
#1 2006-12-04 11:14:21

dienadel
Member
Registered: 2005-12-23
Posts: 179

Do I really need iptables?

Hello,

As I've said in the title, the question is: Do I really need iptables?

I don't use any service, like webserver, ftp or similar. The only thing that i use in that way is bittorrent and mldonkey.

I'm behind a router, and have opened the ports needed both in the router and in the iptables config, which has no other configuration.

So, would iptables be necessary on my PC?

A short answer would maybe be: AND WHY NOT? Being a little paranoid about security by using iptables isn't bad, is it?

What do you think?

Dienadel


#2 2006-12-04 11:58:35

dolby
Member
From: 1992
Registered: 2006-08-08
Posts: 1,581

Re: Do I really need iptables?

no, unless u wanna learn how to set up iptables now in case u ever really need to in the future


There shouldn't be any reason to learn more editor types than emacs or vi -- mg (1)
You learn that sarcasm does not often work well in international forums.  That is why we avoid it. -- ewaller (arch linux forum moderator)


#3 2006-12-04 14:30:36

Snarkout
Member
Registered: 2005-11-13
Posts: 542

Re: Do I really need iptables?

You need iptables if you want firewall-like protection on your box, and if you want to learn iptables.  If you're behind a NATing router and don't run any services, you're probably fairly safe.  You cannot go wrong learning iptables, though - I wish I knew it a lot better than I do.  I write a lot of Cisco access lists, and honestly find the iptables syntax extremely confusing, so I have only learned the basics.  Maybe if I'd learned them in the other order I'd think differently, who knows?  In any case, if you want the protection w/o the hassle there are a number of frontends for iptables like guarddog, firestarter, shorewall, etc.


Unthinking respect for authority is the greatest enemy of truth.
-Albert Einstein


#4 2006-12-04 16:26:12

RobF
Member
Registered: 2006-10-10
Posts: 157

Re: Do I really need iptables?

I suppose what you're really asking is whether you need a software firewall at all if you're behind a NAT router.  Perhaps not, but it wouldn't hurt, and you will be more secure running a second firewall.  There is no need to learn iptables as there are many good scripts and GUI front ends that configure iptables.  I'm using Arno's firewall (arno-iptables-firewall from http://rocky.molphys.leidenuniv.nl or arno-iptables-firewall in AUR) which is the most popular firewall script on freshmeat.net.  It's quite easy to configure. Shorewall is also good. Among the iptables config utilities with a GUI, Firestarter is good.

These software firewalls are easy to stop and restart.  If you're running into a connect problem that may be caused by the presence of the firewall, you simply turn it off for the time needed.

Robert


#5 2006-12-05 09:18:29

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: Do I really need iptables?

RobF wrote:

I suppose what you're really asking is whether you need a software firewall at all if you're behind a NAT router.  Perhaps not but it wouldn't hurt, and you will be more secure running a second firewall.

Only a few times have I read such nonsense. Despite the fact that I would be interested in your definition of the word "secure", I am pretty sure that - if you understood the way networks work - you would know that a second firewall won't make you "more secure".

To answer the original question: No, you don't need iptables or similar. Your NAT router only forwards the connections to you that you forwarded explicitly, everything else is rejected on the router.
Even if you were connected directly without a NAT router, you can safely go online if you don't have any vulnerable services running, so the Archlinux default setup is safe.


#6 2006-12-05 09:43:10

chrismortimore
Member
From: Edinburgh, UK
Registered: 2006-07-15
Posts: 655

Re: Do I really need iptables?

I considered setting up iptables on my machines.  But I opted for just setting up a DMZ on an invalid address.  Much easier.

But to be honest, you'll be fine without it.  It's good to know how to do these things, but your router will make it unnecessary.


Desktop: AMD Athlon64 3800+ Venice Core, 2GB PC3200, 2x160GB Maxtor DiamondMax 10, 2x320GB WD Caviar RE, Nvidia 6600GT 256MB
Laptop: Intel Pentium M, 512MB PC2700, 60GB IBM TravelStar, Nvidia 5200Go 64MB


#7 2006-12-05 15:14:16

dienadel
Member
Registered: 2005-12-23
Posts: 179

Re: Do I really need iptables?

brain0 wrote:

To answer the original question: No, you don't need iptables or similar. Your NAT router only forwards the connections to you that you forwarded explicitly, everything else is rejected on the router.
Even if you were connected directly without a NAT router, you can safely go online if you don't have any vulnerable services running, so the Archlinux default setup is safe.

That was what I thought, or think:

The router only lets pass what you have asked for, e.g. a web page. Anything else is rejected as you have not asked for it... as the router doesn't know to which PC to send that information.

As in P2P applications your PC must act as a server (more or less), you must "make something" to let something that you haven't asked for pass the router. And here is the "port forwarding".

And why has the firewall become something that "must" be in the PC, even though a normal user doesn't need any service? Because Windows had open ports with vulnerable services on them BY DEFAULT?

Note that I'm no expert in "net things".

Thanks all!

Dienadel


#8 2006-12-05 16:24:44

RobF
Member
Registered: 2006-10-10
Posts: 157

Re: Do I really need iptables?

brain0 wrote:
RobF wrote:

I suppose what you're really asking is whether you need a software firewall at all if you're behind a NAT router.  Perhaps not but it wouldn't hurt, and you will be more secure running a second firewall.

Only a few times have I read such nonsense. Despite the fact that I would be interested in your definition of the word "secure", I am pretty sure that - if you understood the way networks work - you would know that a second firewall won't make you "more secure".

To answer the original question: No, you don't need iptables or similar. Your NAT router only forwards the connections to you that you forwarded explicitly, everything else is rejected on the router.
Even if you were connected directly without a NAT router, you can safely go online if you don't have any vulnerable services running, so the Archlinux default setup is safe.

A simple NAT router (without a dedicated hardware firewall) will reject attempts at connecting from the WAN that weren't initiated by a host behind the router.  It will not block attempts at connecting to hosts on the WAN that were initiated by the host behind the router, e.g. by a trojan program.  The latter can be blocked with a software firewall that's installed on that host.

Besides, a firewall installed on your host will also enable you to block connect attempts from within the LAN.

Robert


#9 2006-12-05 21:10:57

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: Do I really need iptables?

RobF wrote:

A simple NAT router (without a dedicated hardware firewall) will reject attempts at connecting from the WAN that weren't initiated by a host behind the router.

Which is all you need.

It will not block attempts at connecting to hosts on the WAN that were initiated by the host behind the router, e.g. by a trojan program.  The latter can be blocked with a software firewall that's installed on that host.

1) Trojan horse? Come on, we don't use Windows.
2) Name a Linux firewall that is designed to filter outgoing traffic without limiting the user's freedom.

Besides, a firewall installed on your host will also enable you to block connect attempts from within the LAN.

And protect you from your evil LAN neighbours?


#10 2006-12-05 22:53:35

jnengland77
Member
From: Black Hills, USA
Registered: 2005-05-06
Posts: 111

Re: Do I really need iptables?

I would have to agree that it's safe for you to run behind a router which uses NAT.  I'm behind a router, and don't run a firewall (although I did use a software firewall when I did use Windows).

Besides, a firewall installed on your host will also enable you to block connect attempts from within the LAN.

And protect you from your evil LAN neighbours?

Yes, they hog all the bandwidth... no, not really, I totally agree with brain0.  I would think my LAN neighbours (family computer running Windows... speaking of which, I should run anti-virus... work... and more work... stupid Windows) are safe and kind to one another.

Anyway you should be safe.

~jnengland77


#11 2006-12-06 00:08:15

RobF
Member
Registered: 2006-10-10
Posts: 157

Re: Do I really need iptables?

brain0 wrote:

Trojan horse? Come on, we don't use windows.

I don't expect that Linux will forever be immune to attacks with rootkits, worms, trojans and other malware.

Name a Linux firewall that is designed to filter outgoing traffic without limiting the user's freedom.

TuxGuardian, for an application-based firewall.  An ignorant user who gets frightened by firewall alarms may feel "limited in their freedom" when they use such a firewall but anyone who understands how application-based firewalls work will soon have allowed/denied all the applications that they commonly use, and alarms won't go off anymore.  If an alarm does go off, it may be prudent to pay attention.  In Windows, the capability of filtering outgoing traffic is standard with application-based firewalls, and millions of Windows users run them competently and without complaints.

If you want to set up a rule-based firewall to filter outgoing traffic, there may be no ready made solution in Linux as yet (but I haven't searched for it).  Hence, you may have to know how to configure iptables or one of the firewall scripts that configures iptables to set up such filtering.  E.g. see this: http://www.hackinglinuxexposed.com/arti … 30213.html

And protect you from your evil LAN neighbours?

You may not know all of your LAN neighbors.  What about the guy out on the street in his car with his laptop who is sniffing your wireless packets (in case one of your LAN hosts uses wireless ethernet to an AP on the router), cracks that connection and then gets on your LAN?  Then the NAT "firewall" in the router is useless.

Obviously, I'm playing devil's advocate.  But the point is, it only takes minimal effort to set up an iptables firewall on your host machine, and if you're knowledgeable about firewalls it won't cause you a problem.  If you ever suspect that it is the cause of some problem, you can simply stop it for the time being.

Better to be safe than sorry.

Robert


#12 2006-12-06 08:58:42

chrismortimore
Member
From: Edinburgh, UK
Registered: 2006-07-15
Posts: 655

Re: Do I really need iptables?

RobF wrote:

You may not know all of your LAN neighbors.  What about the guy out on the street in his car with his laptop who is sniffing your wireless packets (in case one of your LAN hosts uses wireless ethernet to an AP on the router), cracks that connection and then gets on your LAN?  Then the NAT "firewall" in the router is useless.

Can't he be stopped using /etc/hosts.deny and /etc/hosts.allow?




#13 2006-12-06 13:43:16

rabid_dog
Member
Registered: 2006-06-07
Posts: 23

Re: Do I really need iptables?

Maybe slight bug?

When you install iptables, the file simple_firewall.rules lies in /etc/iptables.
A beginning user might think that it can be used as simple firewall rules on a workstation without any services, but it really cannot!

# cat simple_firewall.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

If we want to use X or install a printer with CUPS we need rules that allow packets to go in and out of the loopback interface.

Rules must look like:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT

What do you think it would cost to write to Judd to change this file in the next versions of the package?

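As an added example (not code from this thread or from the Arch package), here is a small lint for rulesets in iptables-restore format, the format of simple_firewall.rules above. It flags the loopback defect rabid_dog describes (INPUT policy DROP with no rule accepting traffic on lo) and the missing RELATED,ESTABLISHED rule, and separately reports whether outgoing traffic is filtered at all, the point RobF and brain0 argue about earlier. The two rulesets are constructed copies of the ones quoted in the post.

```python
# Added example (not from the thread or the Arch package): lint a ruleset in
# iptables-restore format for the loopback defect rabid_dog describes.
# Constructed copies of the two rulesets quoted in the thread:
ORIGINAL_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
FIXED_RULES = ORIGINAL_RULES.replace("COMMIT", "-A INPUT -i lo -j ACCEPT\nCOMMIT")

def parse_filter_table(text):
    """Return (chain policies, split -A rules) for the *filter table."""
    policies, rules, in_filter = {}, [], False
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                    # table header, e.g. "*filter"
            in_filter = line == "*filter"
        elif line == "COMMIT":
            in_filter = False
        elif in_filter and line.startswith(":"):    # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif in_filter and line.startswith("-A "):  # "-A INPUT -i lo -j ACCEPT"
            rules.append(line.split()[1:])
    return policies, rules

def option(rule, flag):
    """Value after a flag like "-i" or "-j" in a split rule, else None."""
    return rule[rule.index(flag) + 1] if flag in rule[:-1] else None

def lint(text):
    """Problems that would break a workstation loading this ruleset."""
    policies, rules = parse_filter_table(text)
    inbound = [r for r in rules if r[0] == "INPUT"]
    problems = []
    if policies.get("INPUT") == "DROP" and not any(
            option(r, "-i") == "lo" and option(r, "-j") == "ACCEPT" for r in inbound):
        problems.append("INPUT DROP with no loopback ACCEPT; local services (X, CUPS) break")
    if not any("ESTABLISHED" in (option(r, "--state") or "") for r in inbound):
        problems.append("no RELATED,ESTABLISHED rule; replies to your own connections drop")
    return problems

def filters_egress(text):
    """True only if OUTPUT does not accept everything (iptables' default policy)."""
    return parse_filter_table(text)[0].get("OUTPUT", "ACCEPT") != "ACCEPT"
```

Running lint(ORIGINAL_RULES) reports the loopback problem, lint(FIXED_RULES) reports nothing, and filters_egress is False for both, since neither ruleset touches outgoing traffic.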

#14 2006-12-06 15:05:05

ralvez
Member
From: Canada
Registered: 2005-12-06
Posts: 1,718

Re: Do I really need iptables?

I think that RobF is 100% correct in his posting and I fail to see what nonsense brain0 is referring to.
1. A REAL network is often a mix of Windows, Macs and Linux (if you are lucky like me)
2. While Linux cannot be "infected" by viruses Windows can. Once that Windows machine is compromised the LAN is compromised.
3. While most of my LAN neighbors can be trusted, there is always "the one" that cannot.  Fact of life in a network: most attacks happen from within the network by parties that have valid credentials in the LAN. Those are **not my statistics** (I'm not a security expert) but visit security sites and you will see. Some sites will even "venture" specific percentage figures.
4. As virtualization becomes more of a commodity the spread of infection will extend to VM systems easily, unless they are protected.

At the end of the day, and without "taking sides" I agree that double-walling is not an extreme thing to do. As a matter of fact in a mixed environment I always do it. In a small network of Linux boxes, that may not be as needed ... but then again, intrusion statistics seem to work against that reasoning.

On the other hand, if brain0 is referring to a network comprised of me, myself and I, then double-walling doesn't make much sense, I think.


#15 2006-12-06 17:35:17

RobF
Member
Registered: 2006-10-10
Posts: 157

Re: Do I really need iptables?

I agree with ralvez that double-firewalling (NAT router plus software firewall) might be overkill in a network comprised only of me, myself and I - as long as you use wired ethernet.  If your host is a laptop that connects wirelessly to an AP/router then you're vulnerable.  Your unknown neighbor or some wardriver parked on your street can sniff your connection and crack it - according to George Ou ( http://blogs.zdnet.com/Ou/index.php?p=41 ) any WEP based network with or without dynamic WEP keys can be cracked in a few minutes.  Once the intruder is on your LAN, he can forge his MAC address and IP address, and begin to crack your host's root password.

Also, while you're somewhat protected when you're using a laptop plus NAT router at home, if you take this laptop elsewhere (Starbucks, library, university, etc.), even when you connect via wired ethernet, you just don't know exactly how you are connected to this untrusted network.  You may forget to bring up a firewall on your laptop in this situation - unless of course it is installed permanently anyway.

Robert


#16 2006-12-06 20:26:39

chrismortimore
Member
From: Edinburgh, UK
Registered: 2006-07-15
Posts: 655

Re: Do I really need iptables?

rabid_dog wrote:

What do you think it would cost to write to Judd to change this file in the next versions of the package?

Post a bug on flyspray and it'll get picked up there.




#17 2006-12-06 23:52:45

brain0
Developer
From: Aachen - Germany
Registered: 2005-01-03
Posts: 1,382

Re: Do I really need iptables?

chrismortimore wrote:
rabid_dog wrote:

What do you think it would cost to write to Judd to change this file in the next versions of the package?

Post a bug on flyspray and it'll get picked up there.

It's actually a good idea to change that simple rules file, maybe according to my iptables howto on arch wiki. I have to fix some iptables bugs anyway, so I'll think of that.
