I am totally at a loss. Maybe I should post this in the Security forum.
I'm on Stretch running skolinux.
I have installed iptables as well as netfilter-persistent. I have blocked ipv6 elsewhere (net....settings). When the rules are loaded:
$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
DROP tcp -- anywhere anywhere state INVALID
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp -- anywhere anywhere tcp dpt:auth reject-with tcp-reset
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ns,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere multiport dports loc-srv,netbios-ns,netbios-ssn,microsoft-ds
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ns,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere multiport dports loc-srv,netbios-ns,netbios-ssn,microsoft-ds
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:auth state RELATED
That looks fine. I can get those rules loaded via
$ sudo iptables-restore < /etc/iptables/rules.v4
But after a few minutes I see I am wide open:
$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
and have to manually run:
$ sudo iptables-restore < /etc/iptables/rules.v4
again.
This changing state of iptables rules is constant.
This is just a desktop system. I may or may not need a firewall setup but I prefer to have it. I have also been using fcheck, maldet, clamav, rkhunter and chkrootkit and haven't seen a specific compromise.
The only reason that I am using skolinux (or debianEdu) is that I wanted to try it out and assumed I could revert back to simple xfce desktop. I don't get that option when I am at the login screen.
I am clueless what is causing rules that were loaded to get changed every few minutes. Is there some errant process doing it?
I see that the actual program is xtables-multi and I question the permissions:
0 lrwxrwxrwx 1 root root 7 Nov 24 01:22 ip -> /bin/ip
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 ip6tables -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 ip6tables-restore -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 ip6tables-save -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 iptables -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 iptables-restore -> xtables-multi
0 lrwxrwxrwx 1 root root 13 Apr 12 2017 iptables-save -> xtables-multi
Any input appreciated.
In general, this OS has been good, very solid and snappy. It boots in about 23 seconds.
$ systemd-analyze critical-chain
graphical.target @23.791s
└─multi-user.target @23.791s
└─wicd.service @13.310s +10.480s
└─dbus.service @12.438s
└─basic.target @12.334s
└─sockets.target @12.334s
└─dnscrypt-proxy.socket @12.334s
└─sysinit.target @12.333s
└─systemd-timesyncd.service @11.964s +368ms
└─systemd-tmpfiles-setup.service @11.321s +582ms
└─local-fs.target @11.319s
└─boot-efi.mount @10.955s +363ms
└─systemd-fsck@dev-disk-by\blahblahblah.service @9.462s +1.455s
└─dev-disk-by\blahblahblee;-).device @9.460s
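The post's question is whether some process is rewriting the rules every few minutes. The following watcher is an added example, not code from the original post or from Debian/skolinux: it snapshots the loaded rule set with iptables-save, normalizes away the per-dump timestamp comments and packet counters so that only real rule changes register, logs when the set changes (including when INPUT drops to zero rules, the "wide open" state shown above), and saves the process list at that moment so the change can be matched against a cron job, network hook or service. It assumes it runs as root with iptables-save, cksum, logger and procps ps on PATH; the snapshot directory, the interval and the sample dump are invented for the example.

```shell
#!/bin/sh
# fw-watch.sh: added example for finding out when and by whom the iptables
# rule set changes.  Not part of the original post.  Assumptions: run as root,
# iptables-save/cksum/logger/procps ps available; SNAP_DIR and INTERVAL are
# invented defaults.
SNAP_DIR="${SNAP_DIR:-/var/tmp/fw-watch}"
INTERVAL="${INTERVAL:-30}"   # seconds between checks (assumed value)

# Constructed sample of an iptables-save dump, used only for demonstration.
# Counters in "[pkts:bytes]" and the dated "#" lines change between dumps of
# the very same rules, so they must be ignored when comparing.
SAMPLE_DUMP='# Generated by iptables-save v1.6.0 on Mon Nov 26 10:00:00 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[12:480] -A INPUT -p tcp -m state --state INVALID -j DROP
[0:0] -A INPUT -j DROP
[3:120] -A OUTPUT -p tcp -m tcp --sport 113 -m state --state RELATED -j ACCEPT
COMMIT
# Completed on Mon Nov 26 10:00:00 2018'

# normalize_rules: read a dump on stdin, drop "#" comment lines and the
# leading "[pkts:bytes] " counter prefix, leaving only chain and rule lines.
normalize_rules() {
    sed -e '/^#/d' -e 's/^\[[0-9]*:[0-9]*\] //'
}

# count_chain_rules CHAIN: number of rules appended to CHAIN in the dump on
# stdin.  Zero for INPUT is exactly the emptied state the post shows.
count_chain_rules() {
    normalize_rules | grep -c "^-A $1 " || true
}

# rules_fingerprint: a checksum of the normalized dump on stdin that stays
# the same while the rules stay the same, whatever the counters say.
rules_fingerprint() {
    normalize_rules | cksum | cut -d' ' -f1
}

# check_once: compare the live rule set with the previous snapshot.  Returns
# 0 when unchanged; on a change writes a diff and a process list (youngest
# processes first, so a helper that just ran is near the top) and returns 1.
check_once() {
    mkdir -p "$SNAP_DIR"
    iptables-save | normalize_rules > "$SNAP_DIR/current"
    if [ -f "$SNAP_DIR/last" ] && ! cmp -s "$SNAP_DIR/last" "$SNAP_DIR/current"; then
        stamp=$(date +%Y%m%d-%H%M%S)
        n=$(count_chain_rules INPUT < "$SNAP_DIR/current")
        logger -t fw-watch "iptables rule set changed; INPUT now has $n rules; see $SNAP_DIR/$stamp.*"
        diff "$SNAP_DIR/last" "$SNAP_DIR/current" > "$SNAP_DIR/$stamp.diff" || true
        ps -eo pid,ppid,etimes,user,args --sort=etimes > "$SNAP_DIR/$stamp.ps"
        mv "$SNAP_DIR/current" "$SNAP_DIR/last"
        return 1
    fi
    mv "$SNAP_DIR/current" "$SNAP_DIR/last"
    return 0
}

# Usage: "sudo sh fw-watch.sh loop" to poll, or put
# "sh fw-watch.sh once" in a cron entry; with no argument nothing runs.
case "${1:-}" in
    once) check_once ;;
    loop) while :; do check_once; sleep "$INTERVAL"; done ;;
esac
```

When the change is caught, the saved `.ps` file lists the processes that were running at that moment; a short `etimes` value next to something like a networking hook, a firewall front end or a cron child is the usual culprit, and the `.diff` shows whether the rules were flushed entirely or merely rewritten.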