Cornfed n00b
Joined: 22 Dec 2003 Posts: 59
Posted: Wed Feb 02, 2005 3:37 pm Post subject: HOWTO: Quick/Simple Personal Firewall
IPTables Personal Firewall How-To
This guide is written for people that just want a personal firewall running on their workstations. You might be running Gentoo at work, and would like some protection from a crazy co-worker. Or, you might like some added protection on your internal servers.
This is mostly from the wiki site:
http://gentoo-wiki.com/HOWTO_Iptables_for_newbies
The script itself was really just taken from:
http://www2.warwick.ac.uk/services/its/safe/diy/linux/iptables/
Kernel Config
As for the kernel, all you must do is enable iptables support.
Quote: | Device Drivers--->
Networking Support--->
Networking Options---->
Network Packet Filtering (replace Ipchains)--->
Netfilter Configuration |
I enabled all the options as modules (in case I want to test other options later) and added ip_tables to my modules.autoload. This loads several modules as dependencies. Later you may want ip_conntrack for logging. Don't forget to "modprobe ip_tables" before running scripts.
Necessary Utilities
Next you must emerge the userland tools for configuring iptables:
Scripting
Now to the fun part.....iptables. We are going to simply allow everything out, and nothing in. Create a file (vi or nano my-rules, or whatever you name your script), and put this in there:
Code: | #!/bin/sh
# Set location of iptables
IPTABLES=/sbin/iptables
# Define interfaces
PUBLIC_IF="eth0"
# Flush current rules
$IPTABLES -t nat -F
$IPTABLES -t filter -F
$IPTABLES -t mangle -F
# Delete custom chains
$IPTABLES -t nat -X
$IPTABLES -t filter -X
$IPTABLES -t mangle -X
# Set default policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P FORWARD DROP
$IPTABLES -t filter -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
# Allow traffic from trusted interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT
# Allow traffic from established connections
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow typical ICMP responses
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT |
Save, and chmod 700 the file (or 755 if you wish; I don't like anyone else to run my scripts, so I keep it at 700 or sometimes 500). Execute the script.
Code: | chmod 700 my-rules
./my-rules |
Now let's save it.
Code: | /etc/init.d/iptables save |
And then back up your working configuration, so that if you bork something later you can quickly revert:
Code: | cp /var/lib/iptables/rules-save /var/lib/iptables/rules.working |
Now check your iptables start-up script before adding iptables to your default runlevel:
Code: | /etc/init.d/iptables start; /etc/init.d/iptables stop; /etc/init.d/iptables start |
The reason we start, then stop, then start again is because we haven't yet started the iptables script...so we must set the initialized status before stopping. Stopping essentially erases all settings and puts you back to zero. Restarting will show you whether your network will still work after rebooting. Assuming success, we add iptables to our default runlevel:
Code: | rc-update add iptables default |
That should be the end of it. Now if you want to add SSH, you can add this to your script:
Code: | # Allow traffic to sshd (TCP, port 22)
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
|
Just make sure you re-run the script, and restart iptables, if you modify your script.
If you are interested in logging connections, you can add this to the end of your script:
Code: | # Log stuff we might be interested in
$IPTABLES -A INPUT -p tcp -d x.x.x.x -i $PUBLIC_IF -j LOG
|
I'm really only interested in people trying to ssh to my workstation, or probing for services. I used "-p tcp" to rule out UDP packets. I used "-d x.x.x.x" (where x.x.x.x is my IP address) because I'm only interested in packets destined for my machine.
If anyone knows a better logging rule, please feel free to post.
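An extended version of the rules script, added here as an example and not the original poster's code: it keeps the same policy, replaces the unrestricted LOG rule with a SYN-only, rate-limited one (the post asks for a better logging rule), and adds a STEALTH_ICMP switch that drops echo-request so the host never answers a ping, which is what the ShieldsUp replies later in the thread are after. The interface name, the log prefix and the IPTABLES=echo dry-run mode are assumptions.

```shell
#!/bin/sh
# Added example (not the original poster's script): same "everything out,
# nothing in" policy, plus a rate-limited SYN-only log rule, an explicit
# final DROP and a STEALTH_ICMP switch that stops the host answering pings.
# Set IPTABLES=echo to dry-run: the rules are printed instead of loaded.
# Interface name, log prefix and the dry-run variable are assumptions.
IPTABLES="${IPTABLES:-/sbin/iptables}"
PUBLIC_IF="${PUBLIC_IF:-eth0}"
STEALTH_ICMP="${STEALTH_ICMP:-no}"     # yes: drop echo-request, never answer ping
LOG_PREFIX="${LOG_PREFIX:-FW-DROP: }"   # grep for this prefix in the syslog

build_rules() {
    # Start from a clean slate in every table
    for t in filter nat mangle; do
        $IPTABLES -t "$t" -F
        $IPTABLES -t "$t" -X
    done
    # Default policies: inbound and forwarded traffic dropped, outbound allowed
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback is always trusted
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened: this one rule is why browsing,
    # IRC and IM still work although the INPUT policy is DROP
    $IPTABLES -A INPUT -i "$PUBLIC_IF" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Packets that claim to belong to a connection conntrack has never seen
    $IPTABLES -A INPUT -m state --state INVALID -j DROP

    # ICMP errors needed for path-MTU discovery and traceroute to keep working
    for type in 3 4 11 12; do
        $IPTABLES -A INPUT -p icmp --icmp-type "$type" -j ACCEPT
    done
    if [ "$STEALTH_ICMP" = "no" ]; then
        # Answer pings. Replies to our own pings need no rule: conntrack tracks
        # echo request/reply pairs, so they match RELATED,ESTABLISHED above
        $IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
    fi

    # Uncomment to let sshd accept new connections
    # $IPTABLES -A INPUT -i "$PUBLIC_IF" -p tcp --dport 22 --syn -j ACCEPT

    # Log only new TCP connection attempts, at most 5 per minute (burst 10),
    # so a port scan produces a few lines instead of filling the log
    $IPTABLES -A INPUT -i "$PUBLIC_IF" -p tcp --syn -m limit --limit 5/minute \
        --limit-burst 10 -j LOG --log-prefix "$LOG_PREFIX" --log-level info
    # Explicit final drop so the chain does not rely on the policy alone
    $IPTABLES -A INPUT -j DROP
}

# List the loaded INPUT chain with interfaces and counters: with -v the
# loopback rule shows "lo" instead of looking like "ACCEPT all anywhere anywhere"
list_rules() {
    $IPTABLES -L INPUT -v -n --line-numbers
}

case "${1:-}" in
    apply) build_rules ;;
    list)  list_rules ;;
esac
```

Run it as ./my-rules apply and then /etc/init.d/iptables save as in the post; ./my-rules list shows the loaded chain with interface names.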

nick58b n00b
Joined: 09 Nov 2002 Posts: 30 Location: Santa Barbara, CA
Posted: Wed Feb 02, 2005 7:18 pm Post subject:
Thank you!
It (appears to) work perfectly, and is exactly what I've been putting off doing on all my workstations.
Copy, paste, run a couple of commands, I think it took me 30 seconds to get it running.
Thanks again.

Naib Watchman
Joined: 21 May 2004 Posts: 6051 Location: Removed by Neddy
Posted: Wed Feb 02, 2005 7:53 pm Post subject:
you should check out firehol - it generates an iptables firewall with a very easy script
Code: |
root@Fluid ~ # cat /etc/firehol/firehol.conf
#!/usr/sbin/firehol
FIREHOL_LOG_MODE="LOG"
FIREHOL_LOG_LEVEL="2"
FIREHOL_LOG_BURST="5"
FIREHOL_LOG_FREQUENCY="10/minute"
interface eth0 home
server dns accept
server ftp accept
server dhcp accept
server http accept
server netbios_ssn deny
server microsoft_ds reject with tcp-reset
server samba deny
server cups deny
client all accept
protection strong
policy reject
server ident reject with tcp-reset
|
_________________
Quote: | Removed by Chiitoo |

monotux l33t
Joined: 09 Sep 2003 Posts: 751 Location: Stockholm, Sweden
Posted: Thu Feb 03, 2005 4:16 pm Post subject:
Your ruleset wasn't that smart...
I "optimized" it a bit
Code: | #!/usr/sbin/firehol
interface eth0 home
policy drop
server "dns ftp dhcp http" accept
server "microsoft_ds ident" reject with tcp-reset
client all accept
protection strong |
_________________ Computer science is no more about computers than astronomy is about telescopes.

wswartzendruber Veteran
Joined: 23 Mar 2004 Posts: 1261 Location: Idaho, USA
Posted: Thu Feb 03, 2005 9:26 pm Post subject:
Awesome Howto! That's just what I need and nothing else.
_________________ Git has obsoleted SVN.
10mm Auto has obsoleted 45 ACP.

Naib Watchman
Joined: 21 May 2004 Posts: 6051 Location: Removed by Neddy
Posted: Thu Feb 03, 2005 9:39 pm Post subject:
furiorc wrote: | Your ruleset wasn't that smart...
I "optimized" it a bit
Code: | #!/usr/sbin/firehol
interface eth0 home
policy drop
server "dns ftp dhcp http" accept
server "microsoft_ds ident" reject with tcp-reset
client all accept
protection strong |
|
True, that is actually a lot better!!
However, I am now getting this occurring again:
https://forums.gentoo.org/viewtopic.php?t=289426
_________________
Quote: | Removed by Chiitoo |

piwacet Guru
Joined: 30 Dec 2004 Posts: 486
Posted: Sat Feb 05, 2005 4:46 am Post subject:
Noob question - will this script make all my ports "stealth" to the outside world, in other words, when I do the "shieldsup" test at:
https://grc.com/x/ne.dll?bh0bkyd2
Will I pass? (get all stealth ports - i.e., the computer does not respond to any requests for access to any port - neither denies nor accepts, simply is quiet and pretends there's no computer at that IP address, and certainly won't allow any connections; and also does not respond to ping requests.)
Thanks!

tom56 Guru
Joined: 27 Apr 2004 Posts: 325 Location: united kingdom
Posted: Sat Feb 05, 2005 11:42 am Post subject:
Another alternative is firestarter for those like me who even find this too daunting. _________________ "A million surplus Maggies are willing to bear the yoke; And a woman is only a woman, but a good cigar is a Smoke" -- Rudyard Kipling (on why he chose cigars over his wife)

outspoken Guru
Joined: 14 Feb 2004 Posts: 464 Location: orlando, fl
Posted: Thu Feb 10, 2005 4:09 pm Post subject:
i find it easier to deal with iptables directly by making my own scripts like the one in the first post here. once you get into using programs like firestarter, firehol, shorewall, or one of the other hundred programs out there you begin to lose sight of what is really going on and you then have to rely on a 3rd party program which is scrambling everything that is really going on. in order for you to make iptables work you have to edit a script for a program which in turn then interfaces with iptables for you; you have just added a middleman which is really not needed. now if something happens and you need to figure out what is really going on with your iptables rules you're going to be lost, unless you can call upon your scripting program.
it is a good idea to stick with learning the iptables commands as they will be used the same across any system. whereas if you learn firehol, firestarter, etc, when you sit down or login to some remote machine and have to alter the chains you're going to be stuck scratching your head asking the admin if he could please install firestarter. (yes if you're allowed to look at the scripts most likely you will have root access and the ability to install firestarter).
just my opinion on the subject of these 3rd party programs.

Gauss_Cleric Tux's lil' helper
Joined: 30 Aug 2004 Posts: 85
Posted: Thu Feb 10, 2005 8:31 pm Post subject:
Hi there, I think this is the right place to post this.
I have a local network managed by my ADSL modem/router. I configured it to leave all ports open so I can fine-tune the firewall directly from the PCs in the LAN.
This is the iptables script I've got with the help of kmyfirewall (excellent app BTW):
Code: |
#!/bin/sh
#
# copyright (c) the KMyFirewall developers 2002
# mail to: Christian Hubinger <e9806056@student.tuwien.ac.at>
#
# KMyFirewall v0.9.6.2
# This is an automatic generated file DO NOT EDIT
#
IPT="/sbin/iptables"
MOD="/sbin/modprobe"
status="0"
startFirewall() {
    echo
    echo "Starting firewall..."
    # Define all custom chains
    echo -n "Create custom chains... "
    echo "Done."
    # Rules:
    echo "Settup Rules in Table FILTER:
"
    # Define Rules for Chain: INPUT
    echo -n "Create Rules for Chain: INPUT "
    $IPT -t filter -A INPUT --protocol tcp --destination-port 53 -j ACCEPT || { status="1"; echo "Setting up Rule: DNS_TCP_SERVER FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol udp --destination-port 53 -j ACCEPT || { status="1"; echo "Setting up Rule: DNS_UDP_SERVER FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol tcp --destination-port 80 -j ACCEPT || { status="1"; echo "Setting up Rule: WWW_SERVER FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol tcp --destination-port 8080 -j ACCEPT || { status="1"; echo "Setting up Rule: WWW-PROXY_SERVER FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol tcp --destination-port 443 -j ACCEPT || { status="1"; echo "Setting up Rule: SEC_WWW_SERVER FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol tcp --destination-port 110 -j ACCEPT || { status="1"; echo "Setting up Rule: POP3_SERVER FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol tcp --destination-port 25 -j ACCEPT || { status="1"; echo "Setting up Rule: SMTP_SERVER FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol tcp --destination-port 21 -j ACCEPT || { status="1"; echo "Setting up Rule: FTP_SERVER FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol tcp --destination-port 23 -j ACCEPT || { status="1"; echo "Setting up Rule: TELNET_SERVER FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol tcp --destination-port 22 -j ACCEPT || { status="1"; echo "Setting up Rule: SSH_SERVER FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol tcp --destination-port 137 -j ACCEPT || { status="1"; echo "Setting up Rule: SMB_NS_SERVER FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol tcp --destination-port 138 -j ACCEPT || { status="1"; echo "Setting up Rule: SMB_DGM_SERVER FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol tcp --destination-port 139 -j ACCEPT || { status="1"; echo "Setting up Rule: SMB_SSN_SERVER FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol tcp --destination-port 2049 -j ACCEPT || { status="1"; echo "Setting up Rule: NFS_TCP_SERVER FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol udp --destination-port 2049 -j ACCEPT || { status="1"; echo "Setting up Rule: NFS_UDP_SERVER FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol tcp --destination-port 27960:27970 -j ACCEPT || { status="1"; echo "Setting up Rule: Custom_ET_TCP FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol udp --destination-port 27960:27970 -j ACCEPT || { status="1"; echo "Setting up Rule: Custom_ET_UDP FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol tcp --destination-port 4660:4670 -j ACCEPT || { status="1"; echo "Setting up Rule: Custom_aMule_TCP FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol udp --destination-port 4670:4680 -j ACCEPT || { status="1"; echo "Setting up Rule: Custom_aMule_UDP FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol tcp --destination-port 6680:6690 -j ACCEPT || { status="1"; echo "Setting up Rule: Custom_Azureus_TCP FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol udp --destination-port 6680:6690 -j ACCEPT || { status="1"; echo "Setting up Rule: Custom_Azureus_UDP FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --protocol icmp --icmp-type echo-request --match limit --limit 5/minute -j ACCEPT || { status="1"; echo "Setting up Rule: PING_INPUT FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --match state --state RELATED,ESTABLISHED -j ACCEPT || { status="1"; echo "Setting up Rule: CONNRACK_INPUT FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT --destination 127.0.0.1 --in-interface lo -j ACCEPT || { status="1"; echo "Setting up Rule: LOOPBACK_INPUT FAILED !!!"; exit 1; }
    $IPT -t filter -A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG --log-prefix "KMF: " || { status="1"; echo "Setting up Rule: Chain: INPUT Drop Logging FAILED !!!"; exit 1; }
    $IPT -t filter -P INPUT DROP || { status="1"; echo "Setting up Rule: Chain: INPUT Default Target FAILED !!!"; exit 1; }
    echo "Done."
    # Define Rules for Chain: OUTPUT
    echo -n "Create Rules for Chain: OUTPUT "
    $IPT -t filter -P OUTPUT ACCEPT || { status="1"; echo "Setting up Rule: Chain: OUTPUT Default Target FAILED !!!"; exit 1; }
    echo "Done."
    # Define Rules for Chain: FORWARD
    echo -n "Create Rules for Chain: FORWARD "
    $IPT -t filter -P FORWARD ACCEPT || { status="1"; echo "Setting up Rule: Chain: FORWARD Default Target FAILED !!!"; exit 1; }
    echo "Done."
    echo -n "Disable IP Forwarding. "
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo "Done.
"
    echo -n "Enable Reverse Path Filtering "
    for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
        echo 2 > $i
    done
    echo "Done."
    echo -n "Enable log_martians (logging). "
    for i in /proc/sys/net/ipv4/conf/*/log_martians ; do
        echo 1 > $i
    done
    echo "Done."
    echo -n "Enable Syn Cookies. "
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    echo "Done."
}
stopFirewall() {
    echo -n "Shutdown KMyFirewall... "
    $IPT -t filter -F || status="1"
    $IPT -t filter -X || status="1"
    $IPT -t filter -P INPUT ACCEPT || status="1"
    $IPT -t filter -P OUTPUT ACCEPT || status="1"
    $IPT -t filter -P FORWARD ACCEPT || status="1"
    echo "Done."
}
case $1 in
    start)
        stopFirewall
        startFirewall
        ;;
    stop)
        stopFirewall
        ;;
    restart)
        stopFirewall
        startFirewall
        ;;
    *)
        echo "Usage: sh kmyfirewall.sh { start | stop | restart } "
        ;;
esac
if [ "$status" = "1" ]; then
    exit 1
else
    exit 0
fi
|
Now, if I turn this on, the Windows XP box in the LAN stops seeing my samba shares. You can see in the code above that there are exception rules for the SMB ports. I guess there are others that should be left open, but I missed them!
So, what ports must I leave open so that the samba clients in the LAN can access my shares?
Cheers,
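As an added example (not part of the post and not from KMyFirewall), the Samba rules the question is asking about: the NetBIOS name and datagram services are UDP (137, 138), the session service is TCP 139, and Windows XP also uses direct SMB on TCP 445; the generated script above opens 137 to 139 as TCP only. The rules are limited to the LAN interface and subnet so the shares are never reachable from outside; LAN_IF, LAN_NET and the IPTABLES=echo dry-run are assumptions.

```shell
#!/bin/sh
# Added example, not part of the post or of KMyFirewall's generated script.
# Samba needs four ports: NetBIOS name service 137/udp, NetBIOS datagram
# 138/udp, NetBIOS session 139/tcp and direct SMB 445/tcp. The rules accept
# them only on the LAN interface and only from the LAN subnet.
# LAN_IF, LAN_NET and the IPTABLES=echo dry-run mode are assumptions.
IPTABLES="${IPTABLES:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

samba_rules() {
    # proto:port pairs, one rule each. -I puts them at the head of INPUT so
    # they take effect even when a LOG/DROP rule is already appended at the
    # end; for plain ACCEPTs the resulting order among themselves is irrelevant.
    for svc in udp:137 udp:138 tcp:139 tcp:445; do
        proto=${svc%%:*}
        port=${svc#*:}
        $IPTABLES -I INPUT -i "$LAN_IF" -s "$LAN_NET" -p "$proto" --dport "$port" -j ACCEPT
    done
}
```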

deprave n00b
Joined: 14 May 2004 Posts: 63 Location: Flint, Michigan
Posted: Thu Feb 10, 2005 11:05 pm Post subject:
Nice tutorial, but here is another really easy way to do it: do everything above up to scripting, then once you get to the scripting part of the tut do this instead.
Then
Code: | #/etc/init.d/gshield start |
Works really well for all kinds of things. It's the method I've been using lately, for routing even.
The config is /etc/gshield/gshield.conf
But it works right out of portage, no scripting necessary. _________________ http://www.migamer.com

tommy_fila Guru
Joined: 19 Nov 2003 Posts: 450 Location: Phoenix, AZ
Posted: Wed Mar 30, 2005 9:55 pm Post subject:
A quick and simple question:
It says that the script allows "everything out and nothing in". But my internet still works? It doesn't seem like everything coming in is being blocked. Which part of the script is allowing things in? _________________ "What goes on in life, that goes for eternity."

iainel Tux's lil' helper
Joined: 28 Feb 2005 Posts: 94
Posted: Thu Mar 31, 2005 6:41 pm Post subject:
piwacet wrote: | Noob question - will this script make all my ports "stealth" to the outside world, in other words, when I do the "shieldsup" test at:
https://grc.com/x/ne.dll?bh0bkyd2
Will I pass? (get all stealth ports - i.e., the computer does not respond to any requests for access to any port - neither denies nor accepts, simply is quiet and pretends there's no computer at that IP address, and certainly won't allow any connections; and also does not respond to ping requests.)
Thanks! |
It didn't for me.
No ports were open, 9 were stealthed and the rest were closed.
It also says I failed the test on... Solicited TCP Packets: RECEIVED (FAILED) and Ping Reply: RECEIVED (FAILED).
Can anybody post lines of code to add to the file to help pass the test or stealth all ports?
Don't worry, you're not the only noob at iptables.

nitroburn n00b
Joined: 26 Jan 2004 Posts: 32
Posted: Fri Apr 01, 2005 5:38 am Post subject: only one
I want to lock down client machines so that they can get to only one website...I have been reading and trying different combinations in firehol ....can someone give me an example of what to do?!

zeb Tux's lil' helper
Joined: 19 Apr 2002 Posts: 79 Location: Finland
Posted: Fri Apr 01, 2005 9:01 am Post subject: Re: only one
nitroburn wrote: | I want to lock down client machines so that they can get to only one website...I have been reading and trying different combinations in firehol ....can someone give me an example of what to do?! |
This should do it:
Code: |
interface eth0 net
policy reject
client dns accept
client http accept dst "forums.gentoo.org www.gentoo.org"
|
Only name lookup and http access to some gentoo.org servers allowed.

tommy_fila Guru
Joined: 19 Nov 2003 Posts: 450 Location: Phoenix, AZ
Posted: Fri Apr 01, 2005 5:06 pm Post subject:
I'm sorry to ask again, but how do websites work in the original script? I thought the script blocked all incoming traffic. So how can programs such as Gaim, IRC, etc all work on my computer? _________________ "What goes on in life, that goes for eternity."

zeb Tux's lil' helper
Joined: 19 Apr 2002 Posts: 79 Location: Finland
Posted: Fri Apr 01, 2005 7:06 pm Post subject:
tommy_fila wrote: | I'm sorry to ask again, but how do websites work in the original script. I thought the script blocked all incoming traffic. So how can programs such as Gaim, IRC, etc all work on my computer? |
There is this line in the script:
Code: |
# Allow traffic from established connections
$IPTABLES -A INPUT -i $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
|
Traffic related to established connections is allowed in, so once your browser (or irc client/gaim/...) has connected out, incoming packets from that connection are allowed through.

tommy_fila Guru
Joined: 19 Nov 2003 Posts: 450 Location: Phoenix, AZ
Posted: Fri Apr 01, 2005 10:37 pm Post subject:
Sweet. Thanks for the explanation. _________________ "What goes on in life, that goes for eternity."

elusive-dragon n00b
Joined: 29 Mar 2005 Posts: 39 Location: jax, fl
Posted: Mon Apr 04, 2005 2:24 am Post subject:
I use Guarddog. Pretty simple to use. I'd like to learn more about routers and make better use of my wireless AP. _________________ Mike - elusive-dragon
"a waste is a terrible thing to mind"
my system:
Gentoo box
Athlon Xp 2000
512mb pc 133 ram
10gb ide hard drive
120gb Samsung ide drive
3dfx agp video card
built in NIC
Turtle Beach 5.1 USB sound

Syph3r n00b
Joined: 22 Sep 2004 Posts: 6
Posted: Mon Apr 04, 2005 1:12 pm Post subject:
iainel wrote: | piwacet wrote: | Noob question - will this script make all my ports "stealth" to the outside world, in other words, when I do the "shieldsup" test at:
https://grc.com/x/ne.dll?bh0bkyd2
Will I pass? (get all stealth ports - i.e., the computer does not respond to any requests for access to any port - neither denies nor accepts, simply is quiet and pretends there's no computer at that IP address, and certainly won't allow any connections; and also does not respond to ping requests.)
Thanks! |
It didn't for me.
No ports were open, 9 were stealthed and the rest were closed.
It also says I failed the test on... Solicited TCP Packets: RECEIVED (FAILED) and Ping Reply: RECEIVED (FAILED).
Can anybody post lines of code to add to the file to help pass the test or stealth all ports?
Don't worry you're not the only noob at iptables |
If you run 'iptables -L' what is the output?

Koala Kid Guru
Joined: 09 May 2003 Posts: 382
Posted: Tue Apr 05, 2005 3:41 pm Post subject:
Guys, what should I write in this script to allow other users to download from me in Nicotine/Amule?
Thank you. _________________ "People are the worst, the worst thing about music is that people play it". M. Patton.

iainel Tux's lil' helper
Joined: 28 Feb 2005 Posts: 94
Posted: Tue Apr 05, 2005 4:58 pm Post subject:
Syph3r wrote: | If you run 'iptables -L' what is the output? |
Code: |
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 10.0.0.9 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP icmp -- anywhere anywhere icmp destination-unreachable
DROP icmp -- anywhere anywhere icmp source-quench
DROP icmp -- anywhere anywhere icmp time-exceeded
DROP icmp -- anywhere anywhere icmp parameter-problem
DROP icmp -- anywhere anywhere icmp echo-reply
DROP icmp -- anywhere anywhere icmp echo-request
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.0.0.9 anywhere
|
It's the script from the original post by Cornfed.

Syph3r n00b
Joined: 22 Sep 2004 Posts: 6
Posted: Sat Apr 09, 2005 12:02 am Post subject:
iainel wrote: | Syph3r wrote: | If you run 'iptables -L' what is the output? |
Code: |
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 10.0.0.9 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP icmp -- anywhere anywhere icmp destination-unreachable
DROP icmp -- anywhere anywhere icmp source-quench
DROP icmp -- anywhere anywhere icmp time-exceeded
DROP icmp -- anywhere anywhere icmp parameter-problem
DROP icmp -- anywhere anywhere icmp echo-reply
DROP icmp -- anywhere anywhere icmp echo-request
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.0.0.9 anywhere
|
It's the script from the original post by Cornfed. |
The problem is the first line "ACCEPT all -- anywhere anywhere". Get rid of that rule and it should work.

AussieAndrew n00b
Joined: 10 Apr 2005 Posts: 14
Posted: Tue Apr 12, 2005 3:40 am Post subject:
iainel wrote: | piwacet wrote: | Noob question - will this script make all my ports "stealth" to the outside world, in other words, when I do the "shieldsup" test at:
https://grc.com/x/ne.dll?bh0bkyd2
Will I pass? (get all stealth ports - i.e., the computer does not respond to any requests for access to any port - neither denies nor accepts, simply is quiet and pretends there's no computer at that IP address, and certainly won't allow any connections; and also does not respond to ping requests.)
Thanks! |
It didn't for me.
No ports were open, 9 were stealthed and the rest were closed.
It also says I failed the test on... Solicited TCP Packets: RECEIVED (FAILED) and Ping Reply: RECEIVED (FAILED).
Can anybody post lines of code to add to the file to help pass the test or stealth all ports?
Don't worry you're not the only noob at iptables |
I guess my (D-Link) router is doing its job... all tests passed, all ports stealth.

Ashe n00b
Joined: 14 Nov 2003 Posts: 34 Location: Sheffield, UK
Posted: Wed Apr 13, 2005 10:22 pm Post subject:
I think, as much as ShieldsUp has contributed to making the net safer, and can be a useful tool, it has also engendered a certain amount of paranoia amongst certain people.
Sometimes, ports are going to be open. It's a fact. Hell, if you run any kind of external-facing server, you're going to need certain ports to be unscreened. Same with many p2p apps. What matters in these cases is making sure the software that is world-facing is as up to date and secure as it can be. A firewall is an important part of your computer security, yes, but it's only a part.
That said, does anyone know if any of the newer (multiport/multi-address) iptables stuff is any good? _________________ "Every problem in the universe can be solved by finding the right long-haired prettyboy, and beating the crap out of him."