Is iptables running correctly?
gkedrovs
01-24-2005, 10:44 AM
I've just tried to get iptables running on my desktop workstation (not a server). I connect to the internet via dial-up on this machine which is connected to my LAN (with server and Windows machines). I wanted a firewall and, of course, in Linux that would be iptables.
I'm using a simple couple of lines in my /etc/ppp/ip-up script (Slack 9.1) to flush all iptable configs and then refuse all connections to my machine via the internet (I do not, nor does anyone else, connect to this machine via the internet; all attempts are to be considered hostile as far as I know).
Here are the lines I added to my ip-up script (after connection is made and I've been given an IP address by my ISP):
## Flush any previous rules ##
iptables -F
## Drop all attempts at establishing a connection from the internet ##
iptables -A INPUT -i ppp0 -p tcp --syn -j DROP
My question is one of ignorance. How do I know if iptables is "running in the background" and catching all attempts to hack my system? If I do a ps ax, iptables does not appear (so it's not running as a daemon).
If I run the commands manually, after establishing a connection, this is what I get:
/usr/sbin/iptables -vF
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
And:
/usr/sbin/iptables -v -A INPUT -i ppp0 -p tcp --syn -j DROP
DROP tcp opt -- in ppp0 out * 0.0.0.0/0 -> 0.0.0.0/0 tcp flags:0x16/0x02
Looks to me as if it's running correctly, but I wonder if someone might help me confirm that and help me understand a little how iptables runs "in the background" (if I can't see it in ps ax).
Thank you for the help.
-Greg
ph34r
01-24-2005, 11:28 AM
Use one of the free web based portscans - dslreports.com has one, as does grc and a few others.
Edit - if you don't feel like mucking around making your own rules, gShield (http://muse.linuxmafia.org) is a really easy to use config script for iptables.
gkedrovs
01-24-2005, 12:14 PM
Originally posted by ph34r
Use one of the free web based portscans - dslreports.com has one, as does grc and a few others.
Thanks. I'm poking around on that site right now.
Originally posted by ph34r
if you don't feel like mucking around making your own rules, gShield (http://muse.linuxmafia.org) is a really easy to use config script for iptables.
I downloaded Firestarter. Dunno if that's going to be overkill for my simple need. But, it looks like it might get me up and running quickly.
Thanks.
-gk
gkedrovs
01-24-2005, 12:24 PM
I just ran a port scanner and the results came back fine, except for my port 111 (portmapper rpcbind). ??
I did an
iptables -F
to flush out all rules and then did the port scan again. It came 100% back favorable. That's weird. I would have thought that having no rules would open my machine to everything. But, it seems more of a risk to run the iptables as I had above than to not run it at all.
-gk
bwkaz
01-24-2005, 07:53 PM
You don't see anything in the output of "ps ax" because iptables does not involve any daemons.
The iptables program merely talks to the kernel, telling the kernel firewalling code to turn on and off certain filters. The actual filtering is all done inside the kernel; the iptables binary itself does not stay running.
chrism01
02-01-2005, 07:41 PM
To see what the current settings actually are, use
iptables -L
There is also a
-j LOG
option, which will log firewall actions on a per rule basis to (probably) /var/log/messages.
HTH
gkedrovs
02-02-2005, 08:54 AM
Originally posted by chrism01
To see what the current settings actually are, use
iptables -L
Interesting... here's my output (if you could call it that)...
[root@gregkedro ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Looks like I just accept anything and everything. ??
-gk
chrism01
02-02-2005, 07:27 PM
Yep, you're wide open
gkedrovs
02-03-2005, 09:11 AM
But, the weird thing is the port test (see above). Running iptables (with configs shown above) opens port 111 to a vulnerability. Running it wide open shows no port vulnerabilities.
The one problem I've had with a hacker came from China. Someone must have been running some sort of program that randomly checked IPs (I dunno). I keep a term window open running tail -f /var/log/messages to see what's going on with my connection, etc. I'd see this punk try to get in my system through my sshd. So, I simply shut it down (sshd). No more problems.
I know I need to RTFM more about iptables and testing it out. But... I have 5 other projects before that one, and the stuff is just piling up.
Any ideas on why I have less of a vulnerability running it wide open than with configs?
Thanks.
-Greg
chrism01
02-03-2005, 06:59 PM
You have to remember that a port is only 'exploitable' if a program (i.e. a server program) is listening, i.e. is bound to that port.
Otherwise, it's effectively closed.
Be sure to check what you have running as well as the state of the associated ports in the firewall.
It's still a good idea to have a default policy of DENY on all chains, then just provide exceptions to connections you want to allow.
BTW, I'd make this your priority proj, unless you want your system cracked/trashed...
Here's quick & easy way to secure your system and learn about security at the same time:
http://www.bastille-linux.org/
Provides Perl script(s) that tighten up your system and tell you what/why at the same time.
Enjoy... :)
gkedrovs
02-03-2005, 07:11 PM
Good link. Thanks, man.
-Greg
bwkaz
02-03-2005, 07:58 PM
Originally posted by gkedrovs
...try to get in my system through my sshd.
There's been a lot of automated ssh scanning going on lately. It's tapered off a bit since it originally showed up, but not a ton.
See, for example, http://isc.sans.org/diary.php?date=2004-11-02 and the honeypot capture linked from http://isc.sans.org/diary.php?date=2004-11-04.
This is why I use SSH public-key authentication on my server -- it won't even prompt anyone coming in for a password. (I also firewall the ssh port so that only our public IP address at work -- which is supposed to be static -- can get through the firewall, but defense in depth is always a good idea.)
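An added example, not posted by anyone in this thread, that ties together chrism01's two points (read the `iptables -L` listing, then use a default-DROP policy with explicit exceptions and a LOG rule) and bwkaz's practice of letting only one source address reach sshd. The interface name, the address 203.0.113.10 and the embedded listing are constructed sample values; the listing is shaped like the one gkedrovs posted.

```shell
#!/bin/sh
# Constructed listing, shaped like the one gkedrovs posted: every chain
# has policy ACCEPT and no rules, which is the "wide open" state.
OPEN_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# chain_policy CHAIN LISTING: print the default policy of CHAIN.
chain_policy() {
    printf '%s\n' "$2" | sed -n "s/^Chain $1 (policy \([A-Z]*\)).*/\1/p"
}

# input_rule_count LISTING: number of rule lines under "Chain INPUT"
# (lines between that header and the next "Chain", minus the column header).
input_rule_count() {
    printf '%s\n' "$1" |
        awk '/^Chain INPUT/ {f=1; next} /^Chain/ {f=0} f && NF && $1 != "target"' |
        wc -l | tr -d ' '
}

# wide_open LISTING: true when INPUT accepts by default and nothing filters it.
wide_open() {
    [ "$(chain_policy INPUT "$1")" = ACCEPT ] && [ "$(input_rule_count "$1")" -eq 0 ]
}

# ruleset IFACE ADMIN_IP: emit a deny-by-default INPUT chain. Loopback and
# replies to our own connections are allowed, new ssh connections only from
# ADMIN_IP, and everything else arriving on IFACE is logged before the
# DROP policy discards it. Unpiped it only prints; as root,
# `ruleset ppp0 203.0.113.10 | sh` applies it.
ruleset() {
    cat <<EOF
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $1 -p tcp -s $2 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -i $1 -j LOG --log-prefix "iptables DROP: "
EOF
}
```

The LOG rule writes to the kernel log (syslog, typically /var/log/messages on a Slackware box of that era), so the `tail -f /var/log/messages` window gkedrovs already keeps open will show what the DROP policy is discarding.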