The first thing in any Linux (Ubuntu, Mate, etc.) is ufw. In my way I use GUFW before the internet connection: enable gufw, set outgoing and incoming connections to deny, logging full, now allow 53, 443, 631, 5353, 80, 8080 (or allow DNS, CUPS, HTTP, HTTPS, web server). I don't use gmail, yahoo, etc. scripts in my Ubuntu because I have mail in the http/https web browser. Now enable your internet and use a 'trojan port list', copy the ports and then configure ufw with the next commands:

TCP Code:
ufw deny 1:52/tcp && ufw deny 54:79/tcp && ufw deny 81:630/tcp && ufw deny 632:5352/tcp && ufw deny 5354:8079/tcp && ufw deny 8082:10111/tcp && ufw deny 10163:40423/tcp && ufw deny 40425:65535/tcp

UDP Code:
ufw deny 1:52/udp && ufw deny 54:79/udp && ufw deny 81:630/udp && ufw deny 632:5352/udp && ufw deny 5354:8079/udp && ufw deny 8082:10111/udp && ufw deny 10163:40423/udp && ufw deny 40425:65535/udp

I make ufw deny around the allowed ports because I need to use the internet. Update && upgrade && dist-upgrade your Linux, and search on Google for a new kernel (I use 4.7). Open a terminal:

Code: $ cd /tmp/
Code: $ wget http://kernel-link(in .deb)

Wait for update, upgrade, dist-upgrade to finish, then don't restart; go back to the terminal and:

Code: $ sudo dpkg -i *.deb

Now restart. Again don't enable the internet, open a terminal and copy the hard iptables script to the desktop: hard iptables on (pastebin.com/raw/P3jC3hnh). But this is not just to run the script: in my config I use my network card 'enp0s20' and my hostname 'desktop', you need to use yours. Next, in your browser, if you use Firefox, type about:config, find 'media.peerconnection.enable', click and make it false, now exit. Go to (firejail.wordpress.com), download firejail & firetools, open a terminal and install:

Code: sudo dpkg -i *.deb

If an error is shown, use apt-get install -f. Now firejail is installed, but if you want to totally isolate your root, sudo, etc. Ubuntu Linux, type:

Code: usermod --shell /usr/bin/firejail yourusername

This is for most Ubuntu, Mate, etc. Linux distro users. ENJOY.....
I don't understand the part you added to my rules. Why close so many ports like below? If you already told iptables to close everything (the beginning of my rules), then you only need to tell it to open what you want. Telling it to again block certain ports is a redundancy (because they're already closed) and doesn't make the rules safer or "harder":

Code:
# Any_port
$IPT -A INPUT -p tcp -m tcp --dport 8082:65535 -m state --state NEW -j DROP
$IPT -A INPUT -p udp -m udp --dport 8082:65535 -m state --state NEW -j DROP
$IPT -A OUTPUT -p tcp -m tcp --dport 8082:65535 -m state --state NEW -j DROP
$IPT -A OUTPUT -p udp -m udp --dport 8082:65535 -m state --state NEW -j DROP

It makes no sense to me.
First I want to thank you for your rule.... I added that command because many encrypted backdoors can surf on any port. Why not 'locked ports' if you use Linux only for mail reading on http/s or surfing in the most dangerous web locations? In another way, today nothing is secure, we live in a world of crashed security & privacy; this looks like a paranoid config for any user.
Also for people who know how to enter an IP address around any port, default allow and default deny is not a helper, that's why I use ufw default deny incoming and outgoing in the config for any user, paranoid, etc....
Clearly you're not nearly as paranoid as me and others here heheheh. Good for you, though, I wish I could just forget about these kinds of things. They drive me crazy sometimes. You don't seem to understand how those rules work. The first thing they do is lock ALL ports, then you open what you need (like port 80 or 443). You already told iptables to lock down everything, so telling it to lock down those ports again is an unnecessary redundancy which doesn't improve the quality of the firewall. See what @wat0114 said.
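The redundancy point made in the two replies above can be checked mechanically. The following is an added example, not code from any poster in this thread: it simulates first-match port filtering under a default-deny policy (the way ufw and the iptables chains discussed here evaluate rules), compares the allow-only ruleset with the one that adds the thread's deny ranges, and then shows what happens when a user later opens a new application port by appending a rule. The port numbers are the ones from the thread; 8443 is a constructed example port.

```python
"""Simulate first-match port filtering with a default-deny policy and compare
a plain allow-list ruleset with the same list plus explicit deny ranges."""

ALLOWED = [53, 80, 443, 631, 5353, 8080]  # ports opened in the thread

# Deny ranges taken from the thread's ufw commands (same for tcp and udp).
EXTRA_DENY = [(1, 52), (54, 79), (81, 630), (632, 5352), (5354, 8079),
              (8082, 10111), (10163, 40423), (40425, 65535)]


def build_rules(extra_deny=False):
    """Ordered list of (lo, hi, verdict); the first matching rule wins."""
    rules = [(p, p, "allow") for p in ALLOWED]
    if extra_deny:
        rules += [(lo, hi, "deny") for lo, hi in EXTRA_DENY]
    return rules


def verdict(rules, port, default="deny"):
    """First-match evaluation; unmatched ports get the default policy."""
    for lo, hi, action in rules:
        if lo <= port <= hi:
            return action
    return default


def compare_rulesets():
    """Return (rule count without denies, rule count with denies,
    list of ports whose verdict differs between the two rulesets)."""
    base, hard = build_rules(False), build_rules(True)
    differing = [p for p in range(1, 65536) if verdict(base, p) != verdict(hard, p)]
    return len(base), len(hard), differing


def add_app_port(rules, port, position="append"):
    """Open a new port the way a user would, by appending (or prepending) a rule."""
    rule = (port, port, "allow")
    return rules + [rule] if position == "append" else [rule] + rules


if __name__ == "__main__":
    n_base, n_hard, diff = compare_rulesets()
    print(f"rules: {n_base} vs {n_hard}; ports with a different verdict: {len(diff)}")
    # The explicit deny ranges change nothing, but they do shadow rules added later.
    for extra in (False, True):
        rules = add_app_port(build_rules(extra), 8443)
        print(f"extra deny ranges={extra}: appended 'allow 8443' ->", verdict(rules, 8443))
```

The appended allow for the constructed port 8443 is shadowed by the earlier deny 8082:10111 range, which is the maintenance cost the thread's replies refer to; with the plain allow-list it takes effect immediately.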
In about:config, 'media.peerconnection.enable' is a good thing because 'WebRTC detection' is not possible; with NoScript and HTTPS Everywhere, firejail, you don't need anything else anymore.
I spent more time with just a default deny firewall without the helper locked ports, and in netstat -a I found two addresses nsa.http listening and established, also net patrol inside and one hacker, possibly s/he works for the n-s-a or net patrol. But when I configured iptables, ufw, firejail, about:config I don't have the problem anymore...
Trust me, use only iptables with your original rule without my reconfiguration: in your rules port 1900 uPnP is open to the road, also other ports I tested many times, I go to places where it is dangerous for a firewall and Linux gets damaged. Anyway this reconfigured iptables with ufw, about:config and firejail is the best for everyone.
I'm having connection issues with my own ISP so I'm using another connection. But when this is resolved, I'll post my IP here so you and anyone else can (try to) hack me. Let's see if port 1900 is actually open. In the meantime, you can go to http://www.ipfingerprints.com/portscan.php and do a scan of such port. You'll see that it's Filtered (for TCP) and "Open/Filtered" for UDP. It says "Open/Filtered" exactly because the scan cannot determine if the port is open or closed (because it's filtered).
Ok, let's show your rule: "Fragment scan only works with TCP, ICMP Timestamp or ICMP Mask (mtu= ping types or ACK, FIN, Maimon, NULL, SYN, Window, and XMAS scan types". I don't want to say how your rule is bugged for ports, I just want to say Linux is not secured anymore. The world has the NSA etc. I just scanned my rule with netstat -a and I want to show you the result:

Code:
tcp 0 0 username:domain *:* LISTEN
tcp1 0 0 xxx.xxx.xxx.xxx:46190 xx.xxx.xx.xx:https CLOSE_WAIT
And your rule has only --sport without --dport:

Code: $IPT -A INPUT -p tcp -m tcp --sport 1:65535 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j drop_invalid
Then your post is pointless. OMG I can't believe what I'm reading. MY EEEYESS!!!! It doesn't have "--dport" because we're NOT forwarding that traffic, so we don't need a "--destination-port". Read the first lines of my thread: "NOTE 4: This firewall is for home computers without NAT, and is not intended for servers." If you were on a server or a router, then having "--sport" and "--dport" would make more sense. Besides, invalid OUTPUT traffic is being blocked too: So having both "--sport" and "--dport" is again a redundancy because we're separating both INPUT and OUTPUT invalid traffic on my rules. My rule is fine.
Anyway, if anyone thinks this shown upgraded iptables and security is not needed, then feel free to remove it.
No, yours isn't "upgraded". It's really just adding redundancy, and I feel sorry for anyone using those rules, because once the user tries to open new ports for new applications he/she will have to add a few more rules, making the overall firewall just more difficult, not more secure.
I told you this upgraded rule is for paranoid Linux users who use only http and https, cups, dns and 8080; anyone smart can configure the ports how s/he wants..... If your mind is that smart you never leave an open door for ransomware. Bye
And I am still here waiting for a firewall with per-app + per-port + per-ip/dns + per-direction (either outgoing or incoming or both) rules, with a decent GUI that also notifies and asks at connection requests... and all that in the official Arch repo. Because everything else is mostly a waste of time (at least if you sit behind a hw fw).