Ok, I read a whole bunch of documentation on iptables (through Google), and I get the idea of how to set the rules. My question is, how do I set up iptables on my Slackware 10.1 distro?
Is there a config file that I can edit? Where is it stored? How do I run iptables on startup, as I don't see any start-up scripts pertaining to it in the /etc/rc.d directory?
I ran iptables-save to save the current config, but I have no idea where it is stored so I can edit the contents.
Unless and until someone more experienced comes along, I can give you some pointers to start, because I am setting up iptables on my Slack-10.1 box right now.
Easy Firewall Generator for IPTables will generate an rc.firewall script for you. Just select the options that apply to your system, press Generate Firewall! and then save the page as a text file named rc.firewall.
After that you must put it in /etc/rc.d/, then make it owned by root (chown root:root /etc/rc.d/rc.firewall) and then give it the proper permissions (chmod 755 /etc/rc.d/rc.firewall).
For this script to run in Slackware, you'll have to edit the path. Where it says
Code:
# IPTables Location - adjust if needed
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"
you'll need to change that to
Code:
# IPTables Location - adjust if needed
IPT="/usr/sbin/iptables"
IPTS="/usr/sbin/iptables-save"
IPTR="/usr/sbin/iptables-restore"
Then you can browse to Iptables Tutorial 1.1.19 and read that novel. That's what I'm doing, and it's a start.
I hope someone more knowledgeable will come add more to this so that we can learn...
i am new to slackware and iptables. i tried to use firestarter with xfce, but it never worked: i don't have the appropriate gnome libraries, and i didn't have the option to install gnome, as i am using a cd from a linux magazine in England which only has xfce. anyway, i saw this post and i am asking what that script does?
any help appreciated
Originally posted by geletine i am new to slackware and iptables. i tried to use firestarter with xfce, but it never worked: i don't have the appropriate gnome libraries, and i didn't have the option to install gnome, as i am using a cd from a linux magazine in England which only has xfce. anyway, i saw this post and i am asking what that script does?
any help appreciated
Iptables is a firewall. This firewall controls what goes in and out with instructions (rules). Some people may find writing these rules 'manually' a bit cumbersome because of all the knowledge that is required to make these rules. What this script does is automatically generate rules for you, using a 'choosing scheme' of what interface you have, what services and servers you are running, and creates a table of rules, custom to your choosing.
Originally posted by houler Iptables is a firewall.
actually, iptables is NOT a firewall... the linux firewall code is netfilter... iptables is simply the tool we use to configure the way netfilter behaves...
also, i'd like to point out that using these iptables script generators and stuff is convenient for the linux newcomer, and in fact, it can provide the linux newcomer with good material to study (by looking at the generated script), but anybody that is serious about linux system administration should really learn to write their own iptables scripts from scratch - it's actually quite easy once you get the hang of it...
Originally posted by geletine once i have inserted rc.firewall, is it all done? i am using dhcp to connect to the internet, which i heard needs to be set up differently.
is the script very basic, what do you advise to do afterwards?
are you already using dhcp successfully or are you asking how to setup dhcp also??
how many network interfaces do you have?? what are you trying to accomplish with your firewall??
PS: yes, on slackware you basically put all the firewall rules in /etc/rc.d/rc.firewall and they get executed every time you boot...
if you have a single-interface slackware PC and what you want is basically protection from all the nasties crawling around the internet then something simple like this /etc/rc.d/rc.firewall can be enough for a lot of people:
Code:
#!/bin/sh
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
but it's a good idea to add some extra security measures into the mix:
Code:
#!/bin/sh
IPT="/usr/sbin/iptables"
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
echo "So let it be written. So let it be done."
set that as your /etc/rc.d/rc.firewall on your single-interface slackware PC and you'll have a very powerful netfilter stealth firewall sitting between you and the bad guys...
just my two cents...
EDIT 1: removed modprobes for ip_nat_ftp and ip_nat_irc as we aren't doing any NAT...
EDIT 2: removed FORWARD rule as we aren't doing any forwarding, hehe...
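An added check, not part of win32sux's script or this thread: once rc.firewall has run, it compares the kernel parameters the script's echo lines write against what the kernel actually reports, so a typo in a path or a later reboot without the script shows up as a mismatch. The base-directory argument is an assumption of this example (it defaults to /proc/sys/net/ipv4) so the function can also be pointed at a copy of the tree for testing.

```shell
#!/bin/sh
# Kernel parameters the rc.firewall above sets, as "path=expected" pairs.
# Paths are relative to /proc/sys/net/ipv4 and mirror the script's echo lines.
WANTED="ip_forward=0
tcp_syncookies=1
tcp_timestamps=0
conf/all/rp_filter=1
icmp_echo_ignore_broadcasts=1
conf/all/accept_source_route=0
conf/all/secure_redirects=1
conf/all/log_martians=1"

# check_sysctls [BASE]: compare every entry against the files under BASE
# (default /proc/sys/net/ipv4; the argument is this example's assumption).
# Prints one line per problem and returns the number of problems found,
# so 0 means the kernel state matches what rc.firewall intended.
check_sysctls() {
    base="${1:-/proc/sys/net/ipv4}"
    bad=0
    for entry in $WANTED; do
        key="${entry%%=*}"
        want="${entry#*=}"
        file="$base/$key"
        if [ ! -r "$file" ]; then
            echo "MISSING $key"
            bad=$((bad + 1))
            continue
        fi
        have=$(cat "$file")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: have $have, want $want"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run against the live kernel only when asked: sh check_sysctls.sh --check
if [ "${1:-}" = "--check" ]; then
    check_sysctls
fi
```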
Originally posted by win32sux actually, iptables is NOT a firewall... the linux firewall code is netfilter... iptables is simply the tool we use to configure the way netfilter behaves...
also, i'd like to point out that using these iptables script generators and stuff is convenient for the linux newcomer, and in fact, it can provide the linux newcomer with good material to study (by looking at the generated script), but anybody that is serious about linux system administration should really learn to write their own iptables scripts from scratch - it's actually quite easy once you get the hang of it...
Thanks for the correction. Always learn something new everyday.
Originally posted by win32sux actually, iptables is NOT a firewall... the linux firewall code is netfilter... iptables is simply the tool we use to configure the way netfilter behaves...
also, i'd like to point out that using these iptables script generators and stuff is convenient for the linux newcomer, and in fact, it can provide the linux newcomer with good material to study (by looking at the generated script), but anybody that is serious about linux system administration should really learn to write their own iptables scripts from scratch - it's actually quite easy once you get the hang of it...
Ok, what if one knows how to write their own iptables scripts, but doesn't know what to filter against?
(eg. block icmp [smurf attacks, dos, and the like])
is there like a website or something to show what one should filter against? inc. examples and explanations (why)
Originally posted by win32sux if you have a single-interface slackware PC and what you want is basically protection from all the nasties crawling around the internet then something simple like this /etc/rc.d/rc.firewall can be enough for a lot of people:
Code:
#!/bin/sh
echo "0" > /proc/sys/net/ipv4/ip_forward
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc
but it's a good idea to add some extra security measures into the mix:
Code:
#!/bin/sh
IPT="/usr/sbin/iptables"
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc
echo "So let it be written. So let it be done."
set that as your /etc/rc.d/rc.firewall on your single-interface slackware PC and you'll have a very powerful netfilter stealth firewall sitting between you and the bad guys...
just my two cents...
Nice. What does all that do? You probably don't want to explain all that. link?
Originally posted by houler Ok, what if one knows how to write their own iptables scripts, but doesn't know what to filter against?
(eg. block icmp [smurf attacks, dos, and the like])
is there like a website or something to show what one should filter against? inc. examples and explanations (why)
usually one doesn't start writing a firewall script with rules that filter out certain things... one starts by setting a policy that filters EVERYTHING first... once everything is filtered, one begins to add rules allowing the things one wants/needs...
there's certain iptables rules which can be useful to check for weird packets, though... if you search this site you will find plenty of those... but they tend to be more useful to someone running servers... for example the ubiquitous "new not syn" rule... someone using a home pc which is completely stealthed won't have much use for a lot of those rules, and will meet most of their needs by setting a few kernel parameters (as is done in the first section of the script i provided)...
you can find plenty of example scripts (with comments) here:
Originally posted by houler Nice. What does all that do?
i've added some comments to the script, here you go:
Code:
#!/bin/sh
IPT="/usr/sbin/iptables"
# Let's make sure forwarding is DISABLED:
echo "0" > /proc/sys/net/ipv4/ip_forward
# Let's enable SYN cookies (to protect against SYN floods):
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Let's disable TCP timestamps to reduce the TCP stack workload:
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
# Let's enable reverse path filtering for anti-spoofing:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
# Let's ignore PINGs which have been BROADCAST:
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Let's disable source routed packets as they are ridiculous:
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Let's allow redirects from trusted gateways only:
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
# Let's log any UFOs which are spotted:
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# Let's flush-out all the chains in our tables:
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
# Let's delete every non-builtin chain in our tables:
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
# Let's set our INPUT policy to DROP:
$IPT -P INPUT DROP
# Let's set our OUTPUT policy to ACCEPT, because we can
# appreciate this kinda flexibility on a Home PC:
$IPT -P OUTPUT ACCEPT
# Let's accept incoming packets which belong to connections
# that have ALREADY been initiated:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Let's allow all packets initiating new connections LOCALLY:
$IPT -A INPUT -i lo -m state --state NEW -j ACCEPT
# Let's log every packet that reaches this rule, right before
# it hits our INPUT policy and gets a DROP:
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
# Let's load the module allowing Connection Tracking for FTP:
/sbin/modprobe ip_conntrack_ftp
# Let's load the module allowing Connection Tracking for IRC:
/sbin/modprobe ip_conntrack_irc
# No rc.firewall script is complete without the ubiquitous echo:
echo "So let it be written. So let it be done."
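An added example, not from the thread: the LOG rule above writes lines prefixed "INPUT DROP: " to the kernel log (on Slackware they normally land in /var/log/messages via syslog), and this summarizer shows how to turn them into a per-port, per-source count of what the default DROP policy is absorbing. The sample lines are constructed for the example using documentation address ranges; their field layout follows what the iptables LOG target emits.

```shell
#!/bin/sh
# Constructed sample of syslog lines as produced by the "INPUT DROP: " LOG rule
# (one unrelated sshd line included to show the filter ignoring it).
SAMPLE='Mar  1 10:00:01 slack kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 10:00:02 slack kernel: INPUT DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  1 10:00:03 slack kernel: INPUT DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=3 DF PROTO=TCP SPT=3105 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Mar  1 10:00:04 slack kernel: INPUT DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=4 PROTO=UDP SPT=1026 DPT=137 LEN=58
Mar  1 10:00:05 slack sshd[123]: Accepted publickey for user from 192.0.2.20 port 51000 ssh2
Mar  1 10:00:06 slack kernel: INPUT DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1'

# drop_summary: read log lines on stdin, keep only the firewall's LOG output,
# and print "COUNT PROTO DPT SRC" per distinct tuple, most frequent first.
# Packets without a DPT field (e.g. ICMP) are reported with "-" for the port.
drop_summary() {
    grep 'INPUT DROP: ' | awk '{
        proto = "?"; dpt = "-"; src = "?"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
        }
        n[proto " " dpt " " src]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# top_source: the single source address with the most dropped packets overall.
top_source() {
    drop_summary | awk '{ s[$4] += $1 }
        END { best = ""; for (a in s) if (best == "" || s[a] > s[best]) best = a; print best }'
}
```

On a live box, replace the sample with `grep 'INPUT DROP: ' /var/log/messages | drop_summary`; the same filter works on the output of `dmesg`.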