Hello,
I did 2 scripts. The second one is, I hope, more secure.
What do you think?
Basic connection (no server, no router, no DHCP and the Ipv6 is disabled)
#######script one
####################
iptables -F
iptables -X -t filter
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT
#CONNECTION
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT
#LOG
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A FORWARD -j LOG
######SCRIPT 2 ### SCRIPT (MORE SECURE) #####
#######################
iptables -F
iptables -X -t filter
iptables -P INPUT -j DROP
iptables -P FORWARD DROP
iptables -P OUTPUT -j DROP
modprobe ip-conntrack
#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT
#connection
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT
#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -d 0.0.0.0/0 -p tcp --sport xxxx -m state --state ESTABLISHED -j ACCEPT (I don't know if I must add 0.0.0.0/0 or 192.168.0.0/24)
iptables -A INPUT -m limit --limit 7/s -j LOG
#LOG
iptables -A OUTPUT -m limit --limit 7/s -j LOG
iptables -A FORWARD -m limit --limit 7/s -j LOG
Thanks in advance
I see the line for your DSL router or whatever 192... is. What is your goal? You can inadvertantly block your DNS server that way, for example.
Do not forget that you can render the system almost unusable with one single "interesting" line in your script. If you have iptables enabled now and have access - keep a copy of the current setup.
Hello,
Thanks for your reply.
I wanted to make this rule more secure:
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
My pc is not acting as a router or a server. If I want to open a port (example: for a vpn), what rule do I need?
Normally the rule is:
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
But this rule is not very secure because if I well understood, it allows everyone to get my tcp port xxx.
What can I do to make the rule more secure? Is it possible?
Thanks.
tcp ports are dictated by IANA So if you decide to "secure" port 25, nobody will be able to connect using ftp.
This link has 140 pages, just read a few.
Service Name and Transport Protocol Port Number Registry
My point is: you can break all kinds of services without knowing why. And if someone attacks a random port and there is no service behind it to respond, the attacks fails. So no need to block it. This is why attacks go for a lot of known ports. So known ports may require a minor tweak.
Are you trying to harden your box for a reason? A lot of linux boxes have special apps to help you. What OS and version of it do you have?
uname -a will show that, so please post it.
Edit: It is not uncommon to harden a UNIX and break some applications.
2 Likes
Are you trying to harden your box for a reason? A lot of linux boxes have special apps to help you. What OS and version of it do you have?
uname -a will show that, so please post it.
No but you can't be too careful. And sometimes my laptop is connected to free WiFi.
I 've got two laptops: ubuntu and debian
1)Linux 4.4.0-57-generic #78-Ubuntu SMP Fri Dec 9 23:46:51 UTC 2016 i686 i686 i686 GNU/Linux
2)Linux 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/LINUX
My point is: you can break all kinds of services without knowing why. And if someone attacks a random port and there is no service behind it to respond, the attacks fails. So no need to block it. This is why attacks go for a lot of known ports. So known ports may require a minor tweak.
You mean I'do better to change default ports rather than block them?
Thanks.
With 'free wifi' most harmfull stuff is not actually related to your firewall (unless you block everything, which makes no sense).
A person who owns that wifi network in one way or another can :
- Use fake DNS and create fake pages for folks inside that network.
- Sniff network traffic, especially unencrypted/poorly encrypted traffic and analyze it or/and save it for later (perhaps even years, to brute force it later when he gets a new gpu :rolleyes: )
A lot of other things for an imaginative mind.
Conclusion is if the for anything but casual surfing (no banking, no credentials input), unless you know for a fact that no such things exist in that network.
If using be sure to check the certificates of pages you are leaving credentials at, and use strong encryption.
Hope the helps
Regards
Peasant.
1 Like
OK. thanks
@ jim mcnamara
"So known ports may require a minor tweak"
Could you give me an example please?
@Peasant
What do you mean by "use strong encryption"? Modules (https everywhere,...) in firefox or softwares like VPN,...?
I did three scripts.
Are they good? Which is the best?
This rule:
iptables -X -t filter
Some says that I'm referring to a table called "filter" which doesn't exist. What should I add to make the filter table exist?
BASIC CONNECTION (my laptop is acting neither as a server nor as a router; no DHCP and the Ipv6 is disabled)
#######script one
####################
iptables -F
iptables -X -t filter
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT
#CONNECTION
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT
#LOG
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
iptables -A FORWARD -j LOG
######SCRIPT 2 ###
#######################
iptables -F
iptables -X -t filter
iptables -P INPUT -j DROP
iptables -P FORWARD DROP
iptables -P OUTPUT -j DROP
modprobe ip-conntrack
#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT
#connection
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT
#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT
##I deleted this line####
##iptables -A INPUT -d 0.0.0.0/0 -p tcp --sport xxxx -m state --state ESTABLISHED -j ACCEPT (I don't know if I must add 0.0.0.0/0 or 192.168.0.0/24)
#########
#LOG
iptables -A INPUT -m limit --limit 7/s -j LOG
iptables -A OUTPUT -m limit --limit 7/s -j LOG
iptables -A FORWARD -m limit --limit 7/s -j LOG
##SCRIPT 3####
###############
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#lo
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -o lo -j ACCEPT
#PING ACCEPTED AND OPENING PORTS THAT I NEED
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
iptables -A INPUT -p udp --dport xxxx -j ACCEPT
#connection
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state ! --state INVALID -j ACCEPT
#LOG
iptables -A INPUT -m limit --limit 7/s -j LOG --log-prefix "ICATCH:" --log-level info
iptables -A OUTPUT -m limit --limit 7/s -j LOG --log-prefix "OCATCH:" --log-level info
iptables -A FORWARD -m limit --limit 7/s -j LOG --log-prefix "FCATCH:" --log-level info
THANKS IN ADVANCE