LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 02-12-2005, 01:12 AM   #76
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379

it looks perfectly fine. the firewall configuration was properly saved. my work here is done.

good luck on your linux adventure, you have a VERY tough road ahead of you with lots of reading and lots of frustration - but i hope you hang in there cuz in the end it's worth it...

and for like the millionth time: YES, IT'S STATEFUL!!!

=)

GOOD NIGHT. HAVE FUN.


Last edited by win32sux; 02-12-2005 at 01:17 AM.
 
Old 02-12-2005, 01:21 AM   #77
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Thanks and I apologize for my rude behaviour. I was indeed tired and frustrated. No wonder people (most) are so stuck to Windows because of.......well.....you know, this type of complications. But yes, I would like to learn Linux and I will. Whatever it takes.

Now, before I REALLY go, like I said, I really want a firewall script which does the same thing as a router like Linksys (Stateful Packet Inspection). And I really hope that your script does the same. I would like for you to confirm that.

And thanks again
 
Old 02-12-2005, 07:23 AM   #78
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
Quote:
Originally posted by wardialer
Thanks and I apologize for my rude behaviour.
it's okay... i've put up with much worse...

Quote:
No wonder people (most) are so stuck to Windows because of.......well.....you know, this type of complications.
yeah, but here's an analogy:

a person who's only flown a Cessna Skylane all of their life would have complications when they start learning to fly an F-22 Raptor...

it's natural that they'd have issues, and it doesn't mean there's something wrong with the Raptor, or that the Raptor should try and be more like the Cessna... the main concepts of flight (lift, weight, thrust, and drag) will still apply on the Raptor, but everything else will be completely different and new...


if you apply the mentality of a lot of linux newbies to my analogy, they would conclude that because things on the Raptor are so different than their Cessna there has to be something wrong with the Raptor... IT'S RIDICULOUS...

- gnu/linux has been a server-oriented os from the start (with one of the main objectives being to "be the best it can be"), and that will be in its DNA forever - no matter how much "GUI Fluff" certain distributors lay on top of it...

- windows has been a pc-oriented os from the start (with one of the main objectives being to "make as much money as possible") - that's why even though 99% of PCs use windows, you don't see anyone using windows on mainframes (for example), no matter how much marketing hype and FUD microsoft spills out onto the media...

Quote:
But yes, I would like to learn Linux and I will. Whatever it takes.
i'm happy for you... not just cuz it's gnu/linux you're interested in, but because you are thinking outside the microsoft box... i know you're just getting started, but the world needs more people like this - people that aren't scared to give Mac a shot... or Solaris... or Free/Net/OpenBSD... or GNU/Linux... or IRIX... or something else... "Diversity is the one true thing we all have in common. Celebrate it every day."
Quote:
I really want a firewall script which does the same thing as a router like Linksys (Stateful Packet Inspection). And I really hope that your script does the same. I would like for you to confirm that.
yes, you are using a stateful solution, don't worry - I CONFIRM IT - on linux it's called Stateful Packet Filtering, but you can call it whatever you want...

check out the website for Netfilter, the firewall that you are using right now:

http://www.netfilter.org

READ! READ! READ!

also, there are SEVERAL reasons why using linux/netfilter as a firewall is even BETTER than using those linksys boxes...

i'll give you ONE reason:

you are able to do SO MUCH MORE... those linksys boxes are kinda like windows in that they are designed to make lots of money by giving the average joe the ability to do a few cute things... but the kind of routing that an experienced linux user can do with netfilter/iptables is WAY BEYOND anything that most of those linksys boxes can do... WAY BEYOND...

of course you still have A LOT of linux learning to do before you are able to get down and dirty with things like netfilter/iptables... you really need to work on your basic linux skills first... LQ is one of the best tools you can use to learn linux, but google's linux search engine is just as vital:

http://www.google.com/linux

once you've got your basic linux skills in order, grasping the fundamental netfilter/iptables concepts will be much easier - you should grasp the general concepts before you dive into specifics - just like with everything else...

if you READ, READ, READ, and keep READING you'll be on the right track to doing some great stuff with linux real soon!!!

good luck!!!

Last edited by win32sux; 02-13-2005 at 01:10 AM.
 
Old 02-12-2005, 11:03 AM   #79
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Ok, here's an overall recap on what happened:
Finally:

1. I PASTED your script in a Text document with the Shebang (#!/bin/bash sh) or whatever on top of whole script.
2. Placed it in /home/myusername/Documents/firewall
3. Went to the Konsole and did the following steps:

cd /home/myusername/Documents

chmod +x firewall

./firewall

service iptables save

shutdown -r now


Is this OK? PLEASE TELL ME IF THIS IS CORRECT????.... And the script that I posted before on here at the beginning of this thread, was that secure enough or what was the problem with it?

And one other thing, in addition to this script, I have noticed in the Mandrake Services that the following is RUNNING:

Shorewall = running
iptables = running


Do these services have anything to do with the script? Should I leave them running or leave them disabled and only use the script to firewall my system??? Please advise..... And should I also disable the built-in firewall (Which is the Shorewall in Mandrake) and let the script do all the work instead????

Should I leave them RUNNING or DISABLED?

Last edited by wardialer; 02-12-2005 at 11:26 AM.
 
Old 02-12-2005, 12:46 PM   #80
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Please answer every single question here, this very important. I would gladly appreciate it.

WHY ARE ALL OF MY PORTS SHOWING CLOSED?????

PLEASE TELL ME OR GIVE ME ANOTHER SCRIPT THAT WOULD MAKE MY PORTS ALL STEALTHED. THIS SCRIPT OF YOURS WILL NOT BE ACCEPTED IF ALL MY PORTS ARE CLOSED.

I WANT THEM ALL STEALTHED

WHAT AM I DOING WRONG HERE????? I HAVE SHOREWALL AND IPTABLES STOPPED

HERE IS MY CURRENT IPTABLES -L OUTPUT: (This is with the IPTABLES Service STOPPED):

Code:
[root@localhost vin001]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

WITH IPTABLES SERVICE RUNNING:

Code:
[root@localhost vin001]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere           state INVALID
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

NOW, I JUST ENABLED THE IPTABLES SERVICE AS RUNNING AND ALL MY PORTS ARE STEALTHED.

IN ORDER FOR YOUR SCRIPT TO FUNCTION, I HAVE TO ENABLE THE IPTABLES SERVICE IN THE MANDRAKE SERVICES????

Are you positively SURE that the script you provided is powerful enough with Stateful Packet Inspection? And, is this script more powerful than a Linksys Router??? Because before, how come my ports were all CLOSED?? Now they're ALL STEALTHED after I checked the IPTABLES Service as RUNNING.

So in order for your script to work, I have to have the iptables service running, am I right??? Because it seemed to stealth all my ports when I had it running.

Last edited by wardialer; 02-12-2005 at 01:28 PM.
 
Old 02-12-2005, 02:45 PM   #81
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
And why am I seeing this in your script as a Network Address Translation (NAT)??? I specifically said I ONLY need Stateful Packet Inspection. Look below:

Code:
$IPT -F -t nat
Code:
$IPT -X -t nat

Do you think this script that you gave me will provide me with enough security, MORE THAN A LINKSYS ROUTER?

So in order for your script to work, I have to have the iptables service running, am I right??? Because it seemed to stealth all my ports when I had it running.

Last edited by wardialer; 02-12-2005 at 03:49 PM.
 
Old 02-13-2005, 01:02 AM   #82
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
yes, you need iptables to be running ALWAYS... when you load iptables the firewall configuration you saved to it will be loaded... if you don't load it then you will be allowing ANY traffic to come in WITHOUT any filtering/inspection... this should be obvious to you by now...


no, you don't want shorewall - DISABLE IT... or better yet, UNINSTALL IT...


the NAT stuff in the script is FLUSHING and DELETING any chains in the NAT table (as a security precaution) since you don't need anything NAT-related for now... you are NOT doing any NAT...


yes, the script as i posted gives you stealth, there's NO DOUBT whatsoever about it... i repeat: NO DOUBT WHATSOEVER...


stop saying that you only want stateful packet inspection if you don't even understand what stateful packet inspection is... i'll say it one last time: any firewall that can tell the difference between NEW, ESTABLISHED, and RELATED packets is stateful:

http://en.wikipedia.org/wiki/Stateful_firewall


yes, the script i gave you will provide you equal or better security than a linksys router would... but instead of asking me about this you should READ and LEARN this iptables stuff on your own and that way you'll be able to UNDERSTAND the script instead of just relying on what i or someone else tells you on this thread (or the others in which you've asked the SAME questions):

http://iptables-tutorial.frozentux.n...-tutorial.html


if you have any NEW questions i'll gladly answer them, but if you keep posting the same questions over and over like you're doing right now before you've had a chance to STUDY then that's not going to work...

Last edited by win32sux; 02-13-2005 at 01:33 AM.
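The two `iptables -L` listings in post #80 and win32sux's explanation in post #82 can be checked mechanically. The script below is an added example, not code from the thread: it parses listings in the format `iptables -L` prints (the samples are the thread's own listings, re-typed as constructed strings), tells whether the INPUT chain is stateful (accepts RELATED,ESTABLISHED, drops INVALID), and reports why a port probe sees "closed" (policy ACCEPT or a REJECT rule, so the stack answers) versus "stealth" (policy DROP, no answer at all). The third ACCEPT rule in the running listing is shown without its interface match because `-L` was run without `-v`; the function names and the verdict labels are this example's own.

```python
import re

# Constructed samples: the two `iptables -L` listings quoted in post #80
# (first with the iptables service stopped, then with it running).
SERVICE_STOPPED = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""
SERVICE_RUNNING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere           state INVALID
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""
# Built-in chains print "(policy X)"; user chains print "(N references)" -> policy None.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|[^)]*)\)")

def parse_listing(text):
    """Map each chain name to (default policy or None, list of tokenised rules)."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
        elif current and line.strip() and not line.startswith("target"):
            chains[current][1].append(line.split())
    return chains

def assess(text):
    """Classify the INPUT chain the way an external port probe would see it."""
    policy, rules = parse_listing(text).get("INPUT", ("ACCEPT", []))
    stateful = any(r[0] == "ACCEPT" and "RELATED,ESTABLISHED" in r for r in rules)
    drops_invalid = any(r[0] == "DROP" and "INVALID" in r for r in rules)
    uses_reject = any(r[0] == "REJECT" for r in rules)
    # Policy DROP and no REJECT: unsolicited probes get no reply ("stealth").
    # Policy ACCEPT hands the probe to the TCP/IP stack, which answers RST or
    # ICMP unreachable for ports with no listener ("closed"); REJECT answers too.
    verdict = "stealth" if policy == "DROP" and not uses_reject else "closed"
    return {"policy": policy, "stateful": stateful,
            "drops_invalid": drops_invalid, "verdict": verdict}
```

Run `assess(SERVICE_STOPPED)` and `assess(SERVICE_RUNNING)` to reproduce the "closed" versus "stealth" difference wardialer observed; on a live box, feed it the output of `iptables -L` instead.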
 
Old 02-13-2005, 11:12 AM   #83
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
I am going to say this again in case it was not clear. You know how Windows and Linux have what's called 'Services'???? Ok, in the Mandrake Services (Inside Mandrake Control Center) I scrolled down the list of running services. I saw 'iptables'. Now, should that be RUNNING or STOPPED along with my script that you gave me???? That's all I'm asking. Because, I did some tests. I had it STOPPED and my results were PORTS CLOSED. Then I went back to set it as RUNNING and my ports were ALL STEALTH. So I am really confused. That's all I want to ask for the last time. Look at the various tests that I did in POST #80.




Last edited by wardialer; 02-13-2005 at 07:59 PM.
 
Old 02-14-2005, 03:43 AM   #84
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379
Quote:
Originally posted by wardialer
I am going to say this again in case it was not clear. You know how Windows and Linux have what's called 'Services'???? Ok, in the Mandrake Services (Inside Mandrake Control Center) I scrolled down the list of running services. I saw 'iptables'. Now, should that be RUNNING or STOPPED along with my script that you gave me???? That's all I'm asking. Because, I did some tests. I had it STOPPED and my results were PORTS CLOSED. Then I went back to set it as RUNNING and my ports were ALL STEALTH. So I am really confused. That's all I want to ask for the last time. Look at the various tests that I did in POST #80.
yes, iptables needs to be RUNNING always - you need to set it as a service so that it's automatically started every time you boot... the iptables configuration you saved will then be loaded every boot, automatically...

the only time you'd need for iptables to be STOPPED is if you need to test something WITHOUT your firewall rules in effect, for example...
 
Old 02-14-2005, 07:06 PM   #85
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Ok, cool.... got it.

But I think the iptables isn't going to be all that necessary because I want to get a Router anyways. But, if I do want an extra layer of added protection then I may keep the iptables running with the addition of a router. But to keep in mind what you said, the iptables does more of a better job in firewalling than a router, so I don't know.... I'll see.....

But for now, I think that's it for the questions. But now, seriously speaking, I am going to learn and read all about iptables. Because I want to, and iptables beats any of the Windows software firewalls out there like (zone alarm) and stuff like that.

Thanks again, and BTW, when I'm angry like this, IT'S NOT YOU!!!!!! I'm just mad about why Linux could not be much easier, like Windows???

Sorry....

Last edited by wardialer; 02-14-2005 at 07:08 PM.
 
All times are GMT -5.