my friend on an outside connection can ping and map the services.
If I manually go in and bash the rc.firewall neither of us can ping it, and he can only map the services I've allowed through the firewall.
Any ideas as to why it's not executing at bootup anymore and how I fix it?
Assuming you have the script in the /etc/init.d/ directory then update-rc.d rc.firewall defaults and it should create the startup and shutdown links for you.
Originally posted by HappyTux Assuming you have the script in the /etc/init.d/ directory then update-rc.d rc.firewall defaults and it should create the startup and shutdown links for you.
Stephen,
I did that, and it re-added the symlink which wasn't there, however it doesn't seem to be processing the firewall still. On a fresh reboot I can ping the box from an outside source (which I shouldn't be able to) however if I ssh in or from the terminal bash the rc.firewall it processes correctly and I can't ping the box anymore.
Re: Re: Re: rc.firewall not implementing at boot up
Originally posted by Jukas Stephen,
I did that, and it re-added the symlink which wasn't there, however it doesn't seem to be processing the firewall still. On a fresh reboot I can ping the box from an outside source (which I shouldn't be able to) however if I ssh in or from the terminal bash the rc.firewall it processes correctly and I can't ping the box anymore.
And have you checked to make sure the rc.firewall is executable? What does the file look like anyway? Can you post it?
The firewall itself is just a quick and dirty one designed to open only a couple of ports, block incoming ICMP requests and allow the box to use ping, trace, nmap etc.
Code:
# Change the part after the = to where iptables is on your system
IPTABLES=/sbin/iptables
# Flush existing rules
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 216.229.107.32 --dport 3306 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 20 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp -j REJECT
$IPTABLES -A INPUT -p icmp -j DROP
I'm open to any opinions about what it's lacking btw
Well, if that is the entire file, it needs the #!/bin/bash at the top of the file to tell bash it should be executing the commands.
The basics are covered in this article, but the link to the page doesn't always work for some reason. I will summarise the steps in the article:
1. Place the rc.firewall script in /etc
2. Make sure it's executable (chmod 700 /etc/rc.firewall)
3. Symlink to the runlevels to make the script initiate during the boot process by doing:
ln -s /etc/rc.firewall /etc/rc2.d/S89rc.firewall
ln -s /etc/rc.firewall /etc/rc3.d/S89rc.firewall
ln -s /etc/rc.firewall /etc/rc4.d/S89rc.firewall
ln -s /etc/rc.firewall /etc/rc5.d/S89rc.firewall
(Tip here: after entering the first line, press tab and move back to rcX with the back arrow key, change it to the next number, then move forward to the end of the line and press return, which saves typing the command in each time.)
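As an added check, not part of the thread, the following POSIX sh functions test a script for the three things the replies above turn on: an interpreter line, the execute bit, and an S-link in each of rc2.d to rc5.d. The script path and the directory holding the rcN.d directories are parameters, so it can be pointed at /etc or at a constructed test tree; links are resolved with readlink -f, so update-rc.d's relative ../init.d/ links count as well as the absolute ones above.

```shell
#!/bin/sh
# Added example, not from the thread: report which of the three boot-time
# prerequisites an rc.firewall script is missing. Arguments are the script
# path and the directory holding rcN.d (normally /etc) so it can also be
# run against a constructed test tree.

# check_shebang FILE: 0 if the first line names an interpreter (#!/bin/sh ...)
check_shebang() {
    head -n 1 "$1" | grep -q '^#!'
}

# check_exec FILE: 0 if the execute bit is set
check_exec() {
    [ -x "$1" ]
}

# check_links FILE ETCDIR: 0 if runlevels 2-5 each hold an S-link resolving to FILE
# (works for the absolute links above and for update-rc.d's ../init.d/ links)
check_links() {
    script=$(readlink -f "$1") etc=$2 missing=0
    for lvl in 2 3 4 5; do
        found=0
        for link in "$etc/rc$lvl.d"/S*; do
            [ -L "$link" ] || continue
            [ "$(readlink -f "$link")" = "$script" ] && found=1
        done
        [ "$found" -eq 1 ] || { echo "rc$lvl.d: no S-link to $script"; missing=1; }
    done
    [ "$missing" -eq 0 ]
}

# firewall_boot_check FILE ETCDIR: prints each finding, returns the number of failed checks
firewall_boot_check() {
    failures=0
    check_shebang "$1" || { echo "no #! line: init cannot tell how to run $1"; failures=$((failures + 1)); }
    check_exec "$1"    || { echo "not executable: chmod 700 $1"; failures=$((failures + 1)); }
    check_links "$1" "$2" || failures=$((failures + 1))
    return "$failures"
}

# Usage: sh fwcheck.sh /etc/rc.firewall /etc
if [ $# -eq 2 ]; then
    firewall_boot_check "$1" "$2"
fi
```

A return value of 0 means all three prerequisites are in place; each failed check is printed with the fix the thread gives for it.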
Thanks for the tips, the firewall is now executing at boot correctly.
Given that this was just a quick and dirty firewall I put together, is there anything you normally put in yours that I'm missing that you would recommend?
Personally I use MonMotha's firewall script, which basically has everything I need, but I use it on a server that has other boxes behind it. You'll find good basics on firewall scripting here.
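To put the "what is it lacking" question into code: an added example, neither the poster's script nor MonMotha's, of a stateful, default-deny rc.firewall for the same services (FTP, SSH, HTTP, MySQL from the one address in the thread). It assumes eth0 is the outside interface; the runlevel S-link calls it with start, and any other invocation only prints the rules it would load so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the poster's script: a stateful, default-deny rc.firewall
# for the same services. The runlevel S-link calls it as "rc.firewall start";
# with any other argument it only prints the rules it would load, so the rule
# set can be reviewed without root.
IPTABLES=${IPTABLES:-/sbin/iptables}
WAN=eth0                       # assumed: the interface facing the outside
MYSQL_CLIENT=216.229.107.32    # the one host the thread allows to reach MySQL
case "${1:-}" in
    start) ;;
    *) IPTABLES=echo ;;        # dry run: show the rules instead of loading them
esac

apply_firewall() {
    # Clean slate, then default DROP for INPUT and FORWARD so anything not listed
    # below is discarded (the original script left UDP and much else open).
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT     # the box may ping, traceroute and nmap out freely
    # Loopback stays open or local clients (e.g. MySQL via 127.0.0.1) break.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Replies to connections this box opened; RELATED also covers ICMP errors and
    # FTP data connections once the ip_conntrack_ftp helper is loaded.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID -j DROP
    # A "new" TCP connection without SYN is bogus (stray segment or scan probe).
    $IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    # Services offered to the world: FTP control, SSH, HTTP.
    for port in 21 22 80; do
        $IPTABLES -A INPUT -i "$WAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # MySQL only from the single trusted host.
    $IPTABLES -A INPUT -i "$WAN" -p tcp -s "$MYSQL_CLIENT" --dport 3306 -m state --state NEW -j ACCEPT
    # Other TCP gets a reset so legitimate clients fail fast; inbound echo requests
    # are dropped as in the original. Everything else falls to the DROP policy.
    $IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
}

apply_firewall
```

Port 20 no longer needs its own rule: active-mode FTP data connections are matched as RELATED once the ftp conntrack helper is loaded, which is what the state match is for.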