This is a static archive of the old Zorin Forum.


Firewall doubts!

spain

Sat Aug 27, 2011 4:12:23 pm

Good people. First of all, I apologize if I am not well understood, since I am using the Google translator. Well, the question I have is: by turning on the firewall is it already protected, or do I have to do something else? Greetings from Spain, and congratulations on Zorin :!:

Wolfman

Sun Aug 28, 2011 10:23:35 am

Hi spain,

You can set up the firewall in the Control Center: just go to the System section and you can configure it there!

Regards Wolfman :D

maxmm5

Sun Aug 28, 2011 12:00:52 pm

Hi spain, turning on or just enabling the firewall is not enough; you must add rules to it. On the Firewall window, make sure the Actual Status Enabled check box is checked, Incoming is set to Deny, Outgoing is set to Allow, and click the +Add button. From Firewall: Add Rule there are 3 tabs to choose from (Preconfigured, Simple and Advanced). I advise you to do some searching about firewalls on Wikipedia, so you can make a wise choice when setting up your firewall. Please see the attached file...

spain

Sun Aug 28, 2011 4:27:39 pm

Well, if that is the firewall I meant, would you recommend Firestarter or the one mentioned above? Greetings

Obsidian1723

Sun Aug 28, 2011 9:00:36 pm

I highly recommend learning iptables from the command line because it will serve you in all distros of Linux and because there are options only available via the command line. ufw-gtk and other front ends lack these options. I personally code a firewall into a bash file. Here's a very simple one, which is still effective for most people.... Simply copy this into a gedit text file and save it as "simple-firewall.sh" without the quotes. Now you need to open the terminal and cd over to where you saved it. Then $ sudo chmod +x simple-firewall.sh && sudo ./simple-firewall.sh

The first command changes it to an executable script, while the second command, after the double & sign, will run the shell script.

#!/bin/bash
#
# Simple Firewall (ipv4)
#
# Flush the filter table and start from an empty rule set.
iptables -F
# Always allow loopback traffic.
iptables -A INPUT -i lo -j ACCEPT
# Allow replies to connections this machine opened (conntrack covers web and DNS answers).
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The two --sport rules are redundant with the rule above and would accept any unsolicited
# packet whose source port happens to be 80 or 53, so they are commented out here.
# iptables -A INPUT -p tcp --sport 80 -j ACCEPT
# iptables -A INPUT -p udp --sport 53 -j ACCEPT
# Everything else inbound is dropped; all outbound traffic is allowed.
iptables -A INPUT -j DROP
iptables -A OUTPUT -j ACCEPT

Now for a much more comprehensive iptables script (which includes support for both ipv4 and ipv6), I personally use the one below. It's well commented, meaning I explain what something is and does quite clearly, so that someone new to iptables can not only use this "as is" but also learn from it. I'm by no means an "iptables expert" or "guru", only a fellow student of the art.

Before I do that, I must add that whichever iptables script you use or create for yourself, whether you use my work or not, you will want to make sure that iptables loads on boot. This is done by modifying /etc/network/interfaces.

Paste this into it and save the "interfaces" file (without the quotes):

# ===========================================================================
#
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5)
#
# ===========================================================================
# ===========================================================================
#
# The loopback network interface which you don't ever need to really edit
#
auto lo
iface lo inet loopback
#
# ===========================================================================
# ===========================================================================
#
# The primary network interface
# The default setup is to use DHCP but if you wish to set it to be Static
# then all you need to do is comment out the four lines below followed by
# UNCOMMENTING the information in the Static IP Section; and then lastly
# completing the process by restarting the network services.
#
# ---------------------------------------------------------------------------
auto eth0
iface eth0 inet dhcp
# Both rules files must exist: if a pre-up command fails, ifupdown does not bring eth0 up.
pre-up iptables-restore < /etc/iptables.rules
pre-up ip6tables-restore < /etc/ip6tables.rules
#
# ===========================================================================
# Static IP Setup
# ===========================================================================
#
# auto eth0
# iface eth0 inet static
# pre-up iptables-restore < /etc/iptables.rules
# pre-up ip6tables-restore < /etc/ip6tables.rules
# address 192.168.1.*** <---== Edit the *** to be your actual static IP
# netmask 255.255.255.0
# network 192.168.1.0
# broadcast 192.168.1.255
# gateway 192.168.1.1
#

Now for that much more detailed iptables script, see below:

#! /bin/bash
#
# #######################################################################################################################
# iptables Setup and Configuration 1.42
# #######################################################################################################################
#
# The following is a script for setting up and configuring iptables on a desktop computer running Ubuntu.
#
# #######################################################################################################################
# Flushing Tables - Standard Default Setup
# #######################################################################################################################
#
iptables -F
iptables -X
#
# #######################################################################################################################
# Setting up tables - Standard Default Setup
# #######################################################################################################################
#
# LOGDROP is a user-defined chain; the -X after the flush deletes it again so this script can be re-run.
# OUTPUT is a built-in chain and cannot be created with -N, so it is not listed here.
iptables -N LOGDROP
#
# #######################################################################################################################
# Logging INVALID packets - Standard Default Setup
# #######################################################################################################################
#
iptables -A INPUT -m state --state INVALID -j LOG --log-level 4 --log-prefix 'INVALID-DROP '
iptables -A INPUT -m state --state INVALID -j DROP
#
# #######################################################################################################################
# Loopback - INPUT - Standard Default Setup
# #######################################################################################################################
#
iptables -A INPUT -i lo -j ACCEPT
#
# #######################################################################################################################
# Logging of income packets - IN-DROP - Part 1 - Standard Default Setup
# #######################################################################################################################
#
# This rule comes before the ACCEPT rules, so it samples (at most 2 per minute) every packet that reaches it,
# accepted or not; the unlimited IN-DROP log in Part 2 below is the one that records the actual drops.
iptables -A INPUT -m limit --limit 2/min -j LOG --log-level 4 --log-prefix 'IN-DROP '
#
# #######################################################################################################################
# Banned IP Addresses - Standard Default Setup
# #######################################################################################################################
#
iptables -A INPUT -s 203.194.0.0/18 -j LOGDROP
iptables -A INPUT -s 60.208.0.0/12 -j LOGDROP
iptables -A INPUT -s 202.96.0.0/12 -j LOGDROP
iptables -A INPUT -s 60.0.0.0/11 -j LOGDROP
iptables -A INPUT -s 222.192.0.0/11 -j LOGDROP
iptables -A INPUT -s 203.193.128.0/18 -j LOGDROP
#
# #######################################################################################################################
# Accepted INPUT - SECTION 1 - General - Standard Default Setup
# #######################################################################################################################
#
# Only replies to connections this machine opened are accepted here. Accepting NEW at this point would
# short-circuit every INPUT rule below it, because a packet that matches an ACCEPT never reaches later rules.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# The two --sport rules are redundant with the ESTABLISHED,RELATED rule above and would accept any unsolicited
# packet whose source port happens to be 80 or 53, so they are commented out here.
# iptables -A INPUT -p tcp --sport 80 -j ACCEPT
# iptables -A INPUT -p udp --sport 53 -j ACCEPT
#
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# |||||||||||||||||||||||||||||||||||||||||||| ----- CUSTOM ----- ||||||||||||||||||||||||||||||||||||||||||||||||||||||
# //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
#
# #######################################################################################################################
# Accepted INPUT - SECTION 2 - Port Forwarding (INPUT)
# #######################################################################################################################
#
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 113 -j ACCEPT
#
# #######################################################################################################################
# Accepted INPUT - SECTION 3 - icmp, INPUT and ports setup
# #######################################################################################################################
#
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 10/second -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p icmp -j REJECT --reject-with icmp-port-unreachable
#
# #######################################################################################################################
# Accepted INPUT - SECTION 4 - Securing Input (INPUT)
# #######################################################################################################################
#
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -A INPUT -p tcp -m tcp --tcp-flags ACK,URG URG -j DROP
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
#
# #######################################################################################################################
# #######################################################################################################################
#
# The folowing part of this iptables setup script falls into two sections with each section being broken down into two
# sub-sections:
#
# SEC-1-A - SECURE - Remote Access via SSH and VNC
# SEC-1-B - NON-SECURE - Remote Access via SSH and VNC
#
# SEC-2-A - SECURE - Server Daemons, Ports and Processes
# SEC-2-B - NON-SECURE - Server Daemons, Ports and Processes
#
# The more secure method of "SEC-1-A - SECURE - Remote Access via SSH and VNC" is enabled by default, which forces eth0
# to be used for VNC and SSH ports, with SSH using a custom port number versus the default one of 22. If you're using a
# wireless setup, eth0 will need to be changed to whatever your wireless NIC is, such as wifi0.
#
# If you wish to use VNC and SSH where it's not bound to a certain interface and isn't as secure, then simply comment
# out everything in SEC-1-A and UNCOMMENT everything in SEC-1-B.
#
# SEC-2-A deals with various servers (daemons) and their ports, which are bound to eth0. By default, both of sections
# SEC-2-A and SEC-2-B are commented out, with the exception of IPERF on port 5001. Simply uncomment out whatever you
# want available either from SEC-2-A for the more secure method where it is bound to eth0 or from SEC-2-B where it is
# not bound to eth0. Again, if you are using wireless, this will need to be changed in SEC-2-A from eth0 to whatever
# your wirless NIC is such as wifi0
#
# #######################################################################################################################
# SEC-1-A - SECURE - Remote Access via SSH and VNC ( **** SECURE METHOD **** )
# #######################################################################################################################
#
# This method is much more secure for SSH
iptables -A INPUT -i eth0 -p tcp --dport 9922 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -i eth0 -p tcp --dport 9922 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
# The two rules above only drop a source after 8 new connections in 60 seconds; this third rule is what
# actually admits the connections that stay under the limit (without it the port stays closed).
iptables -A INPUT -i eth0 -p tcp --dport 9922 -m state --state NEW -j ACCEPT
#
# This method is much more secure for VNC on port 5500
iptables -A INPUT -i eth0 -p tcp --dport 5500 -m state --state NEW -m recent --set --name VNC5500
iptables -A INPUT -i eth0 -p tcp --dport 5500 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name VNC5500 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 5500 -m state --state NEW -j ACCEPT
#
# This method is much more secure for VNC on port 5800
iptables -A INPUT -i eth0 -p tcp --dport 5800 -m state --state NEW -m recent --set --name VNC5800
iptables -A INPUT -i eth0 -p tcp --dport 5800 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name VNC5800 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 5800 -m state --state NEW -j ACCEPT
#
# This method is much more secure for VNC on port 5900
iptables -A INPUT -i eth0 -p tcp --dport 5900 -m state --state NEW -m recent --set --name VNC5900
iptables -A INPUT -i eth0 -p tcp --dport 5900 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name VNC5900 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 5900 -m state --state NEW -j ACCEPT
#
# #######################################################################################################################
# SEC-1-B - NON-SECURE - Remote Access via SSH and VNC - (NON-SECURE METHOD)
# #######################################################################################################################
#
# For VNC
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5500 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5800 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT
#
# For SSH
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 9922 -j ACCEPT
#
# #######################################################################################################################
# SEC-2-A - SECURE - Server Daemons, Ports and Processes - Uncomment As Needed - ( **** SECURE METHOD **** )
# #######################################################################################################################
#
# Each service needs three rules: remember the source, drop it after 8 new connections in 60 seconds, and
# accept the connections that stay under the limit. The set/update pair alone only drops bursts; the port
# is not open until an ACCEPT for it follows the pair, so uncomment all of a service's lines together.
# This method is much more secure for FTP on ports 20 and 21
# iptables -A INPUT -i eth0 -p tcp --dport 20 -m state --state NEW -m recent --set --name FTP20
# iptables -A INPUT -i eth0 -p tcp --dport 20 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name FTP20 -j DROP
# iptables -A INPUT -i eth0 -p tcp --dport 20 -m state --state NEW -j ACCEPT
#
# iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --set --name FTP21
# iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name FTP21 -j DROP
# iptables -A INPUT -i eth0 -p tcp --dport 21 -m state --state NEW -j ACCEPT
#
# Enable if you have an SMTP server - HIGHLY SUGGEST BLOCKING PORT 25 AND USING AN ALTERNATIVE SECURED PORT FOR SMTP
# iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --set --name SMTP25
# iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SMTP25 -j DROP
# iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW -j ACCEPT
#
# Enable if you have an HTTP server
# iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --set --name HTTP80
# iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name HTTP80 -j DROP
# iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW -j ACCEPT
#
# Enable if you have a POP server
# iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -m recent --set --name POP110
# iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name POP110 -j DROP
# iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW -j ACCEPT
#
# Enable if you have OTRS
# iptables -A INPUT -i eth0 -p tcp --dport 888 -m state --state NEW -m recent --set --name OTRS888
# iptables -A INPUT -i eth0 -p tcp --dport 888 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name OTRS888 -j DROP
# iptables -A INPUT -i eth0 -p tcp --dport 888 -m state --state NEW -j ACCEPT
#
# This method is much more secure for NTOP on port 3000
# iptables -A INPUT -i eth0 -p tcp --dport 3000 -m state --state NEW -m recent --set --name NTOP3000
# iptables -A INPUT -i eth0 -p tcp --dport 3000 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name NTOP3000 -j DROP
# iptables -A INPUT -i eth0 -p tcp --dport 3000 -m state --state NEW -j ACCEPT
#
# This method is much more secure for IPERF on port 5001
iptables -A INPUT -i eth0 -p tcp --dport 5001 -m state --state NEW -m recent --set --name IPERF5001
iptables -A INPUT -i eth0 -p tcp --dport 5001 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name IPERF5001 -j DROP
iptables -A INPUT -i eth0 -p tcp --dport 5001 -m state --state NEW -j ACCEPT
#
# -----------------------------------------------------------------------------------------------------------------------
# Enable if you have a Nagios Setup
# iptables -A INPUT -i eth0 -p tcp --dport 3998 -m state --state NEW -m recent --set --name NAGIOS3998
# iptables -A INPUT -i eth0 -p tcp --dport 3998 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name NAGIOS3998 -j DROP
# iptables -A INPUT -i eth0 -p tcp --dport 3998 -m state --state NEW -j ACCEPT
#
# *** SPECIAL NOTE: Port 10000 is also used for WebMin so enable it if you use WebMin and/or Nagios ***
#
# iptables -A INPUT -i eth0 -p tcp --dport 10000 -m state --state NEW -m recent --set --name NAGIOS10000
# iptables -A INPUT -i eth0 -p tcp --dport 10000 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name NAGIOS10000 -j DROP
# iptables -A INPUT -i eth0 -p tcp --dport 10000 -m state --state NEW -j ACCEPT
#
# iptables -A INPUT -i eth0 -p tcp --dport 12489 -m state --state NEW -m recent --set --name NAGIOS12489
# iptables -A INPUT -i eth0 -p tcp --dport 12489 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name NAGIOS12489 -j DROP
# iptables -A INPUT -i eth0 -p tcp --dport 12489 -m state --state NEW -j ACCEPT
# -----------------------------------------------------------------------------------------------------------------------
#
# Enable if you have a Usermin Setup
# This method is much more secure for USERMIN on port 20000
# iptables -A INPUT -i eth0 -p tcp --dport 20000 -m state --state NEW -m recent --set --name USERMIN20000
# iptables -A INPUT -i eth0 -p tcp --dport 20000 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name USERMIN20000 -j DROP
# iptables -A INPUT -i eth0 -p tcp --dport 20000 -m state --state NEW -j ACCEPT
#
# #######################################################################################################################
# SEC-2-B - NON-SECURE - Server Daemons, Ports and Processes - Uncomment As Needed - (NON-SECURE METHOD)
# #######################################################################################################################
#
# Enable if you are running an FTP server
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
#
# Enable if you have an SMTP server - HIGHLY SUGGEST BLOCKING PORT 25 AND USING AN ALTERNATIVE SECURED PORT FOR SMTP
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
#
# Enable if you have a HTTP server
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
#
# Enable if you have a POP server
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
#
# Enable if you have OTRS
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 888 -j ACCEPT
#
# For ntop
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT
#
# Enable if you have a Nagios Setup
# SPECIAL NOTE: Port 10000 is also used for WebMin so enable it if you use WebMin and/or Nagios
#
# For iperf
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5001 -j ACCEPT
#
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3998 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 10000 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 12489 -j ACCEPT
#
# Enable if you have a Usermin Setup
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 20000 -j ACCEPT
#
# \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
# ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
# //////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
#
# #######################################################################################################################
# Enable IP Forwarding - Standard Default Setup
# #######################################################################################################################
#
# Only needed when this machine routes for other hosts (see the masquerading rule below). This script adds
# no rules to the FORWARD chain, so with forwarding on, forwarded traffic is governed by that chain's default policy.
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# #######################################################################################################################
# IP Masquerading - Standard Default Setup
# #######################################################################################################################
#
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
#
# #######################################################################################################################
# iptables-anti-attack-measures-policies - Standard Default Setup
# #######################################################################################################################
#
# In the following section set a value to 1 to enable the feature or 0 to disable the feature
#
# TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Drop ICMP echo-request messages (Permanently block ICMP echo)
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
#
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#
# #######################################################################################################################
# Logging of income packets - IN-DROP - Part 2 - Standard Default Setup
# #######################################################################################################################
#
iptables -A INPUT -j LOG --log-level 4 --log-prefix 'IN-DROP '
iptables -A INPUT -j DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m limit --limit 6/hour -j LOG --log-level 4 --log-prefix 'allowed-out '
iptables -A OUTPUT -j ACCEPT
iptables -A LOGDROP -j LOG --log-level 4 --log-prefix '*** HACKERS *** '
iptables -A LOGDROP -j DROP
#
# #######################################################################################################################
# iptables-save workaround - Standard Default Setup
# #######################################################################################################################
#
# The script is run with sudo, so it already has root: write straight to the file that
# /etc/network/interfaces restores from at boot.
iptables-save -c > /etc/iptables.rules
# This script defines no IPv6 rules; saving the current ip6tables state only guarantees that the
# ip6tables-restore pre-up line in /etc/network/interfaces has a file to read.
ip6tables-save -c > /etc/ip6tables.rules
#
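As an added example (my own helpers, not code from the thread or from Obsidian1723's script), here are two shell functions that capture the two things that most often go wrong with scripts like the ones above: limited_service emits the three-rule "recent" pattern for one port, including the ACCEPT the set/update pair needs, and audit_input_order scans a rules script for a catch-all NEW ACCEPT that would shadow every port rule after it. The function names and the sample rules are constructed for illustration; nothing is applied to the live firewall, so this runs without root.

```shell
#!/bin/bash
# Added example, not code from the thread. Helper names (limited_service,
# audit_input_order, demo) and the sample rule files are my own.

# limited_service IFACE PORT NAME [HITS] [SECONDS]
# Rule 1 records the source address in the 'recent' list NAME, rule 2 drops a
# source once it has opened HITS new connections within SECONDS, rule 3 accepts
# the connections that stay under the limit. Rule 3 is the easy one to forget:
# set/update on their own never let anything in.
limited_service() {
  local iface=$1 port=$2 name=$3 hits=${4:-8} secs=${5:-60}
  printf 'iptables -A INPUT -i %s -p tcp --dport %s -m state --state NEW -m recent --set --name %s\n' \
    "$iface" "$port" "$name"
  printf 'iptables -A INPUT -i %s -p tcp --dport %s -m state --state NEW -m recent --update --seconds %s --hitcount %s --rttl --name %s -j DROP\n' \
    "$iface" "$port" "$secs" "$hits" "$name"
  printf 'iptables -A INPUT -i %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
    "$iface" "$port"
}

# audit_input_order FILE
# iptables walks a chain top-down and stops at the first terminating target, so
# an ACCEPT whose --state includes NEW and that names no port makes every later
# --dport rule unreachable. Exits 0 if no INPUT rule is shadowed, 1 otherwise
# (the shadowed rules are printed).
audit_input_order() {
  awk '
    /^iptables -A INPUT/ {
      n++
      if ($0 ~ /--state +[A-Z,]*NEW/ && $0 ~ /-j ACCEPT/ && $0 !~ /--dport/) {
        if (!catchall) catchall = n
      } else if ($0 ~ /--dport/ && catchall) {
        shadowed++
        printf "rule %d is unreachable (catch-all NEW ACCEPT is rule %d): %s\n", n, catchall, $0
      }
    }
    END { exit (shadowed ? 1 : 0) }
  ' "$1"
}

# Stand-alone demo on a constructed rules file: the catch-all line mirrors the
# ordering problem the audit is meant to catch.
demo() {
  local f
  f=$(mktemp)
  {
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT'
    limited_service eth0 9922 SSH
    echo 'iptables -A INPUT -j DROP'
  } > "$f"
  if audit_input_order "$f"; then
    echo "ordering OK"
  else
    echo "fix: change the catch-all to --state ESTABLISHED,RELATED"
  fi
  rm -f "$f"
}

demo
```

Run it against a copy of your own script with audit_input_order /path/to/script.sh; a wireless box passes wlan0 (or whatever ifconfig -a shows) as the first argument to limited_service.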

spain

Mon Aug 29, 2011 10:39:43 am

Thank you very much for explaining so clearly! For now I have no doubts. Thank you very much :mrgreen:

Obsidian1723

Mon Aug 29, 2011 12:11:43 pm

spain wrote: Thank you very much for explaining so clearly! For now I have no doubts. Thank you very much :mrgreen:


You are most welcome :)

I must add one addendum: for simple-firewall.sh, add this at the bottom of it:

# The script runs under sudo, so save straight to the files that /etc/network/interfaces restores at boot.
iptables-save -c > /etc/iptables.rules
# No IPv6 rules are defined above; this only ensures the ip6tables-restore pre-up line has a file to read.
ip6tables-save -c > /etc/ip6tables.rules

spain

Mon Aug 29, 2011 12:31:52 pm

I forgot to say that I only connect via wifi; do I need to change anything in the settings you gave me? Greetings

Obsidian1723

Tue Aug 30, 2011 3:30:53 am

spain wrote: I forgot to say that I only connect via wifi; do I need to change anything in the settings you gave me? Greetings


Change eth0 to wlan0 or wifi0 or whatever sudo ifconfig -a shows you is your wireless NIC.

spain

Tue Aug 30, 2011 8:51:56 am

:roll: Forgive the ignorance, but I don't quite understand this. Is it enough to copy this text into a gedit file and save it as "simple-firewall.sh" without quotes? Then you have to open the terminal and cd to where you saved it.