LinuxQuestions.org

Slackware forum thread: https://www.linuxquestions.org/questions/slackware-14/iptables-with-iptables-firewall-conf-arnos-112905/

matt3333 11-05-2003 11:07 PM

Iptables with iptables-firewall.conf arno's
 
OK, what I'm having trouble with is iptables-firewall by Arno. Anyway, I downloaded this and installed it and followed his directions, and then opened the manual page for it, and I still couldn't find out how to block certain ports. It says that all ports are blocked by default, but I did nmap localhost and all the ports that shouldn't be are open, such as:

21, 22, 111, 37, 57, etc., like all of them. The only major ones I'm worried about are finger, SSH and FTP, because I was looking in the proftpd.log file and I noticed that someone was trying to log on. I guess they weren't too successful because they couldn't find a valid user, but it says "ftp session opened". I went into /etc/iptables-firewall.conf and edited that; I made sure under block_tcp I put ports 20, 21, 22. Then I did /etc/rc.d/rc.iptables restart so it would flush all the rules and bring them back up, but I guess I did it wrong, because I tried nmap localhost and I still got the same response with all these ports open. Any suggestions?? Thanks


Matt3333

Hangdog42 11-06-2003 07:34 AM

I may be wrong about this, but I think that if you are running nmap on the machine you're scanning (nmap localhost), you're going to get a different answer than if you scanned your machine from the outside. The reason I think this way is that most iptables rule sets have a line that allows localhost complete access to itself. So something like:

iptables -A INPUT -i lo -j ACCEPT

So all the fancy rules about blocking various ports look like they don't work because the nmap packets match the localhost rule.

Now if you are scanning your firewall from another computer and it is showing blocked ports as being open, THEN you've got a problem.

Azmeen 11-06-2003 07:49 AM

Hangdog is right, most sane iptables rulesets would allow localhost connections to do whatever they like.

tireseas 11-06-2003 03:03 PM

Matt3333:
I also use Arno's iptables on my Slack box. I'm a sole home user - no network, services, etc. - which enables me to stealth all ports and disable/uninstall services. A firewall is, I think, only one part of the solution to security. I'd suggest that you seriously weigh up which services you need and which you don't. That depends obviously on your usage.
1. Please post more details about your installation (e.g. full/newbie or customised), what you have changed from the vanilla install - if anything - and your usage needs. It's hard to know much about anything without some specs.
2. Strong recommendation that you try to google on "arno's iptables" - I found over four pages on that search string :) Anyway, my personal recommendation is Jay's great site at http://simplylinux.punted.net (parent) or more specifically for Arno's iptables go to http://simplylinux.punted.net/Usingiptables.html .
3. Read the rest of Jay's material and let him know if you like it. He's put a lot of effort into it and it was a great resource for me.
Good luck

- Andy

Azmeen 11-06-2003 05:32 PM

You might also want to look at other iptables configs... one that I've found here on LQ is this excellent one by marcus.

matt3333 11-06-2003 09:32 PM

OK, thanks Hangdog42 for your help. I ended up just asking a friend to do a port scan for me, and guess what, they were all blocked!!!

OK tireseas, hmm, I use FTP and SSH and I'm running an httpd server, so I would need them open. With this, if I need to use FTP I just have to shut down iptables and boom, it's usable, same with SSH, I'm hoping. I haven't tried this theory out yet, but I think it will work, hehe. Anyway.

Azmeen, I have a few questions about this script. First of all, what do I have to do to use this? Meaning, would I have to delete or remove Arno's firewall??? Or just change rc.iptables?? Second of all, I have cable. I don't know if I'm totally out of it, but I think I noticed "lo", meaning like phone line I think; would I change that to eth0??? Also, do I need the proxy scan in there, and what's the unix scan??? Sorry about all the questions??
Thanks for the replies


Matt3333

Azmeen 11-07-2003 02:03 AM

Quote:

Originally posted by matt3333
Azmeen, I have a few questions about this script. First of all, what do I have to do to use this? Meaning, would I have to delete or remove Arno's firewall??? Or just change rc.iptables?? Second of all, I have cable. I don't know if I'm totally out of it, but I think I noticed "lo", meaning like phone line I think; would I change that to eth0??? Also, do I need the proxy scan in there, and what's the unix scan??? Sorry about all the questions??
Thanks for the replies


Matt3333

First of all, I don't use arno's and I don't know whether it's a complete ruleset or some sort of rule generator.

What I do know about markus' script is that you can stick it in a text file, save it as rc.firewall and chmod +x it... and bam, you have a full-fledged and stable firewall... with some minor tweaking, it'll be perfect.

lo does not mean phone line... it's local connection... loopback to be precise. You shouldn't block loopback connections unless you want to see your whole network setting go down the drain.

If you look closely, you can see that eth0 is inside the script... actually you need not bother about that at all, just enable/disable the services you need/don't need.

kahpeetan 11-07-2003 02:12 AM

Well, I don't know much about Arno's, but you could set this rule at the top of your INPUT chain (and in my opinion this is what happened):

You have a rule like

iptables -I INPUT -j DROP

to make your firewall a mostly closed system by default. Now when you use nmap on another computer to scan, what was probably happening is your box was dropping all the connection requests without sending a RST (tcp-reset) packet. So nmap was waiting, and since no reset packet was received it assumed the port was "open" (which is typical of Linux).

matt3333 11-07-2003 07:03 AM

OK, sorry Azmeen, I mixed you and tireseas up, sorry guys. Thanks kahpeetan, I think I either understand more or am just more confused, but I think I know what's going on.

One more question: which firewall should I use??? I'm all confused now. Should I stick with Arno's or drop it and go to markus's script? Which would benefit me most?? I was thinking that if I went to markus's script I could try to play with iptables and actually learn what does what. Am I just totally out of it again?? Or would this not work, hehe? Anyway, thanks for your help!!!


matt3333

Hangdog42 11-07-2003 07:35 AM

Quote:

I'm all confused now. Should I stick with Arno's or drop it and go to markus's script? Which would benefit me most??
My 2 cents:

Scripts like arno's or markus's are very fine pieces of work, BUT they do tend to be complicated beasties because of the number of things they are trying to do and that can get in the way of learning what iptables is doing. Personally, I prefer a simple approach of setting all your table defaults to DROP, then adding as few rules as needed to open the ports you want. Toss in some state matching so ESTABLISHED and RELATED packets are accepted on the INPUT chain and NEW, ESTABLISHED and RELATED packets are accepted on the OUTPUT chain and top it off by accepting everything on loopback. Bingo, a simple, reasonably secure firewall. Then you can sit back and take the time to understand what markus has written and add the rules you want.

Of course don't stop there. If someone was probing your FTP port, you're gonna want to have the stuff you need to watch for future attempts. Look into an intrusion detection system like Snort and add a file monitor like Aide. And be sure to shut down ALL services you aren't using. I mean really, who needs finger running on their personal box? It's just a security breach waiting to happen.

matt3333 11-07-2003 10:12 AM

OK, thanks Hangdog42. I'm really a real newbie to iptables. How should I start off a project like this?? Should I start off bare?? Or should I just find another one??? I don't know. And about Snort, where would I download this?? What's the website for this or any other good program? Thanks for your help!!!


Matt3333

Hangdog42 11-07-2003 01:22 PM

Quote:

How should i start off a project like this??
That's really up to you. Do you want to learn iptables? Then the iptables tutorial is a great place to start. If you just want a solid firewall, and you don't care about the details, then arno's or markus's scripts are great. Or you could use a graphical front end like firestarter.

The simplest useful script I can think of would be this:

# Default policies: anything not explicitly accepted below is dropped
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Loopback is trusted in both directions (OUTPUT matches on -o, not -i)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Accept replies to connections this machine started, and let it start new ones
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Basically this restricts traffic to that originating within the machine. In other words, anyone trying to get in from the outside would be dropped.

Now if you want to act as a server for something like SSH or Apache, you'll need to open those ports like this

iptables -A INPUT -p tcp --dport 22 -j ACCEPT  # Accepts ssh traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT  # Accepts httpd traffic

Just remember that the chains are executed in order and the packet is handled according to the first chain it matches.

My own firewall isn't much more complicated than this. Scripts like markus's really do a much more thorough job of examining a packet and coming up with a more specific reason for accepting or dropping it. Personally, I didn't feel I needed that level of detail, so I kept mine simple.

As for the other programs, probably the best place to find info is right here at LQ in the Security forum. unSpawn has done a tremendous job at gathering links and explanations together and you'll find the links to programs like Snort or Aide there.

kahpeetan 11-09-2003 10:13 PM

I have heard of incidents where your loopback or localhost address can be spoofed. So as a super-paranoid check, you could add the following rules to your iptables too (if you have enabled lo):

# -s takes an address, not an interface name: 127.0.0.0/8 is the whole loopback range
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.1 -j DROP

** replacing ppp0 with your internet interface

snort can be had at www.snort.org
just click and download the pre-compiled binaries
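The two posts above (Hangdog42's default-deny skeleton and kahpeetan's loopback anti-spoof rule) can be combined into one small generator. The script below is an added example, not code from this thread, from Arno's package or from markus's rc.firewall: it writes the ruleset in iptables-restore format to stdout, so generating it needs no root and nothing is loaded until you pipe it into iptables-restore. The interface name eth0 and the ports 22 and 80 are assumptions; change WAN_IF and TCP_PORTS to fit your box.

```shell
#!/bin/sh
# Generate a default-deny iptables ruleset (iptables-restore syntax).
# Assumptions, not taken from the thread: WAN_IF is the Internet-facing
# interface and TCP_PORTS lists the services exposed to the outside.
WAN_IF="${WAN_IF:-eth0}"
TCP_PORTS="${TCP_PORTS:-22 80}"

# gen_rules IFACE PORT... : print the complete filter table to stdout.
gen_rules() {
    wan="$1"
    shift
    printf '%s\n' '*filter'
    # Default policies: anything not accepted by a rule below is dropped.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Anti-spoof: a packet from the Internet with a loopback source is bogus.
    printf '%s\n' "-A INPUT -i $wan -s 127.0.0.0/8 -j DROP"
    # Loopback is trusted. This rule is why "nmap localhost" shows every
    # port as open: those probes never touch the rules below it.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # Replies to connections this host started; malformed state is dropped.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Exposed services: one rule per port, new connections only, WAN side only.
    for p in "$@"; do
        printf '%s\n' "-A INPUT -i $wan -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Let the host itself open outbound connections.
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# port_rule_count PORT : how many INPUT rules open that TCP port (0 = closed).
port_rule_count() {
    gen_rules "$WAN_IF" $TCP_PORTS | grep -c -- "--dport $1 "
}

# Stand-alone use: print the ruleset so it can be inspected before loading.
gen_rules "$WAN_IF" $TCP_PORTS
```

Usage: `sh genrules.sh > /etc/iptables.rules` then, as root, `iptables-restore < /etc/iptables.rules`. iptables-restore replaces the whole table atomically, which avoids the window during an rc.iptables restart where the old rules are flushed and the new ones are not yet in place. Because of the loopback ACCEPT, verify the result from another machine (`nmap -sS your.host`), exactly as the thread concludes; a scan from localhost will always look wide open.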

kennedy01 06-10-2004 09:37 AM

Another strong IPTABLES config
 
Thought this might be useful as it worked GREAT for my install.

http://www.e-infomax.com/ipmasq/howt...2.4.X-STRONGER

It's an IPTABLES strong firewall for 2.4.x

dingo_aus 06-26-2004 06:22 PM

I'm just a newbie, but if you are too, then I suggest http://www.simonzone.com/software/guarddog/ for a great, easy to use firewall configurator.
