lang fr|gb
basic firewall
GNU/Linux is a secure system that works without anti-virus ... yes, but a little security will not hurt, especially if you have installed an SSH server, LAMP or Mail server.
for this livarp uses iptables that will define the status of ports depending on the type of communications.
you do not have to do anything to activate the firewall, iptables script concerned is in your /etc/init.d/ directory, which includes scripts launched at boot time.
configuration
to add or remove security rules, you ave to edit the /etc/firewall.rules file. this file is called by /etc/init.d/firewall.sh script to enable security rules. here is the default file for livarp:
*filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT DROP [0:0] -A INPUT -m state --state INVALID -j DROP -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP -A INPUT -p tcp --tcp-flags ALL ALL -j DROP -A INPUT -p tcp --tcp-flags ALL NONE -j DROP -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP -A INPUT -m pkttype --pkt-type broadcast -j DROP -A INPUT -f -j LOG --log-prefix "[#1 iptables fragments : ]" -A INPUT -f -j DROP -A INPUT -i lo -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT -A INPUT -p tcp -m tcp --dport 111 -m state --state NEW -j REJECT --reject-with tcp-reset -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j LOG --log-prefix "[#1 : SSH brute-force ] : " -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP -A INPUT -p tcp --dport 22 -m recent --set --name SSH --rsource -A INPUT -p tcp --dport 22 -j ACCEPT COMMIT
this file prohibits incoming call not initiated by the user or system,
log invalids communications
log brute force issue on the SSH protocol
depending on your usage, you can remove some (ex: port 80 rules if you don't use web server). or add some rules:
- ping support :
-A INPUT -p tcp -p icmp -j ACCEPT - ftp support : launch connntrack for passive ftp (to be placed in your /etc/init.d/firewall.sh):
modprobe ip_conntrack_ftp ip_conntrack ip_nat_ftp
then add in your /etc/firewall.rules :
-A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -A INPUT -p tcp --sport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -A OUTPUT -p tcp --dport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT -A INPUT -p tcp --sport 20 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
- smtp/smtps support:
-A INPUT -p tcp --dports smtp,smtps,submission -j ACCEPT