This is a discussion on Linux Firewall within the Linux Security forums, part of the System Security and Security Related category.
Hi all,

I run a stand-alone Linux workstation connected to broadband via a nat-enabled router. Does the following firewall script make sense to you guys (it seems to work)? Any suggestions and comments would be much appreciated.

Also, I have only recently migrated to Linux (Suse) from M$ XP Pro. In XP I could see and stop unnecessary services and I would like to do the same in Suse. Which services are considered a potential security risk in Linux/Suse and how can they be stopped?

Regards,

Mark

*************************
#!/bin/sh
# Local interface, its address and broadcast address
INTERFACE="eth0"
IPADDR="10.0.0.1"
BCASTADDR="10.0.0.255"
# Ports of the services this workstation talks to as a client
TCP_IN="25 80 110 119 225 443"
TCP_OUT="25 80 110 119 225 443"
UDP_IN="53 68 123 4569 5060"
UDP_OUT="53 67 123 4569 5060"
# Absolute path to iptables (the posted script had "usr/sbin/iptables",
# which only resolves relative to the current directory)
FW="/usr/sbin/iptables"
NEW="${FW} --append"

# Start from an empty ruleset with a default policy of DROP on every chain
$FW --flush
$FW --delete-chain
for ch in INPUT OUTPUT FORWARD; do
    $FW -P $ch DROP
done

# Never send UDP broadcasts
$NEW OUTPUT -p udp -d ${BCASTADDR} -j DROP
# Traffic not arriving on or leaving via eth0 (on a single-NIC box, loopback) is accepted
$NEW INPUT -i '!' ${INTERFACE} -j ACCEPT
$NEW INPUT -s 127.0.0.0/8 -j ACCEPT
$NEW OUTPUT -o '!' ${INTERFACE} -j ACCEPT
# Anti-spoofing: drop packets claiming our own source address, not addressed to us,
# or carrying private-range addresses (note: the RFC 1918 block is 172.16.0.0/12;
# /16 covers only part of it)
$NEW INPUT -s ${IPADDR} -j DROP
$NEW INPUT -d '!' ${IPADDR} -j DROP
$NEW INPUT -s 172.16.0.0/16 -j DROP
$NEW INPUT -d 172.16.0.0/16 -j DROP
$NEW INPUT -s 192.168.0.0/16 -j DROP
$NEW INPUT -d 192.168.0.0/16 -j DROP

# Replies from servers we talked to, matched by source port and connection state
for port in ${TCP_IN}; do
    $NEW INPUT -p tcp --sport ${port} -m state --state ESTABLISHED -j ACCEPT
done
for port in ${UDP_IN}; do
    $NEW INPUT -p udp --sport ${port} -m state --state ESTABLISHED -j ACCEPT
done
# New and established outbound connections to the listed services
for port in ${TCP_OUT}; do
    $NEW OUTPUT -p tcp --dport ${port} -m state --state NEW,ESTABLISHED -j ACCEPT
done
for port in ${UDP_OUT}; do
    $NEW OUTPUT -p udp --dport ${port} -m state --state NEW,ESTABLISHED -j ACCEPT
done

# Drop all ICMP and everything else not matched above
$NEW INPUT -p icmp -j DROP
$NEW OUTPUT -p icmp -j DROP
$NEW INPUT -j DROP
$NEW OUTPUT -j DROP
***********************************
On Tue, 23 May 2006 14:47:04 +0100, Mark wrote:

> Hi all,
>
> I run a stand-alone Linux workstation connected to broadband via a
> nat-enabled router.
>
> Does the following firewall script make sense to you guys (it seems to
> work)? Any suggestions and comments would be much appreciated.
>
> Also, I have only recently migrated to Linux (Suse) from M$ XP Pro. In
> XP I could see and stop unnecessary services and I would like to do the
> same in Suse. Which services are considered a potential security risk in
> Linux/Suse and how can they be stopped?
>
> Regards,
>
> Mark

Hello Mark,

I'm not an iptables expert so I have no opinion there. I use Guarddog to write a script for me. You tell it what services you want to access from the outside world (http, https, pop, smtp, usenet) and what services you want to offer to the outside world (none) and it writes the script for you. (Yes, I know real men write their own iptables scripts.)

I think the correct answer about what services to run is *none*. Shut them off by making their startup scripts non-executable. You should really disconnect the internet connection until you get this accomplished.

Use this command to see if you have anything listening:

netstat -taun [enter]

If you see the word "listen" you have a risk factor, which may be exploitable depending on the existence of weaknesses in the software that is doing the listening. It is best if you don't see the word "listen" at all.

hth.

John
On Tue, 23 May 2006 14:47:04 +0100, Mark <me4all@gmx.net> wrote:

> Hi all,
>
> I run a stand-alone Linux workstation connected to broadband via a
> nat-enabled router.
>
> Does the following firewall script make sense to you guys (it seems to
> work)? Any suggestions and comments would be much appreciated.

Look at the results of your script with iptables-save; your script is unreadable for a casual review (as is mine, it is the result that counts ;)

> Also, I have only recently migrated to Linux (Suse) from M$ XP Pro. In
> XP I could see and stop unnecessary services

Not all of them ;) winxp does some sneaky 'call home' to odd servers that I block at the 'real' linux based firewall with deft (perhaps daft) use of dnsmasq.

> and I would like to do the
> same in Suse. Which services are considered a potential security risk in
> Linux/Suse and how can they be stopped?

a) don't start the services you're not offering to the public;
b) with iptables, deny all, then let in new connections to services you offer from your site;
c) if you're not offering services to the public, let the modem/router do the firewalling for you (assuming *DSL modem).

Grant.
--
WinXP: Access Start->Turn Off Computer, then while holding Ctrl-Alt-Shift, left click on Cancel. This terminates Windows Explorer...
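An added example, not Mark's script and not from any poster: it emits Grant's point b), deny all and then let in new connections only to the services you offer, in the text form iptables-save prints, so the result can be reviewed before it is loaded. It assumes eth0 is the only external interface and that, like Mark's workstation, nothing is offered to the outside unless ports are passed to gen_rules.

```shell
#!/bin/sh
# Added example, not Mark's script: emit the "deny all, then let in new
# connections only to services you offer" ruleset Grant describes, in the
# text form iptables-save prints, so it can be reviewed before loading it
# with:  gen_rules "" | iptables-restore
# Assumptions: eth0 is the only external interface; like Mark's workstation,
# nothing is offered to the outside unless ports are passed to gen_rules.
IFACE="${IFACE:-eth0}"
CLIENT_TCP="25 80 110 119 443"   # servers this host talks to as a client
CLIENT_UDP="53 123"              # DNS and NTP

# $1: space-separated TCP ports offered to the outside (empty = none)
gen_rules() {
  offered="$1"
  echo '*filter'
  # Default policies drop everything the rules below do not accept.
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT DROP [0:0]'
  # Loopback is always local; never firewall it.
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A OUTPUT -o lo -j ACCEPT'
  # Replies to tracked connections, plus related ICMP errors: one rule
  # instead of Mark's per-port --sport ESTABLISHED lines.
  echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  echo '-A INPUT -m state --state INVALID -j DROP'
  # The only place NEW inbound connections are accepted: offered services.
  for p in $offered; do
    echo "-A INPUT -i $IFACE -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  # Connections this host originates.
  for p in $CLIENT_TCP; do
    echo "-A OUTPUT -o $IFACE -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  for p in $CLIENT_UDP; do
    echo "-A OUTPUT -o $IFACE -p udp --dport $p -m state --state NEW -j ACCEPT"
  done
  # Outbound ping; conntrack lets the echo-reply back in as ESTABLISHED.
  echo '-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT'
  echo 'COMMIT'
}

# Rules accepting NEW inbound connections: 0 on a host that offers nothing.
count_inbound_new() { gen_rules "$1" | grep -c -- '^-A INPUT .*--state NEW' || true; }

gen_rules "$1"
```

Run it with no arguments to print the workstation ruleset, or pass the offered ports (for example `./gen.sh "22"`) and check that count_inbound_new reports exactly that many inbound openings.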
John <John@somewhere.com>:
> On Tue, 23 May 2006 14:47:04 +0100, Mark wrote:
>
> > I run a stand-alone Linux workstation connected to broadband via a
> > nat-enabled router.
> >
> > Does the following firewall script make sense to you guys (it seems to
> > work)? Any suggestions and comments would be much appreciated.
> >
> > Also, I have only recently migrated to Linux (Suse) from M$ XP Pro. In
> > XP I could see and stop unnecessary services and I would like to do the
> > same in Suse. Which services are considered a potential security risk in
> > Linux/Suse and how can they be stopped?
>
> use this command to see if you have anything listening:
>
> netstat -taun [enter]
>
> if you see the word "listen" you have a risk factor, which may be
> exploitable depending on the existence of weaknesses in the software that
> is doing the listening. It is best if you don't see the word "listen" at
> all.

(0) heretic [root] /root_ netstat -taun
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:2628            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:793             0.0.0.0:*               LISTEN
tcp        0      0 172.16.27.244:47228     72.14.203.104:80        ESTABLISHED
tcp       32      0 172.16.27.244:47205     198.80.55.250:119       CLOSE_WAIT
tcp        1      0 172.16.27.244:47227     199.239.138.200:80      CLOSE_WAIT
udp        0      0 0.0.0.0:787             0.0.0.0:*
udp        0      0 0.0.0.0:790             0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 172.16.27.244:123       0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp6       0      0 :::123                  :::*

grep 515 /etc/services
printer         515/tcp         spooler         # line printer spooler

grep 2628 /etc/services
dict            2628/tcp                        # Dictionary server
dict            2628/udp

Ports 3306, 783, 25, and 123 are only listening to localhost. portmap (111) is configured to only listen to localhost. I've no idea what 783 is doing; I don't run SA locally.

172.16.27.244 is my ADSL IP. Currently, I'm connected to ISP's newsserver via slrn, and ISP's OpenWebMail via Firefox. fauxident.py (113) provides ident services, and lies. I pop mail with fetchmail, send to smarthost with exim4. My ISP firewalls me. I don't run named, IMAP, or sshd.

68?!? What's that doing there!?! Not worried. Paranoia is overvalued. Trust, but verify.

Strength and honour.

--
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling Linux Counter #80292
- - Spammers! http://www.spots.ab.ca/~keeling/emails.html
http://www.ietf.org/rfc/rfc1855.txt
On 23/05/06 17:31, John wrote:
> I think the correct answer about what services to run is *none*. Shut them off by making their startup scripts non-executable. You should really disconnect the internet connection until you get this accomplished.
>
> use this command to see if you have anything listening:
>
> netstat -taun [enter]

Running netstat -taun returns:

127.0.0.1 listening on ports 2544 (novell-zen) and 25 (smtp)
::1:25 listening on port 25 (smtp)

Can I, and if so, how do I, terminate these services? Obviously I use e-mail, but I don't want suse to listen for smtp all the time.

Mark
On 23/05/06 21:40, Grant wrote:
> Not all of them ;) winxp does some sneaky 'call home' to odd servers that I block at the 'real' linux based firewall with deft (perhaps daft) use of dnsmasq.

You obviously know much more about these things than I do. I wasn't aware this was going on. How can you tell? Anyway, ignorance is bliss.

> a) don't start the services you're not offering to the public;
> b) with iptables, deny all, then let in new connections to services you offer from your site;
> c) if you're not offering services to the public, let the modem/router do the firewalling for you (assuming *DSL modem).

I do use the gateway router to firewall and want to limit the offered services to a minimum. See my e-mail to John.

Mark
On Wed, 24 May 2006 18:23:49 +0100, Mark wrote:

> On 23/05/06 17:31, John wrote:
>
> > I think the correct answer about what services to run is *none*. Shut
> > them off by making their startup scripts non-executable. You should
> > really disconnect the internet connection until you get this accomplished.
> >
> > use this command to see if you have anything listening:
> >
> > netstat -taun [enter]
>
> Running netstat -taun returns:
>
> 127.0.0.1 listening on ports 2544 (novell-zen) and 25 (smtp)
> ::1:25 listening on port 25 (smtp)
>
> Can I, and if so, how do I, terminate these services?
>
> Obviously I use e-mail, but I don't want suse to listen for smtp all the
> time.
>
> Mark

We need a Suse/Novell expert to explain exactly how to shut them down. All I can suggest is to follow the details of the startup scripts until you find out how they start. On a debian machine, the startup scripts are all located in /etc/init.d so I just go there and make the ones I don't want to run non-executable like this:

#chmod -x somescript

Then the startup/shutdown sequence will try to run the script and you will see "permission denied" messages. Messy, but it works.

I don't know what "novell-zen" is and I don't know how to interpret "::1:25". Can someone explain?
Mark wrote:
> Hi all,
>
> I run a stand-alone Linux workstation connected to broadband via a
> nat-enabled router.
>
> Does the following firewall script make sense to you guys (it seems to
> work)? Any suggestions and comments would be much appreciated.

IMHO, one can obtain a reasonably good iptables script here: http://easyfwgen.morizot.net/gen/ (if you think there are reasons to protect a machine with a 10.x.x.x address).

--
Mikhail
On Wed, 24 May 2006 18:32:54 +0100, Mark wrote:

> You obviously know much more about these things than I do. I wasn't aware
> this was going on. How can you tell? Anyway, ignorance is bliss.

dl a copy of the free app called ActivePorts. Set it to run in split screen mode with your other apps and watch the WinFun begin!