LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-07-2005, 12:52 PM   #1
Ben2210
test firewall?


Hi,

I've been setting up (thanks Capt_Caveman) a very simple firewall to block some services I don't use from being inadvertently activated. Here's my rc.firewall startup script:

Code:
iptables -I INPUT -i eth0 -p tcp --dport 21 -j DROP
iptables -I INPUT -i eth0 -p tcp --dport 22 -j DROP
iptables -I INPUT -i eth0 -p tcp --dport 177 -j DROP
iptables -I INPUT -i eth0 -p udp --dport 177 -j DROP
iptables -I INPUT -i eth0 -p tcp --dport 6000 -j DROP
iptables -I INPUT -i eth0 -p udp --dport 6000 -j DROP
I would like to know how I can test it. I understand that I can easily test port 22 by launching sshd and attempting an ssh connection. I also understand that I could test any other TCP port by moving my sshd to this port. But this way I won't ever test UDP! Also, this is a very tedious way of testing. So, I wondered if there was some way of testing any protocol on any port and checking that the firewall actually blocks packets.

Also, I would like the firewall to keep a log of the packets it has blocked. How can I do that?

Also, I don't know at all what protocol XDMCP uses, so I blocked TCP and UDP on port 177, but perhaps that's wrong? Can you help?

By the way, here's the output of iptables --list:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       udp  --  anywhere             anywhere            udp dpt:x11
DROP       tcp  --  anywhere             anywhere            tcp dpt:x11
DROP       udp  --  anywhere             anywhere            udp dpt:xdmcp
DROP       tcp  --  anywhere             anywhere            tcp dpt:xdmcp
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:ftp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 
Old 04-07-2005, 01:01 PM   #2
skunkburner
To test your firewall you can use a port scanner like nmap.

Go to http://www.insecure.org/nmap and download the latest version (there are RPMs and binaries as well as the source).

Then run

nmap -sS -p- -P0 -vv YOUR-IP-HERE

That will perform a scan of all the ports on the IP you specify and tell you whether they are open, closed or filtered, like below.

# nmap 3.75 scan initiated Fri Jan 14 12:25:50 2005 as: nmap -sS -p- -vv 192.168.1.30
All 65535 scanned ports on ws3.X.X.X (192.168.1.30) are: filtered

# Nmap run completed at Fri Jan 14 12:49:54 2005 -- 1 IP address (1 host up) scanned in 1444.250 seconds
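As an added example (not from skunkburner's post or anything else in the thread), a small POSIX shell check that scans only the ports the rules above cover, TCP and UDP alike, and fails unless every one of them is reported as blocked; the target address and the embedded nmap output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: scan exactly the ports the rules cover,
# TCP and UDP, and fail unless each one comes back blocked.
TARGET="${TARGET:-192.0.2.10}"   # placeholder address of the firewall host
EXPECT_BLOCKED="21/tcp 22/tcp 177/tcp 177/udp 6000/tcp 6000/udp"

scan() {
    # -sS TCP SYN scan, -sU UDP scan, -Pn skip the ping (a DROP policy
    # swallows it anyway); T:/U: give per-protocol port lists.
    nmap -sS -sU -Pn -p T:21,22,177,6000,U:177,6000 "$TARGET"
}

# Reads nmap's normal output on stdin. A dropped TCP SYN shows as "filtered";
# a dropped UDP probe gets no reply at all, which nmap reports as
# "open|filtered". "closed" means a RST or ICMP port-unreachable came back,
# i.e. the packet reached the stack and no DROP rule matched it.
check_blocked() {
    awk -v expect="$EXPECT_BLOCKED" '
        BEGIN { n = split(expect, want, " "); for (i = 1; i <= n; i++) state[want[i]] = "missing" }
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && ($1 in state) { state[$1] = $2 }
        END {
            bad = 0
            for (p in state)
                if (state[p] != "filtered" && state[p] != "open|filtered") { print p ": " state[p]; bad = 1 }
            exit bad
        }'
}

# Constructed sample of what nmap prints when the two port-6000 rules are missing.
SAMPLE_OUTPUT='PORT     STATE         SERVICE
21/tcp   filtered      ftp
22/tcp   filtered      ssh
177/tcp  filtered      xdmcp
6000/tcp closed        X11
177/udp  open|filtered xdmcp
6000/udp closed        X11'

# "sh check.sh live" scans the real target; "sh check.sh sample" checks the
# constructed output above (prints the two unblocked ports, exit status 1).
if [ "${1:-}" = live ]; then scan | check_blocked
elif [ "${1:-}" = sample ]; then printf '%s\n' "$SAMPLE_OUTPUT" | check_blocked; fi
```

Run it from a host other than the firewall: packets sent to the machine's own address travel over lo, so rules written with -i eth0 never see them, and the scan reports "closed" even though the rules are loaded.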
 
Old 04-07-2005, 01:08 PM   #3
Ben2210 (Original Poster)
Thank you. I ran your test, but it told me that all ports were "closed". It didn't mention any "filtered" port. Does that mean that packet filtering is not effective?

PS. I am running a custom kernel and I am not sure I have all the necessary options enabled. I have CONFIG_NETFILTER=y and CONFIG_IP_NF_IPTABLES=y. Also, iptables runs without any warning.
 
Old 04-07-2005, 01:11 PM   #4
Ben2210 (Original Poster)
Just for information, nmap terminated in a few seconds.
 
Old 04-07-2005, 01:22 PM   #5
skunkburner
>>Does that mean that packet filtering is not effective?

Not at all, iptables will be filtering the packets, BUT because you have your default input rule set to accept, if you receive a packet that you don't have a specific rule for, it will be accepted anyway.

You would be much better off setting your default input to DROP and allowing the specific ports you use, as well as letting ESTABLISHED and RELATED connections in.

BTW, the reason your scan took a lot less time than mine is because of my default action: because the firewall drops the packets, nmap never receives anything back, so it has to wait for the connection to time out.
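As an added example (not from the thread), an rc.firewall written the way skunkburner describes: default INPUT policy DROP, ESTABLISHED/RELATED let in, only listed ports accepted, plus a rate-limited LOG rule for the logging question in the first post; the FW-DROP prefix, the ALLOW_TCP list and the IPT override are my choices, not anything from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: an rc.firewall with a default-DROP
# INPUT policy, stateful allows and rate-limited logging of dropped packets.
# With the policy at DROP the six per-port rules from the original post are
# no longer needed: everything not listed in ALLOW_TCP is dropped.
# Run "sh rc.firewall apply" as root; IPT=echo prints the rules instead.
IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"      # interface facing the untrusted network
ALLOW_TCP="${ALLOW_TCP:-22}"  # TCP services you really want reachable

apply_firewall() {
    # Start from a clean INPUT chain; FORWARD and OUTPUT stay as in the post.
    "$IPT" -F INPUT
    "$IPT" -P INPUT DROP

    # Loopback must stay open or local clients (X, a DNS cache, ...) break.
    "$IPT" -A INPUT -i lo -j ACCEPT

    # Replies to connections this host initiated, plus traffic related to
    # them such as ICMP errors.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound services explicitly allowed on the untrusted interface.
    for port in $ALLOW_TCP; do
        "$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Log what is about to be dropped, rate-limited so a port scan cannot
    # flood the kernel log, then fall through to the DROP policy. Entries
    # show up in dmesg/syslog prefixed "FW-DROP: ".
    "$IPT" -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FW-DROP: " --log-level 4
}

if [ "${1:-}" = apply ]; then apply_firewall; fi
```

Because the policy itself drops everything not listed, XDMCP (which runs over UDP port 177), X11 and FTP no longer need rules of their own.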
 
Old 04-07-2005, 01:36 PM   #6
Ben2210 (Original Poster)
Thanks a lot for your explanations.

One last question: what do you think of automatic iptables script generators? Like this one:
http://easyfwgen.morizot.net/gen/
 
Old 04-07-2005, 02:10 PM   #7
skunkburner
I've just had a quick look at http://easyfwgen.morizot.net/gen/ and it seems a really good tool for most end-users.
 
Old 04-07-2005, 02:27 PM   #8
Ben2210 (Original Poster)
OK, thank you.
 
Old 04-07-2005, 03:30 PM   #9
frgtn
Firewall script generators may be a good thing, but IMHO it's always good to know at least the basics of iptables. Just in case.
 
  

