Gentoo Forums
HOWTO: Quick/Simple Personal Firewall
Cornfed
n00b

Joined: 22 Dec 2003
Posts: 59
Location: MA, USA

PostPosted: Wed Feb 02, 2005 3:37 pm    Post subject: HOWTO: Quick/Simple Personal Firewall

IPTables Personal Firewall How-To

This guide is written for people that just want a personal firewall running on their workstations. You might be running Gentoo at work, and would like some protection from a crazy co-worker. Or, you might like some added protection on your internal servers.

This is mostly from the wiki site:
http://gentoo-wiki.com/HOWTO_Iptables_for_newbies
The script itself was really just taken from:
http://www2.warwick.ac.uk/services/its/safe/diy/linux/iptables/


Kernel Config
As for the kernel all you must do is enable iptable support.
Quote:
Device Drivers--->
Networking Support--->
Networking Options---->
Network Packet Filtering (replace Ipchains)--->
Netfilter Configuration

I enabled all the options as modules (in case I want to test other options later) and added ip_tables to my modules.autoload. This loads several modules as dependencies. Later you may want ip_conntrack for logging. Don't forget to "modprobe ip_tables" before running scripts.

Necessary Utilities
Next you must emerge the userland tools for configuring iptables:
Code:
 emerge iptables

Scripting
Now to the fun part.....iptables. We're going to simply allow everything out, and nothing in. Create a file (vi or nano my-rules, or whatever you name your script), and put this in there:

Code:
#!/bin/sh

# Set location of iptables
IPTABLES=/sbin/iptables

# Define interfaces
PUBLIC_IF="eth0"

# Flush current rules
$IPTABLES -t nat -F
$IPTABLES -t filter -F
$IPTABLES -t mangle -F

# Delete custom chains
$IPTABLES -t nat -X
$IPTABLES -t filter -X
$IPTABLES -t mangle -X

# Set default policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT

# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow traffic from established connections
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow typical ICMP responses
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

Save, and chmod 700 the file. (or 755 if you wish. I don't like anyone else to run my scripts so I keep it at 700 or sometimes 500). Execute the script.
Code:
chmod 700 my-rules
./my-rules

Now let's save it.
Code:
/etc/init.d/iptables save

And then back up your working configuration, so that if you bork something later you can quickly revert:
Code:
cp /var/lib/iptables/rules-save /var/lib/iptables/rules.working

Now check your iptables start-up script before adding iptables to your default runlevel:
Code:
 /etc/init.d/iptables start; /etc/init.d/iptables stop; /etc/init.d/iptables start

The reason we start, then stop, then start again is because we haven't yet started the iptables script...so we must set the “initialized” status before stopping. Stopping essentially erases all settings and puts you back to zero. Restarting will show you whether your network will still work after rebooting. Assuming success, we add iptables to our default runlevel:
Code:
 rc-update add iptables default

That should be the end of it. Now if you want to add SSH, you can add this to your script:
Code:
# Allow traffic to sshd (TCP, port 22)
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT

Just make sure you re-run the script, and restart iptables, if you modify your script.

If you are interested in logging connections, you can add this to the end of your script:
Code:
# Log stuff we might be interested in
$IPTABLES -A INPUT  -p tcp -d x.x.x.x -i $PUBLIC_IF -j LOG


I'm really only interested in people trying to ssh to my workstation, or probing for services. I used "-p tcp" to rule out UDP packets. I used "-d x.x.x.x" (where x.x.x.x is my IP address) because I'm only interested in packets destined for my machine.

If anyone knows a better logging rule, please feel free to post.
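Added by the editor as a worked example (not Cornfed's script, and not taken from the wiki or Warwick pages linked above): the same "everything out, nothing in" rule set, with three changes a practitioner usually wants. It can be dry-run so the generated rules are readable before they touch a live box; the LOG rule is rate-limited, because an unlimited LOG in front of a DROP policy fills /var/log during a port scan; and answering ping is a switch, since the script as posted accepts ICMP type 8 (echo-request), so a scanner sees the host as alive even with every port dropped. The interface name, the port list and the rate limits are assumptions.

```shell
#!/bin/sh
# Added example, not Cornfed's script: a personal firewall that allows
# everything out and nothing in, with a dry-run mode, a rate-limited LOG
# rule and a switch for answering ping. Interface and ports are assumptions.

IPT="${IPT:-/sbin/iptables}"
PUBLIC_IF="${PUBLIC_IF:-eth0}"

# print_rule: stand-in for iptables that echoes the rule instead of loading it
print_rule() { printf '%s\n' "$*"; }

# emit_rules STEALTH "TCP_PORTS"
#   STEALTH   yes -> drop echo-request (no ping reply); anything else -> answer pings
#   TCP_PORTS space-separated TCP ports to accept new connections on; "" for none
emit_rules() {
    stealth="$1"
    tcp_ports="$2"

    # Flush and delete custom chains in every table so re-running is idempotent
    for tbl in filter nat mangle; do
        $IPT -t "$tbl" -F
        $IPT -t "$tbl" -X
    done
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and return traffic for connections this host opened
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$PUBLIC_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # ICMP errors TCP needs to work (path-MTU discovery, unreachable, TTL expired)
    for icmp in destination-unreachable source-quench time-exceeded parameter-problem; do
        $IPT -A INPUT -p icmp --icmp-type "$icmp" -j ACCEPT
    done
    if [ "$stealth" != "yes" ]; then
        $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    fi

    # Listening services: only the first packet of a new connection needs a rule,
    # the rest of the connection is covered by RELATED,ESTABLISHED above
    for port in $tcp_ports; do
        $IPT -A INPUT -i "$PUBLIC_IF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Log what is about to fall through to the DROP policy, at most 3 lines a minute
    $IPT -A INPUT -i "$PUBLIC_IF" -m limit --limit 3/minute --limit-burst 10 \
        -j LOG --log-prefix "FW-DROP: " --log-level 4
}

# dry_run STEALTH "TCP_PORTS": print the rules instead of loading them
dry_run() { ( IPT=print_rule; emit_rules "$1" "$2" ); }

# rule_count STEALTH "TCP_PORTS" PATTERN: number of generated rules matching PATTERN
rule_count() { dry_run "$1" "$2" | grep -c -- "$3" || true; }

# rule_total STEALTH "TCP_PORTS": number of iptables invocations the script makes
rule_total() { dry_run "$1" "$2" | wc -l | tr -d ' '; }

case "${1:-}" in
    apply)   emit_rules "${STEALTH:-no}" "${PORTS:-}" ;;
    dry-run) dry_run "${STEALTH:-no}" "${PORTS:-}" ;;
esac
```

`sh my-rules dry-run` prints the rules; `STEALTH=yes PORTS=22 sh my-rules apply` loads them as root, after which `/etc/init.d/iptables save` works exactly as in the post. To see what actually loaded, use `iptables -L -v -n --line-numbers` rather than plain `iptables -L`: without `-v` the interface columns are not shown, so the `-i lo -j ACCEPT` rule appears as "ACCEPT all -- anywhere anywhere" and looks far more permissive than it is.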
nick58b
n00b

Joined: 09 Nov 2002
Posts: 30
Location: Santa Barbara, CA

PostPosted: Wed Feb 02, 2005 7:18 pm

Thank you!

It (appears to) work perfectly, and is exactly what I've been putting off doing on all my workstations.

Copy, paste, run a couple of commands, I think it took me 30 seconds to get it running.

Thanks again.
Naib
Advocate

Joined: 21 May 2004
Posts: 4126
Location: Removed by Neddy

PostPosted: Wed Feb 02, 2005 7:53 pm

You should check out firehol - it generates an iptables firewall from a very easy script.

Code:

root@Fluid ~ # cat /etc/firehol/firehol.conf
#!/usr/sbin/firehol

FIREHOL_LOG_MODE="LOG"
FIREHOL_LOG_LEVEL="2"
FIREHOL_LOG_BURST="5"
FIREHOL_LOG_FREQUENCY="10/minute"


interface eth0 home
        server  dns     accept 
        server  ftp     accept 
        server  dhcp    accept 
        server  http    accept 

        server  netbios_ssn     deny
        server  microsoft_ds    reject  with    tcp-reset
        server  samba           deny
        server  cups            deny


        client  all     accept

        protection      strong
        policy          reject
        server  ident   reject  with    tcp-reset


_________________
A free press is the unsleeping guardian of every other right that free men prize; it is the most dangerous foe of tyranny. Where men have the habit of liberty, the Press will continue to be the vigilant guardian of the rights of the ordinary citizen.
monotux
l33t

Joined: 09 Sep 2003
Posts: 751
Location: Stockholm, Sweden

PostPosted: Thu Feb 03, 2005 4:16 pm

Your ruleset wasn't that smart...
I "optimized" it a bit :)

Code:
#!/usr/sbin/firehol
interface eth0 home
        policy drop
        server "dns  ftp dhcp http" accept
        server "microsoft_ds ident" reject with tcp-reset
        client all accept
        protection strong

_________________
Computer science is no more about computers than astronomy is about telescopes.
wswartzendruber
Veteran

Joined: 23 Mar 2004
Posts: 1224
Location: Jefferson, USA

PostPosted: Thu Feb 03, 2005 9:26 pm

Awesome Howto! That's just what I need and nothing else. :)
Naib
Advocate

Joined: 21 May 2004
Posts: 4126
Location: Removed by Neddy

PostPosted: Thu Feb 03, 2005 9:39 pm

furiorc wrote:
Your ruleset wasn't that smart...
I "optimized" it a bit :)

Code:
#!/usr/sbin/firehol
interface eth0 home
        policy drop
        server "dns  ftp dhcp http" accept
        server "microsoft_ds ident" reject with tcp-reset
        client all accept
        protection strong



True, that is actually a lot better!!
However, I am now getting this occurring again:

http://forums.gentoo.org/viewtopic.php?t=289426
piwacet
Guru

Joined: 30 Dec 2004
Posts: 486

PostPosted: Sat Feb 05, 2005 4:46 am

Noob question - will this script make all my ports "stealth" to the outside world, in other words, when I do the "shieldsup" test at:

https://grc.com/x/ne.dll?bh0bkyd2

Will I pass? (get all stealth ports - i.e., the computer does not respond to any requests for access to any port - neither denies nor accepts, simply is quiet and pretends there's no computer at that IP address, and certainly won't allow any connections; and also does not respond to ping requests.)

Thanks!
tom56
Guru

Joined: 27 Apr 2004
Posts: 325
Location: united kingdom

PostPosted: Sat Feb 05, 2005 11:42 am

Another alternative is firestarter for those like me who even find this too daunting.
_________________
"A million surplus Maggies are willing to bear the yoke; And a woman is only a woman, but a good cigar is a Smoke" -- Rudyard Kipling (on why he chose cigars over his wife)
outspoken
Guru

Joined: 14 Feb 2004
Posts: 464
Location: orlando, fl

PostPosted: Thu Feb 10, 2005 4:09 pm

I find it easier to deal with iptables directly by making my own scripts like the one in the first post here. Once you get into using programs like firestarter, firehol, shorewall, or one of the other hundred programs out there, you begin to lose sight of what is really going on, and you then have to rely on a 3rd-party program which is scrambling everything that is really going on. In order for you to make iptables work you have to edit a script for a program which in turn then interfaces with iptables for you; you have just added a middleman which is really not needed. Now if something happens and you need to figure out what is really going on with your iptables rules, you're going to be lost, unless you can call upon your scripting program.

It is a good idea to stick with learning the iptables commands, as they will be used the same across any system. Whereas if you learn firehol, firestarter, etc., when you sit down or log in to some remote machine and have to alter the chains, you're going to be stuck scratching your head, asking the admin if he could please install firestarter. (Yes, if you're allowed to look at the scripts, most likely you will have root access and the ability to install firestarter.)

Just my opinion on the subject of these 3rd-party programs.
Gauss_Cleric
Tux's lil' helper

Joined: 30 Aug 2004
Posts: 85

PostPosted: Thu Feb 10, 2005 8:31 pm

Hi there, I think this is the right place to post this.

I have a local network managed by my ADSL modem/router. I configured it to leave all ports open so I can fine-tune the firewall directly from the PCs in the LAN.

This is the iptables script I've got with the help of kmyfirewall (excellent app BTW):

Code:

#!/bin/sh
#
# copyright (c) the KMyFirewall developers 2002
#      mail to: Christian Hubinger <e9806056@student.tuwien.ac.at>
#
# KMyFirewall v0.9.6.2
# This is an automatic generated file DO NOT EDIT
#
IPT="/sbin/iptables"
MOD="/sbin/modprobe"
status="0"
startFirewall() {
echo
echo "Starting firewall..."
#  Define all custom chains
echo -n "Create custom chains...                "
  echo "Done."
#  Rules:
echo "Settup Rules in Table FILTER:
"
#  Define Rules for Chain: INPUT
echo -n "Create Rules for Chain: INPUT                    "
$IPT -t filter -A INPUT --protocol tcp  --destination-port 53 -j ACCEPT  || { status="1"; echo "Setting up Rule: DNS_TCP_SERVER FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol udp  --destination-port 53 -j ACCEPT  || { status="1"; echo "Setting up Rule: DNS_UDP_SERVER FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp  --destination-port 80 -j ACCEPT  || { status="1"; echo "Setting up Rule: WWW_SERVER FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp  --destination-port 8080 -j ACCEPT  || { status="1"; echo "Setting up Rule: WWW-PROXY_SERVER FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp  --destination-port 443 -j ACCEPT  || { status="1"; echo "Setting up Rule: SEC_WWW_SERVER FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp  --destination-port 110 -j ACCEPT  || { status="1"; echo "Setting up Rule: POP3_SERVER FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp  --destination-port 25 -j ACCEPT  || { status="1"; echo "Setting up Rule: SMTP_SERVER FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp  --destination-port 21 -j ACCEPT  || { status="1"; echo "Setting up Rule: FTP_SERVER FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp  --destination-port 23 -j ACCEPT  || { status="1"; echo "Setting up Rule: TELNET_SERVER FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp  --destination-port 22 -j ACCEPT  || { status="1"; echo "Setting up Rule: SSH_SERVER FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp  --destination-port 137 -j ACCEPT  || { status="1"; echo "Setting up Rule: SMB_NS_SERVER FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp  --destination-port 138 -j ACCEPT  || { status="1"; echo "Setting up Rule: SMB_DGM_SERVER FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp  --destination-port 139 -j ACCEPT  || { status="1"; echo "Setting up Rule: SMB_SSN_SERVER FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp  --destination-port 2049 -j ACCEPT  || { status="1"; echo "Setting up Rule: NFS_TCP_SERVER FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol udp  --destination-port 2049 -j ACCEPT  || { status="1"; echo "Setting up Rule: NFS_UDP_SERVER FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp  --destination-port 27960:27970 -j ACCEPT  || { status="1"; echo "Setting up Rule: Custom_ET_TCP FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol udp  --destination-port 27960:27970 -j ACCEPT  || { status="1"; echo "Setting up Rule: Custom_ET_UDP FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp  --destination-port 4660:4670 -j ACCEPT  || { status="1"; echo "Setting up Rule: Custom_aMule_TCP FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol udp  --destination-port 4670:4680 -j ACCEPT  || { status="1"; echo "Setting up Rule: Custom_aMule_UDP FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol tcp  --destination-port 6680:6690 -j ACCEPT  || { status="1"; echo "Setting up Rule: Custom_Azureus_TCP FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol udp  --destination-port 6680:6690 -j ACCEPT  || { status="1"; echo "Setting up Rule: Custom_Azureus_UDP FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --protocol icmp   --icmp-type echo-request --match limit --limit 5/minute -j ACCEPT  || { status="1"; echo "Setting up Rule: PING_INPUT FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT  || { status="1"; echo "Setting up Rule: CONNRACK_INPUT FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT --destination 127.0.0.1 --in-interface lo -j ACCEPT  || { status="1"; echo "Setting up Rule: LOOPBACK_INPUT FAILED !!!"; exit 1; }
$IPT -t filter -A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "KMF: " || { status="1"; echo "Setting up Rule: Chain: INPUT Drop Logging FAILED !!!"; exit 1; }
$IPT -t filter -P INPUT DROP || { status="1"; echo "Setting up Rule: Chain: INPUT Default Target FAILED !!!"; exit 1; }
echo "Done."
#  Define Rules for Chain: OUTPUT
echo -n "Create Rules for Chain: OUTPUT                    "
$IPT -t filter -P OUTPUT ACCEPT || { status="1"; echo "Setting up Rule: Chain: OUTPUT Default Target FAILED !!!"; exit 1; }
echo "Done."
#  Define Rules for Chain: FORWARD
echo -n "Create Rules for Chain: FORWARD                    "
$IPT -t filter -P FORWARD ACCEPT || { status="1"; echo "Setting up Rule: Chain: FORWARD Default Target FAILED !!!"; exit 1; }
echo "Done."
echo -n "Disable IP Forwarding.  "
echo 0 > /proc/sys/net/ipv4/ip_forward
echo "Done.
"
 echo -n "Enable Reverse Path Filtering      "
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
echo 2 > $i
done
echo "Done."
 echo -n "Enable log_martians (logging).             "
for i in /proc/sys/net/ipv4/conf/*/log_martians ; do
echo 1 > $i
done
echo "Done."
 echo -n "Enable Syn Cookies.          "
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "Done."
}
stopFirewall() {
  echo -n "Shutdown KMyFirewall...       "
  $IPT -t filter -F || status="1"
  $IPT -t filter -X || status="1"
  $IPT -t filter -P INPUT ACCEPT || status="1"
  $IPT -t filter -P OUTPUT ACCEPT || status="1"
  $IPT -t filter -P FORWARD ACCEPT || status="1"
 echo "Done."
}
case $1 in
  start)
  stopFirewall
  startFirewall
  ;;
  stop)
  stopFirewall
  ;;
  restart)
  stopFirewall
  startFirewall
  ;;
  *)
  echo "Usage: sh kmyfirewall.sh { start | stop | restart } "
  ;;
  esac
if [ "$status" = "1" ]; then
  exit 1
else
  exit 0
fi


Now, if I turn this on, the Windows XP box in the LAN stops seeing my samba shares. :? You can see in the code above that there are exception rules for the SMB ports. I guess there are others that should be left open but I missed them!

So, what ports must I leave open so that the samba clients in the LAN can access my shares?

Cheers,
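Added by the editor as a worked example, not KMyFirewall output and not part of the post above: the INPUT rules a Samba server needs, restricted to one LAN subnet. Samba uses four ports and two of them are UDP: 137/udp (NetBIOS name service, used for browsing and name resolution), 138/udp (NetBIOS datagram service, used for browse-list announcements), 139/tcp (NetBIOS session service) and 445/tcp (SMB directly over TCP, used by Windows 2000 and later). A rule set that opens 137 and 138 as TCP only lets a client reach a share it already knows the name of, but not discover the server. The interface name and the 192.168.1.0/24 subnet are assumptions.

```shell
#!/bin/sh
# Added example, not KMyFirewall output: Samba server rules limited to one
# LAN subnet. Interface and subnet are assumptions.

IPT="${IPT:-/sbin/iptables}"

# print_rule: stand-in for iptables that echoes the rule instead of loading it
print_rule() { printf '%s\n' "$*"; }

# smb_rules IFACE LAN_CIDR: accept the four Samba ports from LAN_CIDR on IFACE only
smb_rules() {
    iface="$1"
    lan="$2"
    # NetBIOS name service (137) and datagram service (138) are UDP; without
    # these a Windows client cannot browse to or resolve the server by name
    for p in 137 138; do
        $IPT -A INPUT -i "$iface" -s "$lan" -p udp --dport "$p" -j ACCEPT
    done
    # NetBIOS session service (139) and SMB over TCP (445) carry the actual
    # file sharing; only the first packet of a connection needs the rule
    for p in 139 445; do
        $IPT -A INPUT -i "$iface" -s "$lan" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # Anything from outside LAN_CIDR keeps hitting the default policy, so the
    # shares are never exposed on the Internet-facing side by this rule set
}

# dry_run IFACE LAN_CIDR: print the rules instead of loading them
dry_run() { ( IPT=print_rule; smb_rules "$1" "$2" ); }

# rule_count IFACE LAN_CIDR PATTERN: how many generated rules match PATTERN
rule_count() { dry_run "$1" "$2" | grep -c -- "$3" || true; }

case "${1:-}" in
    apply)   smb_rules "${IFACE:-eth0}" "${LAN:-192.168.1.0/24}" ;;
    dry-run) dry_run "${IFACE:-eth0}" "${LAN:-192.168.1.0/24}" ;;
esac
```

Because these are appended with `-A`, they must be added before any trailing LOG rule or the chain's DROP policy takes effect; in a script like the generated one above, that means placing them among the other ACCEPT rules rather than after the logging rule.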
deprave
n00b

Joined: 14 May 2004
Posts: 63
Location: Flint, Michigan

PostPosted: Thu Feb 10, 2005 11:05 pm

Nice tutorial, but here is another really easy way to do it: do everything above up to scripting, then once you get to the scripting part of the tut do this instead.
Code:

#emerge gshield


Then

Code:
#/etc/init.d/gshield start


Works really well for all kinds of things. It's the method I've been using lately, for routing even.

The config is /etc/gshield/gshield.conf

But it works right out of portage, no scripting necessary :)
_________________
http://www.migamer.com
tommy_fila
Guru

Joined: 19 Nov 2003
Posts: 450
Location: Phoenix, AZ

PostPosted: Wed Mar 30, 2005 9:55 pm

A quick and simple question:

It says that the script allows "everything out and nothing in". But my internet still works? It doesn't seem like everything coming in is being blocked. Which part of the script is allowing things in?
_________________
"What goes on in life, that goes for eternity."
iainel
Tux's lil' helper

Joined: 28 Feb 2005
Posts: 94

PostPosted: Thu Mar 31, 2005 6:41 pm

piwacet wrote:
Noob question - will this script make all my ports "stealth" to the outside world, in other words, when I do the "shieldsup" test at:

https://grc.com/x/ne.dll?bh0bkyd2

Will I pass? (get all stealth ports - i.e., the computer does not respond to any requests for access to any port - neither denies nor accepts, simply is quiet and pretends there's no computer at that IP address, and certainly won't allow any connections; and also does not respond to ping requests.)

Thanks!


It didn't for me. :?

No ports were open, 9 were stealthed and the rest were closed.

It also says I failed the test on... Solicited TCP Packets: RECEIVED (FAILED) and Ping Reply: RECEIVED (FAILED).

Can anybody post lines of code to add to the file to help pass the test or stealth all ports?

Don't worry you're not the only noob at iptables :P
nitroburn
n00b

Joined: 26 Jan 2004
Posts: 32

PostPosted: Fri Apr 01, 2005 5:38 am    Post subject: only one

I want to lock down client machines so that they can get to only one website...I have been reading and trying different combinations in firehol ....can someone give me an example of what to do?!
zeb
Tux's lil' helper

Joined: 19 Apr 2002
Posts: 79
Location: Finland

PostPosted: Fri Apr 01, 2005 9:01 am    Post subject: Re: only one

nitroburn wrote:
I want to lock down client machines so that they can get to only one website...I have been reading and trying different combinations in firehol ....can someone give me an example of what to do?!


This should do it:
Code:

interface eth0 net
        policy reject
        client dns accept
        client http accept dst "forums.gentoo.org www.gentoo.org"


Only name lookup and http access to some gentoo.org servers allowed.
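Added by the editor as a worked example, not from firehol and not part of the reply above: the same "one website only" policy written directly in iptables, for readers who prefer the raw rules. It takes the web servers' IP addresses rather than names, because iptables matches addresses; firehol's `dst "hostname"` resolves the name once at load time, so a record that changes later is not covered in either case. The interface name and the resolver and server addresses used in the dry run are assumptions. The multiport match is used for the 80/443 rule so that one rule per server covers both ports.

```shell
#!/bin/sh
# Added example, not from firehol or the original post: outbound allow-list
# that permits DNS to chosen resolvers and HTTP/HTTPS to chosen web servers
# and nothing else. Interface, resolvers and server addresses are assumptions.

IPT="${IPT:-/sbin/iptables}"

# print_rule: stand-in for iptables that echoes the rule instead of loading it
print_rule() { printf '%s\n' "$*"; }

# egress_rules IFACE "RESOLVER_IPS" "WEB_IPS"
#   Default-deny outbound on IFACE; allow DNS to the listed resolvers and
#   HTTP/HTTPS to the listed web servers. The INPUT side of the personal
#   firewall is untouched: replies still come back via RELATED,ESTABLISHED.
egress_rules() {
    iface="$1"; resolvers="$2"; webs="$3"

    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -o "$iface" -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Name lookups: UDP for normal queries, TCP for answers too large for UDP
    for r in $resolvers; do
        $IPT -A OUTPUT -o "$iface" -d "$r" -p udp --dport 53 -j ACCEPT
        $IPT -A OUTPUT -o "$iface" -d "$r" -p tcp --dport 53 -m state --state NEW -j ACCEPT
    done
    # Web: one multiport rule per server covers both 80 and 443
    for w in $webs; do
        $IPT -A OUTPUT -o "$iface" -d "$w" -p tcp -m multiport --dports 80,443 \
            -m state --state NEW -j ACCEPT
    done

    # Locally generated traffic that gets this far is rejected, not dropped,
    # so a blocked client fails immediately instead of hanging until timeout
    $IPT -A OUTPUT -o "$iface" -j REJECT --reject-with icmp-admin-prohibited

    # Policy goes last: setting it first would cut all outbound traffic while
    # the ACCEPT rules above are still being added
    $IPT -P OUTPUT DROP
}

# dry_run IFACE "RESOLVER_IPS" "WEB_IPS": print the rules instead of loading them
dry_run() { ( IPT=print_rule; egress_rules "$1" "$2" "$3" ); }

# rule_count IFACE "RESOLVER_IPS" "WEB_IPS" PATTERN: generated rules matching PATTERN
rule_count() { dry_run "$1" "$2" "$3" | grep -c -- "$4" || true; }

case "${1:-}" in
    apply)   egress_rules "${IFACE:-eth0}" "${RESOLVERS:-192.168.1.1}" "${WEBS:-}" ;;
    dry-run) dry_run "${IFACE:-eth0}" "${RESOLVERS:-192.168.1.1}" "${WEBS:-}" ;;
esac
```

This only restricts traffic the client machine itself generates; if the Gentoo box is the router for the clients, the equivalent rules belong in the FORWARD chain with `-i` on the LAN side instead of `-o`.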
tommy_fila
Guru

Joined: 19 Nov 2003
Posts: 450
Location: Phoenix, AZ

PostPosted: Fri Apr 01, 2005 5:06 pm

I'm sorry to ask again, but how do websites work in the original script. I thought the script blocked all incoming traffic. So how can programs such as Gaim, IRC, etc all work on my computer?
zeb
Tux's lil' helper

Joined: 19 Apr 2002
Posts: 79
Location: Finland

PostPosted: Fri Apr 01, 2005 7:06 pm

tommy_fila wrote:
I'm sorry to ask again, but how do websites work in the original script. I thought the script blocked all incoming traffic. So how can programs such as Gaim, IRC, etc all work on my computer?


There is this line in the script:
Code:

# Allow traffic from established connections
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT


Traffic related to established connections is allowed in, so once your browser (or irc client/gaim/...) has connected out, incoming packets from that connection are allowed through.
tommy_fila
Guru

Joined: 19 Nov 2003
Posts: 450
Location: Phoenix, AZ

PostPosted: Fri Apr 01, 2005 10:37 pm

Sweet. Thanks for the explanation.
elusive-dragon
n00b

Joined: 29 Mar 2005
Posts: 39
Location: jax, fl

PostPosted: Mon Apr 04, 2005 2:24 am

I use Guarddog. Pretty simple to use; I'd like to learn more about routers and make better use of my wireless AP.
_________________
Mike - elusive-dragon

"a waste is a terrible thing to mind"

my system:
Gentoo box
Athlon Xp 2000
512mb pc 133 ram
10gb ide hard drive
120gb Samsung ide drive
3dfx agp video card
built in NIC
Turtle Beach 5.1 USB sound
Syph3r
n00b

Joined: 22 Sep 2004
Posts: 6

PostPosted: Mon Apr 04, 2005 1:12 pm

iainel wrote:
piwacet wrote:
Noob question - will this script make all my ports "stealth" to the outside world, in other words, when I do the "shieldsup" test at:

https://grc.com/x/ne.dll?bh0bkyd2

Will I pass? (get all stealth ports - i.e., the computer does not respond to any requests for access to any port - neither denies nor accepts, simply is quiet and pretends there's no computer at that IP address, and certainly won't allow any connections; and also does not respond to ping requests.)

Thanks!


It didn't for me. :?

No ports were open, 9 were stealthed and the rest were closed.

It also says I failed the test on... Solicited TCP Packets: RECEIVED (FAILED) and Ping Reply: RECEIVED (FAILED).

Can anybody post lines of code to add to the file to help pass the test or stealth all ports?

Don't worry you're not the only noob at iptables :P

If you run 'iptables -L' what is the output?
Koala Kid
Guru

Joined: 09 May 2003
Posts: 377

PostPosted: Tue Apr 05, 2005 3:41 pm

Guys, what should I write in this script to allow another users to download from me in Nicotine/Amule ?

Thank you.
_________________
Digital Gunfire
iainel
Tux's lil' helper

Joined: 28 Feb 2005
Posts: 94

PostPosted: Tue Apr 05, 2005 4:58 pm

Syph3r wrote:
If you run 'iptables -L' what is the output?


Code:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  10.0.0.9             anywhere           
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       icmp --  anywhere             anywhere            icmp destination-unreachable
DROP       icmp --  anywhere             anywhere            icmp source-quench
DROP       icmp --  anywhere             anywhere            icmp time-exceeded
DROP       icmp --  anywhere             anywhere            icmp parameter-problem
DROP       icmp --  anywhere             anywhere            icmp echo-reply
DROP       icmp --  anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  10.0.0.9             anywhere


It's the script from the original post by Cornfed.
Syph3r
n00b

Joined: 22 Sep 2004
Posts: 6

PostPosted: Sat Apr 09, 2005 12:02 am

iainel wrote:
Syph3r wrote:
If you run 'iptables -L' what is the output?


Code:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     all  --  10.0.0.9             anywhere           
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
DROP       icmp --  anywhere             anywhere            icmp destination-unreachable
DROP       icmp --  anywhere             anywhere            icmp source-quench
DROP       icmp --  anywhere             anywhere            icmp time-exceeded
DROP       icmp --  anywhere             anywhere            icmp parameter-problem
DROP       icmp --  anywhere             anywhere            icmp echo-reply
DROP       icmp --  anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  10.0.0.9             anywhere


It's the script from the original post by Cornfed.

The problem is the first line "ACCEPT all -- anywhere anywhere". Get rid of that rule and it should work.
AussieAndrew
n00b

Joined: 10 Apr 2005
Posts: 14

PostPosted: Tue Apr 12, 2005 3:40 am

iainel wrote:
piwacet wrote:
Noob question - will this script make all my ports "stealth" to the outside world, in other words, when I do the "shieldsup" test at:

https://grc.com/x/ne.dll?bh0bkyd2

Will I pass? (get all stealth ports - i.e., the computer does not respond to any requests for access to any port - neither denies nor accepts, simply is quiet and pretends there's no computer at that IP address, and certainly won't allow any connections; and also does not respond to ping requests.)

Thanks!


It didn't for me. :?

No ports were open, 9 were stealthed and the rest were closed.

It also says I failed the test on... Solicited TCP Packets: RECEIVED (FAILED) and Ping Reply: RECEIVED (FAILED).

Can anybody post lines of code to add to the file to help pass the test or stealth all ports?

Don't worry you're not the only noob at iptables :P


I guess my (D-link) router is doing its job... all tests passed, all ports stealth :)
Ashe
n00b

Joined: 14 Nov 2003
Posts: 34
Location: Sheffield, UK

PostPosted: Wed Apr 13, 2005 10:22 pm

I think, as much as ShieldsUp has contributed to making the net safer, and can be a useful tool, it has also engendered a certain amount of paranoia amongst certain people.

Sometimes, ports are going to be open. It's a fact. Hell, if you run any kind of external-facing server, you're going to need certain ports to be unscreened. Same with many p2p apps. What matters in these cases is making sure the software that is world-facing is as up to date and secure as it can be. A firewall is an important part of your computer security, yes, but it's only a part.

That said, does anyone know if any of the newer (multiport/multi-address) iptables stuff is any good?
_________________
"Every problem in the universe can be solved by finding the right long-haired prettyboy, and beating the crap out of him."
Page 1 of 2