LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 03-29-2008, 11:13 PM   #1
The_Nerd
Member
 
Registered: Aug 2002
Distribution: Debian
Posts: 540

Rep: Reputation: 32
Security setting too strict


Hello! I am not a newbie in linux, but I am a newbie to linux firewall and iptables. I've been trying to mess with my firewall to make it so any/all users I desire are restricted from the internet. I haven't accomplished this, and worse, I've somehow managed to make my system so strict that programs (such as DosBox) can not even open a listening port unless they are running as root. My cups printer server can not even listen to localhost... meaning I can't print. Is there an easy way to flush my firewall completely for now? After all, I am behind a gateway, so having an open firewall isn't a huge concern right now.

I am running Debian 4.
By the way, when I type the command: lsmod | grep 'iptables' it shows nothing, is this good?
 
Old 03-29-2008, 11:38 PM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 677Reputation: 677Reputation: 677Reputation: 677Reputation: 677Reputation: 677
Iptables is a command and not a kernel module. The actual firewall in the kernel is called netfilter and is built in without a module of its own. However there may be netfilter kernel modules that are loaded. For example, try "lsmod | grep conntrack".
The prefix that the module uses depends on your kernel version. On my kernel they start with "nf".

I find it convenient to look at an individual iptable's chain instead of an entire listing. For example:
sudo /usr/sbin/iptables -L INPUT

With only 6 to 10 entries it is easy to count where you want a rule inserted in that table. Sometimes a rule doesn't work because a previous rule has already handled the situation.

You can insert a new rule at a certain place in the chain.
Code:
       -I, --insert chain [rulenum] rule-specification
              Insert one or more rules in the selected chain as the given rule number.  So, if the rule number is 1, the rule or rules
              are inserted at the head of the chain.  This is also the default if no rule number is specified.

       -R, --replace chain rulenum rule-specification
              Replace a rule in the selected chain.  If the source and/or destination names resolve to multiple addresses, the command
              will fail.  Rules are numbered starting at 1.

       -L, --list [chain]
              List all rules in the selected chain.  If no chain is selected, all chains are listed.  As every other iptables command,
              it applies to the specified table (filter is the default), so NAT rules get listed by
               iptables -t nat -n -L
              Please  note that it is often used with the -n option, in order to avoid long reverse DNS lookups.  It is legal to spec‐
              ify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed.  The exact output  is
              affected by the other arguments given. The exact rules are suppressed until you use
               iptables -L -v
Note the rulenum argument. This will help you add or change rules in a particular chain and try them out before committing the changes.
 
Old 03-30-2008, 12:11 AM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Quote:
Originally Posted by The_Nerd View Post
Is there an easy way to flush my firewall completely for now?
This script will reset everything for you:
Code:
#!/bin/sh

IPT="/sbin/iptables"

$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t raw -P PREROUTING ACCEPT
$IPT -t raw -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -F -t raw

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -X -t raw

$IPT -Z
$IPT -Z -t nat
$IPT -Z -t mangle
$IPT -Z -t raw
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Strict Routing elfoozo Linux - Networking 1 12-12-2007 08:06 PM
Setting Security Policies in MDK? unixfreak Linux - Security 1 09-01-2004 08:32 PM
Security setting, RedHat 9 juusober Linux - Security 1 03-10-2004 10:57 AM
Strict DHCP puzz_1 Linux - Networking 8 06-05-2003 12:20 PM
Setting security trap... ugenn Linux - General 6 11-13-2002 11:56 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:50 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration