Page 28 of 29 FirstFirst ... 1826272829 LastLast
Results 271 to 280 of 286

Thread: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

  1. #271
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    As SSH is a bit specific, i mean ssh server security must be as strong as possible, i will advice you to write the rule in the way to prevent the so called "brute force" attacks.

    So add these lines as the last ones of the TRUSTED chain :
    Code:
    iptables -A TRUSTED -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
    iptables -A TRUSTED -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
    Using these rules you will allow only 8 connections per one minute window on port 22 preventing thus "brute force" attacks as well as opening port 22

  2. #272
    Join Date
    Dec 2007
    Location
    Florida (US)
    Beans
    240
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    I would like to add my appreciation for this "how-to" Very Good !!
    DΞLL Precision M6500 "Big Dog": i7-820QM w/USB 3.0, 8.0GB DDR3-1333, 500GB 7200.3, nVidia Quadro FX 3800M 1.0GB DDR3, RGBLED, Intel 6300
    .debBlog (cheat sheets)
    IRS Problems?

  3. #273
    Join Date
    Mar 2007
    Beans
    157

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    I have been referencing your how to for my iptables and I am kinda stuck. I have an internet VPN set-up (like bananavpn.com or strongvpn.com) and I want to still use my firewall but I can't punch a hole in it properly. I connect fine to the VPN without the firewall up.

    From googling it looks like I need port 1723 and 47 open for pptp to pass through properly. Also, I do not know the VPN servers address just the gateway (or is that the same thing?) I also have port forwarded the ports on my router so I don't think that is the issue

    I originally (without the firewall enabled) just used Network Manger to set it up, put in the gateway address, my username and password and i connected no problem.

    Thanks for the help!

  4. #274
    Join Date
    Apr 2005
    Beans
    22

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    How can I block all outside traffic? I just want my home machines accessing my server using Samba and ssh for maintenance. I will also be using my server as a web development machine as well (ie - no need to access the web).
    Last edited by centered effect; February 18th, 2010 at 10:31 PM.

  5. #275
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    You are a good candidate for my other tutorial, be warned it's a bit more tricky and require more debug effort, nothing impossible though:
    http://ubuntuforums.org/showthread.php?t=668148

  6. #276
    Join Date
    Mar 2010
    Beans
    20

    Iptable for Dynamic ips

    Here am attaching the documentation for dyniptable
    Attached Files Attached Files

  7. #277
    Join Date
    Aug 2008
    Beans
    360
    Distro
    Kubuntu

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    Quote Originally Posted by frodon View Post
    2.2- Maching commands

    The character "!" can be used to specify the oposite. For example a command to avoid all incomming tcp traffic except from the IP 10.42.42.42 is written as follow :
    Code:
    iptables -A INPUT -p tcp --source ! 10.42.42.42 -j DROP
    Just an update for your guide. This command returns an error reading

    Using intrapositioned negation ('--option ! this') is deprecated in favor of extrapositioned ('! --option this')
    Had to swap the "!" and the "--source"
    And the thread title of the year award goes to...
    " Supositories not working - On the verge of losing it here - help!"

  8. #278
    Join Date
    Jun 2005
    Location
    France
    Beans
    7,100
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    Thanks for the head up i will update this right now.

  9. #279
    Join Date
    Aug 2008
    Beans
    360
    Distro
    Kubuntu

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    Quote Originally Posted by frodon View Post
    Thanks for the head up i will update this right now.
    You're welcome, thanks for the great guide. iptables can be very confusing and one of the harder parts of Linux to find info on. This made setting up a basic set of rules nice and easy.
    And the thread title of the year award goes to...
    " Supositories not working - On the verge of losing it here - help!"

  10. #280
    Join Date
    Nov 2009
    Location
    Warsaw, Poland
    Beans
    79
    Distro
    Xubuntu 13.04 Raring Ringtail

    Re: HOWTO: Set a custom firewall (iptables) and Tips [Beginners edition]

    Still can not get it to work.

    nmap local:
    Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-09 11:30 CEST
    Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
    Interesting ports on localhost (127.0.0.1):
    Not shown: 991 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    53/tcp open domain
    80/tcp open http
    111/tcp open rpcbind
    139/tcp open netbios-ssn
    445/tcp open microsoft-ds
    2049/tcp open nfs
    3306/tcp open mysql
    9091/tcp open unknown
    Scanning from other machine:
    Code:
    san@eeepc:~$ nmap 192.168.2.25 -PN
    
    Starting Nmap 5.00 ( http://nmap.org ) at 2010-09-09 11:29 CEST
    Interesting ports on serwer.inet (192.168.2.25):
    Not shown: 993 filtered ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    53/tcp   open  domain
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    2049/tcp open  nfs
    9091/tcp open  unknown
    No ping response.

    I am trying to set up NFS but it wont connect:
    Code:
    san@eeepc:~$ sudo mount 192.168.2.25:/home/publiczny /home/san/Publiczny -vvvvvvvvvvvvvv
    mount: fstab path: "/etc/fstab"
    mount: mtab path:  "/etc/mtab"
    mount: lock path:  "/etc/mtab~"
    mount: temp path:  "/etc/mtab.tmp"
    mount: UID:        0
    mount: eUID:       0
    mount: no type was given - I'll assume nfs because of the colon
    mount: spec:  "192.168.2.25:/home/publiczny"
    mount: node:  "/home/san/Publiczny"
    mount: types: "nfs"
    mount: opts:  "(null)"
    mount: external mount: argv[0] = "/sbin/mount.nfs"
    mount: external mount: argv[1] = "192.168.2.25:/home/publiczny"
    mount: external mount: argv[2] = "/home/san/Publiczny"
    mount: external mount: argv[3] = "-v"
    mount: external mount: argv[4] = "-o"
    mount: external mount: argv[5] = "rw"
    mount.nfs: timeout set for Thu Sep  9 11:35:17 2010
    mount.nfs: text-based options: 'addr=192.168.2.25'
    mount.nfs: mount(2): Connection timed out
    mount.nfs: text-based options: 'addr=192.168.2.25'
    mount.nfs: mount(2): Connection timed out
    mount.nfs: Connection timed out
    and it DOES work from local.

    As you can see, i put here everything..:
    san@serwer:~$ cat /etc/firewall.bash
    #!/bin/bash

    # No spoofing
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
    echo 0 > $filtre
    done
    fi

    # No icmp
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    #load some modules you may need
    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe iptable_filter
    modprobe iptable_nat
    modprobe ip_conntrack_irc
    modprobe ip_conntrack_ftp

    # Remove all rules and chains
    iptables -F
    iptables -X

    # first set the default behaviour => accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    # Create 2 chains, it allows to write a clean script
    iptables -N FIREWALL
    iptables -N TRUSTED

    # Allow ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow loopback traffic
    iptables -A FIREWALL -i lo -j ACCEPT
    # Send all package to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED
    # DROP all other packets
    iptables -A FIREWALL -j DROP

    # Send all INPUT packets to the FIREWALL chain
    iptables -A INPUT -j FIREWALL
    # DROP all forward packets, we don't share internet connection in this example
    iptables -A FORWARD -j DROP

    #SSH
    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 22 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

    #Transmission-WEB
    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 9091 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 9091 -j ACCEPT

    #HTTP
    #iptables -A TRUSTED -i eth0 -p udp -m udp --dport 80 -j ACCEPT
    #iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT

    #NFS
    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 2049 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 2049 -j ACCEPT

    #???
    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 53 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT

    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 111 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 111 -j ACCEPT

    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 139 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 139 -j ACCEPT

    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 445 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 445 -j ACCEPT

    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 135 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 135 -j ACCEPT

    #MPD
    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 135 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 135 -j ACCEPT

    #iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 5348 -j ACCEPT

    # Allow bittorrent
    #iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 6881:6889 -j ACCEPT

    # End message
    echo " [End iptables rules setting]"
    edit.
    Transmission-web works, ssh too, but nfs and mpd does not.

    edit.
    Forget it!
    I just added ports from 'rpcinfo -p', and added right ports for MPD. Now it works just fine.

    Many thanks!
    Last edited by e-San; September 9th, 2010 at 10:54 AM.

Page 28 of 29 FirstFirst ... 1826272829 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •