Slackware: This forum is for the discussion of Slackware Linux.
Sorry if this has already been mentioned before, I didn't feel like reading through all 17 pages of posts. But your guide suggests you use 'nmap localhost' to find out what ports you have open. Although this does work, a better way would be to use the following command:
Code:
netstat -tpan
Not only will this show you the ports that are open, it will show you what interface(s) it's listening on, if it's an established or just listening connection, and most important of all, it will show you the process ID/name of the program that is bound to that listening port.
If there is a funky port open that I haven't already memorized, let's say port 37 for example, the fastest way to figure out what exactly that port is used for is to type in the following command:
Code:
grep "37/tcp" /etc/services
The 'services' file is basically a 1:1 map of port numbers to their common name. From this command I would be able to figure out that it's used for time servers and thus not needed.
Lastly, you recommend buying a router to allow multiple computers to share the internet and act like a "firewall." I put firewall in quotes because really it's not a firewall, it's just a byproduct of Network Address Translation (NAT). A "true" firewall will allow stateful packet inspection, packet mangling etc. Now although a router will do a decent job, if we are going to make our Slackware box into a web and mail server, heck why not make it into a rock solid firewall that will blow any router out of the water using the 100% free 'iptables'. With one extra Network Interface Card (NIC), a switch (could even use a router and just turn off everything), and a program called 'ipkungfu' which you can get at http://www.linuxkungfu.org you've got yourself one beast of a firewall. While you're at it, you can set up dhcpd and become your own DHCP server and only lease out IPs to known MAC addresses!
As you can probably guess I'm pretty big into security and I've never come across a more robust, full-of-options, easy-to-configure firewall script than ipkungfu. I plan to write a howto on how to turn your Linux machine into a firewall/gateway and I might just toss in a dhcpd server for the fun of it. Feel free to incorporate these into your site as you see fit.
Three comments: To the netstat -natp command, I'd like to add lsof -i; it's also very handy. Another iptables script - or "ruleset generator" - is quicktables. The DI-604 router we discussed above does stateful packet inspection, but since it's basically a black box, you really don't know what it's doing.
Thanks guys. That stuff is great. I just tried out all the commands you guys gave, and they work great. The only one I would change at all is:
Code:
grep " 37/tcp" /etc/services
Instead of:
Code:
grep "37/tcp" /etc/services
That's just me being silly, though. All that does is get rid of the extra results that end in *37.
I've been very busy lately, but I do have some plans for some big changes/additions to the site (and of course this thread). One of the things that I've been saying for a while is that I'd like to add more on security, so this is exactly the kind of thing I've been looking for.
SiegeX - I agree that, "heck why not make it into a rock solid firewall." I'm not very sharp when it comes to the use of iptables. I'm wondering this: is it possible to leave the current router/"firewall" in place and implement iptables also, essentially "doubling up"? This would be great, if possible. That way, I would be able to add a section on this further down in my guide. That way, people (meaning me) would be able to get their servers up and running, test them out, implement iptables, and verify that iptables wasn't the cause of their server not working. Does this sound right?
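As an added example (not from this thread), here is a small Python lookup that does what SiegeX's grep and Shilo's space-anchored version are after, run over a constructed excerpt in /etc/services format. It also shows the caveat that a leading-space anchor finds nothing when the file is tab-separated, while a bare substring match over-matches ports like 137.

```python
# Added example, not from the thread: exact port/protocol lookup in the
# /etc/services format, next to what a plain substring grep would return.

# Constructed excerpt in /etc/services format (tab-separated, with aliases)
SAMPLE_SERVICES = """\
# name\tport/proto\taliases
time\t37/tcp\ttimserver
time\t37/udp\ttimserver
netbios-ns\t137/tcp
netbios-ns\t137/udp
http\t80/tcp\twww www-http
ssh\t22/tcp
"""

def parse_services(text):
    """Map 'port/proto' -> (name, [aliases]); comments and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments, full-line or trailing
        if not line:
            continue
        fields = line.split()                  # any run of spaces or tabs
        name, portproto, aliases = fields[0], fields[1], fields[2:]
        table[portproto] = (name, aliases)
    return table

def lookup(table, port, proto="tcp"):
    """Exact match on port/proto: the question the grep is trying to answer."""
    return table.get(f"{port}/{proto}")

def substring_hits(text, needle):
    """Every non-comment line containing needle, i.e. what 'grep needle' prints."""
    return [l for l in text.splitlines() if needle in l and not l.startswith("#")]
```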
Security, yes. There was the SAStk for Slackware, but it seems not to have been upgraded since 2002, which is a pity. On the other hand, this Jeffrey Denton, who seems to be its lead developer, has some stuff on his Slackware page. The system hardening page gives good advice. I have written a hardening script myself, following the tips of CERT's UNIX Security checklist. Of course, all of this can be found on the Security references thread that unSpawn has written in the Security forum.
About the "doubling up"; I'm not sure I understand what you mean, but of course both a router and an iptables firewall can be used at the same time.
<EDIT>
Oh yes, have a look at the articles at hackinglinuxexposed.com too! Concerning firewalls, there is this, this and this article. Here is an expanded version of the latter.
</EDIT>
Wow!!! Thanks Bebo. It looks like I'm gonna be busy reading for a while. I really gotta pick up the pace on my website revisions so I can start adding some new stuff like this. Just glancing through the articles that you posted, I already see that I am going to need to A) revise some of the sections that I have and B) add some new sections.
As far as doubling up goes, yes you can do what I call a nested NAT, basically:
Modem => Router's NAT (192.168.0.0/24) => Linux NAT ( 10.0.0.0/8)
But to tell you the truth, if you have your Linux firewall set up properly, there really is no reason to do it and it just unnecessarily complicates things. For those of you who already have a hardware router (be it Linksys, D-Link, Netgear etc.) then you can actually use that as the switch and you only need to buy an extra NIC for a total of two in your Linux box. In case you didn't know, all the hardware routers you buy on the shelves are nothing more than a 4-port switch with an embedded OS that oftentimes runs a stripped-down Linux kernel using iptables! I currently own a wireless Linksys router, and all I do is plug my DSL modem into the first NIC on my Linux box, then plug the second NIC into port 1 of the router and my other computers into ports 2, 3 and 4. I then give the router a new LAN IP address, usually 192.168.1.254, so that I can use 192.168.1.1 for the LAN interface on my Linux box. I also turn off DHCP because I use Linux to do that as well, and then I have myself a wireless 4-port switch. By the way, you don't have to change the router's IP, but by convention the first IP of the subnet (192.168.1.1 in this case) is generally the gateway, which is now your Linux box.
As far as learning iptables goes, it's definitely a good idea to learn some of its basic syntax; some rules can get quite complicated, especially if you are doing stuff in the NAT table. Again my best recommendation is still IPkungfu from www.linuxkungfu.org, and trust me I've done my share of testing of many, many iptables scripts. The nice thing about IPKungfu is that it's not just one huge linear series of questions; it actually breaks down all the abilities of iptables into separate .conf files: forwarding, redirecting, deny hosts, allow hosts, virtual servers to name a few. And if that wasn't cool enough, the syntax you use to do a rule in the .conf files is WAY easier than the actual syntax of the iptables rule it creates. For example:
iptables syntax to forward port 8080 from WAN IP 123.123.123.123 to port 80 of LAN IP 192.168.1.7
I'll admit I am a bit biased towards IPkungfu because after seeing how kick-ass it was, I contacted the author and I'm currently working on adding features to it. Right now I've got a working mod that I'm testing that will detect a port-scan to your box and report to the attacker that ALL your ports (yes, all 65,536) are open even though you may only have 3 or 4. By doing this, the attacker has no way to determine *in an easy manner* which ports are really open and which ports it lied about. Hopefully it will be included in the next version of IPkungfu, which is 0.60. I'm currently working on a way to have it randomly choose ports that are open; this way the response looks more real and is even more confusing because the open ports change every scan!
I just remembered something about Brian Hatch's Ten minute host firewall that I linked to above. It says that one can use an iptables rule like this
Code:
iptables -A INPUT -p tcp ! --syn -j ACCEPT
to block incoming connections. He says
Quote:
No machines can connect to your machine with TCP, but you can make outbound connections and the associated packets will be allowed back in. You can't be a server (no SSH to your machine, for example) but all outbound TCP stuff should work fairly well.
I'd say that this rule is not good enough, since it assumes that all packets which do not have the SYN bit set are packets that should be let through. So what happens then when someone uses nmap to scan your computer and uses any of those scans which are not the stealth (-sS) or the connection (-sT) scan, for instance the ACK or FIN scan? Those packets are let through!
Instead one should use
Code:
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
to let packets through which you have requested, for instance when surfing or ssh'ing to some remote computer. If you want to be able to ssh to your computer, or want to allow other people to access something on your computer, you should instead use something like
Code:
iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT
This rule of course applies to new ssh requests (port 22!), but you can use --dport 80 for your web server. This way, the incoming connection is allowed in if it is NEW, if it has the SYN bit set properly, and is coming to a specific port. Being specific is always good in these contexts. It is even better if you can also be specific about which IPs are allowed to establish connections to your box - like this:
Code:
iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --source 192.168.23.58 --dport 22 -j ACCEPT
When the connection has been established, the connection is no longer NEW, but instead ESTABLISHED, so the first rule is applied instead.
So, in summary, the INPUT chain may look like this:
Code:
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --source 192.168.23.58 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --syn -m state --state NEW --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -j DROP
The last DROP rule is redundant (the policy is enough for this), but, well, whatever.
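As an added example (not from the thread, and not from any of the scripts it mentions), this Python toy evaluator runs constructed packets through the summary INPUT chain above and through the single '! --syn' rule, to show which of them lets an unsolicited ACK probe in. The 'state' field is an assumption standing in for what conntrack would report; the flag logic follows the iptables --syn match (SYN set, ACK/RST/FIN clear).

```python
# Added example, not from the thread: first-match evaluation of two INPUT chains.
def rule(**match):
    """A rule is its match criteria plus a 'target' (ACCEPT or DROP)."""
    return match

def matches(r, p):
    for key, want in r.items():
        if key == "target":
            continue
        if key == "syn":                  # --syn (True) or ! --syn (False)
            if p["syn_only"] != want:
                return False
        elif key == "state":              # -m state --state A,B
            if p["state"] not in want:
                return False
        elif p.get(key) != want:          # -i / -p / --source / --dport
            return False
    return True

def evaluate(chain, p, policy="DROP"):
    """First matching rule decides, as in iptables; otherwise the chain policy."""
    for r in chain:
        if matches(r, p):
            return r["target"]
    return policy

# Bebo's summary INPUT chain, rule for rule ('iptables -P INPUT DROP' is the policy)
STATEFUL = [
    rule(iface="lo", target="ACCEPT"),
    rule(iface="eth0", state={"ESTABLISHED", "RELATED"}, target="ACCEPT"),
    rule(iface="eth0", proto="tcp", syn=True, state={"NEW"},
         src="192.168.23.58", dport=22, target="ACCEPT"),
    rule(iface="eth0", proto="tcp", syn=True, state={"NEW"}, dport=80, target="ACCEPT"),
    rule(iface="eth0", target="DROP"),
]
# The ten-minute-firewall rule on its own: anything that is not a bare SYN is let in
NOSYN = [rule(proto="tcp", syn=False, target="ACCEPT")]

def packet(**f):
    """Constructed packet. Unsolicited ACK/FIN probes are assumed (worst case) to be
    reported as NEW by conntrack, so only the --syn check in a rule can stop them."""
    p = dict(iface="eth0", proto="tcp", syn_only=False, state="NEW",
             src="203.0.113.9", dport=22)   # 203.0.113.0/24 is documentation space
    p.update(f)
    return p

ACK_PROBE = packet()                                   # nmap -sA style probe to port 22
SSH_FROM_ADMIN = packet(syn_only=True, src="192.168.23.58")
SSH_FROM_ELSEWHERE = packet(syn_only=True)
REPLY_TO_OUR_REQUEST = packet(state="ESTABLISHED", dport=40000)
```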
I have just installed Slackware 10.0 again to give it another try. I have run into one problem since my fresh full install, and that is the fact that when I type xf86config in the console it says:
Slackware 10 no longer uses XFree86; it uses X.org now, which is a fork of XFree86. Basically a big license fiasco went down, now everybody is pissed off and said no problem, screw you XFree86, we will use X.org. XFree86 really shot themselves in the foot this time because most if not all major distros have dropped them for X.org.
OK, thanks. I will just have to look at my xorg.conf file and see what I can edit in it to get things working properly for my nvidia drivers and also for my scrolling on my mouse, unless someone can please tell me so I don't have to worry about messing things up.
Go to the very first post in this thread; Shilo then gives a link to his webpage. One of the buttons on the left tells how to set up mouse scrolling, another button tells how to set up Nvidia drivers.
OK, I got swaret all installed and even edited my swaret.conf file but keep getting this failure when trying to run swaret --update.
swaret 1.6.2-1
[ ftp://ftp.nluug.nl/pub/os/Linux/dist...ckware-current ]
### Fetching CHECKSUMS List File... DONE!
FILELIST List File is up-to-date!
Packages Descriptions up-to-date!
Extra Packages Descriptions up-to-date!
ChangeLog up-to-date!
[ ftp://ftp.linuxpackages.net/pub/Slackware-10.0 ]
### Fetching 'LinuxPackagesDOTNET' CHECKSUMS List File... FAILED!
### Fetching 'LinuxPackagesDOTNET' FILELIST List File... FAILED!
### Fetching 'LinuxPackagesDOTNET' PACKAGES List File for Packages... FAILED!
Any ideas and help would be great. I have tried changing the ftp location back to 9.1 and that still failed, so I turned it back to 10.0. I am at a loss.
In my experience, it's not very uncommon to have troubles downloading LinuxPackages' package info. I think the "default" mirror is having a hard time coping with all the download requests. Try using another mirror; they're listed here: http://www.linuxpackages.net/mirrors.php
However, for upgrading your Slack install, it's not necessary to use a LinuxPackages repository. If you just want to upgrade the "ordinary" Slack packages on your box, then just disable LinuxPackages in /etc/swaret.conf.