-
October 18th, 2002, 04:05 PM
#1
Any suggestions?
Hello people,
Any suggestion on adding to my iptables script? My current script is quite crappy, but it closes ports. I will post my current script and you can make suggestions to add to it if you feel like it.
#!/bin/bash
# Reject inbound TCP connections to a handful of ports that were found open.
# Note: the original used ./iptables, which only works when run from /sbin;
# calling iptables by name (or /sbin/iptables) works from any directory.
iptables -A INPUT -p tcp --dport 111 -j REJECT
iptables -A INPUT -p tcp --dport 515 -j REJECT
iptables -A INPUT -p tcp --dport 6000 -j REJECT
iptables -A INPUT -p tcp --dport 32768 -j REJECT
iptables -A INPUT -p tcp --dport 32769 -j REJECT
All I'm doing is closing open ports, so any suggestions on stuff to add to this?
By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
The 20th century pharaohs have the slaves demanding work
http://muaythaiscotland.com/
-
October 18th, 2002, 04:16 PM
#2
Hey there. str34m3r wrote a pretty good tut on this one. Check it out here
This one is a little more comprehensive than what you were creating, but it's effective.
Hope this helps, and regards.
"I believe that you can reach the point where there is no longer any difference between developing the habit of pretending to believe and developing the habit of believing."
-
October 18th, 2002, 04:24 PM
#3
Hey chefer, thanks for the link, but I was looking for people to post what they would add to it if they were securing their own box.
-
October 18th, 2002, 04:24 PM
#4
prodikal,
I personally have a hardware firewall and don't use IPtables that much. However my friend gave me a link that might help you out.
http://www.linux-firewall-tools.com/linux/
I've checked it out a little bit (I have a hectic school schedule right now) and it looks to have some great information.
Hope it helps.
Nathan
-
October 18th, 2002, 04:28 PM
#5
I know what I would do to it, but I am one of those people who has to look up the commands as I am doing it. First I would deny access to all ports, then allow access only to the ones I needed (as opposed to just blocking the ones that are open). Doing it this way stops you missing things if you add a program that opens another port. Other than that I would use 'DROP' rather than deny; I don't like people knowing I am here, lol.
-
October 18th, 2002, 04:35 PM
#6
I know what I would do to it, but I am one of those people who has to look up the commands as I am doing it. First I would deny access to all ports, then allow access only to the ones I needed (as opposed to just blocking the ones that are open). Doing it this way stops you missing things if you add a program that opens another port. Other than that I would use 'DROP' rather than deny; I don't like people knowing I am here, lol.
UKnetsec, that is the kind of reply I was looking for, thanks man.
How would you add the DROP rule to that script?
-
October 18th, 2002, 04:39 PM
#7
As far as I know you would just replace the word 'DENY' with 'DROP' for all the ports you don't want to reply at all, which for me is all of them. Try it, and go to a site like Sygate (www.sygate.com) and do a UDP scan of yourself; that way you can see easily if your computer is replying. If it doesn't work, just change it back, you haven't lost anything.
-
October 18th, 2002, 07:45 PM
#8
Thanks again UKnetsec. I have been messing around with different scripts, but I'm not getting any better results, unless you call hardening your box so that no input or output goes in or out progress.
Anyone else have any suggestions that I could put in that script? Maybe some examples from people using iptables could help a bit.
-
October 19th, 2002, 02:22 PM
#9
Ok, this page (http://morizot.net/firewall/gen/) has a web based firewall script generator. It is very basic, just really meant for home machines by the look of it. If you tick the box at the bottom to allow incoming services, after you click the 'Generate Firewall' button it will give you a choice of incoming services to allow. That way you can look at the script and see how it works. Other than that you could be a bit lazy like me and get a program like Firestarter (www.firestarter.sourceforge.net) or Guarddog (www.simonzone.com/software/guarddog). Both of those will probably generate better scripts than that webpage to be honest, but I like to give all the options I can think of.
-
October 19th, 2002, 04:07 PM
#10
I would look at it from the other way. Don't look at what you need to close, look at what needs to be open. So close everything and then only open the ones you need, e.g. 23 SMTP, 80 HTTP, etc.
Hope this gives another view on the subject.
SittingDuck
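A complete default-deny script along the lines of UKnetsec's and SittingDuck's advice (posts #5, #7 and #10), added here as an example rather than anything posted in the thread. It assumes iptables lives at /sbin/iptables and that the box serves SSH on 22 and HTTP on 80 (change ALLOW_TCP to match your machine); the DRY_RUN switch and the run wrapper are my additions so the rule set can be printed and reviewed before it is applied.

```shell
#!/bin/bash
# Default-deny iptables script: drop everything inbound, then open only the
# ports this box actually serves. Added example, not from the thread.
# Assumptions: iptables is at /sbin/iptables and the machine serves SSH (22)
# and HTTP (80); change ALLOW_TCP to match your box.

ALLOW_TCP="22 80"

# Wrapper so the rule set can be reviewed without touching the kernel:
# DRY_RUN=1 prints each command instead of running it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        /sbin/iptables "$@"
    fi
}

apply_firewall() {
    # Start from a clean slate in the filter table
    run -F
    run -X

    # Default policies: anything not explicitly allowed is silently dropped.
    # DROP (rather than REJECT) sends no reply, so a scanner sees nothing.
    run -P INPUT DROP
    run -P FORWARD DROP
    run -P OUTPUT ACCEPT

    # Local processes talk to each other over loopback
    run -A INPUT -i lo -j ACCEPT

    # Replies to connections this box initiated (DNS answers, web pages, ...)
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Only the services we chose to expose accept new connections
    for port in $ALLOW_TCP; do
        run -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Log (rate limited) what is about to hit the DROP policy, so syslog
    # shows what knocked and the allow list can be tuned from evidence
    run -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT DROP: "
}

case "${1:-}" in
    apply) apply_firewall ;;
    show)  DRY_RUN=1 apply_firewall ;;
    *)     echo "usage: $0 apply|show   (show prints the rules without applying)" >&2 ;;
esac
```

Run `./firewall.sh show` to print the rules and `./firewall.sh apply` as root to load them. With the INPUT policy set to DROP there is nothing left to close port by port: a new daemon that opens a port is unreachable until it is added to ALLOW_TCP, which is exactly the property UKnetsec describes. The LOG rule is the check: after applying, watch syslog for the "IPT DROP:" prefix and scan the box from outside as post #7 suggests; ports that are not in the allow list should produce no reply at all.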