Gentoo Forums
Forum Index > Networking & Security
firewall suggestions
Dale__ (n00b, joined 18 Apr 2015, 55 posts)
Posted: Wed May 06, 2015 1:23 am    Post subject: firewall suggestions

my computer is behind a cable router

I want a software firewall too

I used to be able to create a rules based firewall on Windows

I know what a protocol and port is

I want to drop or reject incoming requests, I don't know the difference between drop and reject, I don't think I need incoming requests, ... do I?

I only want outgoing connections for protocols/ports for applications I use, preferably specifying application too
ct85711 (Veteran, joined 27 Sep 2005, 1791 posts)
Posted: Wed May 06, 2015 5:33 am

Well, I can't really help you on making the firewall, but what I do know is that you would want to use DROP instead of REJECT. This causes packets to be silently dropped with no response sent back, while a reject sends a response back that the packet was not accepted.

Secondly, you need to accept some incoming packets. TCP in general works in a back-and-forth communication. So if you don't accept any incoming packets, how does your computer know your packet was received? The key is to set up your firewall so that it allows incoming communications on channels/ports your computer opened first.

If you know the rules you used on Windows, you can tell us what they were and someone more knowledgeable than I will be able to help you convert them to use on Linux (including improving the rules too).
charles17 (Advocate, joined 02 Mar 2008, 3664 posts)
Posted: Wed May 06, 2015 7:43 am    Post subject: Re: firewall suggestions

Dale__ wrote:
I want to drop or reject incoming requests, I don't know the difference between drop and reject, I don't think I need incoming requests, ... do I?

See https://wiki.gentoo.org/wiki/Iptables#Client and https://wiki.gentoo.org/wiki/Iptables#Generating_firewall_rules_for_client
el muchacho (Tux's lil' helper, joined 26 Mar 2015, 78 posts)
Posted: Wed May 06, 2015 7:56 am    Post subject: Re: firewall suggestions

Dale__ wrote:
my computer is behind a cable router

I want a software firewall too

I used to be able to create a rules based firewall on Windows

I know what a protocol and port is

I want to drop or reject incoming requests, I don't know the difference between drop and reject, I don't think I need incoming requests, ... do I?

I only want outgoing connections for protocols/ports for applications I use, preferably specifying application too

For a home firewall like this, iptables is perfect; you just need a few lines.

1- set the default for INPUT and FORWARD to DROP
2- accept INPUT packets that belong to connections you initiated
3- accept loopback
4- set the default for OUTPUT to ALLOW
5- maybe you can drop OUTPUT for some users; say you run some applications under their own account and you don't want internet access for those. iptables can filter packets based on their owner with

Code:
-m owner --uid-owner <user>

You'll find the corresponding command lines in many tutorials online.
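One way to turn the five steps above into a ruleset, as an added example that is not from the thread: the function writes an iptables-restore file for a client-only host, with a constructed `sandbox` account standing in for the users that get no internet access. Run it as root with `--apply` to load the rules in one atomic step; without the flag it only prints them.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore ruleset for a
# client-only host following the five steps above.
# NO_NET_USERS is a constructed list of accounts that get no internet access;
# "sandbox" is a placeholder name, not a real account on the poster's machine.
NO_NET_USERS="${NO_NET_USERS:-sandbox}"

client_ruleset() {
    printf '%s\n' '*filter'
    # steps 1 and 4: default policies (iptables calls ALLOW "ACCEPT")
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # step 3: loopback, which many local services depend on
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    # step 2: replies to connections this host opened (conntrack tracks them)
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # step 5: no internet for the listed accounts, matched on the socket owner;
    # the -o lo ACCEPT above still lets them talk to local services
    for u in $NO_NET_USERS; do
        printf '%s\n' "-A OUTPUT -m owner --uid-owner $u -j REJECT"
    done
    printf '%s\n' 'COMMIT'
}

# count_rules: number of -A rule lines in the generated set (policies excluded)
count_rules() {
    client_ruleset | grep -c '^-A'
}

# with --apply, load the rules atomically (needs root); otherwise just print them
if [ "${1:-}" = "--apply" ]; then
    client_ruleset | iptables-restore
else
    client_ruleset
fi
```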
mv (Watchman, joined 20 Apr 2005, 6747 posts)
Posted: Wed May 06, 2015 8:30 am

The general recommendation to DROP instead of REJECT is not good, since it violates the standard and can cause other computers to re-send their messages: hence, you are unnecessarily producing more traffic.
Of course, there are some stupid programs (usually from MS machines or spammers) which ignore even REJECTs, so you should REJECT in a rate-limited way.

To do all this properly and safely requires that you read a little bit. You might want to have a look at e.g. firewall-mv (from the mv overlay), which is made for such simple cases (and allows simply adding extensions for not too complex cases).
pietinger (Moderator, joined 17 Oct 2006, 4146 posts, Location: Bavaria)
Posted: Wed May 06, 2015 1:38 pm

mv wrote:
The general recommendation to DROP instead of REJECT is not good, since it violates standard and can cause other computers to re-send their messages: Hence, you are unnecessarily producing more traffic.


You are right, if you speak of a server. But nobody has to ping my private PC, nor scan which ports are open. The recommendation for a private PC is DROP, and it's the right choice.
mv (Watchman, joined 20 Apr 2005, 6747 posts)
Posted: Wed May 06, 2015 5:06 pm

pietinger wrote:
You are right, if you speak of a server.

No, this holds always. It is not visible from the outside whether you are a server or not.
Quote:
But nobody has to ping my private PC, nor scan which ports are open.

Exactly. And just for this reason you send the requesting machine a REJECT so that it knows that you are not a server and a connection is pointless. Then a (sane) connecting machine will not retry. In case it is not sane and retries (or just systematically scans your ports), you change to DROP.
Be aware that not everybody who connects to your machine does this with malevolent intent: for instance, if you have a dynamic IP, just a few seconds/minutes/hours ago there might have been a server under your IP. You must tell these people that this server is no longer there and not pretend connection problems...
szatox (Advocate, joined 27 Aug 2013, 3133 posts)
Posted: Wed May 06, 2015 8:49 pm

Quote:
Be aware that not everybody who connects to your machine does this with malevolent intent

No, but those who knock on the door by mistake seem to be relatively uncommon. If someone has just changed his IP and you inherited it, there is a good chance his peers' connections are already timing out anyway. And it's not something that happens very often (once a day in the case of most modem connections and never with the rest?), while scanners are testing the whole network all the time, so I don't see a reason to tell them I don't want to talk to them.
If you really want to send a response, perhaps it would be smarter to pretend to be a router and go for "destination host unreachable" instead :lol:
Dale__ (n00b, joined 18 Apr 2015, 55 posts)
Posted: Wed May 06, 2015 8:49 pm

I will look for a tutorial for iptables using these suggestions

what I used to do before was to allow my outgoing requests, then block all other traffic

I would like ping, I don't know what loopback is or why I would need it, I have DHCP

I do not have a server, I just want secure POP, SMTP, NNTP, HTTP

from what I recall, allowed connections do not need a two-way conversation?

I would also like secure IRC using konversation, but the servers I am using, irc.frrenode.net, irc.gimp.org, don't seem to like the secure IRC settings, so I might need regular ports

I also would like to use amarok internet music

how do I go about logging with iptables?

I am sure I don't want any rules or logs at the packet level?
ct85711 (Veteran, joined 27 Sep 2005, 1791 posts)
Posted: Wed May 06, 2015 11:33 pm

You can say that loopback can be considered safe. Loopback is, as the name sounds, a straight loop back: nothing is ever transmitted to the network through it, nor can anything from the network communicate with that address. That address is the exact same on every device, and is strictly local-machine only. There are several services that depend on the loopback to work properly.
Dale__ (n00b, joined 18 Apr 2015, 55 posts)
Posted: Wed May 06, 2015 11:42 pm

https://forums.gentoo.org/viewtopic-p-7578926.html

the link above has a good example to start with

Code:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

/etc/init.d/iptables save
rc-config add iptables

this is ipv4

how does ipv6 differ and how do I know if I need ipv6?

would anyone be willing to show me an example of how I can narrow down input to the protocols/ports I want? I will have to look some of them up, so I just need one example to start with.
Dale__ (n00b, joined 18 Apr 2015, 55 posts)
Posted: Thu May 07, 2015 1:59 am

I would also like to log drops; logging the others would maybe be too cumbersome. Any suggestions?
charles17 (Advocate, joined 02 Mar 2008, 3664 posts)
Posted: Thu May 07, 2015 4:57 am

Dale__ wrote:
this is ipv4

how does ipv6 differ and how do I know if I need ipv6?

Search for ipv6 in the above mentioned wiki article.
pietinger (Moderator, joined 17 Oct 2006, 4146 posts, Location: Bavaria)
Posted: Thu May 07, 2015 7:09 am

Dale__ wrote:
also would like to log drops, the others would be too cumbersome maybe, any suggestions?

Logging is simple:

Code:
iptables -A INPUT -j LOG --log-prefix "my text: "

Dale__ wrote:
would anyone be willing to show me an example of how I can narrow down input to the protocols/ports I want? I will have to look some of them up, so I just need one example to start with.

I wrote a bash script for my initial fw build. In the first part you can see I have some Windows PCs in my local network ... ;-) Do not worry about the DROP of outgoing packets. You will see the reason in the last part.

Code:

#!/bin/sh
#
# initial version for sun

# define general
logit="-j LOG --log-prefix"

# define addresses
ip_gw="192.168.2.1"             # DSL router
ip_dns1="213.73.91.35"          # free DNS server (CCC)
ip_dns2="85.214.20.141"         # free DNS server (FoeBbuD)
ip_ntp="192.53.103.108"         # time server: ptbtime1.ptb.de
ip_hal="192.168.2.3"            # notebook HAL

# flush all rules and start from DROP policies in every chain
iptables -F
iptables -X
iptables -Z
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP
iptables -P FORWARD DROP
iptables -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT   -i lo -j ACCEPT
iptables -A OUTPUT  -o lo -j ACCEPT


### Firewall In ###

# accept some ICMP (3 destination unreachable, 11 time exceeded, 12 parameter problem)
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT

# accept and log ssh from notebook hal
iptables -A INPUT   -s ${ip_hal} -p tcp --dport 22 ${logit} "ACCEPT SSH IN "
iptables -A INPUT   -s ${ip_hal} -p tcp --dport 22 -j ACCEPT

# drop some windows, DHCP and IGMP noise without logging
iptables -A INPUT   -p udp --dport 137 -j DROP   # netbios-ns
iptables -A INPUT   -p udp --dport 138 -j DROP   # netbios-dgm
iptables -A INPUT   -p udp --dport 67 -j DROP    # dhcp server
iptables -A INPUT   -p udp --dport 68 -j DROP    # dhcp client
iptables -A INPUT   -p 2 -j DROP                 # igmp

# log all others; the INPUT policy DROP then discards them
iptables -A INPUT   ${logit} "DROP !!! "

I don't allow all outgoing traffic. I am surfing the Internet through a proxy server (privoxy). At last, I REJECT all outgoing traffic:

Code:

### Firewall Out ###

# accept dns
iptables -A OUTPUT   -d ${ip_dns1} -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT   -d ${ip_dns2} -p udp --dport 53 -j ACCEPT

# accept all http / http-alt / https, but only from the privoxy user (uid 104)
iptables -A OUTPUT   -p tcp --dport 80 -m owner --uid-owner 104 -j ACCEPT
iptables -A OUTPUT   -p tcp --dport 8080 -m owner --uid-owner 104 -j ACCEPT
iptables -A OUTPUT   -p tcp --dport 443 -m owner --uid-owner 104 -j ACCEPT
iptables -A OUTPUT   -p tcp --dport 8085 -m owner --uid-owner 104 -j ACCEPT

# accept mail (submission 587, pop3s 995, smtps 465) to the providers' networks only
iptables -A OUTPUT   -d 213.165.67.0/24 -p tcp --dport 587 -j ACCEPT
iptables -A OUTPUT   -d 212.227.17.161 -p tcp --dport 995 -j ACCEPT
iptables -A OUTPUT   -d 212.227.17.177 -p tcp --dport 995 -j ACCEPT
iptables -A OUTPUT   -d 194.25.134.0/24 -p tcp --dport 465 -j ACCEPT
iptables -A OUTPUT   -d 194.25.134.0/24 -p tcp --dport 995 -j ACCEPT

# accept ntp to time-server
iptables -A OUTPUT   -d ${ip_ntp} -p udp --dport 123 -j ACCEPT

# accept pings (echo request)
iptables -A OUTPUT   -p icmp --icmp-type 8/0 -j ACCEPT

# accept whois
iptables -A OUTPUT   -p tcp --dport 43 -j ACCEPT

# accept and log ssh
iptables -A OUTPUT   -p tcp --dport 22 ${logit} "ACCEPT SSH "
iptables -A OUTPUT   -p tcp --dport 22 -j ACCEPT

# accept and log traceroute (UDP probe port range)
iptables -A OUTPUT   -p udp --dport 33434:33524 ${logit} "ACCEPT TRCR "
iptables -A OUTPUT   -p udp --dport 33434:33524 -j ACCEPT

# .... ....

# reject and log all others; LOG does not end the chain, so REJECT must follow it
iptables -A OUTPUT   ${logit} "REJECT !!! "
iptables -A OUTPUT   -j REJECT

I hope it helps you.


Edit: P.S.: "!!!" is my search key in the log ... ;)
Dale__ (n00b, joined 18 Apr 2015, 55 posts)
Posted: Thu May 07, 2015 10:39 pm

Thanks, I'll have to study the script

one question: does a log come after or before a drop?
Hu (Moderator, joined 06 Mar 2007, 21619 posts)
Posted: Fri May 08, 2015 1:08 am

LOG is a non-terminal target. DROP is a terminal target.
mv (Watchman, joined 20 Apr 2005, 6747 posts)
Posted: Fri May 08, 2015 6:27 am

szatox wrote:
No, but those who knock on the door by mistake seem to be relatively uncommon.

My experience is different: especially with torrent & co., users' machines quite often act as a server and thus receive requests.
It doesn't hurt to send a proper REJECT to politely asking machines.
As mentioned, I would not recommend doing this without a rate limit, but with a rate limit (more precisely, a hash limit on a per-host basis), it usually decreases the traffic compared to DROP.
Moreover, you do not shoot yourself in the foot when troubleshooting your network.

I recommend once more to take a look at the firewall-mv script (or at least at the rules it generates). It has some more rate limits by default, e.g. for echo-reply and echo-request ICMP.
Moreover, by default, the script builds all rules with one command, thus avoiding possible races for successive "iptables -A"...
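The rate-limited REJECT that mv describes, with the LOG-before-DROP ordering that Hu's answer implies, as an added example that is neither from the thread nor the firewall-mv script: unwanted new connections get a polite REJECT up to a per-source limit enforced with the hashlimit match, and everything beyond that is logged at a tame rate and dropped. The RATE and BURST values are constructed, and loading everything through iptables-restore also gives the one-command, race-free load mv mentions.

```shell
#!/bin/sh
# Added example, not from the thread and not firewall-mv: an INPUT chain that
# REJECTs unwanted connections politely up to a per-source rate and DROPs the
# rest. RATE and BURST are constructed values; tune them for your link.
RATE="${RATE:-6/minute}"
BURST="${BURST:-10}"
HL="-m hashlimit --hashlimit-mode srcip --hashlimit-upto $RATE --hashlimit-burst $BURST"

polite_reject_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # ACCEPT rules for services this host really offers would go here.
    # A sane peer is told there is no server: TCP sees a RST, anything else an
    # ICMP port-unreachable, each source address limited by its own bucket.
    printf '%s\n' "-A INPUT -p tcp $HL --hashlimit-name rej-tcp -j REJECT --reject-with tcp-reset"
    printf '%s\n' "-A INPUT $HL --hashlimit-name rej-any -j REJECT --reject-with icmp-port-unreachable"
    # Sources over the limit (scanners, retry loops) fall through to here.
    # LOG is non-terminal, so it must precede the terminal DROP; the limit
    # match keeps a port scan from flooding the log.
    printf '%s\n' '-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "DROP !!! "'
    printf '%s\n' '-A INPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# log_precedes_drop: succeeds only if the LOG rule sits before the final DROP
log_precedes_drop() {
    log=$(polite_reject_rules | grep -n -- '-j LOG' | cut -d: -f1)
    drop=$(polite_reject_rules | grep -n '^-A INPUT -j DROP$' | cut -d: -f1)
    [ -n "$log" ] && [ -n "$drop" ] && [ "$log" -lt "$drop" ]
}

# with --apply, load the rules in one atomic step (needs root); otherwise print them
if [ "${1:-}" = "--apply" ]; then
    polite_reject_rules | iptables-restore
else
    polite_reject_rules
fi
```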
Dale__ (n00b, joined 18 Apr 2015, 55 posts)
Posted: Fri May 08, 2015 6:26 pm

just in case, how do I delete the rules in iptables and ip6tables?
charles17 (Advocate, joined 02 Mar 2008, 3664 posts)
Posted: Sat May 09, 2015 4:10 am

Dale__ wrote:
just in case, how do I delete the rules in iptables and ip6tables?

See man 8 iptables and search for --flush, --delete-chain and --zero.