IPTABLES thread

post your rules files please. And answer any questions if possible.

I don't know shit about networking but I'm trying to protect myself.


Can iptables be of any help in protecting my desktop?

Apparently I can't just block every port in the INPUT and OUTPUT chains because browsers use random ports to create connections.

So all I can do is, for example, allow in INPUT only connections where the source port is like 80 or 443, but nothing stops an attacker from using those ports to attack me, right?


>Can iptables be of any help in protecting my desktop?
>allow in INPUT only connections where the source port is like 80 or 443

Why are you running a public webserver on your desktop?

I'm not. Is iptables only useful for webservers?

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT

Use shorewall to manage your iptables

Let me say all my stupid ideas about it and you correct me. It's a good opportunity.

Ports are the IS channels which processes use to exchange packets.

So every packet starts at some port at the "client" and ends at some port at the "server". These are the source port and destination port respectively.

Packets are useless if no application is listening to the destination port at the server.

The thing is:
-I shouldn't allow any application other than my browser to be listening on my ports. I couldn't find a way to do that with iptables.

-On http and https the source ports will always be 80 and 443. So if I only allow receiving packets with -sport 80 or 443 I should mostly receive page traffic. But I don't even know if sport applies to the INPUT chain (do packets carry source port information?)

By this you can see I know nothing, but tutorials on the net apparently assume you already know everything. Not all areas are like this. Security is a pain in the ass.

Browsers don't use ports in the way most people think. They use lots of high numbered ports, like 237437, etc. That's just a random number like something they would use; they don't actually use the same ports as webservers.

Yes, that's why I said

"Apparently I can't just block every port in INPUT and OUTPUT chains because browsers use random ports to create connections.."

If you actually know how these things work, could you please give some comprehensible instruction on it? Google was of no use for that.

>allow in INPUT only connections where the source port is like 80 or 443
allow only established connections in INPUT
-m state --state ESTABLISHED
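A minimal stateful desktop ruleset that puts the ESTABLISHED advice above together, as an added example and not code posted in the thread. It assumes iptables-restore is installed and that you run it as root; the rule text is generated by a function so it can be inspected before it is loaded.

```shell
#!/bin/sh
# Added example, not from the thread: default-deny INPUT for a desktop.
# Only loopback, replies to connections this host started (the browser's
# ephemeral ports), and rate-limited ping get in; everything else is
# logged (rate-limited) and dropped by the chain policy.
desktop_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Load the ruleset atomically (requires root and iptables-restore).
apply_rules() {
    desktop_rules | iptables-restore
}

# Show the rules when run without arguments; apply them with "apply".
if [ "$1" = "apply" ]; then
    apply_rules
else
    desktop_rules
fi
```

The same file, with the icmp line changed to `-p icmpv6`, loads into ip6tables-restore for hosts with IPv6; ip6tables has its own chains and policies, so this ruleset alone does nothing for v6.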

This script gives you +90% network security
#!/bin/bash
set -e

# fetch the latest list of Chinese IP ranges (one CIDR block per line)
echo "Fetching chinese ip address ranges..."
curl -fL -o /tmp/cn.zone ipdeny.com/ipblocks/data/countries/cn.zone

# create the set (-exist: do not fail if it already exists from an earlier run)
echo "Generating the blocking set..."
ipset create china hash:net -exist

while read -r net; do
    ipset add china "$net" -exist
done < /tmp/cn.zone

# drop packets whose source address is in the set; -C avoids inserting a
# duplicate rule every time the script runs
iptables -C INPUT -m set --match-set china src -j DROP 2>/dev/null ||
    iptables -I INPUT -m set --match-set china src -j DROP

echo "China is blocked!"
rm -f /tmp/cn.zone

Sorry, I misunderstood your question. Like I said, your browser (and any other program) temporarily opens ephemeral ports when you connect to websites and closes them when idle. The only way you can be attacked in this way is if you're connecting directly to a malicious host or you get MITM'd (which shouldn't happen over port 443). These connections happen transiently and only when you initiate them.

Using iptables isn't going to add much if you don't have any passively listening services running, which is why it's more often used on webservers and routers.

And how would I guarantee that I have no such listening services running? They would be trojans, right?


Or, more generally speaking, what can I do to make my Debian more secure other than just updating it and running clamav and rkhunter regularly?

fucking hate those chinks and their http flood

>And how would I guarantee that I have no such listening services running? They would be trojans, right?

Most linux distros come with certain services enabled out of the box (NFS, samba, some others). Disabling them if you don't need them isn't a bad idea, but if you're behind a firewall or an ordinary NAT router it's not that big of a deal. You can easily see what's running in the background.

netstat -nlp --inet --inet6

And how do I know if there is anything strange there? There are a lot of names there. Do I just have to google each one and start memorizing which ones are safe, or is there a better way to do that?

Basically. You have to know what they do to know whether you need them around. Just pay attention to the ones in a LISTENING or ESTABLISHED state and google to see if they're something you can do without.

Also, you can ignore the ones that aren't bound to 0.0.0.0

What about muh Russia?

Only allow ssh access via key auth and not password.

>Also, you can ignore the ones that aren't bound to 0.0.0.0
Why? What does it mean?

It means that you are only listening on specific IP addresses so blocking is irrelevant.
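A check for the 0.0.0.0 point above, added here and not from the thread: it parses the output of `ss -Hlntu` (assumed available; it reports the same sockets as the netstat command earlier) and flags every listener bound to a wildcard address, which is reachable from the network, versus one bound to a specific or loopback address. The sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: classify listening sockets by bind
# address. Input is `ss -Hlntu` (no header): fields are
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port.
exposed_listeners() {
    awk '{
        addr = $5
        sub(/:[0-9]+$/, "", addr)          # strip the port, keep the address
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
            print $1, $5, "EXPOSED"        # any interface, reachable remotely
        else
            print $1, $5, "local-only"     # bound to one address, e.g. loopback
    }'
}

# Constructed sample of ss output for testing offline.
sample_ss_output() {
cat <<'EOF'
tcp   LISTEN 0  128  0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0  4096 127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0  128  [::]:22           [::]:*
udp   UNCONN 0  0    0.0.0.0:5353      0.0.0.0:*
EOF
}

# Live usage (run as root so ss can resolve process names with -p):
#   ss -Hlntu | exposed_listeners
if [ "$1" = "sample" ]; then
    sample_ss_output | exposed_listeners
fi
```

Anything marked EXPOSED is what the firewall or NAT is protecting; anything local-only cannot be reached from another host regardless of iptables.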

ufw default deny incoming
ufw enable