Ubuntu Security :: Clarification On Firewall Rules?
May 9, 2010
I have a set of iptables rules generated by Firestarter, and i'm in the process of trying to familiarise myself with iptables itself, but there's one particular rule which is confusing me, perhaps somebody could explain it to me
My INPUT chain reads as follows:
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- cdns01.plus.net anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- cdns01.plus.net anywhere
ACCEPT tcp -- cdns02.plus.net anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
[Code]...
Given that the firewall is actually blocking packets, it can't be this simple, so what am I missing?
View 1 Replies
ADVERTISEMENT
Jun 6, 2011
I have my own internal bind9 server, for my local domain, and I forward internal requests for public domains to OpenDNS servers. This server is not in a DMZ, but is instead behind an dynamic NAT. I do not accept queries from the public network, only responses. I understand that DNS is primarilly a UDP protocol, so it can't pass through a stateful/nat. without a firewall allow.
I've done a little reading and learned that bind9 does not run 53 <-> 53 anymore (is now >1024 <-> 53), and modified my config so it works like bind4 did, but I am concerned that this makes me less secure. additionally, I'd really rather not have a completely open 53 rule, but it seems that if I constrain 53 traffic to my known forwarders, it interfers with some of my network services like transmission. so, what firewall rules would you guys recommend for recieving forwarded DNS query responses to my server?
View 1 Replies
View Related
Jan 12, 2011
having trouble understanding selinux. the domain is cluster containing permissions. a type is nothing more than a label applied to something like a file,right? so instead of applying the permission set of foo domain to the /etc/shadow file it would be apply label shadow_t to /etc/shadow and make the shadow_t apart of the foo domain?
View 1 Replies
View Related
Nov 29, 2010
Even though I've set up HTTPS to be trusted, it still blocks my school's https site: "mnsu.edu/eservices" same with SAMBA and SSH.
If enter the GUI and authenticate as root, change anything and apply, then exit: it works fine and so does SAMBA. However, after restarting, everything stops working again.
yet secure firewall configuration that doesn't require any login or headaches.
View 6 Replies
View Related
Aug 26, 2010
can I deny the access to my server for a specific OS? I have one PC which I want to give it acces from winxp, but if it's boot into ubuntu I want to deny all access to my server, same IP, same ethernet card
View 8 Replies
View Related
Apr 7, 2010
I just install 1 firewall using Iptables.
Firewall includes 2 NIC:
NIC1 <IP PUBLIC>
NIC2 192.168.10.1
I installed 1 web server IP: 192.168.10.2
I have some PC IP range: 192.168.10.10->20
I set rules NAT on firewall and PC & web server can connect internet good, but I have problems:
When PC access to web server with IP 192.168.10.2 that ok, but PC can't access to web server when using IP Public. But outside internet, I can access to web server using IP Public.
Rules on IPTables
Code:
# Generated by iptables-save v1.3.5 on Sun Mar 7 21:01:16 2010
*nat
:PREROUTING ACCEPT [950:126970]
:POSTROUTING ACCEPT [89:5880]
:OUTPUT ACCEPT [19:1342]
-A PREROUTING -d 209.99.242.124 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 209.99.242.124
*filter
:INPUT DROP [1599:157409]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [232:34452]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.10.2 -p tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT
View 2 Replies
View Related
Jun 7, 2011
every now and then Firewall Builder fails to open rules (*.fwb)and I have to use some old backup. it does load 'object libraries' but the main 'currently editing policy' panel is empty.(in gnome, debian testing amd64)
View 1 Replies
View Related
Oct 10, 2013
Consolidate several lines of a CSV file with firewall rules, in order to parse them easier?
I have a .csv file, which I created using an HTML export from a Check Point firewall. The objective is to have all the firewall configuration lines where a given host is present. I have to do this for a few hundred, manually is not a reasonable option. I'm going to write a simple Python script for this.
The problem is that the output from the Check Point firewall is complicated to work with. If a firewall rule works with several source or destination hosts, services or other configurations, instead of having them separated with a symbol other than a comma, I get a new line.
This prevents me from exporting the line where the host is present, since I would be missing info.
Let me show you an example, hostnames are modified, of course:
NO.;NAME;SOURCE;DESTINATION;VPN**;SERVICE;ACTION;TRACK;INSTALL ON;TIME;COMMENT
1;;fwxcluster;mcast_vrrp;;vrrp;accept;Log;fwxcluster;Any;"VRRP;;*Comment suppressed*
;;;;;igmp;;;;;
2;;fwxcluster;fwxcluster;;FireWall;accept;Log;fwxcluster;Any;"Management FWg;*Comment suppressed*
;;fwmgmpe;fwmgmpe;;ssh;;;;;
;;fwmgm;fwmgm;;;;;;;
3;NTP;G_NTP_Clients;cmm_ntpserver_pe01;;ntp;accept;None;fwxcluster;Any;*Comment suppressed*
;;;cmm_ntpserver_pe02;;;;;;;
View 0 Replies
View Related
May 12, 2011
I need assistance with my Snort Installation. I used Bodhi Zazen's Network Intrusion Detection System post and found it easier than the previous time I had done it. I am currently running Ubuntu 10.04 server and Snort 2.8.6.1 with BASE 1.4.5. I followed Bodhi Zazen's instructions and when I tested snort it ended with a Fatal Error due to ERROR: /etc/snort/rules/exploit.rules(264) => 'fast_pattern' does not take an argument
Fatal Error, Quitting.. Here is the entire output once I ran the test command: snort -c /etc/snort/snort.con -T Running in Test mode
[Code]...
View 2 Replies
View Related
Oct 11, 2013
I have a CSV file, which I created using an HTML export from a Check Point firewall policy. Each rule is represented as several lines, in some cases. That occurs when a rule has several address sources, destinations or services.
I need the output to have each rule described in only one line. It's easy to distinguish when each rule begins. In the first column, there's the rule ID, which is a number.
Here's an example. In green are marked the strings that should be moved:
See example. The strings that should be moved are in bold:
NO.;NAME;SOURCE;DESTINATION;SERVICE;ACTION;
1;;fwgcluster;mcast_vrrp;vrrp;accept;
;;;;igmp;;
2;Testing;fwgcluster;fwgcluster;FireWall;accept;
;;fwmgmpe;fwmgmpe;ssh;;
;;fwmgm;fwmgm;;;
What I need ,explained in pseudo code, is this:
Read the first column of the next line. If there's a number:
Evaluate the first column of the next line. If there's no number there, concatenate (separating with a comma) the strings in the columns of this line with the last one and eliminate the text in the current one
The output should be something like this. The strings in bold are the ones that were moved:
NO.;NAME;SOURCE;DESTINATION;SERVICE;ACTION;
1;;fwgcluster;mcast_vrrp;vrrp-igmp;accept;
;;;;;;
2;Testing;fwgcluster-fwmgmpe-fwmgm;fwgcluster-fwmgmpe-fwmgm;FireWall-ssh;accept;
;;;;;;
The empty lines are there only to be more clear, I don't actually need them.
View 1 Replies
View Related
May 9, 2011
Can we use iptables as firewall instead of Juniper firewall
View 2 Replies
View Related
Jan 8, 2010
I am booting centos 5.4 on machine. The system hangs at line "Applying iptables firewall rules".Is there any way to skip starting iptables service during boot or disable it during boot so the system finally reboots.
View 1 Replies
View Related
Jul 17, 2010
IPtables creates an error during startup as well as when I try to restart it: Here's the output of:
[Code]....
View 11 Replies
View Related
Jun 9, 2010
I googled this question, no relevant results. I don't samba, ssh, or any P2P file sharing. Is udp neccesary for general web browsing/file downloading? What would be the best general ufw rules to set for above conditions and varying ip address? I know how to use the full ufw syntax in command line.
View 5 Replies
View Related
Sep 12, 2010
I've configured iptables to act as a stateful firewall, but instead of simply rejecting packets I'd like to waste a potenial hackers time by droping any packet that would otherwise be returned. Are my rules sufficient or have I somehow opened myself up to an attacker by trying to write these rules myself?
View 3 Replies
View Related
Jul 9, 2011
what do the following two commands do? Do they modify the iptables rules in any way?
sudo /sbin/iptables -L -n
sudo /sbin/ip6tables -L -n
View 5 Replies
View Related
Sep 23, 2010
I have a Suse11 box with 2 network cards:
I have squid as a proxy on the Suse box, and with the default firewall I have to enable masquerading to allow clients on the eth3:1-3 to send and receive mail through the Suse box. I found the Suse firewall completely inadequate (all P2P software/connections are allowed once you enable masquerading) and had to install ConfigServer Security & Firewall. In die configuration of csf I could get my way around getting smtp to work for the eth3:1-3 clients, but pop3 connections does not go through the box. I know I need to allow port 110 and 995 to masquerade of NAT (or something) and then the same for port 22
View 2 Replies
View Related
Jun 4, 2010
I greet you at the same time ask me to help with a problem I have and I could not solve. Within the requirements I have is to connect a network that is connected by VPN to my LAN.The detail is I could have connection to the network by adding a network card (eth3) on the firewall and connect to the VPN router (DLINK) cable network, but I can not reach the other estin that are in the VPN.
It should be noted if I add a station within the network: 10.30.1.X/24 has no problems connecting with the other destinations.Physically this router is inside my 10.30.1.X DATA CENTER another wan.
View 1 Replies
View Related
May 2, 2010
my ufw rules have been loaded and active yet using iptraf i see tcp connections on ports that were never allowed by ufw. can anyone explain this too me does ufw just not work?
View 6 Replies
View Related
May 30, 2010
When I upgraded to 10.4LT I agreed to something that stopped snort, after days decided to just re-do with new snort version. Used bodhi.zazen's MySql instruction version (which is what I used in the past) Everything went pretty well except for figuring out that I needed to delete all the lib_sfdynamic_preprocessor_example?? files (I also deleted all the lib_sfdynamic_example?? files too just to be safe). Used my original Oinkmaster with updated rules version and downloaded the emerging threats too (as I had in the past) and snort won't run with some of the emerging threat rules because it's lookning for snortsam (fwsam). I read up and snortsam looks like a good idea (if I'm wrong somebody just let me know)
if this seems dumb, but I really don't understand, the snortsam directions are HORRIBLE, the snortsam src looks like a windows file when unpacked with all the .dll files(but they say for all OS's), it builds but you need to copy the binary to /usr/local/bin (what in ubuntu would be a binary?).
the snortsam-patch-2.8.tar.gz won't unpack and the Snort 2.8.6 patch is a file, not a package (have no clue where to put it or what to call it if I got the 2.8.tar.gz to unpack so I could build it)
View 3 Replies
View Related
Jun 22, 2011
I recently set up a ftp server in my house running a dyndns service so I can get to it from the outside. I called my isp to get some help in setting up the router to forward port 21 from the outside to that box, and in short we had some problems. Long story short, they ended up bypassing the router itself, and now the line running to the box is its own fixed external ip. Naturally I want a pretty darn good iptables setup for this. The box runs proftpd and so far my iptables only accepts local loopback and port-21. (I left port 80 closed as its only purpose is to be a standalone ftp server) But I know there must be a safer rule for port 21, as right now its just wide open. Anyone have any ideas on how to make this a bit safer? Also would that command be fine for any of the linux machines im connecting to it from the outside too?
View 3 Replies
View Related
Dec 21, 2010
on a fresh Fedora 2.6.35.9-64.fc14.x86_64 installation I have little trouble with chrony. I love that tool for synchronyzing my clock. SELinux complains, that /usr/sbin/chronyd like to read/write to chronyd.pid. Further I find entries in /var/log/messages, that /var/lib/chrony/drift could not be opened. As I'm completely new to SELinux - I'd like to get some help setting the Security Rules. PS: Should the rules be quite fine from the FC-Repo?
View 11 Replies
View Related
Jan 27, 2011
I have a caching dns and SNMP ( MRTG ) both on the same server how can I permit dns and snmp traffic in INPUT chain?? I have tried the following:
iptables -A INPUT -p udp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp --sport 1024:65535 --dport 161:162 -j ACCEPT
iptables -A INPUT -p udp --sport 161:162 --dport 1024:65535 -j ACCEPT
View 1 Replies
View Related
Sep 16, 2010
I am trying to program iptable rules for implementing a 1:1 NAT which does the following:
1. Forward all traffic from all ports on a public ip to a private ip
2. Forward traffic from a range of ports (x-->y) on a public ip, to a private ip
I did some google searches for the same, and came up with the following.
iptables -A FORWARD -t filter -o eth0 -m state
state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state
state ESTABLISHED,RELATED -j ACCEPT
View 15 Replies
View Related
Mar 31, 2011
Can someone please let me know strong iptables rules? Below entries are in iptables file.Here Y.Y.Y.Y is another branch public IP.This server acts as gateway+squid server.Further it will serve company's intranet page also using httpd.OS is CentOS 5.0.
View 1 Replies
View Related
Jan 27, 2011
I am setting my firewall rules using the command iptables.My question is i wanna know what command i can use that list rule 2 and 3 for instance in my table?i want to create rule that: The host is administered using SSH, scp and sftp so allow incoming SSH traffic and securing remote file copying and transferring.
View 2 Replies
View Related
Feb 23, 2011
I tried installing F-prot's linux scanner but it doesn't seem to want to install and I am tired of messing with it.
So I am wondering if I even need it or if there is something else.
I am behind a firewall already with my router if that helps any.
I guess I am having trouble understanding why virus protection is less necessary.
Do people not write viruses for linux systems?
View 7 Replies
View Related
May 6, 2011
How do you delete ufw rules which you didn't make?
I want to block the FTP ports (20 & 21) but even if I put in DENY rules, it appears that these rules are letting traffic through
Code:
9 400 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,20 state RELATED,ESTABLISHED
How do I delete these rules? I've tried.
Code:
sudo ufw delete allow 20
sudo ufw delete proto tcp from any to any 20
but I get "Could not delete non-existent rule".
Since I didn't make those rules I have no idea what OpenBSD's PF syntax (what ufw uses) is for them.
View 2 Replies
View Related
May 3, 2009
When I use system-config-firewall, it asks what interfaces to trust. Where does it store that information for iptables (or whatever uses that info)? How iptables knows at what interfaces to use the rules?There is not that kind of information in /etc/sysconf/iptables and iptables-config.
View 2 Replies
View Related
Jul 16, 2011
I don't know if FC15 has the iptable rules like the ones shown below by default or not but I wanted a second opinion about the safety they provide. Why is icmp accepted (INPUT rule 1) from/to all ip? and is it better to remove this rule? When the protocol is all (INPUT rule 2), does it mean from ip layer and above?? and is it required/safe to have this rule? The 3rd rule is to allow tcp-port 22 connections (ssh) to/from all ip. I think this is correctly set and required. The 4th rule in INPUT table rejects pings with the icmp-host-prohibited message; which I don't think is the best solution. Instead it can be set to silently drop icmp packets. Then, the FORWARD table uses reject instead of silent drop for forwarding icmp ping packets.
Code:
what do you think about the new rules and their order?
View 5 Replies
View Related
