IPTABLES thread
post your rules files please. And answer any questions if possible.
I don't know shit about networking but I'm trying to protect myself.
Can iptables be of any help in protecting my desktop?
Apparently I can't just block every port in INPUT and OUTPUT chains because browsers use random ports to create connections..
So all I can do is, for example, allow in INPUT only connections where the source port is like 80 or 443, but nothing stops an attacker from using those ports to attack me, right?
>Can iptables be of any help in protecting my desktop?
>allow in INPUT only connections where the source port is like 80 or 443
Why are you running a public webserver on your desktop?
>>61580875
I'm not. Is iptables only useful for webservers?
>>61580785
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
Use shorewall to manage your iptables
>>61580875
Let me say all my stupid ideas about it and you correct me. It's a good opportunity.
Ports are the OS channels which processes use to exchange packets.
So every packet starts at some port at the "client" and ends at some port at the "server". These are the source port and destination port respectively.
Packets are useless if no application is listening to the destination port at the server.
The thing is:
-I shouldn't allow any application other than my browser to be listening on my ports. I couldn't find a way to do that with iptables.
-On http and https source ports will always be 80 and 443. So if I only allow to receive packets with --sport 80 or 443 I should mostly receive page traffic. But I don't even know if sport applies to the INPUT chain (do packets carry source port information?)
By this you can see I know nothing.. but tutorials on the net apparently assume you already know everything. Not all areas are like this.. security is a pain in the ass
>>61581024
Browsers don't use ports in the way most people think. They use lots of high-numbered ports, like 237437, etc. That's just a random number like something they would use;
they don't actually use the same ports as webservers.
>>61581101
Yes, that's why I said
"Apparently I can't just block every port in INPUT and OUTPUT chains because browsers use random ports to create connections.."
If you actually know how these things work could you please give some comprehensible instruction on it? Google was of no use for that..
>allow in INPUT only connections where the source port is like 80 or 443
allow only established connections in INPUT
-m state --state ESTABLISHED
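A minimal stateful ruleset of the kind this post describes, as an added example that is not from anyone in the thread: it generates an iptables-restore file for a desktop that runs no listening services (it assumes the conntrack match, the newer form of the state match above, and the iptables-restore/ip6tables-restore loaders).

```shell
#!/bin/sh
# Added example: stateful default-deny ruleset for a desktop. Assumes
# iptables with the conntrack match and iptables-restore/ip6tables-restore.

# Print the ruleset in iptables-restore format. $1 is 4 or 6.
desktop_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    if [ "$1" = 6 ]; then
        # IPv6 hosts need neighbour discovery even when they accept no
        # connections; conntrack does not track these ICMPv6 messages.
        echo '-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT'
        echo '-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT'
        echo '-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT'
    fi
    echo 'COMMIT'
}

# Guard: succeed only if the generated INPUT policy is DROP.
input_policy_is_drop() {
    desktop_rules "$1" | grep -q '^:INPUT DROP'
}

# Count INPUT ACCEPT rules that are not loopback, conntrack or ICMPv6
# neighbour-discovery rules. For this ruleset the answer must be 0: any
# other ACCEPT would open a port to the network.
unrestricted_accepts() {
    desktop_rules "$1" | awk '
        /^-A INPUT/ && /-j ACCEPT/ && !/-i lo/ && !/--ctstate/ && !/ipv6-icmp/ { n++ }
        END { print n + 0 }'
}

# Load both families (needs root); refuses to load a ruleset that is not
# default-deny. Nothing is applied just by sourcing this file.
apply_desktop_rules() {
    input_policy_is_drop 4 && input_policy_is_drop 6 || return 1
    desktop_rules 4 | iptables-restore
    desktop_rules 6 | ip6tables-restore
}
```

Replies to connections the browser opened come back as ESTABLISHED, so no source-port matching on 80/443 is needed; anything unsolicited hits the DROP policy.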
This script gives you +90% network security
#!/bin/bash
set -e
# get latest chinese ip address ranges (-f: fail instead of saving an error page)
echo "Fetching chinese ip address ranges..."
curl -f -o /tmp/cn.zone -L http://www.ipdeny.com/ipblocks/data/countries/cn.zone
# create the set (-exist: don't fail if the set is already there from an earlier run)
echo "Generating the blocking set..."
ipset -exist create china hash:net
while read -r net; do
    ipset -exist add china "$net"
done < /tmp/cn.zone
# drop anything whose source address is in the set; -C avoids adding the rule twice
iptables -C INPUT -m set --match-set china src -j DROP 2>/dev/null || \
    iptables -I INPUT -m set --match-set china src -j DROP
echo "China is blocked!"
rm /tmp/cn.zone
>>61580892
Sorry, I misunderstood your question. Like >>61581101 said, your browser (and any other program) temporarily opens ephemeral ports when you connect to websites and closes them when idle. The only way you can be attacked in this way is if you're connecting directly to a malicious host or you get MITM'd (which shouldn't happen over port 443). These connections happen transiently and only when you initiate them.
Using iptables isn't going to add much if you don't have any passively listening services running, which is why it's more often used on webservers and routers.
>>61581266
And how would I guarantee that I have no such listening services running? They would be trojans, right?
or, more generally speaking, what can I do to make my Debian more secure other than just updating it and running clamav and rkhunter regularly?
>>61581232
fucking hate those chinks and their http flood
>>61581419
>And how would I guarantee that I have no such listening services running? They would be trojans, right?
Most Linux distros come with certain services enabled out of the box (NFS, samba, some others). Disabling them if you don't need them isn't a bad idea, but if you're behind a firewall or an ordinary NAT router it's not that big of a deal. You can easily see what's running in the background.
netstat -nlp --inet --inet6
>>61581705
and how do I know if there is anything strange there? There are a lot of names there.. I just have to google each one and start memorizing which ones are safe, or is there a better way to do that?
>>61581861
Basically. You have to know what they do to know whether you need them around. Just pay attention to the ones in a LISTENING or ESTABLISHED state and google to see if they're something you can do without.
Also, you can ignore the ones that aren't bound to 0.0.0.0
>>61581232
What about muh Russia?
>>61580785
Only allow ssh access via key auth and not password.
>>61581990
>Also, you can ignore the ones that aren't bound to 0.0.0.0
why? what does it mean?
>>61582146
It means that you are only listening on specific IP addresses so blocking is irrelevant.
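The check described in the two posts above (look at what is listening, ignore sockets not bound to 0.0.0.0), as an added example that is not from anyone in the thread: a small filter over netstat -nlp --inet --inet6 output that keeps only wildcard-bound listeners. The sample output is constructed; real output has the same columns, but UDP lines have no State field.

```shell
#!/bin/sh
# Added example: pick the listeners reachable from the network out of
# `netstat -nlp --inet --inet6` output. The sample below is constructed.

sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      833/cupsd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      901/smbd
tcp6       0      0 :::22                   :::*                    LISTEN      612/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      833/cupsd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           590/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           601/chronyd
EOF
}

# Read netstat output on stdin; print "proto local-address program" for
# sockets bound to the IPv4 (0.0.0.0) or IPv6 (::) wildcard address. Those
# accept connections from other hosts. UDP lines have no State column, so
# the program name is taken from the last field rather than $7.
exposed_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $4 ~ /^(0\.0\.0\.0|::):[0-9]+$/ { print $1, $4, $NF }'
}

# Same input; print sockets bound to a specific address (loopback or one
# interface's address). These are the ones you can ignore when looking for
# something reachable from outside.
local_only_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ && $4 !~ /^(0\.0\.0\.0|::):[0-9]+$/ { print $1, $4, $NF }'
}

# Number of exposed listeners on stdin; 0 means nothing is reachable.
count_exposed() {
    exposed_listeners | awk 'END { print NR }'
}

# On a live system:  netstat -nlp --inet --inet6 | exposed_listeners
sample_netstat | exposed_listeners
```

The names that come out (sshd, smbd, dhclient in the sample) are the short list worth looking up, instead of every entry netstat prints.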
ufw default deny incoming
ufw enable