IP-Table again

  1. #1
    Member
    Join Date
    Nov 2003
    Posts
    30

    IP-Table again

    I did some searching here and found many posts regarding iptables; however, they were inadequate for my problem.

    I am really new to iptables, so I have no idea how to use it. I want to block the ports that I am not using.
    I have:
    25 SMTP: I want to use it only to send, not to receive. Is that possible?
    53: I guess this one I can't do anything about, can I?
    Not 80.
    What the hell is 515 (printer) listening for, and 578 submission? I also have the higher BIND port 953 open, I wonder.
    I have mysql 3306 open, but only my PC uses it. When I tried to start mysql with --skip-network, apache wouldn't work, so could I just block all the traffic from outside? I also tried to start my X server with --no-listen, something like that, to avoid any listening.

    Man, I have a lot of open ports.

    By the way, I am using Slackware, apache, mysql, bind and smtp to support my webserver.
    Thanks, Prophet
    You are what you have conquered not what you have!

  2. #2
    foxyloxley (They call me the Hunted)
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    I'm no expert, but I would suggest that for the first step:
    Close ALL ports.
    Then as your apps apply to go online, you can allow / disallow them as you see fit.
    This way is a bit messy, BUT it will show you EXACTLY which app requires which port.

    edit: if in doubt, DISALLOW; you can always change your mind later. end edit
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  3. #3
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Good Day,

    Sometimes it's easier to relate open ports to services and then uninstall or shutdown the services you don't need. Thus the ports will be closed as well.

    New distros come with GUI utilities to painlessly walk you through the process.

    Also programs like Bastille will assist as well. www.google.com or www.bastille-linux.org/

    However you should still be able to shutdown any unwanted service using a terminal. The following is very generic and as always, when you are root, if you don't understand the process, study up before you type a command and press enter.

    In a terminal, type "ps -x" after the command prompt and you will get your list. For those services that are not critical, note the PID, and then in your terminal type: "kill -9 <process ID>"

    Of course you can also edit /etc/inetd.conf and comment out the servers with a "#" without actually uninstalling them. Good to do in case you want to use them later. (You might need to "killall -HUP inetd" or "/etc/rc.d/inetd restart" after you're done as well.)

    However, if these don't work with your distro, you should visit the thread below and follow the links they supplied if you want to make your slack as secure as possible.

    http://www.antionline.com/showthread...ring+slackware

    have a great one

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Yes, you can run an SMTP server that can only make outbound connections. You only need the server to receive connections if you are receiving emails for a domain (there are other reasons, but none that apply to your situation).

    In addition to the links provided above:
    You can use PHP and MySQL over unix sockets. How to secure MySQL/PHP:
    http://www.linuxsecurity.com/feature...story-130.html

    Here's the Netfilter packet-filtering HOWTO (in Portuguese):
    http://www.netfilter.org/documentati...ing-HOWTO.html
    You may not want/need to do any packet filtering if you are only running the services you want on the box, but I know some people like to run things like Webmin, VNC, and so forth.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  5. #5
    Member
    Join Date
    Nov 2003
    Posts
    30
    Is this right?
    #dialog --msgbox "Cleaning the current policy" 5 50
    iptables -F
    #dialog --msgbox "Blocking all forwarded packets" 5 50
    iptables -A FORWARD -i eth0 -j DROP
    #dialog --msgbox "Blocking INPUT for: 25, 111, 515, 587, 3306, 6000" 6 50
    iptables -A INPUT -i eth0 -p tcp --dport 25 -j DROP
    iptables -A INPUT -i eth0 -p tcp --dport 111 -j DROP
    iptables -A INPUT -i eth0 -p tcp --dport 515 -j DROP
    iptables -A INPUT -i eth0 -p tcp --dport 587 -j DROP
    iptables -A INPUT -i eth0 -p tcp --dport 3306 -j DROP
    Or should I do the reverse: block all and allow the ones I am using?
    You are what you have conquered not what you have!

  6. #6
    Member
    Join Date
    Nov 2003
    Posts
    30
    What is wrong in this one?

    #dialog --msgbox "Cleaning the current policy" 5 50
    iptables -F
    iptables -A FORWARD -j DROP
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP

    #INPUT
    iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT

    #OUTPUT
    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -A OUTPUT -m tcp -p tcp --dport 53 -j ACCEPT
    iptables -A OUTPUT -m tcp -p tcp --dport 25 -j ACCEPT
    You are what you have conquered not what you have!

  7. #7
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    I don't have iptables up right now, but from what I remember, you need to set the policy and flush each chain separately first, i.e.:

    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -P INPUT DROP
    iptables -F INPUT
    iptables -P OUTPUT DROP
    iptables -F OUTPUT


    instead of

    iptables -F
    iptables -A FORWARD -j DROP
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j DROP


    edit: Looks like your remaining syntax and switches are appropriate also.

  8. #8
    Senior Member
    Join Date
    Apr 2003
    Posts
    147
    Here's my try. Customize the logging and add your ports, but the rest should work fine.
    As far as I know, for a regular box, all you need to customize is the INPUT chain. Do an 'iptables -L OUTPUT' to see if there's anything blocking outbound stuff. As far as I know, there usually isn't. This should be mostly all that's needed. I'm open to more knowledgeable advice.

    /etc/mysimplepolicy
    -------------------------------
    #!/bin/bash

    #Flush of course. We're only concerned with INPUT now.
    iptables -F INPUT

    #Log new connections to any ports that need it. You may not want to log ports that get a lot of new connections.
    #Uncomment it if you want to use it, of course.
    #iptables -A INPUT -p TCP --destination-port <port or service name> -m state --state NEW -j LOG --log-level info --log-prefix "New <your service> connection:"

    #Now let in each port that is allowed in.
    iptables -A INPUT -p TCP --destination-port <port or service name> -j ACCEPT

    #repeat for each port that's allowed in.

    #You can also log all connection attempts to ports that shouldn't be connected to
    #iptables -A INPUT -p TCP -m state --state NEW -j LOG --log-level info --log-prefix "Filteredconnattempt:"

    #Now block all other new TCP connections. You may also want to block some UDP or ICMP stuff, but you didn't say anything about that.
    iptables -A INPUT -p TCP -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
    --------------------------

    Again, your outbound connections probably will not be blocked. Just check your OUTBOUND chain.

    Hope this helps.

    - UpperCell.
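    Pulling the thread's advice together (chain policies first as in #7, allow-then-reject as in #8) as an added example that is not any poster's script; it also adds the stateful ESTABLISHED,RELATED rules none of the posts include, without which a DROP policy on OUTPUT would drop the web server's own replies. eth0 and the port lists are assumptions for the original poster's Slackware box.

```shell
#!/bin/sh
# Added example (not any poster's script): default-deny INPUT and OUTPUT for a
# box serving HTTP and DNS, delivering mail outbound, and keeping MySQL local.
# Assumptions: the external interface is eth0 and these are the wanted ports.
IFACE="${IFACE:-eth0}"
IN_TCP="80 53"           # services the network may reach
IN_UDP="53"
OUT_TCP="80 443 53 25"   # outbound: web fetches, DNS over TCP, mail delivery
OUT_UDP="53"

# Emit the rule set as text instead of applying it, so it can be reviewed
# (or asserted on) before running "gen_rules | sh" as root.
gen_rules() {
    # Chain policies first: a policy applies only when no rule matched, whereas
    # an appended "-j DROP" rule shadows every rule added after it.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -F INPUT"
    echo "iptables -F FORWARD"
    echo "iptables -F OUTPUT"
    # Loopback: MySQL on 127.0.0.1:3306 stays reachable from this host only.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Stateful rules: replies to accepted connections pass in both directions,
    # so the web server's answers are not dropped by the OUTPUT policy.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in $IN_TCP; do
        echo "iptables -A INPUT -i $IFACE -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $IN_UDP; do
        echo "iptables -A INPUT -i $IFACE -p udp --dport $p -j ACCEPT"
    done
    for p in $OUT_TCP; do
        echo "iptables -A OUTPUT -o $IFACE -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $OUT_UDP; do
        echo "iptables -A OUTPUT -o $IFACE -p udp --dport $p -j ACCEPT"
    done
    # Log, then reject, whatever is left so refused attempts show up in syslog.
    echo "iptables -A INPUT -i $IFACE -m state --state NEW -j LOG --log-prefix \"fw-reject: \""
    echo "iptables -A INPUT -i $IFACE -p tcp -j REJECT --reject-with tcp-reset"
    echo "iptables -A INPUT -i $IFACE -j REJECT --reject-with icmp-port-unreachable"
}

# Review helper: succeeds if the generated set accepts $2 (tcp/udp) port $3 on chain $1.
accepts_port() {
    gen_rules | grep -q -- "-A $1 .*-p $2 --dport $3 .*-j ACCEPT"
}
```

Run "gen_rules" alone to read the rules, then "gen_rules | sh" as root to apply them; ports 25, 111, 515, 587 and 3306 are never opened inbound because they are simply absent from IN_TCP.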
