Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have been searching for a guide of some sort on how to configure iptables on webmin/linux. I don't know the difference between chains and rules either. I'm used to using simple Linksys routers to forward IPs and whatnot. If someone has a link to one of these guides, that would be great. Quick example of what I'm doing.
I have a T1 now. A server connected directly to the T1 (will have multiple). Firewall is off on the server since I can't figure out the firewall, otherwise I can't do anything on the box. Obviously that is bad. I would like to lock the computer down completely and then, for example, open ports on that firewall. The IPs are static and I just assign them to each computer. I would need ports like 53, 10000, 5900 and the ssh port, but block everything else. I know it would be dumb to have a router for each IP and connect each server to it, hehe.
I have been reading the howto on iptables. Could someone who knows it well give me an example command? Let's say, for the two most important things I have on the servers that I need to get used to, here is what I would like while I experiment.
I would like to block all traffic except:
DNS Port 53
Webmin 10000
SSH (I think is 22)
Examples would be awesome for me to better understand the howto. It seems a little confusing at first, but I think I can get used to it if I had some examples.
There is a webmin module for iptables, so you *can* do it through webmin. However, as with all GUIs, they are not as flexible as doing it over the command line or using a script. To use the webmin module I think you click the networking tab. See here for the webmin docs on configuring iptables.
Regarding doing it by the command line or script, I'd recommend using a base configuration like this:
Code:
#!/bin/sh
#Default Policy Settings
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#Allow local traffic over loopback adapter
iptables -A INPUT -i lo -j ACCEPT
#Allow replies to connections we initiate
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow connections to services (SSH, Webmin)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
With that base config, you're restricting incoming traffic but not doing any kind of egress filtering at all. So once you get that working, you may want to consider adding that. I would also recommend doing checks for invalid IPs (i.e. reserved IP ranges that shouldn't be on the net, aka bogons) and doing checks for illegal packet combinations (e.g. SYN/FIN, null, xmas, etc.).
Also one question I had was: what do you need DNS ports for? Is this so that the server can ask its DNS server for hostname lookups or is it actually running a name server on it and other hosts will be asking it for name resolution? Unless you are actually running a name server like BIND on it, then you don't need to open ports in that manner.
Yes, this is actually a secondary DNS server that's updated from a Windows DNS. I'm trying to get away from Windows for obvious reasons. I would prefer to work in command line mode. I just need to continue learning it. I'm assuming the first lines block all traffic, then the remaining lines open what's allowed?
Quote:
Originally Posted by kitek
I'm assuming the first lines block all traffic, then the remaining lines open what's allowed?
The first 2 rules set the default policies for the INPUT and FORWARD chains (notice the -P option, which means Policy). The default policy is basically what happens to the packet if none of the other firewall rules match it. So a packet will come in and be checked against each rule until it matches one; if it doesn't match any, then the default policy handles it (in your case, drop the packet). So logically you can summarize this type of firewall as a "deny anything that I do not specifically allow" type. The third rule is the OUTPUT chain default policy, which describes how outbound traffic should be handled; in this case we are not filtering traffic with any rules, so all packets will go through the default policy of ACCEPT, so all outbound traffic is allowed. From a convenience standpoint that is good, because all your traffic (stuff you initiate) will be allowed, which makes things easier. From a security standpoint, it's a little less secure. So if you want to tighten things up, you can add that in later once you get things to your liking.
Quote:
Originally Posted by kitek
Yes, this is actually a secondary DNS server that's updated from a Windows DNS.
Ok, in that case you will need to allow inbound traffic to port 53, so you'll need to add:
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
Last edited by Capt_Caveman; 04-21-2007 at 07:04 PM.
iptables -P INPUT DROP
Ever since I typed this in the command line, all traffic is stopped apparently. I did service iptables status and it says it's off. I'm not able to ssh and it's not responding to DNS queries either. So at this point I'm trying to turn it back off to get it going again so I can make another attempt.
The line: iptables -P INPUT DROP
sets the default policy of the INPUT chain to DROP. You won't be able to disable this remotely. Log in locally on the server and type:
iptables -P INPUT ACCEPT
The policy line should be placed only after you've entered all the ACCEPT rules, otherwise you'll be locking yourself out of the system. You might also consider placing the default policy as the last rule on the chain. This achieves the same thing:
iptables -A INPUT -j DROP
But don't append any ACCEPT rules after this statement. Insert them with the -I INPUT option instead. This way if you ever need to flush your rules with iptables -F, you won't be locked out of the system. If your default policy is set to DROP with the iptables -P option, you will not be able to flush your rules remotely.
Okay, that makes sense. It just looks at each rule from top to bottom, then once it sees the last one being the iptables -A INPUT -j DROP.
The weird thing was I did have to go to the server locally and check service iptables status, and it returned Firewall stopped. Should that have even gone into effect until I started iptables? I rebooted the machine and it was okay. I didn't understand why the rule would go into effect if the service is stopped?
Quote:
Originally Posted by kitek
The weird thing was I did have to go to the server locally and check service iptables status, and it returned Firewall stopped. Should that have even gone into effect until I started iptables? I rebooted the machine and it was okay. I didn't understand why the rule would go into effect if the service is stopped?
Stopping iptables with service iptables stop is in actuality equivalent to flushing the rules. Iptables is still very much active. The defaults are just set to ACCEPT. Typing iptables -P INPUT DROP just sets the default policy to DROP. When you rebooted the system, the default rules were just read in from a script; possibly /etc/sysconfig/iptables or rc.firewall.
I kept getting errors at the command prompt but was able to get webmin to open up ports 22, 10000, and 53. It appears "block WAN requests" is on. How would I enable the server's IP to be pingable?
Quote:
Originally Posted by kitek
I kept getting errors at the command prompt but was able to get webmin to open up ports 22, 10000, and 53. It appears "block WAN requests" is on. How would I enable the server's IP to be pingable?
Thanks man, I'm learning. I have my output default set to Accept. I tried to run yum and couldn't get it to work. So I added a rule to allow yum on port 80 to get out. Am I going to need to do this with everything I want to request from the internet, or is there a way to set it like a regular router where, as long as you requested the connection, it allows the incoming? Also I have forwarding set to drop as well. The only reason I want WAN requests enabled is so that SolarWinds can monitor the PC. I'm new to the expensive world of SolarWinds, but it seems the only way to show the node up is if it's pingable. That doesn't even give me enough information. I would really like to monitor a specific service from a computer on the network, such as DNS, if say ns1.example.net:53 was down, rather than the IP itself. Any suggestions, or am I stuck with it this way?
Quote:
Originally Posted by kitek
Thanks man, I'm learning. I have my output default set to Accept. I tried to run yum and couldn't get it to work. So I added a rule to allow yum on port 80 to get out. Am I going to need to do this with everything I want to request from the internet, or is there a way to set it like a regular router where, as long as you requested the connection, it allows the incoming?
You will need to place the following rules so that the localhost can initiate and maintain connections without interference:
Also I have forwarding set to drop as well. The only reason I want WAN requests enabled is so that SolarWinds can monitor the PC. I'm new to the expensive world of SolarWinds, but it seems the only way to show the node up is if it's pingable. That doesn't even give me enough information. I would really like to monitor a specific service from a computer on the network, such as DNS, if say ns1.example.net:53 was down, rather than the IP itself. Any suggestions, or am I stuck with it this way?
You could run nmap to check if a specific port is active on a remote machine. For example if I wanted to continuously monitor if ssh was up on a remote server:
watch nmap -sT -p 22 <remote IP>
The status could be one of the following:
filtered - port protected by firewall
closed - no service active on this port (daemon is likely not running)
open - the port is accessible and has a service listening on it
Last edited by SlackDaemon; 04-24-2007 at 11:29 PM.
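Pulling the thread's advice into one script, as an added example that is not code from any of the posters: it applies every ACCEPT rule before the INPUT policy is tightened (the ordering SlackDaemon describes), includes the ESTABLISHED,RELATED rule that lets yum and outbound DNS work, the 22/10000/53 rules, and an echo-request rule so a monitoring host can ping the server. IPT, rule_list, apply_rules, drop_is_last and schedule_rollback are assumed names; with IPT unset the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not code from any of the posters: the thread's rules in an
# order that cannot lock out a remote session (defaults open, every ACCEPT
# rule appended, INPUT policy set to DROP only at the end). IPT is an assumed
# variable: left unset it just prints the commands; IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

# The rule set, in the order it must be applied. Comment lines are skipped.
rule_list() {
    grep -v '^#' <<'EOF'
# Open defaults first, so flushing INPUT is harmless for the SSH session.
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-F INPUT
-A INPUT -i lo -j ACCEPT
# Replies to connections this host started (yum on port 80, outbound DNS).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 10000 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
# Echo requests only, so the monitoring host can ping without all of ICMP.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Last of all: deny everything not matched above.
-P INPUT DROP
EOF
}

# Feed each line to iptables (or echo it in dry-run mode); $args is left
# unquoted on purpose so the shell splits it into arguments.
apply_rules() {
    rule_list | while read -r args; do
        $IPT $args
    done
}

# Guard: the tightening step must be the final command, so an interrupted
# run never leaves the box closed with no ACCEPT rules in place.
drop_is_last() {
    [ "$(rule_list | tail -n 1)" = "-P INPUT DROP" ]
}

# Optional safety net for remote work: reopen INPUT after $1 seconds unless
# this background job is killed once the new rules are confirmed to work.
schedule_rollback() {
    ( sleep "$1"; $IPT -P INPUT ACCEPT ) &
}

drop_is_last && apply_rules
```

On RedHat-style systems, running service iptables save afterwards writes the live rules to /etc/sysconfig/iptables so they survive the reboot the thread mentions.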