Hi!
I have a base-only Arch installation for running one Linux-compatible application on it. I wonder about two questions.
Do I need to configure iptables to get more security, or is it unnecessary as I have no default gateway and have routes added for two subnets?
If using iptables is helpful in my case, how can I install iptables (my Arch base installation says "not found")? I need short instructions.
Thank you!
Do I need to configure iptables to get more security, or is it unnecessary as I have no default gateway and have routes added for two subnets?
The default gateway only defines where network packets are sent when they're not destined for your own NIC. It doesn't provide any security, just connectivity.
If using iptables is helpful in my case, how can I install iptables (my Arch base installation says "not found")? I need short instructions.
Search the Wiki. Here's a link on how to set up a simple stateful firewall.
A bus station is where a bus stops.
A train station is where a train stops.
On my desk I have a workstation.
If your system is connected to a network (LAN) and has NO OPEN ports via services, in other words: you are not running a mail service or Apache server, then just enter "ALL:ALL" in /etc/hosts.deny and that's all you need.
If you want to have ssh access to that box you can add the IP address of the machine you want to allow to connect to that box in /etc/hosts.allow, but if you want to "push" the boundaries any further I would add a firewall via IPTABLES.
Hope this helps.
Rick
Do I need to configure iptables to get more security, or is it unnecessary as I have no default gateway and have routes added for two subnets?
If you consider those two subnets trusted, you do not have to add anything. The first rule of security still applies: Install and run only the services you really need. If the only service running is sshd, you are already secure enough.
If using iptables is helpful in my case, how can I install iptables (my Arch base installation says "not found")? I need short instructions.
You have to install iptables via pacman.
If the only service running is sshd, you are already secure enough.
What do you mean by "sshd"?
You have to install iptables via pacman.
Do I have to download some additional package containing iptables to install it with pacman, or is iptables included in the Arch base installation?
If your system is connected to a network (LAN) and has NO OPEN ports via services, in other words: you are not running a mail service or Apache server, then just enter "ALL:ALL" in /etc/hosts.deny and that's all you need.
My system is connected to the Internet directly. I have forwarded one TCP and one UDP port. My DSL modem does not allow me to block inbound traffic with its firewall (it is not possible to forward ports for specific IP addresses/subnets; ports are always open to all IPs for inbound traffic). This is the reason I removed the default gateway in Arch and added the two needed subnets (it really helped me. My system was overloaded with unwanted traffic. Now the unwanted traffic flow is stopped).
If you want to have ssh access to that box you can add the IP address of the machine you want to allow to connect to that box in /etc/hosts.allow
What do you mean by "ssh access to that box"?
but if you want to "push" the boundaries any further I would add a firewall via IPTABLES
Yes, I want as much security as possible, but do I need it in my case? (I do not know)
The default gateway only defines where network packets are sent when they're not destined for your own NIC. It doesn't provide any security, just connectivity.
Do you mean the trick I use is not the best I can do in my situation?
Search the Wiki. Here's a link on how to set up a simple stateful firewall.
Is there a complete Help File for Arch with a topic tree, a search option and tips? (I do not need tips about what I can do in Arch. I need tips about exactly how I must do things in a particular situation.)
Thank you all for your attention!
FUBAR wrote:The default gateway only defines where network packets are sent when they're not destined for your own NIC. It doesn't provide any security, just connectivity.
Do you mean the trick I use is not the best I can do in my situation?
FUBAR wrote:Search the Wiki. Here's a link on how to set up a simple stateful firewall.
Is there a complete Help File for Arch with a topic tree, a search option and tips? (I do not need tips about what I can do in Arch. I need tips about exactly how I must do things in a particular situation.)
That's exactly what the wiki is for:
http://wiki.archlinux.org/index.php/Category:HowTos
That's exactly what the wiki is for:
http://wiki.archlinux.org/index.php/Category:HowTos
May I download it on my PC as one file?
Thank you!
zaozao,
In response to your questions:
If your system is connected to the Internet, you are connected to a network, one that is (in my opinion) far more dangerous than a LAN. Having said that, my statements still apply: If you have no services running there is very little anyone can do to "get to you".
The best way to confirm the status of your server in relation to the "rest of the world" is to use 'nmap' or a service like this https://www.grc.com/x/ne.dll?rh1dkyd2 which is free but very good to assess your security level.
In security the first rule is "If you are unsure block it ... there is time to open it later if you realize you need it", so in that spirit you may as well use a firewall like "firestarter" (pacman -Sy firestarter) and from there on you KNOW that your workstation is secure.
Hope this helps.
Rick
Thank you for resources listed.
As I cannot say for sure that the two needed subnets are trusted at all, I guess I need a firewall.
I think it is possible to set rules to allow packets from the forwarded ports only for the application (service) that listens on those ports and to prevent packets from going to other services in the system through those forwarded ports. Am I thinking right?
I find out.
Please tell me, if I want to use iptables, do I need to download some additional package as I have only the Arch base installation? If so, what is the link for the package?
Thank you!
Thank you for your attention!
And a Help File for Arch available for download is much needed!
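To illustrate the kind of stateful iptables ruleset the replies above point at (default DROP on INPUT, accept only established/related traffic plus the two forwarded ports, and only from the two routed subnets), here is an added example that is not from the thread or the Arch wiki. The subnets and port numbers are placeholders to be replaced with the real ones; the script only prints the ruleset in iptables-save format and checks it, so it can be reviewed before being fed to iptables-restore.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an iptables-restore ruleset for a
# host with two routed subnets and one forwarded TCP and one forwarded UDP port.
# Unlike /etc/hosts.deny, which only affects TCP-wrapper-aware daemons, these
# rules apply to every socket on the host.
SUBNET_A="${SUBNET_A:-192.0.2.0/24}"      # placeholder: first routed subnet
SUBNET_B="${SUBNET_B:-198.51.100.0/24}"   # placeholder: second routed subnet
TCP_PORT="${TCP_PORT:-12345}"             # placeholder: forwarded TCP port
UDP_PORT="${UDP_PORT:-12346}"             # placeholder: forwarded UDP port

# Print the ruleset. Apply with:  build_ruleset | iptables-restore
build_ruleset() {
    # Policy DROP on INPUT: anything not explicitly allowed below is dropped.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # New connections are accepted only on the forwarded ports and only from
    # the two routed subnets; all other ports stay closed even to those subnets.
    for net in "$SUBNET_A" "$SUBNET_B"; do
        echo "-A INPUT -s $net -p tcp --dport $TCP_PORT -m conntrack --ctstate NEW -j ACCEPT"
        echo "-A INPUT -s $net -p udp --dport $UDP_PORT -j ACCEPT"
    done
    echo "COMMIT"
}

# Sanity check before applying: INPUT policy must be DROP, and every rule that
# opens a port must carry a source (-s) restriction. Returns 0 when both hold.
check_ruleset() {
    rules=$(build_ruleset)
    echo "$rules" | grep -q '^:INPUT DROP' || return 1
    echo "$rules" | grep -- '--dport' | grep -vq -- '-s ' && return 1
    return 0
}
```

Review the printed rules first (`build_ruleset`), then run `check_ruleset && build_ruleset | iptables-restore` as root; the iptables package itself still has to be installed as discussed in this thread.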
And a Help File for Arch available for download is much needed!
wget -r -np http://wiki.archlinux.org
Please, someone tell me where I can download the package containing iptables (I do not want a big download, only the minimum).
And in which directory do I have to put the package to install it with pacman -Sy iptables?
I do not want to connect my Arch base installation to the whole Internet; I want to download the package with Windows and then get it into Arch through a CD or my own WEB.
Thank you!
zaozao wrote:And a Help File for Arch available for download is much needed!
wget -r -np http://wiki.archlinux.org
What is the file name at http://wiki.archlinux.org? (I want to download it with Windows)
Thank you!
Sorry zaozao I've been away for a few days.
Yes, you can download iptables with pacman -Sy iptables
but I think that if you do pacman -Sy firestarter it will automatically install iptables for you along with the firewall software.
Hope this helps.
Rick
He's got a base installation with no internet access, so pacman -S won't help. It's already answered here.
byte, I do not think he has no Internet access, because in part of his original post he says:
My system is connected to Internet directly. I have forwarded one TCP and one UDP port. My DSL modem does not allow me to prevent inbound traffic by its firewall
Unless I'm missing something, his concern with security has this root.