Puppy Linux Discussion Forum
Puppy HOME page : puppylinux.com
"THE" alternative forum : puppylinux.info

Interesting changes
Page 2 of 2 [24 Posts]
Smithy


Joined: 12 Dec 2011
Posts: 434

PostPosted: Fri 15 Mar 2013, 15:23    Post subject:  

rcrsn51 wrote:
Stealthing is a feature provided by some firewall products. I'm surprised that the Linux firewall in Puppy appears to do it.

Smithy: Is your Puppy machine behind a router? Does it have a local IP address like 192.168.x.y?


No rcrsn51, this one isn't; it is a mobile and has dynamic addresses.
SFR


Joined: 26 Oct 2011
Posts: 1072

PostPosted: Fri 28 Jun 2013, 18:04    Post subject:  

Hey Smithy et al.

I've been having exactly the same issue for some time...
Previously all ports were stealth, but for many months I've been getting very similar results to those on your screenshot in the first post.
Perhaps it's related to the fact that my modem was replaced with a router, more or less at that time (but my IP remained within the "normal" (dynamic) range; also, the router is locked by my ISP and I have no access to its settings)..?

Anyway, today I found this:
http://www.linuxquestions.org/questions/linux-security-4/stealth-iptables-ruleset-21338/#post352329
I did apply those rules and all ports are stealth back again!

But, since my knowledge regarding networking/iptables is almost non-existent and that thread is quite old, it'd be reasonable to ask:
Are these rules still OK?
Do they have any major disadvantages in comparison to the standard (automagic) rules?

BTW, I'm not running any server or anything like that, only basic network usage, so there's no need for extended features.

Greetings!
Attachments: Before.jpg (64.7 KB), After.jpg (60.35 KB).


_________________
[O]bdurate [R]ules [D]estroy [E]nthusiastic [R]ebels => [C]reative [H]umans [A]lways [O]pen [S]ource
Omnia mea mecum porto.
Smithy


Joined: 12 Dec 2011
Posts: 434

PostPosted: Mon 01 Jul 2013, 11:07    Post subject:  

Hi SFR, I put that code in and I can't even get on the interweb now.
Had to boot up again.
That's stealth!
SFR


Joined: 26 Oct 2011
Posts: 1072

PostPosted: Mon 01 Jul 2013, 12:42    Post subject:  

Hey Smithy

Looks like these settings are hardcoded for eth0, so if you're on, e.g., wlan0, then the 4th line must be amended:

Quote:
iptables -P INPUT DROP
iptables -F INPUT
iptables -N inbound
iptables -A INPUT -i wlan0 -j inbound
iptables -A INPUT -i lo -j ACCEPT

iptables -A inbound -m state --state ESTABLISHED -j ACCEPT
iptables -A inbound -m state --state RELATED -j ACCEPT

(Or maybe it'd be enough to add a new line with a second interface..? I still know too little about this stuff...)

BTW, when I tried those rules on my second laptop (on which I'm using WiFi only) for the first time, I 'stealthed' myself completely too, but a simple reinitialization via 'Tray -> Firewall -> Automagic' did the job without the need to reboot.

Greetings!

Smithy


Joined: 12 Dec 2011
Posts: 434

PostPosted: Mon 01 Jul 2013, 18:51    Post subject:  

That's a powerful snippet of code, SFR. I have not seen the stealth mode on for a long time; now it's back up. Thanks for that.

If I wanted to open up a port or two, would you know how to do that easily?

I guess if I reran the Puppy firewall setup (either automagic or custom) it might lose the stealth settings that the snippet of code provides?
SFR


Joined: 26 Oct 2011
Posts: 1072

PostPosted: Tue 02 Jul 2013, 05:30    Post subject:  

Glad it works for you, too!

Quote:
If I wanted to open up a port or two, would you know how to do that easily?

I have no idea. Best if someone who knows anything about iptables could take the floor...

Quote:
I guess if I reran the Puppy firewall setup (either automagic or custom) it might lose the stealth settings that the snippet of code provides?

Yep, and additionally the firewall settings get reset to defaults at boot time by the /etc/rc.d/rc.firewall script.

Greetings!

Smithy


Joined: 12 Dec 2011
Posts: 434

PostPosted: Tue 09 Jul 2013, 04:12    Post subject:  

Yes, just a minor modification to the firewall setup dialog could be good, incorporating that code and additionally adding "on the fly" opening up of ports, or putting them back to stealth, as the user sees fit.

I noticed firestarter looks pretty good:
http://www.fs-security.com/
and Gufw (Graphical Uncomplicated Firewall) too:
http://gufw.org/new

But the Puppy firewall just sits there nicely imo and has done for years, so maybe best not to throw out the baby just because the bathwater is a little murky.
Smithy


Joined: 12 Dec 2011
Posts: 434

PostPosted: Sun 14 Jul 2013, 10:52    Post subject:    

I copied bits of this post from 2009 by martin, legend of thor; a bit fiddly-finicky, but that is the Linux way sometimes ;)

This code will open port 2234:

Code:
iptables -A INPUT -i eth1 -p tcp --sport 2234 -m state --state ESTABLISHED -j ACCEPT


If a programme requires a particular port to be opened, such as Nicotine, you can make a simple script that opens the port and executes the programme. Eg:

Code:
#!/bin/sh
# Accept established TCP traffic from source port 2234 on eth1, then start Nicotine
iptables -A INPUT -i eth1 -p tcp --sport 2234 -m state --state ESTABLISHED -j ACCEPT
/usr/bin/nicotine



This will open port 2234 and run the Nicotine programme. This works for me.

Remember, that some programmes require multiple ports to be opened. Just add extra iptables lines and the required port.

To find out what programmes are accessing ports, type in Terminal:

Code:
netstat -nlp



Thanks to trapster for this info.

To check if the port from the first post has opened, type:

Code:
iptables -L


PS: Sometimes your programme still won't be able to access the internet; this may be due to:
1. It requires extra ports to be opened or
2. Modem firewall is blocking.

Security does not appear compromised with this procedure: I went to ShieldsUP! to test and it came back as stealthed.
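The ruleset SFR quoted above and the port-opening lines in Smithy's post, combined into one script as an added example (not code from either poster or from Puppy). It takes the interface name as an argument instead of hardcoding eth0, can be re-run without "chain already exists" errors, and admits listening ports with --dport and state NEW (a --sport/ESTABLISHED rule only matches reply traffic, which the inbound chain already accepts). The file name stealth_fw.sh, the --apply flag and the dry-run default are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): build the "stealth" ruleset from
# SFR's post for a given interface, plus optional inbound TCP ports.
# Assumption: /etc/rc.d/rc.firewall rewrites the rules at boot, so this is
# meant to run afterwards (e.g. from /etc/rc.d/rc.local).
# By default the iptables commands are only printed; --apply runs them.

stealth_rules() {
    iface="$1"; shift
    # Policy DROP: unsolicited packets are silently discarded, which is
    # what scanners such as ShieldsUP! report as "stealth".
    echo "iptables -P INPUT DROP"
    echo "iptables -F INPUT"
    # Create the chain, or just flush it if it already exists, so the
    # script can be re-run after 'Automagic' without errors.
    echo "iptables -N inbound 2>/dev/null || iptables -F inbound"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -i $iface -j inbound"
    # Replies to connections this machine opened itself (browsing etc.).
    echo "iptables -A inbound -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Each remaining argument is a TCP port a local programme listens on.
    # --dport with state NEW admits fresh connections to that port only;
    # everything else still falls through to the DROP policy.
    for port in "$@"; do
        echo "iptables -A inbound -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
}

# How many listening ports a generated ruleset admits (used for checks).
count_open_ports() {
    stealth_rules "$@" | grep -c -- '--dport'
}

main() {
    apply=no
    [ "$1" = "--apply" ] && { apply=yes; shift; }
    iface="${1:-eth0}"
    [ $# -gt 0 ] && shift
    if [ "$apply" = yes ]; then
        stealth_rules "$iface" "$@" | sh -e     # needs root
    else
        stealth_rules "$iface" "$@"             # dry run: print only
    fi
}

# Only run main when invoked as the script itself (assumed file name).
case "$0" in *stealth_fw.sh) main "$@" ;; esac
```

Example: `sh stealth_fw.sh wlan0 2234` prints the rules for WiFi with port 2234 open; add `--apply` in front to load them, then `iptables -L` shows the result.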
SFR


Joined: 26 Oct 2011
Posts: 1072

PostPosted: Sun 14 Jul 2013, 10:59    Post subject:  

Thanks for sharing this, Smithy.
I'll write it down for future reference. :)

Greetings!
