gentian Tux's lil' helper
Joined: 26 Mar 2012 Posts: 113
aCOSwt Bodhisattva
Joined: 19 Oct 2007 Posts: 2537 Location: Hilbert space
Posted: Thu May 10, 2012 9:15 am
I cannot tell about this one but, while being a gentooer, why not the Gentoo one?
gentian Tux's lil' helper
Joined: 26 Mar 2012 Posts: 113
Posted: Thu May 10, 2012 9:17 am
aCOSwt wrote:
> I cannot tell about this one but, while being a gentooer, why not the Gentoo one?
I was always dubious about the gentoo-wiki's validity and status, as it is not an official gentoo.org source. I think that the Arch wiki entries are phenomenal and very simplistic. Just wondering if it covers the ground better?
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
Posted: Thu May 10, 2012 10:25 am
Both pages seem reasonable. My advice is:
1. Beware - there are lots of gotchas in iptables rules and networking.
2. No one document tells you everything - you have to google a lot, and experiment a lot.
3. You're not the NSA, so you don't need to be as paranoid as some of the docs are.
4. ICMP is needed for e.g. MTU negotiation, so be very careful if you choose to selectively block/rate-limit it.
Goverp Advocate
Joined: 07 Mar 2007 Posts: 2006
Posted: Fri May 11, 2012 8:54 am
If you're just after a simple firewall, rather than learning iptables, try net-firewall/ufw (and perhaps kde-misc/kcm-ufw). They make configuring a simple firewall really easy.
--
Greybeard
gentian Tux's lil' helper
Joined: 26 Mar 2012 Posts: 113
Posted: Fri May 11, 2012 9:00 am
Goverp wrote:
> If you're just after a simple firewall, rather than learning iptables, try net-firewall/ufw (and perhaps kde-misc/kcm-ufw). They make configuring a simple firewall really easy.
I tried installing ufw and I got:
Code:
 * CONFIG_NETFILTER_XT_MATCH_COMMENT: is not set when it should be.
 * CONFIG_IP6_NF_MATCH_HL: is not set when it should be.
 * CONFIG_NETFILTER_XT_MATCH_LIMIT: is not set when it should be.
 * CONFIG_NETFILTER_XT_MATCH_MULTIPORT: is not set when it should be.
 * CONFIG_NETFILTER_XT_MATCH_RECENT: is not set when it should be.
 * CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: is not set when it should be.
 * Please check to make sure these options are set correctly.
 * Failure to do so may cause unexpected problems.
It installed fine, but I cannot set simple default rules. Maybe I need to recompile my kernel including the missing options?
Goverp Advocate
Joined: 07 Mar 2007 Posts: 2006
Posted: Sat May 12, 2012 5:48 am
gentian wrote:
> I tried installing ufw and I got:
> Code:
>  * CONFIG_NETFILTER_XT_MATCH_COMMENT: is not set when it should be.
>  * CONFIG_IP6_NF_MATCH_HL: is not set when it should be.
>  * CONFIG_NETFILTER_XT_MATCH_LIMIT: is not set when it should be.
>  * CONFIG_NETFILTER_XT_MATCH_MULTIPORT: is not set when it should be.
>  * CONFIG_NETFILTER_XT_MATCH_RECENT: is not set when it should be.
>  * CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: is not set when it should be.
>  * Please check to make sure these options are set correctly.
>  * Failure to do so may cause unexpected problems.
> It installed fine, but I cannot set simple default rules. Maybe I need to recompile my kernel including the missing options?
Yes, to use UFW you need to configure the appropriate kernel options. I installed it some time back, and then it stopped working - turned out I'd missed similar warning messages when an upgrade of UFW required new options in the later version of the kernel I was by then running.
I don't know what those settings actually mean, and whether you could build a decent firewall without them (not using UFW). That's either a strength or a drawback of using a package - it may be making a good decision on your behalf, or it may just be bloating the kernel for a few irrelevant edge cases. I've better things to do than read the code to find out, so I just did as UFW asked.
Whether or not those settings are the actual cause of UFW not working for you is a different question. Try changing the kernel. If that doesn't cure the problem, what are the symptoms of its failure?
--
Greybeard
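Added example, not from anyone in this thread: a small sh script that checks a kernel config file for exactly the options ufw complained about above, so the warning can be verified before rebuilding. It assumes the config is readable as a file (/usr/src/linux/.config, /boot/config-$(uname -r), or the output of zcat /proc/config.gz); the fragment it runs against here is constructed.

```shell
#!/bin/sh
# Check a kernel .config for the netfilter options ufw asked for in the
# warning above. Works on /usr/src/linux/.config, /boot/config-$(uname -r),
# or a file produced with: zcat /proc/config.gz > /tmp/running.config
# (the last one needs CONFIG_IKCONFIG_PROC in the running kernel).

# Option names copied from the ufw warning in the post above.
UFW_OPTS="CONFIG_NETFILTER_XT_MATCH_COMMENT CONFIG_IP6_NF_MATCH_HL \
CONFIG_NETFILTER_XT_MATCH_LIMIT CONFIG_NETFILTER_XT_MATCH_MULTIPORT \
CONFIG_NETFILTER_XT_MATCH_RECENT CONFIG_NETFILTER_XT_MATCH_ADDRTYPE"

# missing_opts CONFIG_FILE OPTION...
# Prints every option that is neither built in (=y) nor a module (=m).
# A disabled option shows up in .config as "# CONFIG_FOO is not set" or is
# absent entirely, so anything other than an exact "=y"/"=m" line counts
# as missing. Returns 0 when all options are present, 1 otherwise.
missing_opts() {
    cfg=$1
    shift
    rc=0
    for opt in "$@"; do
        if ! grep -q "^$opt=[ym]\$" "$cfg"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample fragment standing in for a real .config, so the check
# can be exercised without a kernel tree; two of the six options are unset.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
# CONFIG_IP6_NF_MATCH_HL is not set
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
EOF

# Dry run: lists CONFIG_IP6_NF_MATCH_HL and CONFIG_NETFILTER_XT_MATCH_RECENT.
# On a real system replace "$SAMPLE" with the path to your kernel config.
missing_opts "$SAMPLE" $UFW_OPTS || echo "rebuild the kernel with the options above"
```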
gentian Tux's lil' helper
Joined: 26 Mar 2012 Posts: 113
Posted: Sat May 12, 2012 10:56 am
Goverp wrote:
> gentian wrote:
> > I tried installing ufw and I got:
> > Code:
> >  * CONFIG_NETFILTER_XT_MATCH_COMMENT: is not set when it should be.
> >  * CONFIG_IP6_NF_MATCH_HL: is not set when it should be.
> >  * CONFIG_NETFILTER_XT_MATCH_LIMIT: is not set when it should be.
> >  * CONFIG_NETFILTER_XT_MATCH_MULTIPORT: is not set when it should be.
> >  * CONFIG_NETFILTER_XT_MATCH_RECENT: is not set when it should be.
> >  * CONFIG_NETFILTER_XT_MATCH_ADDRTYPE: is not set when it should be.
> >  * Please check to make sure these options are set correctly.
> >  * Failure to do so may cause unexpected problems.
> > It installed fine, but I cannot set simple default rules. Maybe I need to recompile my kernel including the missing options?
> Yes, to use UFW you need to configure the appropriate kernel options. I installed it some time back, and then it stopped working - turned out I'd missed similar warning messages when an upgrade of UFW required new options in the later version of the kernel I was by then running.
> I don't know what those settings actually mean, and whether you could build a decent firewall without them (not using UFW). That's either a strength or a drawback of using a package - it may be making a good decision on your behalf, or it may just be bloating the kernel for a few irrelevant edge cases. I've better things to do than read the code to find out, so I just did as UFW asked.
> Whether or not those settings are the actual cause of UFW not working for you is a different question. Try changing the kernel. If that doesn't cure the problem, what are the symptoms of its failure?
I just need to set up a really simple, basic firewall. I am not sure how this can be easily accomplished using IPTABLES. I basically need to achieve the ufw rules of denying incoming connections, except for ssh, and allowing all outgoing.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54236 Location: 56N 3W
Posted: Sat May 12, 2012 11:28 am
gentian,
I like shorewall. There is no need to wrestle with raw iptables and it saves some of the learning.
There are other tools like it too.
Maybe I'm more paranoid than many, as nothing is allowed in or out of my network without a rule to permit it.
This keeps nasty things out and stops them phoning home if they do get in.
Security is like layers of an onion. The idea is not to make it absolutely impossible to break in, just difficult enough that casual attackers will give up and move on.
You set the bar where you like.
One of the biggest threats today is a combination of nasty websites and social engineering. Your firewall cannot protect you against them.
--
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
gentian Tux's lil' helper
Joined: 26 Mar 2012 Posts: 113
Posted: Sat May 12, 2012 11:37 am
NeddySeagoon wrote:
> gentian,
> I like shorewall. There is no need to wrestle with raw iptables and it saves some of the learning.
> There are other tools like it too.
> Maybe I'm more paranoid than many, as nothing is allowed in or out of my network without a rule to permit it.
> This keeps nasty things out and stops them phoning home if they do get in.
> Security is like layers of an onion. The idea is not to make it absolutely impossible to break in, just difficult enough that casual attackers will give up and move on.
> You set the bar where you like.
> One of the biggest threats today is a combination of nasty websites and social engineering. Your firewall cannot protect you against them.
From a first look at the howto, it looks more complicated and defeats the purpose of what I want to accomplish, which is a really simple firewall that blocks all input connections, even ssh for now, and allows outgoing connections coming from my box. The same mentality as the ufw default rules applies. Then the next step would be to "play" on my VM with some more IPTABLES rules, see what my main objectives/connections are and how I interact with the net on a daily basis, and then adjust the rules to my needs.
logical_guy Apprentice
Joined: 18 Sep 2007 Posts: 268
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
Posted: Wed Jul 11, 2012 5:19 pm
gentian et al ...
In my opinion Oskar Andreasson's iptables tutorial is the best resource there is on the subject. It is thorough and detailed but doesn't make too many assumptions about the user. The resources provided in the netfilter documentation section are directed at more advanced users, but nonetheless there are some useful examples there.
As for a "basic" script, well, this depends on what the starting point is ... some people consider it basic to do both ingress and egress filtering, with a default policy of DROP on INPUT, OUTPUT and FORWARD; if you don't need to allow much traffic, such rulesets can be fairly straightforward. Then there are scripts that have DROP but ACCEPT on OUTPUT with --state ESTABLISHED,RELATED on INPUT. Different focuses, but neither is particularly complex.
Anyhow ... I think you're looking for something like the following:
Code:
# clear current ruleset
iptables -F
iptables -X
iptables -Z
# set the default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# allow traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
# accept incoming traffic based on established connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow connections to port 22
iptables -A INPUT -p tcp -i eth0 --dport 22 -m state --state NEW -j ACCEPT
# allow icmp (if you want hosts to be able to ping)
iptables -A INPUT -p icmp -j ACCEPT
# drop broadcast/multicast packets (these will only fill the log file)
iptables -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP
# log everything else
iptables -A INPUT -j LOG
... comment out the rule for port 22 to disallow incoming ssh connections.
HTH & best ...
khay
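Added example, not khayyam's script and not from anyone in this thread: the same policy (drop inbound, allow outbound, optional inbound ssh) written for iptables-restore so the table loads atomically, with the ICMP caveat PaulBredbury raised earlier handled by accepting only the types path-MTU discovery needs and rate-limiting pings, and with rate-limited logging. The interface name and ssh port are parameters; eth0 and 22 are assumed defaults.

```shell
#!/bin/sh
# Host firewall in iptables-restore format (IPv4 only). Feeding the whole
# table to iptables-restore applies it atomically, so there is no window in
# which INPUT is already DROP but the ACCEPT rules are not yet in place.
#   gen_rules IFACE [SSH_PORT]   - print the ruleset (SSH_PORT defaults to 22;
#                                  pass "" to allow no inbound ssh at all)
#   apply_rules IFACE [SSH_PORT] - load it (run as root)
# eth0 and 22 are assumptions; adjust for your box.
gen_rules() {
    iface=$1
    ssh_port=${2-22}
    printf '%s\n' '*filter'
    # Default policies: drop inbound and forwarded traffic, allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host started; conntrack is the current
    # form of the older "-m state --state" match.
    printf '%s\n' "-A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    if [ -n "$ssh_port" ]; then
        printf '%s\n' "-A INPUT -i $iface -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    fi
    # ICMP: keep the error types path-MTU discovery and traceroute rely on
    # and rate-limit echo requests, rather than dropping ICMP wholesale.
    printf '%s\n' '-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT'
    # Broadcast/multicast noise: drop silently rather than log it
    # (needs CONFIG_NETFILTER_XT_MATCH_ADDRTYPE, one of the options ufw asked for).
    printf '%s\n' '-A INPUT -m addrtype --dst-type BROADCAST -j DROP'
    printf '%s\n' '-A INPUT -m addrtype --dst-type MULTICAST -j DROP'
    # Log whatever is left, rate-limited so a port scan cannot flood the log.
    printf '%s\n' '-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-drop: " --log-level 4'
    printf '%s\n' 'COMMIT'
}

# Parse-only check first (iptables-restore --test), then load for real.
apply_rules() {
    gen_rules "$@" | iptables-restore --test && gen_rules "$@" | iptables-restore
}
```

This leaves IPv6 untouched; ip6tables-restore needs its own ruleset with the matching ICMPv6 types.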
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
Posted: Wed Mar 20, 2013 12:02 pm
I came across the following HowTo on IPTABLES on the Web a few weeks ago, and thought it would be worth posting the link, as it looks quite helpful: IPTABLES - A Beginner's Tutorial.
--
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.
Fitzcarraldo's blog
Last edited by Fitzcarraldo on Tue Mar 26, 2013 2:49 pm; edited 2 times in total
nix213 n00b
Joined: 08 Feb 2013 Posts: 23 Location: Illinois
Posted: Wed Mar 20, 2013 1:33 pm
It looks like a great link; thanks for sharing!
Building your own firewall can be a great learning experience.
--
"Wherever you go, go with all your heart." -Confucius