
Firewall?

Discussion in 'Linux and Unix' started by xlanou, Jul 3, 2007.

Thread Status:
Not open for further replies.
  1. xlanou

    xlanou Thread Starter

    Joined:
    Jun 13, 2007
    Messages:
    49
    At the moment I don't have an operational firewall on the computer running Mandriva Spring. Do I really need one? And if so, what are the options available that are compatible with Linux? Thanks all.
     
  2. briealeida

    briealeida

    Joined:
    Jun 3, 2007
    Messages:
    650
    Most people will argue that you don't need a personal firewall on your machine. Is there one between your machine and the wild?
     
  3. neos1

    neos1

    Joined:
    Feb 13, 2006
    Messages:
    238
    not to hijack here, but are you meaning a hardware firewall? If so, are you saying that no matter the flavor, a router between computer and the world is enough?
     
  4. briealeida

    briealeida

    Joined:
    Jun 3, 2007
    Messages:
    650
    No, I mean a software firewall. I thought that's what xlanou meant.

    Obviously having nothing between a workstation and the wild is stoopid. A hardware firewall is essential. I wouldn't trust just something like iptables.
     
  5. freebe

    freebe

    Joined:
    Mar 21, 2007
    Messages:
    17
    I have Verizon dsl & the Westell modem/router. I logged into it the 1st week or two so I could switch off the 'wireless'. I notice the hardware firewall was set to the lowest level. ( and my sys was not testing as 'stealth' on ShieldsUp: https://www.grc.com/x/ne.dll?bh0bkyd2 )

    I set it higher & then I passed the test.
     
  6. neos1

    neos1

    Joined:
    Feb 13, 2006
    Messages:
    238

    This is very interesting because I have yet to find extended discussions on Linux firewalls.
    Sure would like to be clued in. I'm running Ubuntu.
     
  7. lotuseclat79

    lotuseclat79

    Joined:
    Sep 12, 2003
    Messages:
    20,583
    Hi neos,

    I also run Ubuntu, but from the Live CD, and I initialize an iptables firewall before I dialup to the wild. Since everything runs in RAM (including a faux file system), when I turn off the power everything goes poof! Also, when I am connected to the wild, my disks are unmounted.

    -- Tom
     
  8. neos1

    neos1

    Joined:
    Feb 13, 2006
    Messages:
    238
    You have mentioned running in 'Live' mode before and I was very interested in what you say.
    But at the time it was a different subject thread and it was not pursued. The IPtables and running with disks unmounted part is new to me.

    I run behind a Linksys router running linux WRT firmware and for the life of me I cannot remember the exact nomenclature of the software. (I have hdd with that info turned off because of another challenge I'm facing).

    The IPTables; they are what run on the hardware firewall? I can find this. I'm not asking you to do my work for me.

    Just wanted to make note:)
     
  9. lotuseclat79

    lotuseclat79

    Joined:
    Sep 12, 2003
    Messages:
    20,583
    IPTables is software in Linux.

    Here is my setup for iptables:
    Install the following two bash files in /etc (i.e. whether running Live CD or not), and the initialization script in /etc/init.d.
    firewall.bash file (install in /etc): <===============
    #!/bin/bash
    # /etc/firewall.bash - build the iptables ruleset for a dial-up host (ppp0)

    # No spoofing: turn on reverse-path filtering on every interface
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
        for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
        do
            echo 1 > "$filtre"
        done
    fi

    # No icmp: the host will not answer echo requests (ping) at all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # Load some modules you may need (these are the 2.4 / early 2.6 names;
    # newer kernels call the helpers nf_conntrack_ftp, nf_nat_ftp and so on.
    # The script does not stop on a failed modprobe.)
    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe iptable_filter
    modprobe iptable_nat

    # Remove all rules and chains
    iptables -F
    iptables -X

    # First set the default behaviour => accept connections
    # (the FIREWALL chain below ends in DROP, so INPUT still fails closed,
    # but anything that flushes the rules leaves the host wide open)
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    # Create 2 chains; it keeps the script clean
    iptables -N FIREWALL
    iptables -N TRUSTED

    # Allow ESTABLISHED and RELATED incoming connections
    # (replies to anything this host started)
    iptables -A FIREWALL -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Send all other packets to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED
    # DROP all other packets
    iptables -A FIREWALL -j DROP

    # Send all INPUT packets to the FIREWALL chain
    iptables -A INPUT -j FIREWALL
    # DROP all forward packets, we don't share the internet connection in this example
    iptables -A FORWARD -j DROP

    # Allow https
    # Replies to outbound HTTPS are already admitted by the ESTABLISHED,RELATED
    # rule above; these two rules additionally accept any inbound packet whose
    # sender chose source port 443, whatever its connection state
    iptables -A TRUSTED -i ppp0 -p udp -m udp --sport 443 -j ACCEPT
    iptables -A TRUSTED -i ppp0 -p tcp -m tcp --sport 443 -j ACCEPT

    # Allow amule (uncomment if you run it)
    #iptables -A TRUSTED -i ppp0 -p udp -m udp --dport 5349 -j ACCEPT
    #iptables -A TRUSTED -i ppp0 -p udp -m udp --dport 5351 -j ACCEPT
    #iptables -A TRUSTED -i ppp0 -p tcp -m tcp --dport 5348 -j ACCEPT

    # Allow IRC IDENT & DCC (uncomment if you run an IRC client)
    #iptables -A TRUSTED -i ppp0 -p tcp -m tcp --sport 6667 -j ACCEPT
    #iptables -A TRUSTED -i ppp0 -p tcp -m tcp --sport 113 -j ACCEPT

    # Allow bittorrent (uncomment if you run a client listening on 6881-6889)
    #iptables -A TRUSTED -i ppp0 -p tcp -m tcp --dport 6881:6889 -j ACCEPT

    # End message
    echo " [End iptables rules setting]"

    flush_iptables.bash file (install in /etc): <==================================
    #!/bin/bash
    # /etc/flush_iptables.bash - remove every rule and chain.
    # Because the default policies are set back to ACCEPT, the host accepts
    # all traffic once this has run.

    #
    # Set the default policy
    #
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT

    #
    # Set the default policy for the NAT table
    #
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT

    #
    # Delete all rules
    #
    iptables -F
    iptables -t nat -F

    #
    # Delete all chains
    #
    iptables -X
    iptables -t nat -X

    # End message
    echo " [End of flush]"

    firewall bash script file (install in /etc/init.d): <===============================
    #!/bin/bash
    # /etc/init.d/firewall - start/stop/restart/status wrapper around the two
    # scripts above. Run as root.

    RETVAL=0

    # To start the firewall
    start() {
        echo -n "Iptables rules creation: "
        /etc/firewall.bash
        RETVAL=$?
    }

    # To stop the firewall
    stop() {
        echo -n "Removing all iptables rules: "
        /etc/flush_iptables.bash
        RETVAL=$?
    }

    case $1 in
        start)
            start
            ;;
        stop)
            stop
            ;;
        restart)
            stop
            start
            ;;
        status)
            # -n lists addresses and ports numerically instead of doing
            # reverse DNS lookups, which can hang while the wall is up
            /sbin/iptables -L -n -v
            /sbin/iptables -t nat -L -n -v
            RETVAL=$?
            ;;
        *)
            echo "Usage: firewall {start|stop|restart|status}"
            RETVAL=1
    esac

    exit $RETVAL
    In order to initialize the iptables firewall, execute (as root): /etc/init.d/firewall start

    Obviously, I have written a script to do all of this which I keep on my hard drive and pull over to my Live CD to execute my initialization. The last part is to reset my local time which I sync with an "atomic" watch and issue the date -u mmddhhmm command from the root account using GMT time - this requires a /etc/localtime symbolic link setting to the /usr/share/zoneinfo/file where file is for your time zone and whether daylight saving time is in effect (also in my script).

    -- Tom
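
    The following is an added example and is not code from the thread or from Tom's setup: a small Python auditor that reads `iptables-save` output and flags two things a practitioner would check in a hand-written ruleset like the one above: built-in inbound chains whose default policy is ACCEPT (so a flush fails open), and ACCEPT rules on the inbound path that trust a packet only because of its source port (such as `--sport 443`) without requiring an ESTABLISHED/RELATED state match, which a remote sender can satisfy at will. Python is used rather than bash because the job is text parsing. The two dumps embedded in the block are constructed for this example: `WEAK_DUMP` mirrors the rules firewall.bash creates, and `HARDENED_DUMP` is a default-deny rewrite of the same intent. Nothing here talks to the kernel, so it runs without root.

```python
"""Audit an iptables-save dump for fail-open policies and source-port-only
ACCEPT rules.  Added example, not code from the thread.  Run it as-is to
audit the two constructed dumps, or feed it real output on stdin:
    iptables-save | python audit_iptables.py
"""

import shlex
import sys

# Constructed: what iptables-save prints for the ruleset built by the
# firewall.bash script in the post above (counters zeroed).
WEAK_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FIREWALL - [0:0]
:TRUSTED - [0:0]
-A INPUT -j FIREWALL
-A FORWARD -j DROP
-A FIREWALL -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FIREWALL -j TRUSTED
-A FIREWALL -j DROP
-A TRUSTED -i ppp0 -p udp -m udp --sport 443 -j ACCEPT
-A TRUSTED -i ppp0 -p tcp -m tcp --sport 443 -j ACCEPT
COMMIT
"""

# Constructed: a default-deny version of the same intent.  HTTPS replies
# still arrive because conntrack matches them, nothing unsolicited gets in,
# and a plain `iptables -F` leaves the DROP policy standing (fails closed).
HARDENED_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
"""


def parse_dump(text):
    """Return (policies, rules) for a filter-table dump.

    policies: built-in chain name -> ACCEPT/DROP (user chains, shown as "-",
              are skipped).  rules: list of (chain, argv), argv being the
              tokens after "-A <chain>", split with shlex."""
    policies, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            if policy != "-":
                policies[chain] = policy
        elif line.startswith("-A "):
            argv = shlex.split(line)
            rules.append((argv[1], argv[2:]))
    return policies, rules


def jump_target(argv):
    """The -j target of a rule, or None if the rule has no target."""
    return argv[argv.index("-j") + 1] if "-j" in argv else None


def chains_reachable_from(rules, start):
    """Chains whose rules can see a packet that entered `start`, found by
    following -j jumps into user-defined chains (ACCEPT/DROP are not chains)."""
    defined = {chain for chain, _ in rules}
    seen, todo = set(), [start]
    while todo:
        chain = todo.pop()
        if chain in seen:
            continue
        seen.add(chain)
        for rule_chain, argv in rules:
            target = jump_target(argv)
            if rule_chain == chain and target in defined and target not in seen:
                todo.append(target)
    return seen


def audit(dump_text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    policies, rules = parse_dump(dump_text)
    findings = []

    # 1. Inbound built-in chains should fail closed when the rules go away.
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) == "ACCEPT":
            findings.append(f"policy: {chain} defaults to ACCEPT; "
                            f"flushing the rules leaves the host open")

    # 2. On the inbound path, an ACCEPT keyed on the *source* port with no
    #    conntrack state match trusts a value the remote end picks freely.
    inbound = chains_reachable_from(rules, "INPUT")
    for chain, argv in rules:
        if chain not in inbound or jump_target(argv) != "ACCEPT":
            continue
        keyed_on_sport = any(o in argv for o in ("--sport", "--source-port"))
        state_checked = any(o in argv for o in ("--state", "--ctstate"))
        if keyed_on_sport and not state_checked:
            findings.append(f"rule: {chain} accepts on source port alone: "
                            f"{' '.join(argv)}")
    return findings


if __name__ == "__main__":
    piped = None if sys.stdin.isatty() else sys.stdin.read()
    dumps = {"stdin": piped} if piped else {"WEAK_DUMP": WEAK_DUMP,
                                            "HARDENED_DUMP": HARDENED_DUMP}
    for name, dump in dumps.items():
        print(f"== {name} ==")
        for finding in audit(dump) or ["no findings"]:
            print("  " + finding)
```

    Against `WEAK_DUMP` the auditor reports four findings (two ACCEPT policies and the two `--sport 443` rules, which it reaches by following INPUT -> FIREWALL -> TRUSTED); against `HARDENED_DUMP` it reports none. It only reads the filter table and only knows `-m state` / `-m conntrack` as state checks, so treat a clean result as "these two mistakes are absent", not as a full review.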
     
  12. neos1

    neos1

    Joined:
    Feb 13, 2006
    Messages:
    238
    Lotuseclat79,

    It's pretty clear, considering my original question in this thread, that I'm clueless as to IPTables, how they work and how exactly to implement them. I've yet to make a script that works. I may have figured out how to download a live ISO, burn it to CD and then install Ubuntu, but that is only because they have made it nearly idiot proof.

    I've installed firestarter because I could just click to install so that I have some kind of wall between me and the 'wild' and because it takes me about nine times reading through something before it finally begins to stick.

    I own both O'Reilly's Desk Top Reference 'Linux in a Nutshell', and the Linux Cookbook 2nd edition. I'm looking for a 'complete idiot's guide' out there somewhere - you know the kind of book that would actually tell a guy the 'dd' is gallows humor made up years ago for copy. Yea I know data dump. I'm currently reading the Hacker's Dictionary, and am waiting for my copy of the Cathedral and the Bazaar. A late comer - yes. A wannabe - maybe. But I have 'How to ask questions the Right Way' bookmarked on my children's computer running Ubuntu.
    At least they will know there are other choices.

    And sometimes, I just like to ramble.
     
  13. playme123

    playme123

    Joined:
    Jun 20, 2007
    Messages:
    297
    pmsl at me clicked on the link and was ready to work like I was in ubuntu and realised that changed the towers over earlier:D :D :D :D :D :D :D :D :D
     
  14. lotuseclat79

    lotuseclat79

    Joined:
    Sep 12, 2003
    Messages:
    20,583
    Hi neos1,

    Glad to hear you have Firestarter! (y)

    Do an Advanced Search in the Unix/Linux subforum only and use the Titles Only selection in the keyword menu to the top left of the Advanced Search webpage.
    Search for the word: book
    in the Titles Only selection of the Keyword input block.

    That should point you to various threads you can look through that may identify a book that qualifies for what you are looking for.

    -- Tom
     
  15. LewisL

    LewisL

    Joined:
    Jul 14, 2007
    Messages:
    3
    As far as I know, Mandriva offers to configure the firewall during installation, and has a settings utility of the same name in the Control Center. Anyway, iptables rocks.
     
Short URL to this thread: https://techguy.org/591268