LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-07-2016, 10:23 AM   #16
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10

Quote:
Originally Posted by Turbocapitalist View Post
If it's just a standard desktop, then you don't need much in the filter rules as far as a basic set up is concerned.

Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
That should do it. If you need to log into that machine with SSH, then add the rules for port 22 back in.

If you still can't use the Tor Browser Bundle with that short rule set, then maybe you should look at using a bridge or obfsproxy
With current iptables rules I used obfsproxy too but not worked. Your iptables rules are so simple. I like to block scanners like Nmap.
 
Old 12-07-2016, 10:30 AM   #17
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,531
Blog Entries: 3

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
Quote:
Originally Posted by hack3rcon View Post
With current iptables rules I used obfsproxy too but not worked. Your iptables rules are so simple. I like to block scanners like Nmap.
The above rules block scanners, in-so-far as scanners can be blocked. As you see the default is to block and only a few things are let in. If you block ICMP completely you break your network. If you want logging of some of the scans, then that is a different matter and you have a lot of choices but the logging would occur just before that last blocking rule.
 
Old 12-07-2016, 11:52 AM   #18
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Quote:
Originally Posted by Turbocapitalist View Post
The above rules block scanners, in-so-far as scanners can be blocked. As you see the default is to block and only a few things are let in. If you block ICMP completely you break your network. If you want logging of some of the scans, then that is a different matter and you have a lot of choices but the logging would occur just before that last blocking rule.
You don't have to answer external ping and it will not break your network.
Code:
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
 
Old 12-10-2016, 12:35 AM   #19
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by Turbocapitalist View Post
This line needs to be moved to the end of your INPUT chain:

Code:
-A INPUT -j REJECT --reject-with icmp-port-unreachable
Otherwise all the rules that follow afterwards, including those for Tor, are never reached and thus fail.
I removed this line and problem exist
 
Old 12-10-2016, 01:02 AM   #20
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,531
Blog Entries: 3

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
If you are using the rules posted in #16, where the default policy for the OUTPUT is to accept packets, then I'm not sure where the problem lies since it is unlikely to be in iptables.

What method did you use to acquire and install the Tor Browser Bundle?
 
Old 12-10-2016, 05:25 AM   #21
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by Turbocapitalist View Post
If you are using the rules posted in #16, where the default policy for the OUTPUT is to accept packets, then I'm not sure where the problem lies since it is unlikely to be in iptables.

What method did you use to acquire and install the Tor Browser Bundle?
Tor Browser Bundle is portable but not need any install. Can you write my rules on your system and test it?
 
Old 12-10-2016, 08:27 AM   #22
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
I changed my iptables rules and used below rules too:
Code:
-A INPUT -p tcp -m tcp --dport 9150 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 9150 -j ACCEPT
But, not worked and TorBrowser Log say me:
Code:
12/09/2016 17:50:48.400 [NOTICE] Bootstrapped 5%: Connecting to directory server 
12/09/2016 17:50:48.500 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server 
12/09/2016 17:53:14.300 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150 
12/09/2016 17:53:14.300 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/09/2016 17:53:14.300 [NOTICE] Closing old Socks listener on 127.0.0.1:9150 
12/09/2016 17:53:14.800 [NOTICE] Delaying directory fetches: DisableNetwork is set. 
12/09/2016 17:53:19.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/09/2016 17:53:19.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/09/2016 17:53:19.800 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/09/2016 17:53:19.800 [NOTICE] Opening Socks listener on 127.0.0.1:9150 
12/09/2016 17:53:56.100 [WARN] Proxy Client: unable to connect to 192.95.36.142:443 ("general SOCKS server failure") 
12/09/2016 17:54:03.300 [WARN] Proxy Client: unable to connect to 154.35.22.11:443 ("general SOCKS server failure") 
12/09/2016 17:54:04.100 [WARN] Proxy Client: unable to connect to 83.212.101.3:50001 ("general SOCKS server failure") 
12/09/2016 17:54:09.000 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150 
12/09/2016 17:54:09.000 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections. 
12/09/2016 17:54:09.000 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
Any idea?
 
Old 12-10-2016, 08:31 AM   #23
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,531
Blog Entries: 3

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
Try these rules and then look in /var/logs/syslog for the string "iptables denied:"

Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
 
Old 12-10-2016, 09:55 AM   #24
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Quote:
Originally Posted by Turbocapitalist View Post
Try these rules and then look in /var/logs/syslog for the string "iptables denied:"

Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
Thank you a lot, But I like to know where is the problem in my iptables rules?
 
Old 12-10-2016, 09:59 AM   #25
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,531
Blog Entries: 3

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
Add them in one line at a time before the last two lines. However, before doing that, do the proposed rules work for you?
 
Old 12-10-2016, 11:05 AM   #26
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194Reputation: 194
Biggest flaw I'm seeing is you are not adding outbound connections to your ConnTracking DB. since your out bound connections are simply ACCEPT they are not being added to the DB. You should have a line like this to ensure they get added;
Code:
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
This will add all your new connections to the DB so that the rule
Code:
-A INTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
will match.
 
Old 12-11-2016, 07:31 AM   #27
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
Excuse me if I can't explain my goal. I like to have an iptables rules that block all incoming connections to my system and allow TorBrowser and also detect scanners like Nmap and block scanners IP.
 
Old 12-11-2016, 07:37 AM   #28
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,531
Blog Entries: 3

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
I'm not able to duplicate the problem with my system. The rules I provided earlier work for me, as well as with the modification that lazydog provides. So I'm not sure what to look at next. Which distro do you have and which version is it?
 
Old 12-11-2016, 08:55 AM   #29
hack3rcon
Senior Member
 
Registered: Jan 2015
Posts: 1,432

Original Poster
Rep: Reputation: 10
As I said, I use Debian amd64. I sent an email to Tor mailing list and they told me:

Code:
You always need to allow some input as well in order for the Tor guard node to 
talk to your computer. Stateful Inspection is used for this. Here's a complete 
ruleset to accomplish what you asked for. All output is allowed, but no input, 
except it belongs to some output your computer previously did.

# Stateful inspection for input and output
iptables -A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
iptables -A OUTPUT -j ACCEPT -m state --state RELATED,ESTABLISHED

# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Reject any other input
iptables -A INPUT -j REJECT

# Accept all output
iptables -A OUTPUT -j ACCEPT

Note that you also want to accout for IPv6 using ip6tables. It depends on your 
network though.
My current iptables rules are:
Code:
# Generated by iptables-save v1.4.21 on Fri Dec  9 17:25:25 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
-A INPUT -i lo -j ACCEPT
#-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 192.168.0.0/24 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255/32 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -m limit --limit 1/sec -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A INPUT -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m recent --rcheck --seconds 86400 --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -m recent --remove --name portscan --mask 255.255.255.255 --rsource
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j LOG --log-prefix "portscan:"
-A FORWARD -p tcp -m tcp --dport 139 -m recent --set --name portscan --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
COMMIT
# Completed on Fri Dec  9 17:25:25 2016
What is your idea?
 
Old 12-11-2016, 09:53 AM   #30
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 5,531
Blog Entries: 3

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
I'd go with the simpler rules close to those proposed by the list:

Code:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT -m state --state RELATED,ESTABLISHED
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT
-A OUTPUT -j ACCEPT -m state --state NEW,RELATED,ESTABLISHED
COMMIT
The other rules you have contain a bunch of lines unnecessary for a regular desktop. See if those work. If they do, they can be adjusted but try them as-is first.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Tails 2.6 Anonymous Linux Live CD Is Out, Brings Tor 0.2.8.7 and Tor Browser 6.0.5 LXer Syndicated Linux News 0 09-21-2016 01:32 AM
LXer: Tor Browser 4.5.2 Is Out with the Latest Tor Anonymity Network Software LXer Syndicated Linux News 0 06-17-2015 02:40 PM
Iptables Rules For Tor On Alternative Ports Mytob Linux - Networking 2 02-16-2015 02:29 AM
block tor users with iptables? qwertyjjj Linux - Newbie 5 04-13-2013 05:59 PM
Tor, Squid, Privoxy behind iptables firewall mistersnorfles Linux - Security 7 12-13-2007 04:12 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:16 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration