Keeping ports closed and stealth...


Nandy
10-08-2000, 02:54 AM
I recently installed a proxy/firewall PC for my home network. I am new to Linux, so for most of the stuff I just copy and paste and try to read the instructions. I have an idea of what I am doing, but I am far behind in mastering anything regarding this wonderful OS.

Well, my problem is that after checking the firewall on the grc.com site it showed some open ports (113 & 139) and the rest were closed but not stealth. How do I make my ports not only closed but stealth? I mean, closed is good, but if I understood right, with stealth ports the scanners will not even know I am here! If anyone can tell me how to do this or can tell me where I can find the answer, I will appreciate it greatly. Remember that I am new, so don't get super technical, but I will do my best in order to learn. I just don't have the time to learn everything right now. It will be a slow process for me... Pity!!!

Also, what I call a firewall is a script I am running on the proxy PC. I placed a copy of it in a previous post I made named "My firewall nightmare!!". I understand there is more to internet security, like disabling any daemon I won't use, making strong passwords with numbers and special characters, making several files immutable and a lot more, but my question is: other than this script I am running, do I need to run another script to secure the PC more? Like I said before, I don't know if this one will do or if there is anything else I have to run or change.

There are a lot of questions, I know, but it is just that I need a lot of answers...


Thanks again,

Nandy

iDxMan
10-08-2000, 03:48 AM
I'm assuming you use ipchains.

For ports to be in "stealth" mode (e.g. no response), use the "DENY" attribute.

eg:


EXT_INT="eth0"
ipchains -A input -p tcp -j DENY --destination-port 137:139 -i $EXT_INT -l
ipchains -A input -p udp -j DENY --destination-port 137:139 -i $EXT_INT -l


This would block all incoming samba traffic on eth0.


I haven't looked around for your previous post, but this is the general idea. I believe the port would be reported as closed if you used REJECT instead of DENY.

-r

Craig McPherson
10-08-2000, 07:03 AM
Be careful with using DENY instead of REJECT. It can be damaging in terms of time and resources to remote systems trying to connect to your computer (because they have to keep the connection open for a LONG time -- until they realize that they're not going to get a response and give up), which is a good thing when you're dealing with script kiddies, but you can inconvenience innocent systems that way too. It can be bad for you too: one thing to never do is DENY traffic to the AUTH/Ident port, you want to REJECT it instead. Many services (almost all IRC servers, many mail servers, telnet servers, etc etc) will send you an IDENT request when you connect to them. If you DENY the ident request, you'll have to wait for it to time out on their end before you can continue, which can take quite a long time. You don't gain any real security benefit from dropping packets instead of rejecting them (it won't "hide your computer" like all the little kiddie security sites say unless you also have ping replies turned off, which causes a new set of problems and is generally a bad idea), so IMHO it's usually not worth the effort.

Nandy
10-08-2000, 02:32 PM
iDxMan, is eth0 the NIC that goes to the internet? I think so, so I will drop those strings somewhere in the bottom of the script. Can I add a ":" and more ports if I find more open, right?

Craig McPherson, what is the bad thing about denying ping? I ask you because I am doing so. Just curious.

So other than the firewall script I don't need any other script, right?

This is the script I am using for the firewall. If anybody can tell me a way to improve it or anything it might lack, I will appreciate it.

Thanks,

Nandy


#!/bin/sh

#############################################
#
# IPCHAINS Configuration Script v1.0
#
# Copyright 1999 Matthew Cerha (mcerha@io.com)
#
# This script is designed to configure a simple
# set of IPCHAINS rules for a two interface
# Linux firewall using IP-Masquerading.
#
# Inspiration from the Isinglass firewall
# script. http://www.tummy.com/isinglass
#
# Usage: firewall <on | off>
#
# After configuring the script variables,
# put a a line in your RC scripts like:
#
# /root/bin/firewall on
#
#############################################


#############################################
# Begin Configuration Section
#############################################


# Internal Interface
#
# This is the interface on the inside (trusted
# side) of the firewall.
#
# INTERNAL_INT=<eth0 | eth1 | ppp0>
#
INTERNAL_INT=eth0


# External Interface
#
# This is the interface on the outside (untrusted
# side) of the firewall.
#
# EXTERNAL_INT=<eth0 | eth1 | ppp0>
#
EXTERNAL_INT=eth1


# Masquerading
#
# Uncomment the following to enable IP-masquerading
# of your internal network.
# (Recommended)
#
#MASQ=yes


# Load Firewall Kernel Modules
#
# Uncomment the following if you need to load any
# firewall kernel modules. If you have compiled a kernel
# with the firewalling options built-in (FTP, IRC,
# Quake, RealAudio), please comment the following line.
# Note: If you are using a stock RedHat kernel, you will
# need to uncomment the following line.
#
#MODS=yes


# Common Inbound Services
#
# Uncomment each service that you would like accessible
# on your firewall from the outside world. Enable only
# those services which are absolutely necessary.
#
#FINGER=yes
#FTP=yes
#HTTP=yes
#HTTPS=yes
#IDENT=yes
#IMAP=yes
#POP=yes
#SMTP=yes
#SSH=yes
#TELNET=yes


# DNS Query Replies
#
# Uncomment the following variable to allow the
# responses from DNS servers through the firewall.
# (Recommended)
#
DNS=yes


# Inbound ICMP
#
# Uncomment the following to allow hosts outside your
# firewall to "ping" your firewall.
# (Not Recommended)
#
#IN_PING=yes


# Outbound ICMP
#
# Uncomment the following to allow hosts inside your
# firewall to "ping" and "traceroute" through the
# firewall to the rest of the world.
# (Optional)
#
OUT_PING=yes
OUT_TRACEROUTE=yes


#############################################
# End Configuration Section
#############################################


#############################################
# Begin Firewall Configuration
#############################################


PATH=/sbin:/usr/sbin:/bin:/usr/bin


# The following function enables the firewall rules.
# It allows established connections through the firewall
# by default.

firewall_on () {


# Internal Trusted Network

# 'inet ' (with the space) so an IPv6 "inet6" line is never picked up by mistake.
INTERNAL_NET=`ifconfig $INTERNAL_INT | grep 'inet ' | awk '{print $2}' | cut -d ":" -f 2`
INTERNAL_MASK=`ifconfig $INTERNAL_INT | grep 'inet ' | awk '{print $4}' | cut -d ":" -f 2`

INTERNAL=$INTERNAL_NET/$INTERNAL_MASK


# External Untrusted Network

EXTERNAL_NET=`ifconfig $EXTERNAL_INT | grep 'inet ' | awk '{print $2}' | cut -d ":" -f 2`
#EXTERNAL_MASK=`ifconfig $EXTERNAL_INT | grep 'inet ' | awk '{print $4}' | cut -d ":" -f 2`
EXTERNAL_MASK=32

EXTERNAL=$EXTERNAL_NET/$EXTERNAL_MASK


# Disable kernel-level IP forwarding for security.

echo "0" > /proc/sys/net/ipv4/ip_forward


# Load some firewall kernel modules

if [ -n "$MODS" ] ; then

modprobe ip_masq_ftp
modprobe ip_masq_irc
modprobe ip_masq_raudio
modprobe ip_masq_quake

fi


# Flush out any existing firewall rules

ipchains -F input
ipchains -F output
ipchains -F forward


# Build the list of services to be allowed in via the external
# interface.

COMMON=""

[ -n "$FINGER" ] && COMMON="$COMMON 79"
[ -n "$FTP" ] && COMMON="$COMMON 20 21"
[ -n "$HTTP" ] && COMMON="$COMMON 80"
[ -n "$HTTPS" ] && COMMON="$COMMON 443"
[ -n "$IDENT" ] && COMMON="$COMMON 113"
[ -n "$IMAP" ] && COMMON="$COMMON 143"
[ -n "$POP" ] && COMMON="$COMMON 109 110"
[ -n "$SMTP" ] && COMMON="$COMMON 25"
[ -n "$SSH" ] && COMMON="$COMMON 22"
[ -n "$TELNET" ] && COMMON="$COMMON 23"


# Enable a rule to allow the selected common TCP services in
# the external interface of the firewall.

if [ ! -z "$COMMON" ] ; then

for I in $COMMON
do

ipchains -A input -i $EXTERNAL_INT -p TCP -s 0/0 \
-d $EXTERNAL $I -j ACCEPT

done

fi


# Enable a rule to allow inbound DNS responses from UDP port 53.

if [ -n "$DNS" ] ; then

ipchains -A input -i $EXTERNAL_INT -p UDP -s 0/0 53 \
-d $EXTERNAL -j ACCEPT

fi


# Enable a rule to allow established inbound TCP connections.

ipchains -A input ! -y -i $EXTERNAL_INT -p TCP -s 0/0 \
-d $EXTERNAL -j ACCEPT


# Enable a rule to allow inbound ICMP echo-requests (type 8), so that
# hosts outside the firewall can ping it. With ipchains the ICMP type
# goes in the source "port" position.

if [ -n "$IN_PING" ] ; then

ipchains -A input -i $EXTERNAL_INT -p ICMP -s 0/0 8 \
-d $EXTERNAL -j ACCEPT

fi


# Enable a rule to allow inbound ICMP echo-replies (type 0), which is
# what outbound pings from the inside need in order to get their answers.

if [ -n "$OUT_PING" ] ; then

ipchains -A input -i $EXTERNAL_INT -p ICMP -s 0/0 0 \
-d $EXTERNAL -j ACCEPT

fi


# Enable rules to allow outbound traceroutes. These need the inbound ICMP
# destination-unreachable (3) and TTL-exceeded (11) replies to get back in.

if [ -n "$OUT_TRACEROUTE" ] ; then

ipchains -A input -i $EXTERNAL_INT -p ICMP -s 0/0 3 \
-d $EXTERNAL -j ACCEPT

ipchains -A input -i $EXTERNAL_INT -p ICMP -s 0/0 11 \
-d $EXTERNAL -j ACCEPT

fi


# Enable IP-masquerading.

if [ -n "$MASQ" ] ; then

ipchains -P forward DENY

ipchains -A forward -s $INTERNAL -d 0/0 -j MASQ

fi


# Deny all other inbound traffic.

ipchains -A input -i $EXTERNAL_INT -s 0/0 -d $EXTERNAL -j DENY


# Enable kernel-level IP forwarding.

echo "1" > /proc/sys/net/ipv4/ip_forward


} # End function firewall_on


# The following function disables all firewall rules.

firewall_off () {


# Disable kernel-level IP forwarding for security.

echo "0" > /proc/sys/net/ipv4/ip_forward


# Flush all existing firewall rules.

ipchains -F input
ipchains -F output
ipchains -F forward


} # End function firewall_off


# Main Function

if [ "$1" = "on" ] ; then

echo "Enabling firewall."
firewall_on
exit 0

elif [ "$1" = "off" ] ; then

echo "Disabling firewall."
firewall_off
exit 0

else

echo "Usage: firewall <on | off>" >&2
exit 1

fi


#############################################
# End Firewall Configuration
#############################################

iDxMan
10-08-2000, 06:49 PM
iDxMan, is eth0 the NIC that goes to the internet? I think so, so I will drop those strings
somewhere in the bottom of the script. Can I add a ":" and more ports if I find more open,
right?


Yes, eth0 is my nic to the internet. You can use the colon to specify a wider range of ports, if that's what you're asking.

eg:

1024:65535 etc..

Be careful in what you block. You might need it. Also, you might want to log activity for now (ie: use the "-l" at the end of each ipchains statement), just to see what is going on and perhaps what port is being blocked if something isn't working right.

=r
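The "-l" logging iDxMan mentions makes the kernel write one "Packet log:" line per matching packet, which is the quickest way to see what the DENY rules are catching. As an added example (not from the thread or from the firewall script's author), here is a small Python parser that tallies blocked packets per service and flags TCP/113 DENYs, the ident case Craig's post says should be REJECTed instead; the log lines are constructed samples in the standard 2.2-kernel format, and the addresses are documentation ranges.

```python
import re
from collections import Counter

# Matches the "Packet log:" part of an ipchains -l kernel message (assumed standard
# 2.2-kernel layout); whatever syslog prefix precedes it is ignored.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample lines; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct  8 02:54:11 gw kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:4321 192.0.2.10:139 L=60 S=0x00 I=12345 F=0x4000 T=51 SYN (#6)
Oct  8 02:54:12 gw kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:4322 192.0.2.10:137 L=60 S=0x00 I=12346 F=0x4000 T=51 SYN (#6)
Oct  8 02:55:01 gw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.20:1033 192.0.2.10:113 L=60 S=0x00 I=2201 F=0x4000 T=60 SYN (#6)
Oct  8 02:55:30 gw kernel: Packet log: input DENY eth1 PROTO=1 203.0.113.7:8 192.0.2.10:0 L=84 S=0x00 I=777 F=0x0000 T=51 (#6)
Oct  8 02:56:00 gw kernel: Packet log: input ACCEPT eth1 PROTO=6 198.51.100.20:1034 192.0.2.10:22 L=60 S=0x00 I=2202 F=0x4000 T=60 SYN (#1)
"""

def parse_line(line):
    """Return a dict for one ipchains log line, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["syn"] = " SYN" in line   # a fresh connection attempt rather than a mid-stream packet
    return rec

def summarize(lines):
    """Count blocked packets per (proto, port) and list sources whose ident lookups were DENYed."""
    blocked = Counter()
    ident_denied = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["target"] not in ("DENY", "REJECT"):
            continue
        proto = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
        # For ICMP the kernel logs the type in the source-port position, so report that.
        port = rec["sport"] if proto == "icmp" else rec["dport"]
        blocked[(proto, port)] += 1
        if rec["target"] == "DENY" and proto == "tcp" and rec["dport"] == 113:
            ident_denied.append(rec["src"])   # this peer hangs until its ident query times out
    return blocked, ident_denied
```

Feed it `open("/var/log/messages")` instead of `SAMPLE_LOG.splitlines()` to run it against a real box; the ICMP entry in the sample shows up as icmp/8, an inbound ping that the firewall dropped.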

Nandy
10-08-2000, 10:48 PM
I goofed!!! If you pay attention to the script I have, I wrote eth0 where eth1 was supposed to be and vice versa. That is the reason why I was getting that weird error. After I fixed the NIC order, I tried the port scanner and everything was stealth! Now I want to go to that other website to get a full scan; let's see what happens.

Thanks for all your help,

Nandy

cs25x
10-09-2000, 03:52 AM
nandy:
And that, dear reader, is why you should never ever say eth0 or eth1; you should always define a symbol with a name that means something, like
LAN=eth0
INTERNET=eth1
and abolish all mention of eth0 and eth1 in the actual firewall mechanism.
Then you can change the lot by editing those lines. Or you could run it through sed to fix it, but that does not improve the readability of what you have done.


Pakrat
10-09-2000, 05:17 PM
You guys were talking about DENY; you shouldn't use that because it takes too long to time out. On another message board talking about stealth, one person forwarded the incoming ports to a dummy IP (one not being used) and obviously it doesn't respond, so it looks like no one is home... Any comments?