Linux Firewall for all future

Discussion in 'all things UNIX' started by luxilius, Jul 12, 2016.

  1. luxilius

    luxilius Registered Member

    Joined:
    Jul 12, 2016
    Posts:
    16
    Location:
    serbia
    The first thing in any Linux (Ubuntu, Mate, etc.) is ufw. My way: I use GUFW before connecting to the internet, enable GUFW, set incoming and outgoing connections to deny and logging to full,
    then allow 53, 443, 631, 5353, 80, 8080, or allow DNS, CUPS, HTTP, HTTPS, web server.
    I don't use Gmail, Yahoo, etc. scripts on my Ubuntu because I read my mail over HTTP/HTTPS in the web browser. Now enable your internet, use a 'trojan port list', copy the ports and then configure ufw with the following commands:

    TCP
    Code:
     ufw deny 1:52/tcp && ufw deny 54:79/tcp && ufw deny 81:630/tcp && ufw deny 632:5352/tcp && ufw deny 5354:8079/tcp && ufw deny 8082:10111/tcp && ufw deny 10163:40423/tcp && ufw deny 40425:65535/tcp 
    UDP
    Code:
     ufw deny 1:52/udp && ufw deny 54:79/udp && ufw deny 81:630/udp && ufw deny 632:5352/udp && ufw deny 5354:8079/udp && ufw deny 8082:10111/udp && ufw deny 10163:40423/udp && ufw deny 40425:65535/udp 
    I put ufw deny around the allowed ports :thumb: because I need to use the internet.
    update && upgrade && dist-upgrade your Linux, and search on Google for a new kernel (I use 4.7). Open a terminal:

    Code:
     $ cd /tmp/ 
    Code:
     $ wget http://kernel-link(in .deb) 
    Wait for update, upgrade and dist-upgrade to finish, then don't restart; go back to the terminal and:
    Code:
     $ sudo dpkg -i *.deb 
    Now restart.
    Again, don't enable the internet; open a terminal and copy the hard iptables script to your desktop:
    hard iptables on (pastebin.com/raw/P3jC3hnh). But this is not just running the script: in my config I use my network card 'enp0s20' and my hostname 'desktop'; you need to use yours.
    Next, in your browser, if you use Firefox, type:
    about:config, find 'media.peerconnection.enabled', click it to set it to false, then exit.

    Go to (firejail.wordpress.com), download firejail & firetools, open a terminal and install:
    Code:
     sudo dpkg -i *.deb 
    If an error is shown, use apt-get install -f. Now firejail is installed, but if you want to totally isolate your root, sudo, etc. on Ubuntu Linux, type:
    Code:
     sudo usermod --shell /usr/bin/firejail yourusername 
    This is for most Ubuntu, Mate, etc. Linux distro users. ENJOY.....
     
  2. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    I don't understand the part you added to my rules. Why close so many ports like below? If you already told iptables to close everything (the beginning of my rules), then you only need to tell it to open what you want. Telling it to block certain ports again is a redundancy (because they're already closed) and doesn't make the rules safer or "harder":

    Code:
    # Any_port
    $IPT -A INPUT -p tcp -m tcp  --dport 8082:65535  -m state --state NEW  -j DROP
    $IPT -A INPUT -p udp -m udp  --dport 8082:65535  -m state --state NEW  -j DROP
    $IPT -A OUTPUT -p tcp -m tcp  --dport 8082:65535  -m state --state NEW  -j DROP
    $IPT -A OUTPUT -p udp -m udp  --dport 8082:65535  -m state --state NEW  -j DROP

    It makes no sense to me.
     
    Last edited: Jul 13, 2016
  3. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    1,984
    Location:
    Canada
    Exactly, it's "default deny" already so only allow rules are needed.
     
  4. fblais

    fblais Registered Member

    Joined:
    Jul 31, 2008
    Posts:
    836
    Location:
    Québec, Canada
    Honestly, I do "sudo ufw enable" after installation of the distro and then just forget about that.
     
  5. luxilius

    luxilius Registered Member

    Joined:
    Jul 12, 2016
    Posts:
    16
    Location:
    serbia
    First I want to thank you for your rules.... I added that command because many encrypted backdoors can surf on any port.
    Why not 'lock ports' if you use Linux only for reading mail over HTTP/S or for surfing the most dangerous web locations? Anyway, today nothing is secure; we live in a world of crashed security & privacy. This looks like a paranoid config for any user.
     
  6. luxilius

    luxilius Registered Member

    Joined:
    Jul 12, 2016
    Posts:
    16
    Location:
    serbia
    Also, for people who know how to get in through an IP address on any port, default allow and default deny are no help; that's why I use ufw default deny incoming and outgoing in the config for any user, paranoid, etc....
     
  7. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    Clearly you're not nearly as paranoid as me and others here heheheh :argh: Good for you, though, I wish I could just forget about these kinds of things. They drive me crazy sometimes.

    You don't seem to understand how those rules work. The first thing they do is lock ALL ports, then you open what you need (like port 80 or 443). You already told iptables to lock down everything, so telling it to lock down those ports again is an unnecessary redundancy which doesn't improve the quality of the Firewall. See what @wat0114 said.
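    Added example, not code from this thread or from either poster's rule set: a toy first-match evaluator that plays the two configurations against each other over every port. Under a default-deny policy the extra deny ranges change no verdict, which is the redundancy point above; under a default-accept policy the same ranges (as posted in the first post) leave 8081, 10112-10162 and 40424 to the policy, which shows why a hand-built deny list is fragile. Connection state and ufw's own rule ordering are ignored; that simplification is an assumption of the model.

```python
# Toy first-match evaluator for an iptables/ufw-style chain: walk the rules in
# order, the first match wins, otherwise the chain's default policy decides.
# Constructed example; the rule sets mirror the two configurations in the thread.

DROP, ACCEPT = "DROP", "ACCEPT"

# Ports the first post allows: DNS, HTTP, HTTPS, CUPS, mDNS and 8080.
ALLOWED_PORTS = (53, 80, 443, 631, 5353, 8080)

# Deny ranges the first post adds "around" the allowed ports.
EXTRA_DENY_RANGES = [(1, 52), (54, 79), (81, 630), (632, 5352), (5354, 8079),
                     (8082, 10111), (10163, 40423), (40425, 65535)]


def evaluate(chain, policy, proto, dport):
    """Verdict for one packet: first matching rule, else the chain policy."""
    for rule_proto, lo, hi, target in chain:
        if rule_proto == proto and lo <= dport <= hi:
            return target
    return policy


def allow_only_chain(proto):
    """Default-deny approach: explicit ACCEPT rules, everything else via policy."""
    return [(proto, p, p, ACCEPT) for p in ALLOWED_PORTS]


def with_extra_denies(proto):
    """Same allows, followed by the extra DROP ranges from the first post."""
    return allow_only_chain(proto) + [(proto, lo, hi, DROP) for lo, hi in EXTRA_DENY_RANGES]


def ports_where_verdicts_differ(proto, policy):
    """Ports 1-65535 on which the two chains disagree under the given policy."""
    base, extra = allow_only_chain(proto), with_extra_denies(proto)
    return [p for p in range(1, 65536)
            if evaluate(base, policy, proto, p) != evaluate(extra, policy, proto, p)]


def ports_missed_by_denies(proto):
    """Ports (beyond the explicit allows) that the deny ranges leave to the policy.
    Non-empty means the deny list alone does not decide what is reachable."""
    extra = with_extra_denies(proto)
    return [p for p in range(1, 65536)
            if p not in ALLOWED_PORTS and evaluate(extra, ACCEPT, proto, p) == ACCEPT]


if __name__ == "__main__":
    print("verdicts changed by extra denies under default DROP:",
          ports_where_verdicts_differ("tcp", DROP))   # -> []
    print("ports the deny list leaves to the policy:",
          ports_missed_by_denies("tcp"))              # -> 8081, 10112-10162, 40424
```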
     
  8. luxilius

    luxilius Registered Member

    Joined:
    Jul 12, 2016
    Posts:
    16
    Location:
    serbia
    OK, you say that, but please watch on YouTube about backdoor ports, bypasses, etc. Black Hat #CONF
     
  9. luxilius

    luxilius Registered Member

    Joined:
    Jul 12, 2016
    Posts:
    16
    Location:
    serbia
    In about:config, 'media.peerconnection.enabled' is a good thing because 'WebRTC detection' is not possible; with NoScript and HTTPS Everywhere, firejail, you don't need anything else anymore.
     
  10. luxilius

    luxilius Registered Member

    Joined:
    Jul 12, 2016
    Posts:
    16
    Location:
    serbia
    For a long time I used just a default deny firewall without the helper locked ports, and in netstat -a I found two addresses: nsa.http LISTEN and ESTABLISHED, also net patrol inside and one hacker; possibly s/he works for the N-S-A or net patrol.
    But since I configured iptables, ufw, firejail and about:config I don't have any more problems...
     
  11. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    Yeah, sure, I don't know what I'm talking about ;)
     
  12. luxilius

    luxilius Registered Member

    Joined:
    Jul 12, 2016
    Posts:
    16
    Location:
    serbia
    Trust me, use only iptables with your original rules without my reconfiguration: your port 1900 uPnP is open to the road, and other ports too. I tested many times; I went to places that are dangerous for a firewall, and Linux was damaged.

    Anyway, this reconfigured iptables with ufw, about:config and firejail is best for everyone.
     
  13. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    I'm having connection issues with my own ISP so I'm using another connection. But when this is resolved, I'll post my IP here so you and anyone else can (try to) hack me ;) Let's see if port 1900 is actually open.

    In the meantime, you can go to http://www.ipfingerprints.com/portscan.php and do a scan of such port. You'll see that it's Filtered (for TCP) and "Open/Filtered" for UDP. It says "Open/Filtered" exactly because the scan cannot determine if the port is open or closed (because it's filtered).
     
  14. luxilius

    luxilius Registered Member

    Joined:
    Jul 12, 2016
    Posts:
    16
    Location:
    serbia
    OK, let's look at your rule: "Fragment scan only works with TCP, ICMP Timestamp or ICMP Mask (mtu=8) ping types or ACK, FIN, Maimon, NULL, SYN, Window, and XMAS scan types"

    I don't want to say how your rule is bugged for ports; I just want to say Linux is not secure anymore. The world has the NSA and so on.
    I just scanned my rules with netstat -a and I want to show you the result:
    Code:
     tcp 0 0 username:domain *:* LISTEN
    tcp1 0 0 xxx.xxx.xxx.xxx:46190  xx.xxx.xx.xx:https CLOSE_WAIT 
     
  15. luxilius

    luxilius Registered Member

    Joined:
    Jul 12, 2016
    Posts:
    16
    Location:
    serbia
    And your rule has only --sport without --dport:
    Code:
     $IPT -A INPUT -p tcp -m tcp --sport 1:65535 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j drop_invalid 
    
     
  16. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    Then your post is pointless.

    OMG I can't believe what I'm reading. MY EEEYESS!!!!

    It doesn't have "--dport" because we're NOT forwarding that traffic, so we don't need a "--destination-port". Read the first lines of my thread: "NOTE 4: This firewall is for home computers without NAT, and is not intended for servers." If you were on a server or a router, then having "--sport" and "--dport" would make more sense.

    Besides, invalid OUTPUT traffic is being blocked too:
    So having both "--sport" and "--dport" is again a redundancy because we're separating both INPUT and OUTPUT invalid traffic on my rules.

    My rule is fine.
     
  17. luxilius

    luxilius Registered Member

    Joined:
    Jul 12, 2016
    Posts:
    16
    Location:
    serbia
    Yours is fine, OK. You started the discussion about rules; I only showed upgraded rules....
    Nothing else.....
     
  18. luxilius

    luxilius Registered Member

    Joined:
    Jul 12, 2016
    Posts:
    16
    Location:
    serbia
    Anyway, if anyone thinks these upgraded iptables rules and security are not needed, feel free to remove them.
     
  19. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    No, yours isn't "upgraded" :argh: It's really just adding redundancy, and I feel sorry for anyone using those rules because once the user tries to open new ports for new applications he/she will have to add in a few more rules, making the overall firewall just more difficult, not more secure.
     
  20. luxilius

    luxilius Registered Member

    Joined:
    Jul 12, 2016
    Posts:
    16
    Location:
    serbia
    I told you this upgraded rule is for paranoid Linux users who use only HTTP and HTTPS, CUPS, DNS and 8080; anyone smart can configure the ports how s/he wants.....
    If your mind is that smart you never leave an open door for ransomware. Bye
     
  21. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    523
    And I am still here waiting for a firewall with per-app + per-port + per-ip/dns + per-direction (either outgoing or incoming or both) rules, with a decent GUI that also notifies and asks at connection requests... and all that in the official Arch repo :(

    Because everything else is mostly a waste of time (at least if you sit behind a hardware firewall).
     
  22. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    Have you tried Douane?
     
  23. luxilius

    luxilius Registered Member

    Joined:
    Jul 12, 2016
    Posts:
    16
    Location:
    serbia
    Why don't you accept a remix of security for Linux?
     
  24. amarildojr

    amarildojr Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    1,974
    Location:
    Brasil
    I do accept remixes, as long as they make sense, and as long as they don't contain redundancies.
     