Greetings all, just getting started with Arch Linux, using Chakra because I, er, couldn't quite manage to configure the desktop environment by myself. Anyway, I followed the "simple stateful firewall" guide on the wiki, but I notice that GRC's ShieldsUP finds that my ports are closed and not stealthed. First of all, is this important anyway, or is it better they be closed rather than stealthed? And, if it would be more secure to stealth my ports, how do I change the iptables rules to do this?
Thanks!
Stealthed means that your computer will not respond to any requests on a port, whereas with closed it will send a RST packet. Your iptables rules just need to be set to drop rather than reject.
Last edited by Bob_Sheep (2009-01-14 16:55:25)
I am trying to figure out how this works too, it's these lines, right?
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
and then -j DROP?
Will that give any disadvantages?
And if I can hijack a little: the open chain, I have used that for bittorrent (is that wise, by the way?), but that site says the ports are closed. I have also opened another port for P2P and that works fine.
Could it be the ISP blocking? My bittorrent is still fast though.
EDIT: After a bit of setup it seems an application needs to be actually listening on the port for it to be open? I did try out DROP instead of REJECT and everything reports as stealthed now, except those ports in the OPEN chain.
Last edited by Procyon (2009-01-14 17:38:08)
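The REJECT-versus-DROP question above (and the later observation that an ACCEPTed port only shows as open when something is listening), as an added example that is neither the thread's nor the Arch wiki guide's code: a small Python model of what a remote scanner such as ShieldsUP reports for one port under a given INPUT chain. It parses the subset of iptables-restore syntax used in this thread (policy lines, `-p`, `--dport N` or `--dport N:M`, `-j ACCEPT|DROP|REJECT`). Assumptions: the probe is a NEW packet arriving on eth0 from outside the LAN, so rules bound to `lo`, to a `-s` subnet or to RELATED/ESTABLISHED state are skipped; the wiki guide's separate `open` chain is folded into INPUT; the sample ruleset and port 55555 are constructed.

```python
# Added example (not the thread's or the wiki's code): model what a remote
# scanner sees for one port under a given INPUT chain.
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    proto: Optional[str]              # "tcp"/"udp", or None for any protocol
    dport: Optional[Tuple[int, int]]  # inclusive port range, or None for any port
    target: str                       # ACCEPT, DROP or REJECT


def parse_input_chain(ruleset: str) -> Tuple[str, List[Rule]]:
    """Return (policy, rules) for INPUT from iptables-restore text.

    Only rules an Internet probe could match are kept: the probe is assumed
    to be a NEW packet arriving on eth0 from a non-LAN address, so rules
    bound to lo, to a -s subnet, or to RELATED/ESTABLISHED state are skipped.
    """
    policy, rules = "ACCEPT", []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*" or line == "COMMIT":
            continue
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            chain, pol = line[1:].split()[:2]
            if chain == "INPUT":
                policy = pol
            continue
        argv = shlex.split(line)
        if argv[:2] != ["-A", "INPUT"]:
            continue
        proto = dport = target = None
        reachable = True
        i = 2
        while i < len(argv):
            opt = argv[i]
            if opt == "--syn":                   # a fresh TCP probe is a SYN: always matches
                i += 1
                continue
            arg = argv[i + 1] if i + 1 < len(argv) else ""
            if opt == "-p":
                proto = arg
            elif opt == "--dport":               # "N" or "N:M"
                lo, _, hi = arg.partition(":")
                dport = (int(lo), int(hi or lo))
            elif opt == "-j":
                target = arg
            elif (opt == "-i" and arg == "lo") or opt == "-s":
                reachable = False                # loopback-only or LAN-only rule
            elif opt == "--state" and "NEW" not in arg:
                reachable = False                # needs an existing connection
            i += 2                               # every other option takes one argument
        if reachable and target in ("ACCEPT", "DROP", "REJECT"):
            rules.append(Rule(proto, dport, target))
    return policy, rules


def scanner_view(ruleset: str, proto: str, port: int, listening: bool) -> str:
    """Classify a port the way ShieldsUP does: 'open', 'closed' or 'stealthed'."""
    policy, rules = parse_input_chain(ruleset)
    verdict = policy                             # used only if no rule matches
    for r in rules:                              # first matching terminal rule wins
        if r.proto in (None, proto) and (r.dport is None or r.dport[0] <= port <= r.dport[1]):
            verdict = r.target
            break
    if verdict == "DROP":
        return "stealthed"                       # silently discarded: no reply at all
    if verdict == "REJECT":
        return "closed"                          # RST / ICMP unreachable goes back
    return "open" if listening else "closed"     # ACCEPT: closed unless something listens


# Constructed ruleset in the spirit of the wiki guide, with the `open` chain
# folded into INPUT. Port 55555 stands in for a BitTorrent listener.
WIKI_STYLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 55555:55555 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""
# Same ruleset with the two REJECT lines turned into DROP, as the thread suggests.
STEALTHED = (WIKI_STYLE
             .replace("-j REJECT --reject-with tcp-reset", "-j DROP")
             .replace("-j REJECT --reject-with icmp-port-unreachable", "-j DROP"))

if __name__ == "__main__":
    for name, rs in (("reject", WIKI_STYLE), ("drop", STEALTHED)):
        print(name, "tcp/80:", scanner_view(rs, "tcp", 80, False),
              "tcp/55555 listening:", scanner_view(rs, "tcp", 55555, True))
```

The model also shows why the two REJECT lines are only redundant once they are changed to DROP: while they are REJECT they match before the chain's policy is ever consulted, so a DROP policy on its own does not stealth anything.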
Works perfectly!!!
Procyon - just change REJECT to DROP in those two lines, forget whatever comes after the --, perfect TruStealth rating!
You might have to start again, flush your rules maybe, I did anyway.
Edit - oh, I see you have it working already. Bah, I wanted to answer a question!
Last edited by darkbeanies (2009-01-14 17:51:07)
Erm no.
Using -j REJECT will send a message back to the computer trying to contact yours. That way that computer will know that, even though the ports are closed, the system is up (because it gets a response). Just using -j DROP should fix this.
I don't think you can stealth open ports - that would defeat its purpose. How will you discern between legitimate requests (that need the port to be open) and bots (that you don't want to know the port is open)?
Edit: dammit, I should refresh when I put a response together so slowly.
Got Leenucks? :: Arch: Power in simplicity :: Get Counted! Registered Linux User #392717 :: Blog thingy
Edit: dammit, I should refresh when I put a response together so slowly.
At least you're not alone.
My Arch Linux Stuff • Forum Etiquette • Community Ethos - Arch is not for everyone
I see, and I read somewhere my 10 bittorrent ports are fine too as long as the application is secure. (rtorrent was using a closed port though, I wonder what was up with that)
And BTW, the policy of INPUT is already DROP, so these lines are actually redundant. (I tested it just now)
Also, I can't seem to get a port open for deluge. I tried iptables -A open -i eth0 -p tcp --dport 55555:55555 -j ACCEPT from the guide; is there anything else I need to do? I've got moblock running too; do I need to meddle with that at all to open ports? I don't think I do. I also tried
iptables -A open -i eth0 -p tcp --dport 55555:55555 -j ACCEPT
iptables -A open -i eth0 -p udp --dport 55555:55555 -j ACCEPT
But that doesn't work either, unless I did it wrong.
Why the port range if you only have one port in it? I think a range also requires a slightly different syntax from a rule with one port.
Btw:
iptables -L
shows you the loaded rules, always nice for diagnosing (it reads easier than the rules themselves imho).
Ah, sorry, I just guessed it basically. I'll have a look, cheers.
Edit - or could I do 55554:55556 and save time?
Output of iptables -L gives (at the bottom)
chain open
accept tcp -- anywhere tcp dpt: 55555
Last edited by darkbeanies (2009-01-14 19:43:18)
And BTW, the policy of INPUT is already DROP, so these lines are actually redundant. (I tested it just now)
I tried to set the input policy to REJECT btw, and this is what I got after I tried to load my altered iptables.rules:
iptables-restore v1.4.2: Can't set policy `INPUT' on `REJECT' line 4: Bad policy name
Is 'REJECT' not allowed as a policy? Why? Anyone who knows more?
The time when Microsoft starts making something that doesn't suck will be when they start making vacuum cleaners.
Post your iptables.rules.
I tried this
# iptables rules for spitfire machine
*filter
:INPUT REJECT [0:0]
:FORWARD REJECT [0:0]
:OUTPUT ACCEPT [0:0]
# accept from local loopback
-A INPUT -i lo -j ACCEPT
# accept from LAN / Local Subnet
-A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Server
#FTP
#Command link
-A INPUT -p tcp --dport 21 -j ACCEPT
#data transfer link
-A INPUT -p tcp --dport 6250 -j ACCEPT
#Freeciv Server
-A INPUT -p tcp --dport 5555 -j ACCEPT
# aMule
-A INPUT -p tcp --dport 4662 -j ACCEPT
-A INPUT -p udp --dport 4665 -j ACCEPT
-A INPUT -p udp --dport 4669 -j ACCEPT
# ICEcast Streaming Audio Server
-A INPUT -p tcp --dport 8000 -j ACCEPT
# Bittorrent
-A INPUT -p tcp --dport 50000 -j ACCEPT
# forward LAN traffic
-A FORWARD -s 192.168.0.0/24 -j ACCEPT
# do not forward NetBIOS/SMB to the internet
-A FORWARD -o ppp+ -p udp --sport 137:138 -j DROP
-A FORWARD -o ppp+ -p tcp --sport 139 -j DROP
-A FORWARD -o ppp+ -p tcp --sport 445 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# do masquerading
-A POSTROUTING -o ppp+ -s 192.168.0.0/24 -j MASQUERADE
COMMIT
instead of
# iptables rules for spitfire machine
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# accept from local loopback
-A INPUT -i lo -j ACCEPT
# accept from LAN / Local Subnet
-A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Server
#FTP
#Command link
-A INPUT -p tcp --dport 21 -j ACCEPT
#data transfer link
-A INPUT -p tcp --dport 6250 -j ACCEPT
#Freeciv Server
-A INPUT -p tcp --dport 5555 -j ACCEPT
# aMule
-A INPUT -p tcp --dport 4662 -j ACCEPT
-A INPUT -p udp --dport 4665 -j ACCEPT
-A INPUT -p udp --dport 4669 -j ACCEPT
# ICEcast Streaming Audio Server
-A INPUT -p tcp --dport 8000 -j ACCEPT
# Bittorrent
-A INPUT -p tcp --dport 50000 -j ACCEPT
# forward LAN traffic
-A FORWARD -s 192.168.0.0/24 -j ACCEPT
# do not forward NetBIOS/SMB to the internet
-A FORWARD -o ppp+ -p udp --sport 137:138 -j DROP
-A FORWARD -o ppp+ -p tcp --sport 139 -j DROP
-A FORWARD -o ppp+ -p tcp --sport 445 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# do masquerading
-A POSTROUTING -o ppp+ -s 192.168.0.0/24 -j MASQUERADE
COMMIT
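The "Bad policy name" error behind the two rulesets above, as an added example that is neither the poster's nor iptables' own code: a checker that flags policy lines iptables-restore will refuse, plus a rewrite into the supported form. A built-in chain's policy may only be ACCEPT or DROP (the choices the iptables manual documents), and `-` in a `:chain - [0:0]` line marks a user-defined chain, which has no policy at all. REJECT is an extension target, so it is valid in `-A` rules but not as a policy; the equivalent is policy DROP followed by explicit REJECT rules as the last entries of the chain. The sample ruleset is a constructed, shortened version of the one posted, and the specific `--reject-with` choices in the appended tail are this example's, not something the thread prescribes.

```python
# Added example (not the thread's or iptables' code): lint and repair the
# ":CHAIN POLICY [pkts:bytes]" lines of an iptables-restore file.
import re
from typing import List

# "-" is what iptables-save writes for user-defined chains, which carry no policy.
ALLOWED_POLICIES = {"ACCEPT", "DROP", "-"}
POLICY_LINE = re.compile(r"^:(\w+)\s+(\S+)\s+(\[\d+:\d+\])\s*$")

# Trailing rules that reproduce REJECT semantics once the policy is DROP:
# a TCP reset for TCP, ICMP unreachables for everything else (this example's choice).
REJECT_TAIL = [
    "-A {chain} -p tcp -j REJECT --reject-with tcp-reset",
    "-A {chain} -p udp -j REJECT --reject-with icmp-port-unreachable",
    "-A {chain} -j REJECT --reject-with icmp-proto-unreachable",
]


def lint_policies(ruleset: str) -> List[str]:
    """One message (with 1-based line number) per policy line iptables-restore would refuse."""
    problems = []
    for lineno, line in enumerate(ruleset.splitlines(), 1):
        m = POLICY_LINE.match(line.strip())
        if m and m.group(2) not in ALLOWED_POLICIES:
            problems.append(f"line {lineno}: chain {m.group(1)} has policy {m.group(2)}; "
                            "built-in chains only accept ACCEPT or DROP")
    return problems


def rewrite_reject_policies(ruleset: str) -> str:
    """Turn ':CHAIN REJECT [...]' into ':CHAIN DROP [...]' and append explicit
    REJECT rules for that chain just before the COMMIT of its table, so they
    run after every rule the file already had."""
    out: List[str] = []
    pending: List[str] = []          # chains in the current table awaiting a REJECT tail
    for line in ruleset.splitlines():
        stripped = line.strip()
        m = POLICY_LINE.match(stripped)
        if m and m.group(2) == "REJECT":
            chain, counters = m.group(1), m.group(3)
            out.append(f":{chain} DROP {counters}")
            pending.append(chain)
            continue
        if stripped == "COMMIT":
            for chain in pending:
                out.append(f"# policy REJECT is not allowed; emulate it with a trailing reject on {chain}")
                out.extend(t.format(chain=chain) for t in REJECT_TAIL)
            pending = []
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed, shortened version of the ruleset posted in the thread.
SPITFIRE_LIKE = """\
*filter
:INPUT REJECT [0:0]
:FORWARD REJECT [0:0]
:OUTPUT ACCEPT [0:0]
:open - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
"""

if __name__ == "__main__":
    for msg in lint_policies(SPITFIRE_LIKE):
        print(msg)
    print(rewrite_reject_policies(SPITFIRE_LIKE))
```

Run against the constructed file, the linter reports INPUT and FORWARD (lines 2 and 3 here; the poster's file has a comment on line 1 and so gets "line 4" in the real error), and the rewritten text passes the linter with the REJECT rules placed after the existing ACCEPT rules of the filter table only.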