Linux - Software (LinuxQuestions.org forum): This forum is for Software issues.
Admittedly, I'm not that familiar with iptables or how it's configured. I ran "sudo iptables -L" to see if it was up and running in my new Lubuntu 14.04 install and received this readout...
What does this mean, exactly? Do I need to configure it more and, if so, what would be a good front end to make it a quick, easy job that does it right with no weird side effects? For some reason, I didn't see guarddog in the repositories.
Thanks!
Last edited by ardvark71; 02-20-2015 at 09:30 PM.
Reason: Grammar correction.
Thank you, this is a good start, even though I understand very little of what Ramesh is talking about.
I installed gufw to help with the gui end of it, hope it works well. Strange though, I wasn't able to find either Guarddog or Firestarter in the repositories. Hmmm.
I'd welcome any other thoughts, including on gufw, if anyone has any.
Regards...
Last edited by ardvark71; 02-20-2015 at 11:17 AM.
Reason: Grammar correction.
And FWIW, your original post showed a "firewall" with no rules and a default policy of "ACCEPT", which will accept anything from anywhere -- equivalent to no firewall at all.
Hi...
That's what I suspected. I'm kind of surprised Lubuntu would ship with a default policy of this kind, unless there's something I'm missing.
I'm going to go ahead and mark this as solved as you guys have given me good starter information to work with, thank you!
@pan64: Thanks for the links. I wonder why they're outdated? I don't think that iptables would have changed that much.
Regards...
Last edited by ardvark71; 02-20-2015 at 10:23 PM.
Reason: Changed wording.
That appears to be a skeleton that some tool has set up in preparation for generating some rules. It still doesn't appear to do anything. Somewhere you must have a firewall builder tool that needs to be configured with actual rules.
Don't spend a lot of time trying to understand that skeleton. Any manually generated set of firewall rules would look nothing like that.
[EDIT] OK, I take that back. Buried in all that boilerplate there appears to be an actual firewall, presumably understandable by whoever wrote the tool that generated it.
Last edited by rknichols; 02-21-2015 at 10:06 AM.
Reason: OK, I take that back ...
Hi...
Thank you for your observations, I'm glad you saw that it appeared to be a legitimate setup. I installed gufw as Guarddog and Firestarter are no longer in Canonical's repositories.
It is quite an extensive skeleton.
Unfortunately, while GUIs make setting up stuff more simple, they also have the effect of making debugging or understanding it a nightmare.
For example,
Code:
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
This to me says, accept anything from anywhere, otherwise accept it as long as it's related or established.
What's the point of the second one if it's already accepted?
This is an example iptables setup script that is in no way the "correct" way, but may serve as a guide to a simple setup.
There are also numerous guides specifying how to setup iptables.
Code:
#!/bin/bash
ipt=/sbin/iptables
$ipt -F                                   # Flush every rule in the filter table (policies and other tables are untouched)
$ipt -P INPUT DROP                        # Default: silently drop unsolicited inbound traffic
$ipt -P FORWARD DROP                      # This host does not route for others
$ipt -P OUTPUT ACCEPT                     # Outbound traffic is unrestricted
$ipt -A INPUT -i lo -j ACCEPT             # Permit loopback
$ipt -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT   # Permit established connections
$ipt -A INPUT -p tcp -m tcp --syn --dport 22 -j ACCEPT               # SSH (new connections only)
$ipt -A INPUT -s 192.168.1.1/24 -j REJECT  # LAN gets an explicit reject; anything not matched above hits the DROP policy
By line: flush all rules, set default policies, permit loopback connections, permit established and related connections, permit SSH connections, and send reject messages to the LAN (drop without response otherwise).
I find this to be a very simple, non-intrusive setup that is quite secure.
It is quite an extensive skeleton.
Unfortunately, while GUIs make setting up stuff more simple, they also have the effect of making debugging or understanding it a nightmare.
I totally agree!
HAHA! I wondered what gufw and ufw were - I find it to be "Uncomplicated Fire Wall"!
Incomprehensible Fire Wall might be a better name from what I can see!
I guess there might be a case to be made for front-ends, but honestly, I have always been able to manage my own using a text file I usually name firewall.rules and the iptables shell commands - and I am not really very smart!
I have recently had to review the how-tos and my own notes to lock down my VPS with some adaptive rules to lockout attackers more effectively, and harden my mail server, but still no big surprises or difficulties.
When I write and test the rules myself, I always know when it is working! The few times in the past when I tried to use a "firewall program", I was never really sure what it was doing, or when it was working, and often ran wide open without knowing it!
If you can understand it well enough to effectively configure a firewall program, then you can probably understand it well enough to just write the rules!
Last edited by astrogeek; 02-21-2015 at 07:18 PM.
Reason: typos, more comments
Do I run your code in a terminal exactly as I see it? If not, what commands would I use to achieve the same setup?
Thanks!
This is a bash script that should be run on boot before network interfaces are brought up.
It should result in an iptables -L output similar to this
While it's easier to simply run it, I would suggest taking some time to identify if it does what you want. It does what I want, but it may be too open or closed for you. If you don't care, I believe it makes a good "standard" ruleset.
If you have no need for ssh, remove the line permitting access to port 22. If you use a webserver utilizing http and https, include port 80 & 443
Code:
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT   # multiport needs --dports (or --sports/--ports) before the port list
Also understand the force of it. iptables -F will cause all rules to be erased and policies reset, which may cause ufw to be unable to work, or overwrite what you had set up prior.
Note that each time I type $ipt, it really references /sbin/iptables. So it's similar to typing iptables -F, iptables -P INPUT DROP, etc.
I attempted to make it simple and linear since simplicity and good comments (after the #) makes debugging a problem later on much easier.
Also note the order is very important. Should I do this command ($ipt -A INPUT -s 192.168.1.1/24 -j REJECT) first, it will cause all LAN connections to be rejected - a negative outcome. However, since it's the last one, all connections will be dropped anyway and rejecting it will assist in debugging since it will identify that it was blocked - a positive outcome (preventing hanging connections as well).
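Added example, written for this page and not posted by anyone in the thread: the same ruleset as the script above, plus the 80/443 rule, expressed as an iptables-restore file and loaded atomically. A flush-then-append sequence is briefly live in a half-built state and, as noted above, iptables -F wipes whatever ufw had installed; iptables-restore replaces the whole filter table in one step, and its --test option lets you reject a malformed file before anything changes. The LAN network (192.168.1.0/24), the SSH/web ports, and the file path /etc/iptables/rules.v4 are assumptions for illustration. Note also that iptables -L without -v does not print interface matches, so a line that reads "ACCEPT all -- anywhere anywhere" is usually the loopback (-i lo) rule; show_rules below uses the flags that reveal it.

```shell
#!/bin/sh
# Added example: build the thread's ruleset as an iptables-restore file and
# load it atomically. Assumed values (hypothetical): LAN 192.168.1.0/24,
# SSH on 22, web on 80/443, rules kept in /etc/iptables/rules.v4.

LAN_NET=${LAN_NET:-192.168.1.0/24}
RULES_FILE=${RULES_FILE:-/etc/iptables/rules.v4}

# Print the ruleset in iptables-restore format. Chains are evaluated top to
# bottom and the first match wins, so the LAN REJECT must stay last.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local services talk to 127.0.0.1 constantly
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related traffic (ICMP errors etc.)
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# new SSH connections only (SYN); delete this line if no sshd runs here
-A INPUT -p tcp --syn --dport 22 -j ACCEPT
# web server: multiport needs --dports, a bare port list is a syntax error
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# LAN clients get an explicit reject so blocked connections fail fast instead
# of hanging; everything else falls through to the silent DROP policy
-A INPUT -s $LAN_NET -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Write the file, dry-run it, and only then load it (all-or-nothing).
apply_rules() {
    gen_rules > "$RULES_FILE"
    iptables-restore --test < "$RULES_FILE" || {
        echo "ruleset rejected, live rules untouched" >&2
        return 1
    }
    iptables-restore < "$RULES_FILE"
}

# Show what is actually loaded, including interface matches and rule numbers,
# which plain "iptables -L" hides.
show_rules() {
    iptables -L INPUT -v -n --line-numbers
}

# Root-free sanity check on the generated text: the LAN REJECT must come after
# the SSH ACCEPT, otherwise it shadows the SSH and web rules for LAN clients.
check_order() {
    reject_line=$(gen_rules | grep -n -- '-j REJECT' | head -1 | cut -d: -f1)
    ssh_line=$(gen_rules | grep -n -- '--dport 22' | head -1 | cut -d: -f1)
    [ "$reject_line" -gt "$ssh_line" ]
}
```

Run apply_rules as root at boot (before the interfaces come up, as suggested above) or from the same place ufw/gufw would otherwise be started; do not run both, since each will replace the other's table. check_order needs no privileges and is the kind of check worth keeping next to the rules file so a reordering mistake is caught before it locks anyone out.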