RE: [suse-security] Newbie Question re. Firewall2 vs. IPTABLES
Hello Uli,

So if I deactivate firewall2, IPTABLES is still active and I can add my own set of rules (iptables -A TCP etc.) and they are active right away?

Cheers
-KEH

-----Original Message-----
From: Ulrich Roth [mailto:Roth@impact.de]
Sent: Tuesday, July 22, 2003 1:25 PM
To: suse-security@suse.com
Subject: AW: [suse-security] Newbie Question re. Firewall2 vs. IPTABLES

Hi Knut,

> I am new to SuSE (Linux in general) and have been fiddling with firewall 2 for some time.
>
> My question is: If I deactivate SuSEfirewall2 (using YaST), will any IPTABLES rule I might create afterward still take action? And if not, where do I enable it (IPTABLES)?

Iptables is enabled by default. SuSEfirewall2 is only a shell script that runs many many iptables commands, depending on how you configure it. You may create your own script to execute iptables commands, or you may use SuSE's firewall script. SuSE made this script in order to make life easier for admins.

Bye
Uli
--
Ulrich Roth
IMPACT Business & Technology Consulting GmbH
Im Mediapark 8 / KölnTurm
D-50670 Koeln
Phone +49-221-93 70 80-29
Fax +49-221-93 70 80-15
E-Mail: roth@impact.de

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
On Tue, 2003-07-22 at 13:31, Knut Erik Hauslo wrote:

> Hello Uli,
>
> So if I deactivate firewall2, IPTABLES is still active and I can add my own set of rules (iptables -A TCP etc.) and they are active right away?

No, then you need to write your own shell script and get it to start when you start your machine.

> Cheers
> -KEH

--
Raymond Leach
Network Support Specialist
http://www.knowledgefactory.co.za
"lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
Here is a copy of my firewall script if you want to use it! It is for a single dial-up machine, running Apache Web server. You can alter it to suit your own machine's needs.

If you leave SuSEFirewall running, my script should clear all the SuSEFirewall rules out of IPTables, and put its own rules in the packet filter. You need to check the POLICY rules though - I don't think FLUSHing IPTables rules affects the POLICY of built-in chains.

USE AT YOUR OWN RISK!

You need to copy this to a safe place on your machine, and set the file as executable - see 'man chmod' for details. Or under mc (Norton Commander type file manager) highlight the name of the file to modify, press F9, pull down the File menu, select the Advanced chown option, set the file permissions as rwx --- --- and set the owner/group for the file as well.

Then add a line to /etc/init.d/boot.local - this will execute the script each time you reboot the machine. You need to check the script is called AFTER SuSEFirewall is up and running, or SuSEFirewall will overwrite the rules this script sets up in the IPTables packet filter!

===

You can also open a terminal as root, and cd to the directory where you have put the firewall script. As root, if you do

./my-fw > firewall.out

you will get the output sent to the file named firewall.out. This is handy for checking the firewall script for any syntax errors.

===

#!/bin/bash
# copyright Keith Anthony Roberts (c) 2003
# file-id: /path/to/firewall/script/my-fw
#
# custom script to start iptables packet filter firewall rules
#
# run from /etc/init.d/boot.local
#
# last updated 15-07-2003
#
#------------------------------------------------------#
echo
echo "======================================================================="
echo "Running /path/to/firewall/script/my-fw"
echo " - Initial status of firewall is:"
echo "======================================================================="
echo
#------------------------------------------------------#
echo
echo "======================================================================="
echo "NAT table initial status"
echo "======================================================================="
echo
#------------------------------------------------------#
# list status of NAT table
iptables -t nat -L -v
#------------------------------------------------------#
echo
echo "======================================================================="
echo "MANGLE table initial status"
echo "======================================================================="
echo
#------------------------------------------------------#
# list status of MANGLE table
iptables -t mangle -L -v
#------------------------------------------------------#
echo
echo "======================================================================="
echo "FILTER table initial status"
echo "======================================================================="
echo
#------------------------------------------------------#
# list status of FILTER table
iptables -t filter -L -v
#------------------------------------------------------#
# flush ALL rules in ALL tables
# (-F, -Z and -X leave the POLICY of the built-in chains untouched;
# only -P changes a policy)
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F
# clear packet & byte counters
iptables -t nat -Z
iptables -t mangle -Z
iptables -t filter -Z
# delete ALL user-defined chains in ALL tables
iptables -t nat -X
iptables -t mangle -X
iptables -t filter -X
#------------------------------------------------------#
echo
echo "======================================================================="
echo "Starting up my own custom firewall now!"
echo "======================================================================="
echo
#------------------------------------------------------#
#******************************************************#
# NAT table rules                                      #
#******************************************************#
# NOT USED
#******************************************************#
# MANGLE table rules                                   #
#******************************************************#
# NOT USED
#******************************************************#
# FILTER table rules                                   #
#******************************************************#
# LOG all packets going through the FORWARD chain - should disable this really
# (no -m limit on this rule, so it logs every forwarded packet)
iptables -A FORWARD -j LOG --log-prefix 'FILTER-FWD PKTS '
#------------------------------------------------------#
# LOG INPUT Syn-flood Denial of Service attempts - 10 per hour
iptables -A INPUT -i ppp0 -p tcp --syn -m limit --limit 10/h \
    -j LOG --log-prefix 'Syn-flood INP attack??? '
# Syn-flood INPUT protection
# (the target is ACCEPT: SYNs that stay within the limit are accepted here,
# whatever their destination port, before the open_port_80 and block chains
# further down ever see them; only the SYNs above the limit fall through)
iptables -A INPUT -i ppp0 -p tcp --syn -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#
# LOG INPUT Furtive Port Scanner attempts - 10 per hour
iptables -A INPUT -i ppp0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
    -m limit --limit 10/h -j LOG --log-prefix 'Port Scanner INP attack??? '
# Port Scanner INPUT protection
iptables -A INPUT -i ppp0 -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
    -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#
# LOG INPUT Ping of Death Denial of Service attempts - 10 per hour
iptables -A INPUT -i ppp0 -p icmp --icmp-type echo-request \
    -m limit --limit 10/h -j LOG --log-prefix 'Ping of Death INP attack??? '
# Ping of Death INPUT protection
iptables -A INPUT -i ppp0 -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#
# LOG FORWARD Syn-flood Denial of Service attempts - 10 per hour
iptables -A FORWARD -p tcp --syn -m limit --limit 10/h \
    -j LOG --log-prefix 'Syn-flood FWD attack??? '
# Syn-flood FORWARDing protection
# (same ACCEPT-within-limit behaviour as the INPUT rule above)
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#
# LOG FORWARD Furtive Port Scanner attempts - 10 per hour
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
    -m limit --limit 10/h -j LOG --log-prefix 'Port Scanner FWD attack??? '
# Port Scanner FORWARDing protection
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
    -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#
# LOG FORWARD Ping of Death Denial of Service attempts - 10 per hour
iptables -A FORWARD -p icmp --icmp-type echo-request \
    -m limit --limit 10/h -j LOG --log-prefix 'Ping of Death FWD attack??? '
# Ping of Death FORWARDing protection
iptables -A FORWARD -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT
#------------------------------------------------------#
# create a new chain for apache connections
#------------------------------------------------------#
iptables -N open_port_80
# LOG all NEW, ESTABLISHED, RELATED
# remote connections coming in on ppp0 to apache port 80
# (unlimited: every packet of every port 80 connection is logged)
iptables -A open_port_80 -i ppp0 -p tcp --dport 80 \
    -m state ! --state INVALID \
    -j LOG --log-prefix 'Remote Port 80 connects '
# ACCEPT all NEW, ESTABLISHED, RELATED
# remote connections coming in on ppp0 to apache port 80
iptables -A open_port_80 -i ppp0 -p tcp --dport 80 \
    -m state ! --state INVALID \
    -j ACCEPT
# LOG all local connections to apache port 80
# ("! -i ppp0" is the current spelling of the older "-i ! ppp0")
iptables -A open_port_80 ! -i ppp0 -p tcp --dport 80 \
    -j LOG --log-prefix 'Local Port 80 connects '
# ACCEPT all local connections to apache port 80
iptables -A open_port_80 ! -i ppp0 -p tcp --dport 80 -j ACCEPT
#------------------------------------------------------#
# create new chain that blocks all other
# new connection attempts coming in from ppp0
#------------------------------------------------------#
iptables -N block
# LOG all other new connection attempts (& invalid packets) coming from ppp0
iptables -A block -i ppp0 -m state --state NEW,INVALID \
    -j LOG --log-prefix 'DROPPED NEW CONNS ON PPP0 '
# DROP all new connection attempts (& invalid packets) coming from ppp0
# and not for apache web server
# (ESTABLISHED,RELATED packets fall through to the INPUT/FORWARD POLICY,
# which this script does not set - check it is still ACCEPT)
iptables -A block -i ppp0 -m state --state NEW,INVALID -j DROP
#------------------------------------------------------#
# jump to various chains from INPUT and FORWARD chains
#------------------------------------------------------#
iptables -A INPUT -j open_port_80
iptables -A INPUT -j block
iptables -A FORWARD -j block
#------------------------------------------------------#
echo
echo "======================================================================="
echo "New status of firewall using my own custom rules is:"
echo "======================================================================="
echo
#------------------------------------------------------#
echo
echo "======================================================================="
echo "NAT table - new status"
echo "======================================================================="
echo
#------------------------------------------------------#
# list current status of NAT table
iptables -t nat -L -v
#------------------------------------------------------#
echo
echo "======================================================================="
echo "MANGLE table - new status"
echo "======================================================================="
echo
#------------------------------------------------------#
# list current status of MANGLE table
iptables -t mangle -L -v
#------------------------------------------------------#
echo
echo "======================================================================="
echo "FILTER table - new rules"
echo "======================================================================="
echo
#------------------------------------------------------#
# list current status of FILTER table
iptables -L -v
#------------------------------------------------------#
# exit with a valid code
exit 0
#------------------------------------------------------#
# end of firewall #

On 22 Jul 2003, Ray Leach wrote:
> On Tue, 2003-07-22 at 13:31, Knut Erik Hauslo wrote:
>
> > Hello Uli,
> >
> > So if I deactivate firewall2, IPTABLES is still active and I can add my own set of rules (iptables -A TCP etc.) and they are active right away?
>
> No, then you need to write your own shell script and get it to start when you start your machine.
>
> > Cheers
> > -KEH
>
> --
> Raymond Leach
> Network Support Specialist
> http://www.knowledgefactory.co.za
> "lynx -source http://www.rchq.co.za/raymondl.asc | gpg --import"
> Key fingerprint = 7209 A695 9EE0 E971 A9AD 00EE 8757 EE47 F06F FB28
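The layout that Uli's "it is only a shell script that runs iptables commands" answer and Keith's POLICY caveat together point at, written out as an added example that is neither Keith's script nor SuSEfirewall2: it sets the built-in chain policies to DROP before it flushes, because -F, -X and -Z leave the policy alone, so the host stays closed while the rules reload; it rate-limits SYNs and pings through a chain that only ever drops the excess, so a rule of the form `-m limit --limit 1/s -j ACCEPT` cannot let the first packets per second through to ports the rule set never meant to open; and it takes the iptables binary from a variable so the whole script can be dry-run. The variable names IPT, EXT_IF and APPLY_FIREWALL and the chain names syn_limit and ping_limit are this example's own choices, not anything from the thread.

```shell
#!/bin/bash
# Added example, not Keith's script and not SuSEfirewall2: a policy-first
# rule set for a single host that exposes only TCP/80 on its external link.
#
# IPT and EXT_IF are assumptions of this example. IPT defaults to the real
# iptables binary; set IPT=echo to print every command instead of running it.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-ppp0}"

# 1. Close the built-in chains FIRST. -F/-X/-Z never touch a chain policy, so
#    whatever policy SuSEfirewall2 (or the kernel default, ACCEPT) left behind
#    would otherwise stay in force while the new rules are still loading.
set_policies() {
    "$IPT" -P INPUT   DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT  ACCEPT
}

# 2. Now flushing is safe: between "old rules gone" and "new rules loaded"
#    the host is fail-closed instead of wide open.
flush_all() {
    for t in filter nat mangle; do
        "$IPT" -t "$t" -F
        "$IPT" -t "$t" -X
        "$IPT" -t "$t" -Z
    done
}

# 3. A rate limiter that only ever DROPs. Packets within the limit RETURN to
#    the calling chain and still have to pass the per-port rules below; the
#    excess is dropped. (A limit rule ending in -j ACCEPT would instead admit
#    the first SYN per second to ANY port before the port rules are reached.)
make_limit_chain() {             # $1 = chain name, $2 = rate such as 1/s
    "$IPT" -N "$1"
    "$IPT" -A "$1" -m limit --limit "$2" --limit-burst 4 -j RETURN
    "$IPT" -A "$1" -j DROP
}

load_rules() {
    make_limit_chain syn_limit  1/s
    make_limit_chain ping_limit 1/s

    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -m state --state INVALID -j DROP

    # rate-limit first, then decide per port
    "$IPT" -A INPUT -i "$EXT_IF" -p tcp --syn -j syn_limit
    "$IPT" -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -j ping_limit

    "$IPT" -A INPUT -i "$EXT_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    "$IPT" -A INPUT -i "$EXT_IF" -p icmp --icmp-type echo-request -j ACCEPT

    # everything else arriving on the external link: log a little, then let
    # it fall through to the DROP policy
    "$IPT" -A INPUT -i "$EXT_IF" -m limit --limit 10/h -j LOG --log-prefix 'DROPPED INPUT '
}

apply_firewall() {
    set_policies
    flush_all
    load_rules
}

# Nothing is changed unless explicitly asked for, so sourcing the file or
# checking its syntax (bash -n my-fw) never touches the live rule set:
#   IPT=echo APPLY_FIREWALL=yes ./my-fw    # dry run, prints the commands
#   APPLY_FIREWALL=yes ./my-fw             # load for real, as root
if [ "${APPLY_FIREWALL:-no}" = "yes" ]; then
    apply_firewall
fi
```

With IPT=echo the script prints every iptables invocation in the order it would be issued, which is a safer way to read a firewall script than running it for real and redirecting the output; bash -n my-fw checks the shell syntax alone without executing anything. Loaded for real, iptables -L -v -n shows "policy DROP" in the INPUT and FORWARD chain headers, and that header line, not the rule list, is what to check on a box where SuSEfirewall2 has run first. Do the first live test from the console rather than over the external link: with the policy set before the flush, an existing session is only picked up again once the ESTABLISHED,RELATED rule is back in place.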
participants (3)
- keith@topaz5.worldonline.co.uk
- Knut Erik Hauslo
- Ray Leach