# Newbie to Gentoo/Linux {wants to make it secure}

## rajl

Ok,

I read through the security guide, but its documentation of HOW to do things was rather sparse and confusing, as well as rather overwhelming as to what all I could do to secure my system. To let you know my situation, I'm currently switching from Win2K to Linux, for myriad reasons, and Gentoo has so far been the distro I like the best. However, I don't know how to make it secure enough for my personal preferences. I have this computer attached directly to a LAN. I use it as a general purpose workstation.

Keeping that in mind, here's what I want to do. First, my PC is attached to a campus network, but has no firewall. I currently have iptables installed, but unused. I want to configure iptables to deny all outside connections EXCEPT for: ssh and any other connections that might need to be made for basic web browsing, instant messaging, file transfer, sending and receiving email, and other basic internet functions. I also want to be able to do X tunneling through ssh. I've heard that requires using Xserver though, which I've also heard is a security hole. What is the best way to accomplish this? Keep in mind that I have no current plans to host any servers, unless something would be required for accepting ssh connections (I want to be able to remotely connect to my machine).

For that matter, can anyone either help me out with iptables, or point me towards a really good tutorial? The man page decently describes all the commands, but doesn't give any detailed examples, and the online documentation I've found I'm having trouble applying to my system.

I have also implemented a reasonably good, in my mind, password and file permission system. I also don't log in as root, but as a regular user.

Beyond implementing a decent firewall ruleset (which I don't really know how to do since I don't know all the underlying ports, etc., of networking), if there's anything else I can do, I would appreciate the suggestion. (Perhaps basic intrusion detection after a firewall and/or other measures are up and running.)

----------

## pilla

Have you searched through the threads for firewall configuration? Your questions are not strange nor new for me, I think I've read them a couple of times.

You can also enable the security features in the kernel if you are using gentoo-sources.

BTW, if you are not running http, inetd, xinetd, smtp servers, you have a good start for your security.

----------

## rajl

I've been reading through the newsgroup posts actually. I think my questions may stem from ignorance of Linux more than anything else. For starters, can you clarify how to operate iptables in layman's terms? I know what it does, but it's the how to get it to do it that's giving me trouble.

For example, I see people posting all through the forums their iptables rule sets (some of which are very long and complicated) but I don't know how they're telling iptables to do that.

Does iptables take command line arguments, read from a config file all the time, or have its parameters loaded into it from a script file during boot? If it's command line arguments, are they a "fire and forget" type, or do you have to type in all the long ruleset upon boot up each time (which would seem really stupid, but it almost sounds like that)? If someone can clarify those questions for me, I can probably figure out the rest.

----------

## rajl

What exactly are inetd and xinetd servers? I got the impression that they were some sort of runtime daemon, but I don't know why a daemon is a security risk (assuming this is the case).

----------

## splooge

www.projectfiles.com/firewall is the firewall I use. Should do everything you want.

----------

## Messiah

*rajl wrote:*

> What exactly are inetd and xinetd servers?

They are, if I recall correctly, supervising daemons that can start other daemons on demand.

*Quote:*

> I got the impression that they were some sort of runtime daemon, but I don't know why a daemon is a security risk (assuming this is the case).

In general: a daemon that is running means that anyone on the internet could exploit one more service that is running on your computer. We are talking about "ways to get into your system". You do know (I hope) that you must be more careful with someone inside your system than with someone outside.

----------

## pilla

The problem is with daemons that listen on some IP ports, like ftpd, telnetd, httpd, ....

They are more prone to attacks.

*Messiah wrote:*

> *rajl wrote:* What exactly are inetd and xinetd servers?
>
> They are if I recall correctly supervising daemons that can start other daemons on demand.
>
> *Quote:* I got the impression that they were some sort of runtime daemon, but I don't know why a daemon is a security risk (assuming this is the case).
> ...

----------

## BackSeat

Firewalls... Well, the first thing to know is that you want to block ALL incoming packets EXCEPT port 22 (if you want to ssh into your box from the Internet) and so-called RELATED and ESTABLISHED packets (which are concerned with connections which originated from your box). The best guide to iptables that I've seen is Rusty's Remarkably Unreliable Guides - you want the one on packet filtering, although the others are worth a read too. Written by the guy who wrote the iptables code, and for once a developer who can write documentation well (and has!).

BS

----------

## rajl

Thanks for the help guys. I really appreciate it. I'm having a problem when entering one of my rules though. Whenever I enter the rule:

```
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```

I get the error message "No chain/target/match by that name". Can someone tell me what is wrong with that as a rule?

----------

## fyerk

Did you initialize the chains first? Did you load the kernel modules?

Warning: This snippet of code will drop *all* connections in and out of a computer so don't use it on a box that you don't have console access to. This is just meant to be an example of what to start a firewall with.

```
#!/bin/sh
# Load the netfilter modules (they may already be loaded, or built in)
modprobe ip_tables
modprobe ip_conntrack          # connection tracking, required by -m state
modprobe ip_conntrack_ftp      # lets RELATED match FTP data connections

# Flush rules, remove user-defined chains, and zero the counters
iptables -F
iptables -X
iptables -Z

# Set default policies: anything not explicitly accepted is dropped
iptables -P INPUT   DROP
iptables -P OUTPUT  DROP
iptables -P FORWARD DROP
```
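
The policy BackSeat describes (drop everything inbound except ssh and ESTABLISHED,RELATED traffic), built on top of the skeleton fyerk posted, as an added example; this script is mine, not code from the thread, from Gentoo, or from Rusty's guide. It writes the rules in iptables-save format, which is the same format rajl's Gentoo init script reloads at boot, so the ruleset can be read and checked before it touches the box and then loaded atomically with iptables-restore. The SSH_PORT and SSH_FROM variables, the loopback rule and the rate-limited LOG rule are my assumptions and additions; unlike fyerk's skeleton it leaves OUTPUT at ACCEPT, since a workstation that drops its own outbound packets cannot browse or fetch mail without a per-service OUTPUT rule for each.

```shell
#!/bin/sh
# Added example, not from the thread: emit the "block all inbound except ssh
# and replies to our own connections" policy as an iptables-restore file.
# Assumptions: sshd listens on SSH_PORT; SSH_FROM is the range allowed to
# reach it (0.0.0.0/0 = anywhere; narrow it to the campus range if you can).

SSH_PORT="${SSH_PORT:-22}"
SSH_FROM="${SSH_FROM:-0.0.0.0/0}"

# Print the ruleset in iptables-save format. Lines starting with '#' are
# ignored by iptables-restore, so the comments can stay in the file.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# local processes talking to each other (X, local DNS cache, etc.)
-A INPUT -i lo -j ACCEPT
# replies to connections this box started: browsing, mail, IM, ftp data
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the one service offered to the outside: ssh (X forwarding rides inside it)
-A INPUT -p tcp -s ${SSH_FROM} --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
# record what the DROP policy discards, rate-limited so a scan cannot flood the log
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Number of ACCEPT rules in the INPUT chain. Three is the whole policy;
# anything more should be a deliberate decision, not an accident.
count_accepts() {
    gen_ruleset | grep -c -- '^-A INPUT .*-j ACCEPT$'
}

# Load the ruleset in one shot. Needs root plus the ip_tables, ip_conntrack
# and ipt_state support discussed in this thread; if the state match is
# missing, iptables-restore fails on that line and commits nothing.
apply_ruleset() {
    gen_ruleset | iptables-restore
}

# "sh firewall.sh" prints the rules for review; "sh firewall.sh apply" loads them.
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    gen_ruleset
fi
```

Because iptables-restore only commits the table once every line has been accepted, a typo or a missing kernel match leaves the previous rules in place instead of half a policy. Review the printed output first, then apply it from the console (not over ssh from a remote host) the first time, since a mistake in the ssh rule locks you out.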

----------

## Slurp53

A couple of really great firewalls already exist. Firestarter at http://firestarter.sourceforge.net/ which has an ebuild, and Guarddog at http://www.simonzone.com/software/guarddog/. Both simple and easy to use.

Test your firewall at https://grc.com/x/ne.dll?bh0bkyd2

Hope that helps...


----------

## rajl

I'm using the Gentoo default script, so I know it's bootable. The chains I'm manipulating are the default chains, so they are already initialized. Actually, what I'm doing is entering the chains manually at the command prompt, then using iptables-save to save the rules. Then the Gentoo script loads the rules from the file generated by iptables-save. So technically, when I type at the root prompt:

```
iptables -P INPUT DROP
```

I do OK, but when I type:

```
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
```

I get the error message:

```
No chain/target/match by that name
```

Hopefully that clarifies my problem some. So since the first rule works, I know that I have iptables loaded. What are these ip_conntrack and ip_conntrack_ftp you have listed? Do I need them for what I want to do with my firewall? If I do, can I assume they are loaded, or is there some way I can check (I'm new and still learning Linux)?

Since those are the only 2 rules I need to secure my system right now (not running any servers, remember), I personally would rather do it textually and get it done with, rather than download a bloated program which, however good it may be, requires Gnome libraries I otherwise don't need (I run Fluxbox).

Eventually, I want to set up my box to accept SSH connections as well, so then I will worry about adding a third or fourth rule to handle that situation as well.

----------

## fyerk

You may not have ipt_state compiled into your kernel.

Try this and see what you get.

```
# /sbin/lsmod | grep ip
```

You should see something similar to the following:

```
iris:root# lsmod | grep ip
ipt_REJECT              3552   4  (autoclean)
ipt_LOG                 4000  10  (autoclean)
ipt_state               1152  16  (autoclean)
ipt_limit               1504  10  (autoclean)
ip_conntrack_irc        3040   0  (unused)
ip_conntrack_ftp        4096   0  (unused)
ip_conntrack           16940   3  [ipt_state ip_conntrack_irc ip_conntrack_ftp]
iptable_filter          2272   0  (autoclean) (unused)
ip_tables              11392   5  [ipt_REJECT ipt_LOG ipt_state ipt_limit iptable_filter]
```

If you don't see ipt_state, that's your problem. You'll need to go back into your kernel config and make sure you included support for stateful filtering.

The option you're looking for is Networking Options --> IP: Netfilter Configuration --> Connection state match support
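
The lsmod check above only catches the module case; a match compiled into the kernel never appears in lsmod, which is exactly the gap rajl runs into next. As an added example (mine, not fyerk's or Gentoo's), the script below looks in both places: the loaded module list for ipt_state, and the kernel configuration for CONFIG_IP_NF_MATCH_STATE=y, which is the option behind "Connection state match support" in the 2.4 kernel series. The /proc/config.gz and /usr/src/linux/.config locations are assumptions (the former only exists if the kernel exposes its config), and the sample lsmod and config texts at the bottom are constructed, modelled on the listing quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: is the iptables "state" match
# available, either as the ipt_state module or compiled into the kernel?

# True if lsmod-style text on stdin lists the named module (first column).
module_loaded() {
    awk -v name="$1" '$1 == name { found = 1 } END { exit !found }'
}

# True if kernel-config text on stdin has the option built in (=y).
# "=m" means it is a module (so lsmod should show it once loaded);
# "# ... is not set" means the kernel was built without it.
builtin_option() {
    grep -q "^$1=y\$"
}

# Classify from captured text: $1 = lsmod output, $2 = kernel config text.
# Prints "module", "builtin" or "missing".
state_support() {
    if printf '%s\n' "$1" | module_loaded ipt_state; then
        echo module
    elif printf '%s\n' "$2" | builtin_option CONFIG_IP_NF_MATCH_STATE; then
        echo builtin
    else
        echo missing
    fi
}

# Gather the same two inputs from the running system. Paths are assumptions:
# adjust /usr/src/linux to wherever your kernel tree lives.
live_state_support() {
    lsmod_out=$(lsmod 2>/dev/null || true)
    if [ -r /proc/config.gz ]; then
        config_out=$(zcat /proc/config.gz)
    elif [ -r /usr/src/linux/.config ]; then
        config_out=$(cat /usr/src/linux/.config)
    else
        config_out=""
    fi
    state_support "$lsmod_out" "$config_out"
}

# Constructed sample inputs so the logic can be checked offline.
SAMPLE_LSMOD='Module                  Size  Used by
ipt_state               1152  16  (autoclean)
ip_conntrack           16940   3  [ipt_state]
ip_tables              11392   5  [ipt_state iptable_filter]'

SAMPLE_CONFIG_BUILTIN='CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_MATCH_STATE=y'

SAMPLE_CONFIG_MODULE='CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_CONNTRACK=m
# CONFIG_IP_NF_MATCH_STATE is not set'

echo "state match on this system: $(live_state_support)"
```

A result of "missing" means the rebuild fyerk suggests is needed; "module" means the rule should work once ip_conntrack and ipt_state are loaded (modprobe ipt_state pulls in ip_conntrack); "builtin" means lsmod will never list it and the rule should already be accepted, so the error has another cause. If the config shows the option as =m but lsmod does not list it, the module simply has not been loaded yet, which iptables normally does on demand when a rule first uses -m state.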

----------

## rajl

Ok, I'm thoroughly confused now. I logged in as root, and did "lsmod | grep ip" and got *nothing* related to iptables. Actually, just typing a regular "lsmod" only lists about 10 or 11 modules total.

But I know iptables is installed because if I type "iptables -P INPUT DROP", I can no longer use the internet because, obviously, all incoming packets are being dropped. Since I remember including iptables in the kernel, is it possible that it is not loaded as a module, but is built into the kernel (and thus not seen by lsmod)? If so, how would I find it? Or should I just rebuild the kernel anyway (not something I'm looking forward to since I've never done that before; had a friend help me put Gentoo on and I just looked over his shoulder)?

----------

## dioxmat

Check out the excellent iptables tutorial, and the HOWTOs available from http://tldp.org/

----------

## fyerk

If you compiled iptables directly into the kernel then no, it would not show up in lsmod. Did you also check for Connection state match support?

----------

