-
April 10th, 2004, 11:43 PM
#1
Member
IPtables again
I did some searching here and found many posts regarding iptables; however, they were inadequate for my problem.
I am really new to iptables, so I have no idea how to use it. I want to block the ports that I am not using.
I have:
25 SMTP: I want to use it only to send, not to receive. Is that possible?
53: I guess I can't do anything about this one, can I?
Not 80.
What the hell is 515 (printer) listening for, and 587 (submission)? I also have the higher BIND port 953 open.
I wonder. I have MySQL 3306 open, but only my PC uses it. When I tried to start MySQL with --skip-network, Apache wouldn't work, so could I just block all the traffic from outside? I also tried to start my X server with --no-listen, something like that, to avoid any listening.
Man, I have a lot of open ports.
By the way, I am using
Slackware, Apache, MySQL, BIND and SMTP to support my web server.
Thanks Prophet
You are what you have conquered not what you have!
-
April 11th, 2004, 01:39 AM
#2
I'm no expert, but I would suggest this for the first step:
Close ALL ports.
Then as your apps apply to go online, you can allow / disallow them as you see fit.
This way is a bit messy, BUT it will show you EXACTLY which app requires which port.
edit: if in doubt, DISALLOW; you can always change your mind later. /end edit
so now I'm in my SIXTIES FFS
WTAF, how did that happen, so no more alterations to the sig, it will remain as is now
Beware of Geeks bearing GIF's
come and waste the day :P at The Taz Zone
-
April 11th, 2004, 06:05 PM
#3
Good Day,
Sometimes it's easier to relate open ports to services and then uninstall or shutdown the services you don't need. Thus the ports will be closed as well.
New distros come with GUI utilities to painlessly walk you through the process.
Also programs like Bastille will assist as well. www.google.com or www.bastille-linux.org/
However you should still be able to shutdown any unwanted service using a terminal. The following is very generic and as always, when you are root, if you don't understand the process, study up before you type a command and press enter.
In a terminal: type "ps -x" after the command prompt and you will get your list. For those services that are not critical, note the PID, and then on your terminal type: "kill -9 <process ID>"
Of course you can also edit /etc/inetd.conf and comment out the servers with a "#" without actually uninstalling them. Good to do in case you want to use them later. (You might need to killall -HUP inetd or /etc/rc.d/inetd restart after you're done as well.)
However, if these don't work with your distro, you should visit the thread below and follow the links they supplied if you want to make your slack as secure as possible.
http://www.antionline.com/showthread...ring+slackware
have a great one
-
April 11th, 2004, 07:30 PM
#4
Yes, you can run an SMTP server that can only make outbound connections. You only need the server to receive connections if you are receiving emails for a domain (there are other reasons, but none that apply to your situation).
In addition to the links provided above:
You can use PHP and MySQL over unix sockets. How to secure MySQL/PHP:
http://www.linuxsecurity.com/feature...story-130.html
Here's the Netfilter packet-filtering HOWTO (in Portuguese):
http://www.netfilter.org/documentati...ing-HOWTO.html
You may not want/need to do any packet filtering if you are only running the services you want on the box, but I know some people like to run things like Webmin, VNC, and so forth.
Chris Shepherd
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
\"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
-
April 11th, 2004, 07:46 PM
#5
Member
is this right?
#dialog --msgbox "Cleaning the current policy" 5 50
iptables -F
#dialog --msgbox "Blocking all forwarded packets" 5 50
iptables -A FORWARD -i eth0 -j DROP
#dialog --msgbox "Blocking INPUT for: 25, 111, 515, 587, 3306, 6000" 6 50
iptables -A INPUT -i eth0 -p tcp --dport 25 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 111 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 515 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 587 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 3306 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 6000 -j DROP
Or should I do the reverse? Block all and allow the ones I am using.
You are what you have conquered not what you have!
-
April 11th, 2004, 08:10 PM
#6
Member
What is wrong in this one?
#dialog --msgbox "Cleaning the current policy" 5 50
iptables -F
iptables -A FORWARD -j DROP
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
#INPUT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT
#OUTPUT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -m tcp -p tcp --dport 25 -j ACCEPT
You are what you have conquered not what you have!
-
April 11th, 2004, 08:34 PM
#7
I don't have iptables up right now, but from what I remember, you need to set the policy and flush the rules for each chain separately first, i.e.
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
instead of
iptables -F
iptables -A FORWARD -j DROP
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
edit: Looks like your remaining syntax and switches are appropriate also.
-
April 11th, 2004, 09:06 PM
#8
Here's my try. Customize the logging, and add your ports, but the rest should work fine.
As far as I know, for a regular box, all you need to customize is the INPUT chain. Do an 'iptables -L OUTPUT' to see if there's anything blocking outbound stuff. As far as I know, there usually isn't. This should be mostly all that's needed. I'm open to more knowledgeable advice.
/etc/mysimplepolicy
-------------------------------
#!/bin/bash
# Flush of course. We're only concerned with INPUT now.
iptables -F INPUT
# Ports (or service names) that are allowed in. 80 and 53 are the ones asked about above; adjust to taste.
ALLOWED_PORTS="80 53"
for port in $ALLOWED_PORTS; do
    # Log new connections to any ports that need it. You may not want to log ports that get a lot of new connections.
    # Uncomment it if you want to use it of course.
    #iptables -A INPUT -p tcp --destination-port "$port" -m state --state NEW -j LOG --log-level info --log-prefix "New port $port connection: "
    # Now let in each port that is allowed in.
    iptables -A INPUT -p tcp --destination-port "$port" -j ACCEPT
done
# You can also log all connection attempts to ports that shouldn't be connected to.
#iptables -A INPUT -p tcp -m state --state NEW -j LOG --log-level info --log-prefix "Filteredconnattempt: "
# Now, to block all other new TCP connections. You may want to block some UDP or ICMP stuff, but you didn't say anything about that.
iptables -A INPUT -p tcp -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
--------------------------
Again, your outbound connections probably will not be blocked. Just check your OUTPUT chain.
Hope this helps.
- UpperCell.
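Editor's note: the questions in this thread (block everything and allow only what is in use, from #5 and #6; the rule-ordering point from #7; send-only SMTP and MySQL reachable only from the box itself, from #1) pulled together as one added example. This script is not from any poster; it assumes the public interface is eth0 (WAN_IF, overridable) and that the host still needs to open outbound DNS, HTTP and SMTP connections. It emits an iptables-restore ruleset so the whole filter table is loaded in one atomic step, and only applies it when asked.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny INPUT policy for the
# Slackware web server described above (Apache, BIND, outbound-only SMTP,
# MySQL used only locally). The ruleset is printed for review and loaded
# with iptables-restore only when APPLY=1 is set and we are root.
# Assumption not stated in the thread: the public interface is eth0.
WAN_IF="${WAN_IF:-eth0}"

emit_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: MySQL (3306), rndc (953) and X (6000) stay usable from
# this host, and nothing below admits them from $WAN_IF.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (DNS lookups, outbound SMTP,
# HTTP to other servers) arrive as ESTABLISHED. This rule must come before
# the catch-all at the end, otherwise nothing we initiate gets an answer.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Services published on purpose: the web server and BIND (UDP and TCP).
-A INPUT -i $WAN_IF -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -i $WAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 53 -m state --state NEW -j ACCEPT
# Inbound 25 is deliberately absent: the MTA can still deliver mail out
# because OUTPUT is ACCEPT, but nobody outside can connect to it.
# Everything else on $WAN_IF: log at most one new attempt per second, send
# a TCP reset so scanners see "closed", and let the DROP policy eat the rest.
-A INPUT -i $WAN_IF -m state --state NEW -m limit --limit 1/s -j LOG --log-prefix "IPT-DROP: "
-A INPUT -i $WAN_IF -p tcp -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

rule_position() {
    # Line number of the first ruleset line matching $1 (empty if none).
    emit_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

check_ordering() {
    # Guards against the mistake in post #6: the stateful ACCEPT has to sit
    # ahead of the catch-all REJECT, or established traffic is rejected.
    est=$(rule_position 'ESTABLISHED,RELATED')
    rej=$(rule_position 'j REJECT')
    [ -n "$est" ] && [ -n "$rej" ] && [ "$est" -lt "$rej" ]
}

inbound_port_allowed() {
    # $1 = tcp|udp, $2 = port. Succeeds if new inbound connections to that
    # port are ACCEPTed on the public interface.
    emit_ruleset | grep -q -- "-i $WAN_IF -p $1 --dport $2 .*-j ACCEPT"
}

apply_ruleset() {
    # Loads the table atomically; there is never a moment with DROP policy
    # and no ACCEPT rules, unlike setting -P and then appending one by one.
    [ "$(id -u)" -eq 0 ] || { echo "apply_ruleset: must be root" >&2; return 1; }
    check_ordering || { echo "apply_ruleset: bad rule order" >&2; return 1; }
    emit_ruleset | iptables-restore
}

# Usage:  sh mysimplepolicy.sh           (print the ruleset for review)
#         APPLY=1 sh mysimplepolicy.sh   (load it with iptables-restore)
if [ "${APPLY:-0}" = "1" ]; then
    apply_ruleset
else
    emit_ruleset
fi
```

Run it once without APPLY and read the output before loading anything. If you administer the box over SSH, add an ACCEPT for port 22 above the REJECT line first, since the ESTABLISHED rule keeps your current session alive but a DROP policy will refuse the next one. The helper functions exist so the ruleset can be checked (ordering, which ports are exposed) before it touches the kernel.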