Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
On a desktop, single-user system that is only used to browse the internet?
Do I only need port 80 open? Forgive me, I don't know much about this stuff...
I used to use guarddog and I would disable it when I needed to check my email, then re-enable it after I checked my email. But guarddog does not work with KDE4.
You don't need to open any ports (you can/should have them all filtered). What you will need to allow at a minimum is outbound packets with destination ports 80/TCP (HTTP), 443/TCP (HTTPS), and 53/UDP (DNS). Example:
Code:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -p TCP --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p TCP --dport 443 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o eth0 -p UDP --dport 53 -m state --state NEW -j ACCEPT
That said, I must ask: What are you hoping to achieve with this firewall setup? Like, why don't you just filter inbound packets while allowing all outbound ones? It's an honest question, I'm not suggesting that's the way you should go.
Security, I guess. I am not sure in what part of the iptables script to place that code.
I am currently using an iptables script I found online, but it is old and I don't feel good about it. I don't know how to write them, nor do I understand iptables yet, so most of what you posted is beyond me.
Well, if you're on Slackware you could just change my example into a shell script, like:
Code:
#!/bin/sh
IPT="/usr/sbin/iptables"
# Start from an empty rule set so re-running the script does not stack duplicate rules
$IPT -F
# Default policy: drop everything in both directions; the rules below are the exceptions
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
# Accept packets belonging to connections this box started, and anything on loopback
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# New outbound connections via eth0: only HTTP, HTTPS and DNS lookups
$IPT -A OUTPUT -o eth0 -p TCP --dport 80 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o eth0 -p TCP --dport 443 -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o eth0 -p UDP --dport 53 -m state --state NEW -j ACCEPT
Then just save that as /etc/rc.d/rc.firewall and make it executable. That would make the commands get run automatically every startup. If you're willing to invest some time to learn the basics of iptables, I suggest this tutorial.
Although, honestly, if you're just starting out it might not be a bad idea to do only inbound filtering until you have a better grasp of things (it's up to you, of course). Such a script would be much simpler. Example:
Code:
#!/bin/sh
IPT="/usr/sbin/iptables"
$IPT -P INPUT DROP
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
It basically says: "Send all inbound packets to DROP by default. Allow inbound packets if they are in either RELATED or ESTABLISHED state. Allow all inbound packets on the loopback interface." While doing both ingress and egress filtering is optimal, starting out with only ingress filtering is a good way IMHO to save yourself some potentially serious frustration while you're learning the basics of iptables.
It's kinda old and lots of confusing code. I was thinking about toying with it but don't want to screw things up.
Yeah, you always have the option to run a separate distro inside a virtual machine and then experiment freely, with the assurance that you won't be messing anything up in your real installation.
Quote:
I have been searching for an Iptables book but have not made a purchase yet.
Let us know if you find something nice!
Quote:
Thanks for the link.
You're welcome!
BTW, you can verify that the rc.firewall is having the desired effect by running (and perhaps also posting the output of):
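As an added example (not the poster's script), here is a small Python check for the output of `iptables -S` that verifies the egress-filtering rc.firewall left the filter table in the intended state: INPUT and OUTPUT policies DROP, INPUT accepting only loopback and RELATED,ESTABLISHED traffic, and OUTPUT starting new connections only to 80/TCP, 443/TCP and 53/UDP. The dump embedded in it is constructed to match the script above; on the real machine, run `iptables -S` as root and pass its output to check_ruleset().

```python
import shlex

# New outbound connections the desktop is meant to start (from the thread's rules).
ALLOWED_EGRESS = {("tcp", "80"), ("tcp", "443"), ("udp", "53")}

# Constructed `iptables -S` output, as the egress-filtering rc.firewall leaves the filter table.
SAMPLE_DUMP = """\
-P INPUT DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
"""

def parse_dump(dump):
    """Return (policies, rules): chain -> default policy, plus one option dict per -A rule."""
    policies, rules = {}, []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if len(tok) >= 3 and tok[0] == "-P":
            policies[tok[1]] = tok[2]
        elif len(tok) >= 2 and tok[0] == "-A":
            rule, i = {"chain": tok[1]}, 2
            while i < len(tok):  # pair each option with its value, if it has one
                has_val = i + 1 < len(tok) and not tok[i + 1].startswith("-")
                rule[tok[i].lstrip("-")] = tok[i + 1] if has_val else None
                i += 2 if has_val else 1
            rules.append(rule)
    return policies, rules

def check_ruleset(dump):
    """Return findings; an empty list means the dump matches the intended desktop policy."""
    policies, rules = parse_dump(dump)
    findings = [f"{c} policy is {policies.get(c)}, expected DROP"
                for c in ("INPUT", "OUTPUT") if policies.get(c) != "DROP"]
    for r in (x for x in rules if x.get("j") == "ACCEPT"):
        state = r.get("state") or r.get("ctstate")  # newer iptables prints conntrack syntax
        # INPUT may only accept loopback traffic and replies to connections we started
        if r["chain"] == "INPUT" and r.get("i") != "lo" and state != "RELATED,ESTABLISHED":
            findings.append(f"INPUT accepts unsolicited traffic: {r}")
        # OUTPUT may start NEW connections only to the allowed (protocol, port) pairs
        if r["chain"] == "OUTPUT" and r.get("o") != "lo" and state != "RELATED,ESTABLISHED":
            if state != "NEW" or (r.get("p"), r.get("dport")) not in ALLOWED_EGRESS:
                findings.append(f"OUTPUT allows an unexpected new connection: {r}")
    return findings
```

An empty list from check_ruleset() means the running rules match the policy the thread describes; each finding names the policy or rule that deviates from it.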