View previous topic :: View next topic |
Author |
Message |
rajendra82 n00b
Joined: 04 Aug 2002 Posts: 46
|
Posted: Thu Aug 29, 2002 3:42 am Post subject: Configuring iptables |
|
|
I am a linux newbie but I wanted to get my system running with a firewall setup so I went with the script located at
http://projectfiles.com/firewall/rc.firewall
Here is the code listing:
Code: | #!/bin/bash
#
# rc.firewall version 2.0rc4 -- 08/07/02
# http://projectfiles.com/firewall/
# By Scott Bartlett <srb@mnsolutions.com>
#
# This software may be used and distributed according to the terms of the GNU
# General Public License (GPL) provided credit is given to the original author.
#
# NOTE: All lists are delimited by single spaces, eg "eth0 eth1 ppp0".
#
###############################
# -- Configuration Section -- #
###############################
# Ports listed here will be open to ANY connecting host. Protocols 'tcp' and
# 'udp' can be optionally specified. If no protocol is specified, then
# connections using either protocols will be accepted on the given port or port
# range. Use the format: <port-number or port-range>[/<protocol>]
# Example: OPEN_PORTS="80/tcp 53 2400-2500/tcp"
OPEN_PORTS=""
# Listing internal (private) interfaces here will allow this machine to act as a
# router. All interfaces NOT listed here are considered external (public)
# and will be automatically protected by the firewall. IP aliases are permitted.
# Example: INTERNAL_INTERFACES="eth1 eth2"
INTERNAL_INTERFACES=""
# If you have internal interfaces or are using port forwards, then list dial-up
# interfaces (or any other interface that is not always connected/online)
# here. Again, this setting is only required you have INTERNAL_INTERFACES
# or PORT_FORWARDS. Note: Interfaces configured to obtain an IP address
# automatically (DHCP), do not need to be listed here as the DHCP client will
# requests the same address each time it renews the lease.
# Example: DYNAMIC_INTERFACES="ppp0"
DYNAMIC_INTERFACES=""
# Most users do not need to change anything below this point.
########################################
# -- Advanced Configuration Section -- #
########################################
# ** DO NOT ** modify anything below unless you know what you are doing!!
# See online documentation at: http://projectfiles.com/firewall/config.html
TRUSTED_NETWORKS=""
PORT_FORWARDS=""
PORT_FWD_ALL="yes"
PORT_FWD_ROUTED_NETWORKS="yes"
ADDITIONAL_ROUTED_NETWORKS=""
TRUST_ROUTED_NETWORKS="yes"
NO_RP_FILTER_INTERFACES=""
NAT_EXTERNAL="yes"
ADDITIONAL_NAT_INTERFACES=""
INTERNAL_DHCP="yes"
RFC_1122_COMPLIANT="yes"
LOGGING="no"
###########################################################
# -- Nothing below this point should need modification -- #
###########################################################
# Set version information.
VERSION="2.0rc4"
# Welcome!
echo "-> Projectfiles.com rc.firewall version $VERSION running."
# Set PATH explicity.
export PATH="/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin"
# Add SysV style initialization support (ignore everything except 'stop' and 'clear').
if [ "$1" == "stop" ] || [ "$1" == "clear" ]; then
iptables -t filter -F > /dev/null 2>&1
iptables -t filter -X > /dev/null 2>&1
iptables -t nat -F > /dev/null 2>&1
iptables -t nat -X > /dev/null 2>&1
iptables -t mangle -F > /dev/null 2>&1
iptables -t mangle -X > /dev/null 2>&1
iptables -t filter -P INPUT ACCEPT > /dev/null 2>&1
iptables -t filter -P OUTPUT ACCEPT > /dev/null 2>&1
iptables -t filter -P FORWARD ACCEPT > /dev/null 2>&1
iptables -t nat -P PREROUTING ACCEPT > /dev/null 2>&1
iptables -t nat -P POSTROUTING ACCEPT > /dev/null 2>&1
iptables -t nat -P OUTPUT ACCEPT > /dev/null 2>&1
iptables -t mangle -P POSTROUTING ACCEPT > /dev/null 2>&1
iptables -t mangle -P OUTPUT ACCEPT > /dev/null 2>&1
iptables -t mangle -P PREROUTING ACCEPT > /dev/null 2>&1
iptables -t mangle -P INPUT ACCEPT > /dev/null 2>&1
iptables -t mangle -P FORWARD ACCEPT > /dev/null 2>&1
echo "-> Firewall disabled."
exit
fi
if [ "$1" == "loadconfig" ]; then
echo "-> Using data from /etc/firewall.conf instead of current configuration data."
fi
# Define exit/failure function.
exit_failure() {
echo " [ FAILED ]"
echo "-> FATAL: $FAILURE"
echo "-> Firewall configuration ** ABORTED **."
exit 1
}
# Sanity checking section
echo -n "-> Performing sanity checks"
# Make sure we are running the script with root privileges.
if [ "$EUID" != "0" ]; then
FAILURE="You must have root privileges to configure the firewall."
exit_failure
fi
# Use configuration data from /etc/firewall.conf if requested.
if [ "$1" == "loadconfig" ]; then
if [ -r /etc/firewall.conf ]; then
if (( `head -1 /etc/firewall.conf | grep -c \
"# Linux Firewall configuration backup -- http://projectfiles.com/firewall/"` )); then
COMPATIBLE_VERSIONS="2.0rc4"
if (( $(echo "$COMPATIBLE_VERSIONS" | grep -c `head -3 /etc/firewall.conf | tail -1 | cut -d\" -f2`) )); then
. /etc/firewall.conf
else
FAILURE="/etc/firewall.conf is too outdated. Please configure the options at the beginning of rc.firewall and recreate the file."
exit_failure
fi
else
FAILURE="The file /etc/firewall.conf does not appear to associated with this program. Refusing to load data."
exit_failure
fi
else
FAILURE="Cannot read from /etc/firewall.conf. Did you forget to back up your configuration data or has the file been moved?"
exit_failure
fi
fi
# Save selected variable settings if we are going to back up our configuration.
if [ "$1" == "saveconfig" ] || [ "$1" == "writeconfig" ]; then
ORIG_OPEN_PORTS="$OPEN_PORTS"
ORIG_TRUSTED_NETWORKS="$TRUSTED_NETWORKS"
fi
# Determine if we are a router.
if [ -n "$INTERNAL_INTERFACES" ] || [ -n "$PORT_FORWARDS" ]; then
IS_ROUTER="yes"
fi
# That was easy, now santity check trusted networks.
if [ -n "$TRUSTED_NETWORKS" ]; then
for NETWORK in $TRUSTED_NETWORKS; do
NET=`echo "$NETWORK:" | cut -d: -f1`
MOD_PORTS=`echo "$NETWORK:" | cut -d: -f2`
if (( `echo "$NETWORK:" | cut -d: -f3 | grep -c "."` )); then
FAILURE="Syntax error in TRUSTED_NETWORKS definition."
exit_failure
fi
HOST=`echo "$NET/" | cut -d/ -f1`
MASK=`echo "$NET/" | cut -d/ -f2` # Optional: Netfilter assumes /32 if not defined.
if (( `echo "$NET/" | cut -d/ -f3 | grep -c "."` )); then
FAILURE="Syntax error in TRUSTED_NETWORKS definition."
exit_failure
fi
for OCTET in `echo "$HOST." | cut -d. -f1,2,3,4 --output-delimiter=" "`; do
if (( `echo "$OCTET" | grep -c "[^[:digit:]]"` )) || [ "$OCTET" -lt "0" ] || [ "$OCTET" -gt "255" ]; then
FAILURE="All network address definitions must be in dotted decimal format [e.g. 192.168.0.10]."
exit_failure
fi
done
if (( `echo "$HOST." | cut -d. -f5 | grep -c "."` )); then
FAILURE="All network address definitions must be in dotted decimal format [e.g. 192.168.0.10]."
exit_failure
fi
if [ -n "$MASK" ]; then
if (( `echo "$MASK" | grep -c "[^[:digit:]]"` )) || [ "$MASK" -lt "0" ] || [ "$MASK" -gt "32" ]; then
FAILURE="All network masks must between '/0' (0.0.0.0) and '/32' (255.255.255.255) inclusive."
exit_failure
fi
fi
if [ -z "$MOD_PORTS" ]; then
TRUSTED="$TRUSTED $NET"
else
PORTS=`echo "$MOD_PORTS/" | cut -d/ -f1`
PROTOCOL=`echo "$MOD_PORTS/" | cut -d/ -f2`
if (( `echo "$ITEM/" | cut -d/ -f3 | grep -c "."` )); then
FAILURE="Invalid syntax in TRUSTED_NETWORKS definition."
exit_failure
fi
if (( `echo "$PORTS" | grep -c "[^[:digit:]]"` )) || [ "$PORTS" -lt "1" ] || [ "$PORTS" -gt "65536" ]; then
for PORT in `echo "$PORTS-" | cut -d- -f1,2 --output-delimiter=" "`; do
if (( `echo "$PORT" | grep -c "[^[:digit:]]"` )) || [ "$PORT" -lt "1" ] || [ "$PORT" -gt "65536" ]; then
FAILURE="Invalid port number in TRUSTED_NETWORKS definition, must be between 1 and 65535."
exit_failure
fi
done
if (( `echo "$PORTS-" | cut -d- -f3 | grep -c "."` )); then
FAILURE="Invalid syntax in TRUSTED_NETWORKS."
exit_failure
fi
fi
if [ "$PROTOCOL" == "tcp" ] || [ "$PROTOCOL" == "udp" ]; then
TRUSTED_PORTS="$TRUSTED_PORTS $NET:$PORTS/$PROTOCOL"
elif [ -z "$PROTOCOL" ]; then
TRUSTED_PORTS="$TRUSTED_PORTS $NET:$PORTS/tcp"
TRUSTED_PORTS="$TRUSTED_PORTS $NET:$PORTS/udp"
else
FAILURE="Invalid protocol in TRUSTED_NETWORKS."
exit_failure
fi
fi
done
TRUSTED_NETWORKS=$TRUSTED
TRUSTED_PORTS=$TRUSTED_PORTS
fi
# Santity check additional routed networks.
if [ "$IS_ROUTER" == "yes" ]; then
for NETWORK in $ADDITIONAL_ROUTED_NETWORKS; do
HOST=`echo "$NETWORK/" | cut -d/ -f1`
MASK=`echo "$NETWORK/" | cut -d/ -f2` # Optional: Netfilter assumes /32 if not defined.
if (( `echo "$NETWORK/" | cut -d/ -f3 | grep -c "."` )); then
FAILURE="Syntax error in network definition."
exit_failure
fi
for OCTET in `echo "$HOST." | cut -d. -f1,2,3,4 --output-delimiter=" "`; do
if (( `echo "$OCTET" | grep -c "[^[:digit:]]"` )) || [ "$OCTET" -lt "0" ] || [ "$OCTET" -gt "255" ]; then
FAILURE="All network address definitions must be in dotted decimal format [e.g. 192.168.0.10]."
exit_failure
fi
done
if (( `echo "$HOST." | cut -d. -f5 | grep -c "."` )); then
FAILURE="All network address definitions must be in dotted decimal format [e.g. 192.168.0.10]."
exit_failure
fi
if [ -n "$MASK" ]; then
if (( `echo "$MASK" | grep -c "[^[:digit:]]"` )) || [ "$MASK" -lt "0" ] || [ "$MASK" -gt "32" ]; then
FAILURE="All network masks must between '/0' (0.0.0.0) and '/32' (255.255.255.255) inclusive."
exit_failure
fi
fi
done
fi
# Santity check port forwarding definitions. Destination port is optional.
if [ "$IS_ROUTER" == "yes" ]; then
for FORWARD in $PORT_FORWARDS; do
PROTOCOL=`echo "$FORWARD:" | cut -d: -f1`
IN_PORTS=`echo "$FORWARD:" | cut -d: -f2`
DEST=`echo "$FORWARD:" | cut -d: -f3`
DPORTS=`echo "$FORWARD:" | cut -d: -f4`
if (( `echo "$FORWARD:" | cut -d: -f5 | grep -c "."` )); then
FAILURE="Too many parameters in port forwarding definition."
exit_failure
fi
if [ "$PROTOCOL" != "tcp" ] && [ "$PROTOCOL" != "udp" ]; then
FAILURE="Port forwarding <protocol> must be either 'tcp' or 'udp'."
exit_failure
fi
if (( `echo "$IN_PORTS" | grep -c "[^[:digit:]]"` )) || [ "$IN_PORTS" -lt "1" ] || [ "$IN_PORTS" -gt "65536" ]; then
for PORT in `echo "$IN_PORTS" | cut -d- -f1,2 --output-delimiter=" "`; do
if (( `echo "$PORT" | grep -c "[^[:digit:]]"` )) || [ "$PORT" -lt "1" ] || [ "$PORT" -gt "65536" ]; then
FAILURE="Port forwarding <in_ports> must be in the range: 1 to 65535."
exit_failure
fi
done
if (( `echo "$IN_PORTS" | cut -d- -f3 | grep -c "."` )); then
FAILURE="Port forwarding <in_ports> syntax invalid."
exit_failure
fi
fi
for OCTET in `echo "$DEST" | cut -d. -f1,2,3,4 --output-delimiter=" "`; do
if (( `echo "$OCTET" | grep -c "[^[:digit:]]"` )) || [ "$OCTET" -lt "0" ] || [ "$OCTET" -gt "255" ]; then
FAILURE="Port forwarding <dest> must be in dotted decimal format [e.g. 192.168.0.10]."
exit_failure
fi
done
if (( `echo "$DEST" | cut -d. -f5 | grep -c "."` )); then
FAILURE="Port forwarding <dest> must be in dotted decimal format [e.g. 192.168.0.10]."
exit_failure
fi
if [ -n "$DPORTS" ]; then
if (( `echo "$DPORTS" | grep -c "[^[:digit:]]"` )) || [ "$DPORTS" -lt "1" ] || [ "$DPORTS" -gt "65536" ]; then
for PORT in `echo "$DPORTS" | cut -d- -f1,2 --output-delimiter=" "`; do
if (( `echo "$PORT" | grep -c "[^[:digit:]]"` )) || [ "$PORT" -lt "1" ] || [ "$PORT" -gt "65536" ]; then
FAILURE="Port forwarding <dports> must be in the range from 1 to 65535."
exit_failure
fi
done
if (( `echo "$DPORTS" | cut -d- -f3 | grep -c "."` )); then
FAILURE="Port forwarding <dports> syntax invalid."
exit_failure
fi
fi
fi
if [ "$PORT_FWD_ALL" == "yes" ]; then
OPEN_PORTS="$OPEN_PORTS $IN_PORTS/$PROTOCOL"
fi
done
fi
echo -n "."
# Sanity check open ports.
if [ -n "$OPEN_PORTS" ]; then
MOD_PORTS=""
for ITEM in $OPEN_PORTS; do
PORTS=`echo "$ITEM/" | cut -d/ -f1`
PROTOCOL=`echo "$ITEM/" | cut -d/ -f2`
if (( `echo "$ITEM/" | cut -d/ -f3 | grep -c "."` )); then
FAILURE="Invalid syntax in OPEN_PORTS."
exit_failure
fi
if (( `echo "$PORTS" | grep -c "[^[:digit:]]"` )) || [ "$PORTS" -lt "1" ] || [ "$PORTS" -gt "65536" ]; then
for PORT in `echo "$PORTS-" | cut -d- -f1,2 --output-delimiter=" "`; do
if (( `echo "$PORT" | grep -c "[^[:digit:]]"` )) || [ "$PORT" -lt "1" ] || [ "$PORT" -gt "65536" ]; then
FAILURE="Invalid port number in OPEN_PORTS, must be between 1 and 65535."
exit_failure
fi
done
if (( `echo "$PORTS-" | cut -d- -f3 | grep -c "."` )); then
FAILURE="Invalid syntax in OPEN_PORTS."
exit_failure
fi
fi
if [ "$PROTOCOL" == "tcp" ] || [ "$PROTOCOL" == "udp" ]; then
MOD_PORTS="$MOD_PORTS $PORTS/$PROTOCOL"
elif [ -z "$PROTOCOL" ]; then
MOD_PORTS="$MOD_PORTS $PORTS/tcp"
MOD_PORTS="$MOD_PORTS $PORTS/udp"
else
FAILURE="Invalid protocol in OPEN_PORTS."
exit_failure
fi
done
OPEN_PORTS=$MOD_PORTS
fi
# Sanity check that dynamic, nat, and rp_filter interface definitions do not use IP aliases.
if [ "$IS_ROUTER" == "yes" ]; then
if (( `echo "$DYNAMIC_INTERFACES $NO_RP_FILTER_INTERFACES $ADDITIONAL_NAT_INTERFACES" | grep -c ":"` )); then
FAILURE="Dynamic_interfaces, rp_filter, and no_nat_interface definitions cannot contain IP aliases."
exit_failure
fi
fi
# Obtain list of external interfaces.
EXTERNAL_INTERFACES=`ifconfig | grep "^[[:alpha:]]" | cut -d\ -f1 | sed s/^lo.*//`
if [ "$IS_ROUTER" == "yes" ]; then
for INTERFACE in $INTERNAL_INTERFACES; do
EXTERNAL_INTERFACES=`echo "$EXTERNAL_INTERFACES" | sed s/^$INTERFACE$//`
done
fi
EXTERNAL_INTERFACES=`echo $EXTERNAL_INTERFACES` # Remove newlines
# Divide internal and external interfaces into static and dynamic groups.
for INTERFACE in $INTERNAL_INTERFACES; do
if (( `echo "$DYNAMIC_INTERFACES" | grep -c "$INTERFACE"` )); then
DYNAMIC_INTERNAL_INTERFACES="$DYNAMIC_INTERNAL_INTERFACES $INTERFACE"
else
STATIC_INTERNAL_INTERFACES="$STATIC_INTERNAL_INTERFACES $INTERFACE"
fi
done
for INTERFACE in $EXTERNAL_INTERFACES; do
if (( `echo "$DYNAMIC_INTERFACES" | grep -c "$INTERFACE"` )); then
DYNAMIC_EXTERNAL_INTERFACES="$DYNAMIC_EXTERNAL_INTERFACES $INTERFACE"
else
STATIC_EXTERNAL_INTERFACES="$STATIC_EXTERNAL_INTERFACES $INTERFACE"
fi
done
for INTERFACE in $DYNAMIC_INTERFACES; do
if !(( `echo "$INTERNAL_INTERFACES $EXTERNAL_INTERFACES" | grep -c "$INTERFACE"` )); then
DYNAMIC_EXTERNAL_INTERFACES="$DYNAMIC_EXTERNAL_INTERFACES $INTERFACE"
fi
done
# Obtain list of interfaces to NAT outbound connections
if [ "$IS_ROUTER" == "yes" ]; then
if [ "$NAT_EXTERNAL" == "yes" ]; then
for INTERFACE in $STATIC_EXTERNAL_INTERFACES; do
if !(( `echo "$INTERFACE" | grep -c ":"` )); then
STATIC_NAT_INTERFACES="$STATIC_NAT_INTERFACES $INTERFACE"
fi
done
for INTERFACE in $DYNAMIC_EXTERNAL_INTERFACES; do
if !(( `echo "$INTERFACE" | grep -c ":"` )); then
DYNAMIC_NAT_INTERFACES="$DYNAMIC_NAT_INTERFACES $INTERFACE"
fi
done
fi
for INTERFACE in $ADDITIONAL_NAT_INTERFACES; do
if (( `echo "$DYNAMIC_INTERFACES" | grep -c "$INTERFACE"` )); then
DYNAMIC_NAT_INTERFACES="$DYNAMIC_NAT_INTERFACES $INTERFACE"
else
STATIC_NAT_INTERFACES="$STATIC_NAT_INTERFACES $INTERFACE"
fi
done
fi
# Make sure we have iptables installed.
if (( `iptables -V 2>&1 | grep -c "command not found"` )); then
FAILURE="Cannot find 'iptables' command. Did you forget to install iptables?"
exit_failure
fi
# If we are a router, check that all static internal interfaces are up.
if [ "$IS_ROUTER" == "yes" ]; then
for INTERFACE in $STATIC_INTERNAL_INTERFACES; do
if !(( `ifconfig | grep -c "^$INTERFACE\ "` )); then
FAILURE="A static internal interface is down. Did you forgot to configure interfaces before running the firewall?"
exit_failure
fi
done
fi
# Check to see if we have a proc filesystem, if not and we are a router, then exit.
if [ "$IS_ROUTER" == "yes" ] && ! [ -a "/proc/version" ]; then
FAILURE="Routing requires proc filesystem support. Please mount /proc or add proc filesystem support to your kernel."
exit_failure
fi
echo -n "."
# Determine if this is a modular kernel, if so modprobe the required modules.
if !(( `which modprobe 2>&1 | grep -c "which: no modprobe in"` )) && ( [ -a /proc/modules ] || ! [ -a /proc/version ] ); then
for MODULE in ip_tables ip_conntrack ipt_state iptable_filter; do
if (( `modprobe -l | grep -c "$MODULE"` )); then
modprobe $MODULE > /dev/null 2>&1
fi
done
if [ "$RFC_1122_COMPLIANT" == "yes" ]; then
if (( `modprobe -l | grep -c "ipt_REJECT"` )); then
modprobe ipt_REJECT > /dev/null 2>&1
fi
fi
if [ "$LOGGING" == "yes" ]; then
for MODULE in ipt_LOG ipt_limit; do
if (( `modprobe -l | grep -c "$MODULE"` )); then
modprobe $MODULE > /dev/null 2>&1
fi
done
fi
if [ "$IS_ROUTER" == "yes" ]; then
for MODULE in iptable_nat ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp; do
if (( `modprobe -l | grep -c "$MODULE"` )); then
modprobe $MODULE > /dev/null 2>&1
fi
done
if [ -n "$DYNAMIC_INTERFACES" ]; then
if (( `modprobe -l | grep -c "ipt_MASQUERADE"` )); then
modprobe ipt_MASQUERADE > /dev/null 2>&1
fi
fi
if [ -n "$PORT_FORWARDS" ]; then
for MODULE in iptable_mangle ipt_mark ipt_MARK; do
if (( `modprobe -l | grep -c "$MODULE"` )); then
modprobe $MODULE > /dev/null 2>&1
fi
done
fi
fi
fi
# Obtain list of NAT addresses if we are a router doing nat.
if [ "$IS_ROUTER" == "yes" ]; then
for INTERFACE in $STATIC_NAT_INTERFACES; do
ADDRESS=`ifconfig | grep "^$INTERFACE\ " -A1 | grep "inet" | cut -d: -f2| cut -d\ -f1 | head -1`
NAT_ADDRESSES="$NAT_ADDRESSES $ADDRESS"
done
fi
NAT_ADDRESSES=`echo $NAT_ADDRESSES` # Remove extra whitespace
# Obtain list of internal networks with subnet masks corrisponding to internal interfaces.
if [ "$IS_ROUTER" == "yes" ]; then
for INTERFACE in $STATIC_INTERNAL_INTERFACES; do
STROKE="0"
MASK=`ifconfig | grep "^$INTERFACE\ " -A1 | grep "Mask" | cut -d: -f4 | head -1`
for OCTET in 1 2 3 4; do
BINARY=`echo "$MASK" | cut -d. -f$OCTET`
for SUBTRACT in 128 64 32 16 8 4 2 1; do
if [ "$((BINARY - SUBTRACT))" -ge "0" ]; then
BINARY=$((BINARY - SUBTRACT))
STROKE=$((STROKE + 1))
fi
done
done
NETWORK=`ifconfig | grep "^$INTERFACE\ " -A1 | grep "inet" | cut -d: -f2| cut -d\ -f1 | head -1`/$STROKE
INTERNAL_NETWORKS="$INTERNAL_NETWORKS $NETWORK"
done
INTERNAL_NETWORKS=`echo $INTERNAL_NETWORKS`
fi
# Obtain a list of external addresses for exit message and port forwarding.
if [ -n "$STATIC_EXTERNAL_INTERFACES" ]; then
for INTERFACE in $STATIC_EXTERNAL_INTERFACES; do
ADDRESS=`ifconfig | grep "^$INTERFACE\ " -A1 | grep "inet" | cut -d: -f2| cut -d\ -f1 | head -1`
EXTERNAL_ADDRESSES="$EXTERNAL_ADDRESSES $ADDRESS"
done
EXTERNAL_ADDRESSES=`echo $EXTERNAL_ADDRESSES`
fi
# Make a table of interfaces for marking packets based on their incoming interface. Do not include IP aliases.
if [ "$IS_ROUTER" == "yes" ] && [ -n "$PORT_FORWARDS" ]; then
COUNT="0"
TAB="0"
for INTERFACE in $STATIC_INTERNAL_INTERFACES $STATIC_EXTERNAL_INTERFACES; do
COUNT=$((COUNT + 1))
if !(( `echo "$INTERFACE" | grep -c ":"` )); then
TAB=$((TAB + 1))
INTERFACE_TAB[$TAB]="$INTERFACE"
ADDRESS_TAB[$TAB]=`echo $INTERNAL_NETWORKS $EXTERNAL_ADDRESSES | cut -d\ -f$COUNT | cut -d/ -f1`
if [ "$PORT_FWD_ROUTED_NETWORKS" == "yes" ]; then
if (( `echo "$STATIC_INTERNAL_INTERFACES" | grep -c "$INTERFACE"` )); then
NETWORK_TAB[$TAB]="$ADDITIONAL_ROUTED_NETWORKS `echo "$INTERNAL_NETWORKS" | cut -d\ -f$COUNT`"
fi
fi
fi
done
for INTERFACE in $DYNAMIC_INTERNAL_INTERFACES $DYNAMIC_EXTERNAL_INTERFACES; do
TAB=$((TAB + 1))
INTERFACE_TAB[$TAB]="$INTERFACE"
done
fi
# If we do not trust routed networks then add internal interfaces as "secured" addresses in the exit message.
if [ "$IS_ROUTER" == "yes" ] && [ -n "$STATIC_INTERNAL_INTERFACES" ] && [ "$TRUST_ROUTED_NETWORKS" != "yes" ]; then
for INTERFACE in $STATIC_INTERNAL_INTERFACES; do
ADDRESS=`ifconfig | grep "^$INTERFACE\ " -A1 | grep "inet" | cut -d: -f2| cut -d\ -f1 | head -1`
EXTERNAL_ADDRESSES="$EXTERNAL_ADDRESSES $ADDRESS"
done
fi
# Check the validity of rp_filter interfaces.
for INTERFACE in $NO_RP_FILTER_INTERFACES; do
if ! [ -w "/proc/sys/net/ipv4/conf/$INTERFACE/rp_filter" ]; then
FAILURE="Cannot write to /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter. Is the interface definition valid?"
exit_failure
fi
done
echo -n "."
# Make sure the filter table exists.
if (( `iptables -t filter -L 2>&1 | grep -c "Table does not exist"` )); then
FAILURE="Could not find 'filter' table. Did you compile support for all necessary modules?"
exit_failure
fi
# Check for the REJECT target if RFC 1122 compliance is enabled.
if [ "$RFC_1122_COMPLIANT" == "yes" ]; then
if ((`iptables -t filter -i lo -o lo -I FORWARD -j REJECT 2>&1 | grep -c "No chain/target/match by that name"`)); then
FAILURE="Could not find 'REJECT' target. Did you compile support for all necessary modules?"
exit_failure
else
iptables -t filter -D FORWARD 1
fi
fi
# If logging is enabled check for LOG and limit targets.
if [ "$LOGGING" == "yes" ]; then
if (( `iptables -t filter -i lo -o lo -I FORWARD -m limit 2>&1 | \
grep -c "No chain/target/match by that name"` )); then
FAILURE="Could not find 'limit' target. Did you compile support for all necessary modules?"
exit_failure
else
iptables -t filter -D FORWARD 1
fi
if (( `iptables -t filter -i lo -o lo -I FORWARD -j LOG 2>&1 | grep -c "No chain/target/match by that name"` )); then
FAILURE="Could not find 'LOG' target. Did you compile support for all necessary modules?"
exit_failure
else
iptables -t filter -D FORWARD 1
fi
fi
# Check for existance of the nat table if we need it.
if [ -n "$STATIC_NAT_INTERFACES" ] || [ -n "$DYNAMIC_NAT_INTERFACES" ] || [ -n "$PORT_FORWARDS" ]; then
if (( `iptables -t nat -L 2>&1 | grep -c "Table does not exist"` )); then
FAILURE="Could not find 'nat' table. Did you compile support for all necessary modules?"
exit_failure
fi
fi
# Determine if we need the MASQUERADE target.
if [ -n "$DYNAMIC_NAT_INTERFACES" ]; then
if ((`iptables -t nat -I POSTROUTING -o lo -j MASQUERADE 2>&1 | grep -c "No chain/target/match by that name"`)); then
FAILURE="Could not find 'MASQUERADE' target. Did you compile support for all necessary modules?"
exit_failure
else
iptables -t nat -D POSTROUTING 1
fi
fi
# Check for state maching module.
if (( `iptables -t filter -I OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 2>&1 | \
grep -c "No chain/target/match by that name"` )); then
FAILURE="Failed to load state matching module. Did you compile support for all necessary modules?"
exit_failure
else
iptables -t filter -D OUTPUT 1
fi
echo -n "."
# With port forwarding enabled make sure we can use the mangle table, the mark match module, and MARK target.
if [ -n "$PORT_PORTWARDS" ]; then
if (( `iptables -t mangle -L 2>&1 | grep -c "Table does not exist"` )); then
FAILURE="Could not find 'mangle' table, required for port forwarding. Did you compile support for all necessary modules?"
exit_failure
fi
if (( `iptables -t mangle -I OUTPUT -j MARK --set-mark "1" | grep -c "No chain/target/match by that name"` )); then
FAILURE="Failed to load MARK target. Did you compile support for all necessary modules?"
exit_failure
else
iptables -t mangle -D OUTPUT 1
fi
if (( `iptables -t mangle -I OUTPUT -m mark --mark "1" -j ACCEPT | grep -c "No chain/target/match by that name"` )); then
FAILURE="Failed to mark match module or MARK target. Did you compile support for all necessary modules?"
exit_failure
else
iptables -t mangle -D OUTPUT 1
fi
fi
# Obtain broadcast list if we are doing logging (so that we will not log them).
if [ "$LOGGING" == "yes" ]; then
BCAST_LIST="255.255.255.255"
for INTERFACE in $STATIC_INTERNAL_INTERFACES $STATIC_EXTERNAL_INTERFACES; do
BROADCAST=`ifconfig | grep "^$INTERFACE\ " -A1 | grep "Bcast" | cut -d: -f3 | cut -d\ -f1 | head -1`
if !(( `echo "$BCAST_LIST" | grep -c "$BROADCAST"` )); then
BCAST_LIST="$BCAST_LIST $BROADCAST"
fi
done
fi
# System and configuration approved.
echo " [ PASSED ]"
# Write a configuration file if passed the 'saveconfig' or 'writeconfig' argument.
if [ "$1" == "saveconfig" ] || [ "$1" == "writeconfig" ]; then
if [ -a /etc/firewall.conf ]; then
if !(( `head -1 /etc/firewall.conf | grep -c "# Linux Firewall configuration backup -- http://projectfiles.com/firewall/"` )); then
echo "-> WARNING: The file '/etc/firewall.conf' is associated with another program!"
echo "-> Press any key to overwrite, or CTRL-C to abort."
read -rsn1
fi
fi
cat << EOF > /etc/firewall.conf
# Linux Firewall configuration backup -- http://projectfiles.com/firewall/
# Generated by '$PWD/`echo $0 | sed s/^\.// | sed s/^\\\///` $1' on `date`.
# Generated with version: "$VERSION".
# WARNING: DO NOT EDIT THIS FILE DIRECTLY!
# Make changes to $PWD/`echo $0 | sed s/^\.// | sed s/^\\\///` and run '$PWD/`echo $0 | sed s/^\.// | sed s/^\\\///` $1'.
OPEN_PORTS="$ORIG_OPEN_PORTS"
INTERNAL_INTERFACES="$INTERNAL_INTERFACES"
DYNAMIC_INTERFACES="$DYNAMIC_INTERFACES"
TRUSTED_NETWORKS="$ORIG_TRUSTED_NETWORKS"
PORT_FORWARDS="$PORT_FORWARDS"
PORT_FWD_ALL="$PORT_FWD_ALL"
PORT_FWD_ROUTED_NETWORKS="$PORT_FWD_ROUTED_NETWORKS"
ADDITIONAL_ROUTED_NETWORKS="$ADDITIONAL_ROUTED_NETWORKS"
TRUST_ROUTED_NETWORKS="$TRUST_ROUTED_NETWORKS"
NO_RP_FILTER_INTERFACES="$NO_RP_FILTER_INTERFACES"
NAT_EXTERNAL="$NAT_EXTERNAL"
ADDITIONAL_NAT_INTERFACES="$ADDITIONAL_NAT_INTERFACES"
INTERNAL_DHCP="$INTERNAL_DHCP"
RFC_1122_COMPLIANT="$RFC_1122_COMPLIANT"
LOGGING="$LOGGING"
EOF
echo "-> Firewall configuration saved to '/etc/firewall.conf'"
exit
fi
##########################
# -- Firewall Section -- #
##########################
# Set ip_forward and enable kernel level reverse path filtering.
if [ "$IS_ROUTER" == "yes" ]; then
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
for INTERFACE in $NO_RP_FILTER_INTERFACES; do
echo "0" > /proc/sys/net/ipv4/conf/$INTERFACE/rp_filter
done
else
echo "0" > /proc/sys/net/ipv4/ip_forward
fi
# Set default policies.
iptables -t filter -F
iptables -t filter -X
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT ACCEPT
if !(( `iptables -t nat -F 2>&1 | grep -c "Table does not exist"` )); then
iptables -t nat -X
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
fi
if !(( `iptables -t mangle -F 2>&1 | grep -c "Table does not exist"` )); then
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT > /dev/null 2>&1 # New 2.4.18 builtin mangle chains
iptables -t mangle -P INPUT ACCEPT > /dev/null 2>&1
iptables -t mangle -P FORWARD ACCEPT > /dev/null 2>&1
fi
# Initialize trusted chain
iptables -t filter -N TRUSTED
if [ "$RFC_1122_COMPLIANT" == "yes" ]; then
iptables -t filter -A TRUSTED -j REJECT
else
iptables -t filter -A TRUSTED -j DROP
fi
# Set logging preferences. Do not log broadcasts.
if [ "$LOGGING" == "yes" ]; then
iptables -t filter -N LOGME
iptables -t filter -I TRUSTED -j LOGME
for BROADCAST in $BCAST_LIST; do
iptables -t filter -I LOGME -d $BROADCAST -j RETURN
done
iptables -t filter -A LOGME -p icmp -m limit --limit 1/minute --limit-burst 5 -j LOG --log-level notice \
--log-prefix "firewall: "
iptables -t filter -A LOGME -p tcp -m limit --limit 1/minute --limit-burst 5 -j LOG --log-level notice \
--log-prefix "firewall: "
iptables -t filter -A LOGME -p udp -m limit --limit 1/minute --limit-burst 5 -j LOG --log-level notice \
--log-prefix "firewall: "
fi
# Accept icmp-echo-request packets if RFC-1122 compliance option is enabled. Limit logging of imap packets.
if [ "$RFC_1122_COMPLIANT" == "yes" ]; then
if [ "$LOGGING" == "yes" ]; then
iptables -t filter -I TRUSTED 2 -p icmp --icmp-type echo-request -j ACCEPT # -I TRUSTED 2 so that it goes after LOGME.
iptables -t filter -I TRUSTED -p icmp --icmp-type echo-request -m limit --limit 2/second --limit-burst 10 -j ACCEPT
else
iptables -t filter -I TRUSTED -p icmp --icmp-type echo-request -j ACCEPT
fi
fi
# Insert trusted networks into trusted chain before everything else.
for NETWORK in $TRUSTED_NETWORKS ; do
iptables -t filter -I TRUSTED -s $NETWORK -j ACCEPT
done
# Set default policy for ESTABLISHED and RELATED connections to ACCEPT on FORWARD chains.
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
if [ "$IS_ROUTER" == "yes" ]; then
iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
fi
# ICMP DNAT information leak workaround
iptables -t filter -A OUTPUT -p icmp -m state --state INVALID -j DROP
# For servers, only allow NEW connections to specified INPUT ports. For port forwarding, allow on FORWARD chain.
for ITEM in $OPEN_PORTS $TRUSTED_PORTS; do
NET=""
if (( `echo "$ITEM:" | cut -d: -f2 | grep -c "."` )); then
NET="-s `echo "$ITEM:" | cut -d: -f1`"
ITEM=`echo "$ITEM:" | cut -d: -f2`
fi
PORTS=`echo "$ITEM" | cut -d/ -f1`
PORTS=`echo "$PORTS" | cut -d- -f1,2 --output-delimiter=":"`
PROTOCOL=`echo "$ITEM" | cut -d/ -f2`
COUNT="0"
for FORWARD in $PORT_FORWARDS; do
IN_PORTS=`echo "$FORWARD" | cut -d: -f2 | cut -d- -f1,2 --output-delimiter=":"`
if [ "`echo "$FORWARD" | cut -d: -f1`" == "$PROTOCOL" ] && [ "$PORTS" == "$IN_PORTS" ]; then
DEST=`echo "$FORWARD" | cut -d: -f3`
DPORTS=`echo "$FORWARD" | cut -d: -f4 | cut -d- -f1,2 --output-delimiter=":"`
if [ -z "$DPORTS" ]; then
DPORTS="$IN_PORTS"
fi
iptables -t filter -A FORWARD -m state --state NEW $NET -d $DEST -p $PROTOCOL --dport $DPORTS -j ACCEPT
COUNT="1"
if [ -z "$NET" ]; then
continue 2 # i.e. This port forward is open to everyone.
fi
fi
done
if [ "$COUNT" == "0" ]; then
iptables -t filter -A INPUT -m state --state NEW $NET -p $PROTOCOL --dport $PORTS -j ACCEPT
fi
done
# For routers, allow routing of internal and routed networks on internal interfaces.
if [ "$IS_ROUTER" == "yes" ]; then
COUNT="0"
for INTERFACE in $STATIC_INTERNAL_INTERFACES; do
COUNT=$((COUNT + 1))
NETWORK=`echo "$INTERNAL_NETWORKS" | cut -d\ -f$COUNT`
INTERFACE=`echo "$INTERFACE" | cut -d: -f1`
iptables -t filter -A FORWARD -m state --state NEW -i $INTERFACE -s $NETWORK -j ACCEPT
if [ "$TRUST_ROUTED_NETWORKS" == "yes" ]; then
iptables -t filter -A INPUT -m state --state NEW -i $INTERFACE -s $NETWORK -j ACCEPT
fi
if [ "$INTERNAL_DHCP" == "yes" ]; then
iptables -t filter -A INPUT -m state --state NEW -i $INTERFACE -p udp --dport 67 -j ACCEPT
fi
for NETWORK in $ADDITIONAL_ROUTED_NETWORKS; do
iptables -t filter -A FORWARD -m state --state NEW -i $INTERFACE -s $NETWORK -j ACCEPT
if [ "$TRUST_ROUTED_NETWORKS" == "yes" ]; then
iptables -t filter -A INPUT -m state --state NEW -i $INTERFACE -s $NETWORK -j ACCEPT
fi
done
done
for INTERFACE in $DYNAMIC_INTERNAL_INTERFACES; do
iptables -t filter -A FORWARD -m state --state NEW -i $INTERFACE -j ACCEPT
if [ "$TRUST_ROUTED_NETWORKS" == "yes" ]; then
iptables -t filter -A INPUT -m state --state NEW -i $INTERFACE -j ACCEPT
fi
done
fi
# Accept new connections from the loopback interface (localhost).
iptables -t filter -A INPUT -i lo -m state --state NEW -j ACCEPT
# Jump to the trusted chain if this packet establishes a NEW connection.
iptables -t filter -A INPUT -m state --state NEW -j TRUSTED
# Configure port forwarding.
for FORWARD in $PORT_FORWARDS; do
PROTOCOL=`echo "$FORWARD" | cut -d: -f1`
IN_PORTS=`echo "$FORWARD" | cut -d: -f2 | cut -d- -f1,2 --output-delimiter=":"`
DEST=`echo "$FORWARD" | cut -d: -f3`
PORTS=`echo "$FORWARD" | cut -d: -f4`
if [ -z "$PORTS" ]; then
PORTS="$IN_PORTS"
fi
DPORTS=`echo "$PORTS" | cut -d- -f1,2 --output-delimiter=":"`
COUNT="0"
while (( `echo "${INTERFACE_TAB[$(($COUNT + 1))]}" | grep -c "."` )); do
COUNT=$((COUNT + 1))
if (( `echo "$DYNAMIC_INTERFACES" | grep -c "${INTERFACE_TAB[$COUNT]}"` )); then
iptables -t nat -A POSTROUTING -m mark --mark "$COUNT" -o ${INTERFACE_TAB[$COUNT]} -d $DEST \
-p $PROTOCOL --dport $DPORTS -j MASQUERADE
else
iptables -t nat -A POSTROUTING -m mark --mark "$COUNT" -o ${INTERFACE_TAB[$COUNT]} -d $DEST \
-p $PROTOCOL --dport $DPORTS -j SNAT --to-source ${ADDRESS_TAB[$COUNT]}
fi
iptables -t filter -A FORWARD -m mark --mark "$COUNT" -i ${INTERFACE_TAB[$COUNT]} -d $DEST \
-m state --state NEW -p $PROTOCOL --dport $DPORTS -j TRUSTED
for ADDRESS in $EXTERNAL_ADDRESSES $INTERNAL_NETWORKS; do
ADDRESS=`echo $ADDRESS | cut -d/ -f1`
if (( `echo "$DYNAMIC_INTERNAL_INTERFACES" | grep -c "$INTERFACE"` )) && [ "$PORT_FWD_ROUTED_NETWORKS" == "yes" ]; then
iptables -t nat -A PREROUTING -d $ADDRESS -i ${INTERFACE_TAB[$COUNT]} \
-p $PROTOCOL --dport $IN_PORTS -j DNAT --to-destination $DEST:$PORTS
iptables -t mangle -A PREROUTING -d $ADDRESS -i ${INTERFACE_TAB[$COUNT]} \
-p $PROTOCOL --dport $IN_PORTS -j MARK --set-mark "$COUNT"
continue # i.e. we are going to accept anything on this interface.
fi
for ITEM in $OPEN_PORTS $TRUSTED_PORTS; do
if (( `echo "$ITEM:" | cut -d: -f2 | grep -c "."` )); then
NET="-s `echo "$ITEM:" | cut -d: -f1`"
ITEM=`echo "$ITEM:" | cut -d: -f2`
else
NET=""
fi
PORT=`echo "$ITEM/" | cut -d/ -f1`
PORT=`echo "$PORT" | cut -d- -f1,2 --output-delimiter=":"`
if [ "$PROTOCOL" == "`echo "$ITEM/" | cut -d/ -f2`" ] && [ "$PORT" == "$IN_PORTS" ]; then
iptables -t nat -A PREROUTING $NET -d $ADDRESS -i ${INTERFACE_TAB[$COUNT]} \
-p $PROTOCOL --dport $IN_PORTS -j DNAT --to-destination $DEST:$PORTS
iptables -t mangle -A PREROUTING $NET -d $ADDRESS -i ${INTERFACE_TAB[$COUNT]} \
-p $PROTOCOL --dport $IN_PORTS -j MARK --set-mark "$COUNT"
if [ -z "$NET" ]; then
continue 2 # i.e. This port forward is open to everyone.
fi
fi
done
for NETWORK in ${NETWORK_TAB[$COUNT]}; do
iptables -t nat -A PREROUTING -d $ADDRESS -i ${INTERFACE_TAB[$COUNT]} -s $NETWORK \
-p $PROTOCOL --dport $IN_PORTS -j DNAT --to-destination $DEST:$PORTS
iptables -t mangle -A PREROUTING -d $ADDRESS -i ${INTERFACE_TAB[$COUNT]} -s $NETWORK \
-p $PROTOCOL --dport $IN_PORTS -j MARK --set-mark "$COUNT"
done
for NETWORK in $TRUSTED_NETWORKS; do
iptables -t nat -A PREROUTING -d $ADDRESS -i ${INTERFACE_TAB[$COUNT]} -s $NETWORK \
-p $PROTOCOL --dport $IN_PORTS -j DNAT --to-destination $DEST:$PORTS
iptables -t mangle -A PREROUTING -d $ADDRESS -i ${INTERFACE_TAB[$COUNT]} -s $NETWORK \
-p $PROTOCOL --dport $IN_PORTS -j MARK --set-mark "$COUNT"
done
done
done
done
# Configure NAT
if [ "$IS_ROUTER" == "yes" ]; then
COUNT="0"
for INTERFACE in $STATIC_NAT_INTERFACES; do
COUNT=$((COUNT + 1))
ADDRESS=`echo "$NAT_ADDRESSES" | cut -d\ -f$COUNT`
if [ -n "$DYNAMIC_INTERNAL_INTERFACES" ]; then
iptables -t nat -A POSTROUTING -o $INTERFACE -j SNAT --to-source $ADDRESS
else
for NETWORK in $INTERNAL_NETWORKS $ADDITIONAL_ROUTED_NETWORKS; do
iptables -t nat -A POSTROUTING -s $NETWORK -o $INTERFACE -j SNAT --to-source $ADDRESS
done
fi
done
for INTERFACE in $DYNAMIC_NAT_INTERFACES; do
if [ -n "$DYNAMIC_INTERNAL_INTERFACES" ]; then
iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
else
for NETWORK in $INTERNAL_NETWORKS $ADDITIONAL_ROUTED_NETWORKS; do
iptables -t nat -A POSTROUTING -s $NETWORK -o $INTERFACE -j MASQUERADE
done
fi
done
fi
# Print exit message.
if [ -z "$EXTERNAL_ADDRESSES" ]; then
echo "-> Successfully configured firewall."
else
echo "-> Successfully secured the following addresses: `echo $EXTERNAL_ADDRESSES | sed s/\ /,\ /g`."
fi
if [ "$IS_ROUTER" == "yes" ]; then
if [ -n "$DYNAMIC_EXTERNAL_INTERFACES" ]; then
echo "-> Successfully secured the following external interfaces: `echo $DYNAMIC_EXTERNAL_INTERFACES | sed s/\ /,\ /g`."
fi
if [ -n "$INTERNAL_NETWORKS" ] || [ -n "$ADDITIONAL_ROUTED_NETWORKS" ]; then
echo "-> Routing is enabled for the following networks: `echo $INTERNAL_NETWORKS $ADDITIONAL_ROUTED_NETWORKS | \
sed s/\ /,\ /g`."
fi
if [ -n "$DYNAMIC_INTERNAL_INTERFACES" ]; then
echo "-> Alert! Routing is enabled for ALL connections through: `echo $DYNAMIC_INTERNAL_INTERFACES \
| sed s/\ /,\ /g`."
fi
fi
# Done! |
But when I go to http://scan.sygatetech.com/ and perform a quick scan ICMP port is shown as open. If I do a UDP scan, most ports are called closed but a few including NetBios are found to be open. The question is, should I worry about this? And if so how do I close my machine off to hackers. I am running a single user machine connected via cable modem, hooked up to eth0.
EDIT (rac): put bodacious code listing into a code block |
|
Back to top |
|
|
nitro322 Guru
Joined: 24 Jul 2002 Posts: 594 Location: USA
|
Posted: Thu Aug 29, 2002 4:12 am Post subject: |
|
|
I haven't read through your existing script (as it's REALLY long), but this should drop all ICMP and netbios packets:
Code: | iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -p icmp -j DROP
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -p tcp --dport 137:139 -j DROP
iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -p tcp --dport 137:139 -j DROP |
|
|
Back to top |
|
|
pilla Bodhisattva
Joined: 07 Aug 2002 Posts: 7729 Location: Underworld
|
Posted: Thu Aug 29, 2002 1:55 pm Post subject: nessus |
|
|
nessus is a good tool to find vulnerabilities in your system. It scans your ports and generates reports about vulnerabilities and proposes some remedies, sometimes =) |
|
Back to top |
|
|
Zu` l33t
Joined: 26 May 2002 Posts: 716 Location: BE
|
Posted: Thu Aug 29, 2002 4:00 pm Post subject: Re: nessus |
|
|
Bloody Bastard wrote: | nessus is a good tool to find vulnerabilities in your system. It scans your ports and generates reports about vulnerabilities and proposes some remedies, sometimes =) |
Is it easy to set up? |
|
Back to top |
|
|
pilla Bodhisattva
Joined: 07 Aug 2002 Posts: 7729 Location: Underworld
|
Posted: Thu Aug 29, 2002 4:57 pm Post subject: Re: nessus |
|
|
It's not very hard... you need to:
1) setup a new user for nessus -- "nessus-adduser"
2) run "nessud" as root
3) run "nessus" (the GUI) as normal user and then login in as the user you added in (1)
4)choose the options you want to scan
5)choose the hosts you want to scan (Target Selection)
6) Run!
(I hope I haven't forgotten something importat...)
Zu` wrote: | Bloody Bastard wrote: | nessus is a good tool to find vulnerabilities in your system. It scans your ports and generates reports about vulnerabilities and proposes some remedies, sometimes =) |
Is it easy to set up? |
|
|
Back to top |
|
|
nitro322 Guru
Joined: 24 Jul 2002 Posts: 594 Location: USA
|
Posted: Thu Aug 29, 2002 9:46 pm Post subject: Re: nessus |
|
|
Bloody Bastard wrote: | 1) setup a new user for nessus -- "nessus-adduser"
2) run "nessud" as root
3) run "nessus" (the GUI) as normal user and then login in as the user you added in (1)
4)choose the options you want to scan
5)choose the hosts you want to scan (Target Selection)
6) Run! |
You'll also probably have to run nessus-mkcert to create a certificate. Also, you'll probably want to start it with 'nessusd -D' instead, so it gets forked to the background. |
|
Back to top |
|
|
Zu` l33t
Joined: 26 May 2002 Posts: 716 Location: BE
|
Posted: Mon Sep 02, 2002 3:29 pm Post subject: Re: nessus |
|
|
Bloody Bastard wrote: | It's not very hard... you need to:
1) setup a new user for nessus -- "nessus-adduser"
2) run "nessud" as root
3) run "nessus" (the GUI) as normal user and then login in as the user you added in (1)
4)choose the options you want to scan
5)choose the hosts you want to scan (Target Selection)
6) Run!
(I hope I haven't forgotten something importat...)
Zu` wrote: | Bloody Bastard wrote: | nessus is a good tool to find vulnerabilities in your system. It scans your ports and generates reports about vulnerabilities and proposes some remedies, sometimes =) |
Is it easy to set up? |
|
Thanks, I'll try it out. |
|
Back to top |
|
|
TuxFriend Apprentice
Joined: 14 Aug 2002 Posts: 151
|
Posted: Mon Sep 02, 2002 7:41 pm Post subject: Re: Configuring iptables |
|
|
rajendra82 wrote: | ICMP port is shown as open |
change RFC_1122_COMPLIANT="yes" to RFC_1122_COMPLIANT="no"
TuxFriend |
|
Back to top |
|
|
network n00b
Joined: 05 Sep 2002 Posts: 7
|
Posted: Thu Sep 05, 2002 2:25 pm Post subject: Security |
|
|
How exactly does not sending ICMP echo-requests and port-unreach packets back qualify as being more secure? IMO these scanning website are giving new firewall users misleading information. By default NO services are availalble to external machines, though yes, the firewall does send icmp-port-unreach packets (telling the connecting host that the port is not available...) as per internet standards.
I invite insightful responses.
Scott Bartlett
Projectfiles.com Linux Firewall Maintainer |
|
Back to top |
|
|
mglauche Retired Dev
Joined: 25 Apr 2002 Posts: 564 Location: Germany
|
Posted: Thu Sep 05, 2002 2:55 pm Post subject: |
|
|
filtering icmp in gereral is a bad idea (but it seems popular along novice firewall users)
icmp is good for a various things from admin-usage (does that host work ?) to Congestion-Controll-Messages (ECN, Excpicit Congestion Notify, can be send by a router(!) to sender, much better behaviour during congestion !)
However .. limiting icmp messages is good (also blocking unnormal large packets, etc) but does not help much if you are a end user ... |
|
Back to top |
|
|
TuxFriend Apprentice
Joined: 14 Aug 2002 Posts: 151
|
Posted: Thu Sep 05, 2002 7:41 pm Post subject: Re: Security |
|
|
network wrote: | How exactly does not sending ICMP echo-requests and port-unreach packets back qualify as being more secure? I invite insightful responses. |
It's good to be able to use ping when you are the originator. I agree that letting ICMP trough the firewall isn't a huge security risk, however the best security is if unknown people don't know that your machine exist. The counterpart of security is functionality so I wonder what functionality do you want to provide to unknown people by letting them know that your machine exist? If you are not able to answer that question it's better to drop ICMP.
TuxFriend |
|
Back to top |
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
|