iptables basics



  1. #1
    Join Date
    Jul 2002
    Location
    San Diego
    Posts
    88

    iptables basics

    OK, I'm a bit of a newbie but have been reading quite a bit regarding iptables. I'm trying to secure my recent Debian 3.0 install. I understand how the rules of iptables work but:

    1. how can I verify that iptables is already installed?
    2. One "how to" I read said iptables might be a module or compiled into the kernel. How do I check to see if it's in the kernel?
    3. I thought the "inetd.conf" file started all the services. However, ssh, telnet, finger are not even listed in this file. Where are those services started and how do I disable them?

    This should get me started. I've pasted my "inetd.conf" file and the output to a "netstat -pant" command which shows some vulnerability (I think). I don't want to run any services. I only need to access the net.


    *********************** here is the inetd.conf file

    # /etc/inetd.conf: see inetd(8) for further informations.
    #
    # Internet server configuration database
    #
    #
    # Lines starting with "#:LABEL:" or "#<off>#" should not
    # be changed unless you know what you are doing!
    #
    # If you want to disable an entry so it isn't touched during
    # package updates just comment it out with a single '#' character.
    #
    # Packages should modify this file by using update-inetd(8)
    #
    # <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
    #
    #:INTERNAL: Internal services
    #echo stream tcp nowait root internal
    #echo dgram udp wait root internal
    #chargen stream tcp nowait root internal
    #chargen dgram udp wait root internal
    discard stream tcp nowait root internal
    discard dgram udp wait root internal
    daytime stream tcp nowait root internal
    #daytime dgram udp wait root internal
    time stream tcp nowait root internal
    #time dgram udp wait root internal

    #:STANDARD: These are standard services.

    #:BSD: Shell, login, exec and talk are BSD protocols.

    #:MAIL: Mail, news and uucp services.
    smtp stream tcp nowait mail /usr/sbin/exim exim -bs

    #:INFO: Info services
    ident stream tcp wait identd /usr/sbin/identd identd

    #:BOOT: Tftp service is provided primarily for booting. Most sites
    # run this only on machines acting as "boot servers."

    #:RPC: RPC based services

    #:HAM-RADIO: amateur-radio services

    #:OTHER: Other services




    ******** here is the netstat -pant output:

    (Not all processes could be identified, non-owned process info
    will not be shown, you would have to be root to see it all.)
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN -
    tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN -
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -
    tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN -
    tcp 0 0 0.0.0.0:13 0.0.0.0:* LISTEN -
    tcp 0 0 0.0.0.0:9 0.0.0.0:* LISTEN -
    tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN -
    tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
    -blakelock-
    RedHat9/WinXP on a
    Dell Inspiron 1100
    Cel 2Ghz
    also running SuSE 8.1 on a
    PIII 700MHz, 384 Mb RAM,
    ASUS CUSL2 M/B
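
Added example (not part of the original posts): question 3 can be answered from the two listings themselves by matching each listening TCP port against the enabled inetd.conf entries; whatever is left over belongs to a standalone daemon started outside inetd (on Debian, from the init scripts under /etc/init.d). The port numbers in SERVICES are the standard /etc/services assignments, embedded so the script runs offline, and the function names are illustrative.

```python
# Constructed sample: entries and sockets copied from the inetd.conf and
# netstat listings in the post above; nothing is read from a live system.
INETD_CONF = """\
#echo stream tcp nowait root internal
discard stream tcp nowait root internal
discard dgram udp wait root internal
daytime stream tcp nowait root internal
#daytime dgram udp wait root internal
time stream tcp nowait root internal
smtp stream tcp nowait mail /usr/sbin/exim exim -bs
ident stream tcp wait identd /usr/sbin/identd identd
"""
NETSTAT = """\
tcp 0 0 0.0.0.0:515 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:113 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:13 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:9 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
"""
# Standard service-name to port assignments (normally looked up in /etc/services).
SERVICES = {"echo": 7, "discard": 9, "daytime": 13, "chargen": 19,
            "smtp": 25, "time": 37, "ident": 113}

def inetd_tcp_ports(conf, services=SERVICES):
    """Return {port: name} for every enabled (uncommented) tcp entry."""
    ports = {}
    for line in conf.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue  # blank line, comment, or disabled entry
        name, proto = fields[0], fields[2]
        if proto == "tcp" and name in services:
            ports[services[name]] = name
    return ports

def listening_tcp_ports(netstat):
    """Local ports of every tcp socket in LISTEN state in `netstat -pant` output."""
    rows = (line.split() for line in netstat.splitlines())
    return {int(f[3].rsplit(":", 1)[1]) for f in rows
            if len(f) >= 6 and f[0] == "tcp" and f[5] == "LISTEN"}

def classify(conf, netstat):
    """Split listeners into (inetd-managed {port: name}, standalone [ports])."""
    inetd, listening = inetd_tcp_ports(conf), listening_tcp_ports(netstat)
    managed = {p: inetd[p] for p in sorted(listening & set(inetd))}
    return managed, sorted(listening - set(inetd))

if __name__ == "__main__":
    print(classify(INETD_CONF, NETSTAT))
```

Ports in the first result are closed by commenting out their inetd.conf line and reloading inetd; ports in the second need their own daemon stopped and removed from the boot sequence.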

  2. #2
    Join Date
    Aug 2002
    Location
    Elmore Co., AL
    Posts
    214

    Here's what I suggest

    Blakelock,

    If you type

    iptables -V

    and it says version 1.2.5 or something like that, then iptables is loaded. If it says "command not found" then it isn't. If it is NOT loaded, type

    ipchains -V

    and if that says command not found, then neither is loaded (both of them cannot be loaded -- they are mutually exclusive).

    Here's what *I* suggest:

    Go to this url and d/l the pdf file so you can a) look at it, and b) copy part of it to a text editor (Win or Lin is OK). If you use Win, I'd suggest a plain-text version like Notepad, but WordPerfect or Word are fine as long as you remember that you need to save the part of this that you're going to save as an ASCII file and be sure to NOT change the Hard Returns to Soft Returns.

    YOU MUST read through the script (my suggestion is to print the applicable portion (as outlined below) in Landscape mode on a laser printer using "minimum" margins to avoid awkward line endings). The reason you MUST read through the script as though you were the computer trying to run the program is that Debian does some things differently than other distros and you will need to check a few things like where is this or that -- may have to comment a line here and there and uncomment some others. The script is very well documented.

    http://www.tldp.org/HOWTO/IP-Masquer...WTO/index.html

    That is David Ranch's HOWTO Masquerade, but it has an excellent script for checking everything you need to have about iptables. I recently used FWVER 0.73s with superior results. I suggest you get the latest HOWTO which contains version 0.74s and scroll down to 6.4 and copy the 6.4.1 to a text file and edit it to suit your purpose and then run it. Note (in case you're not comfortable with this stuff) that you can use Notepad to edit the file on your Windows box and then save it as tables_script_1.txt on a floppy disk (or call it whatever you want) and then mount that floppy on your linux box and copy it to someplace cool like /root

    I would, as a precaution, then open it using vim or pico or whatever editor you're comfortable with and just look it over to make sure you didn't pick up any "windowisms" during the transfer. Then, just run it as root using

    sh /root/tables_script_1.txt

    Be patient as a couple of the things will take a while to run. The current version is 0.74s but the change deals with foreign language issues -- won't hurt you; but, if you find 0.73s, that worked for me (U.S. English).

    Or, you may wish to run it manually (typing in each command as you read it from the script). That is not really as daunting as it sounds and it will give you a good understanding of what has to be checked and where things are and so on. That is actually what *I* did, and it was neat to watch what took zero time and what took a minute or so. At 700 MHz, you'll hardly notice.

    By the way, isn't there a law against running Linux on computers that fast?? Those are all supposed to be reserved for WinDoze, don'tcha know!

    Good luck,

    Chuck Moore
    Montgomery AL
    CNMoore@Knology.net

    P.S. The HOWTO contains information about iptables, ipchains, and ipfwadm -- so be sure to go to 6.4.1 which is the "iptables" part.

    C

  3. #3
    Join Date
    Jul 2002
    Location
    San Diego
    Posts
    88
    thanks for the reply,

    I'll work with it a bit (probably take me a couple of days) and see what I can come up with.

    the machine is fast but I'm forced to use MS sometimes. Once I get linux secured, I can nearly exclusively use it and forget about MS! Oh glory be!
    -blakelock-
    RedHat9/WinXP on a
    Dell Inspiron 1100
    Cel 2Ghz
    also running SuSE 8.1 on a
    PIII 700MHz, 384 Mb RAM,
    ASUS CUSL2 M/B

  4. #4
    Join Date
    Aug 2002
    Location
    Elmore Co., AL
    Posts
    214
    >>Once I get linux secured, I can nearly exclusively use it and forget about MS! <<

    Not likely! Too much good software out there that you'll want to run. But, you will enjoy the stability and control and if you have children who have need for Internet access, you can use things like squid to do a really nice job of keeping them away from the seamier side of the Internet.

    Feel free to email if you have specific Qs

    Chuck
    CNMoore@Knology.net
    Montgomery AL USA
