Hi Folks,
I am a newbie home based Linux user with dial-up access to the internet. Up until now, because of the small, infrequent amount of time I am actually connected to the internet, I have simply been ensuring that I always log on as a normal user (rather than root) to protect my PC; however, I have recently been wondering whether it would be wise to install some kind of protection for my PC. Looking in my little Linux text book it would appear that "ipchains" would probably be sufficient for my needs (rather than setting up a dedicated firewall); however, when I try to use ipchains I get the error message:
ipchains: Incompatible with this kernel.
The kernel I am using is 2.4.10 and I am wondering if this error message is hinting that ipchains has now been superseded. Is there a modern replacement for ipchains? If so then what is it and where could I find some info on setting it up to protect my PC?
Thanks,
Ian.
It is certainly possible to run ipchains with 2.4.x kernels, but you'll need to ensure that support for it is enabled within the kernel. This may require a re-compile of your current kernel.
The "modern" version is iptables and operates in a similar fashion to ipchains. Again, you'll need to make sure that your kernel has support for iptables enabled (whether it be as a module, in which case just try "modprobe ip_tables", or statically compiled into the kernel itself).
Regards,
Martyn
Martyn Drake wrote: The "modern" version is iptables and operates in a similar fashion to ipchains. Again, you'll need to make sure that your kernel has support for iptables enabled (whether it be as a module, in which case just try "modprobe ip_tables", or statically compiled into the kernel itself).
Thanks for your prompt reply to my question Martyn. I was unaware of the existence of iptables, but, on checking my system, I have discovered that I must have unknowingly installed it when installing Linux, so it is ready and waiting for use... Time for some experiments.
Ian.
Ian Douglas wrote:
Hi Folks,
I am a newbie home based Linux user with dial-up access to the internet. Up until now, because of the small, infrequent amount of time I am actually connected to the internet, I have simply been ensuring that I always log on as a normal user (rather than root) to protect my PC; however, I have recently been wondering whether it would be wise to install some kind of protection for my PC. Looking in my little Linux text book it would appear that "ipchains" would probably be sufficient for my needs (rather than setting up a dedicated firewall); however, when I try to use ipchains I get the error message:
ipchains: Incompatible with this kernel.
The kernel I am using is 2.4.10 and I am wondering if this error message is hinting that ipchains has now been superseded. Is there a modern replacement for ipchains? If so then what is it and where could I find some info on setting it up to protect my PC?
The replacement (and enhancement) for ipchains is iptables, which is only supported in the 2.4 kernel or later. As usual, Linux >2.4 also supports ipchains, *but* the two can't run on the same box at the same time. It may be that you have iptables already installed. Try typing "iptables -L" and see what happens.
In truth, not only is iptables much more powerful (it's "stateful" for instance) but it's more complicated. One of the many advantages of the SuSE distro is that it comes with an easy-to-use tool called personal-firewall which is designed for just the scenario you describe. That said, a few hours reading on the net, and some fiddling about will produce a working firewall script which you can call from your ipup script.
I've done a fair bit of work on firewalls, and ALUG lists passim have a few examples. Shout if you need help.
Cheers, Laurie.
Hi, RH 7.X auto installs iptables (the 'firewall' option is auto-selected for RPM when you run the install) and comes with a nice config tool which autoruns the first time after install and is thereafter accessible through the Gnome/KDE system menus.
I get the error message: ipchains: Incompatible with this kernel. The kernel I am using is 2.4.10 and I am wondering if this error message is hinting that ipchains has now been superseded.
As others have said IPChains can be enabled but I would say using ipchains under a 2.4 kernel is not the best way to go anyway. IPTables is a much more solid implementation, more efficient at capturing packets and applying rules. More complex true but arguably easier to configure.
Snort IDS is also good to have, but a decent processor machine with plenty of RAM is a must because, although Snort is very efficient, packet logging and rule parsing is quite intensive and does hit performance. However, for a standalone machine snort is not that difficult to set up - just add your machine details to snortfull.conf (which is well commented), restart snort and you're good to go. snortfull.conf contains many pre-set packet matching rules (and is regularly updated as new exploits arise and new rules are developed to detect them) and the snort website/mailing list abounds with good info. The snort list is also very helpful to newbies (I have found).
That way you end up with a good stateful firewall and detection of any attempted misdemeanors. And all for the cost of a little time. Free Software - don't you just love it!!.
£0.02 Regards Earl
[earl.brannigan@lindenhouse.co.uk] www.lindenhouse.co.uk Intellectual : Someone who can spend a whole day locked in a room with a tea cosy without once thinking of trying it on. Highbrow : Someone who can listen to the entire William Tell Overture without once thinking of the Lone Ranger.
Earl Brannigan wrote: Snort IDS is also good ....
Thanks for the advice Earl. I have had a look on my system and have discovered snort (version 1.8.1) is already installed. It sounds good and will be something to experiment with over Christmas but I think I will try and get the hang of iptables first... Loads of fun ahead!
Ian.
Laurie Brown wrote:
The replacement (and enhancement) for ipchains is iptables, which is only supported in the 2.4 kernel or later.
Thanks for the pointer Laurie. Unfortunately my Linux text books are a little out of date and although saying a bit about ipchains do not mention iptables at all.
As usual, Linux >2.4 also supports ipchains, *but* the two can't run on the same box at the same time. It may be that you have iptables already installed. Try typing "iptables -L" and see what happens.
"iptables -L" works so, as you suspected, it appears I must have unknowingly installed iptables when I installed Linux. It is simply that I did not know it existed. I notice that you mention that the two programs cannot coexist... that probably explains why I could not get ipchains to work.
... One of the many advantages of the SuSE distro is that it comes with an easy-to-use tool called personal-firewall which is designed for just the scenario you describe. That said, a few hours reading on the net, and some fiddling about will produce a working firewall script which you can call from your ipup script.
Thanks to your help Laurie, now that I know what I am looking for, I have indeed found an easy graphical interface. I must admit however that I like experimenting with things (I guess that is what is drawing me to Linux in the first place) so although I will probably use the graphical interface produced rules as a starting point I would like to experiment with them so as to try to learn what they are doing (though will make sure I back up the original config file first as, knowing me, I will soon render my system unusable!).
Thanks for your help.
Ian.
Ian Douglas wrote:
Laurie Brown wrote:
The replacement (and enhancement) for ipchains is iptables, which is only supported in the 2.4 kernel or later.
Thanks for the pointer Laurie. Unfortunately my Linux text books are a little out of date and although saying a bit about ipchains do not mention iptables at all.
We all have that problem. I don't much bother with them these days, because there is ALWAYS a more up-to-date paper on the Net somewhere. One thing about Linux that stands out over 'Doze is the help one gets from others, and especially the amount of documented eventually-successful-trial-and-error sessions there are out there. That doesn't seem to happen much with 'Doze. The alternative seems to be to pay MS for access to the Secret Scrolls or spend hours searching on their various web sites for slanted info and spin. Your first two ports of call should be http://www.google.com and http://www.dejanews.com which are, IMO, utterly essential to any serious IT professional. I'd even pay for access to dejanews...
As usual, Linux >2.4 also supports ipchains, *but* the two can't run on the same box at the same time. It may be that you have iptables already installed. Try typing "iptables -L" and see what happens.
"iptables -L" works so, as you suspected, it appears I must have unknowingly installed iptables when I installed Linux. It is simply that I did not know it existed. I notice that you mention that the two programs cannot coexist... that probably explains why I could not get ipchains to work.
It does indeed. At least your kernel supports iptables, so that's another steep learning curve put off for another day!
... One of the many advantages of the SuSE distro is that it comes with an easy-to-use tool called personal-firewall which is designed for just the scenario you describe. That said, a few hours reading on the net, and some fiddling about will produce a working firewall script which you can call from your ipup script.
Thanks to your help Laurie, now that I know what I am looking for, I have indeed found an easy graphical interface. I must admit however that I like experimenting with things (I guess that is what is drawing me to Linux in the first place) so although I will probably use the graphical interface produced rules as a starting point I would like to experiment with them so as to try to learn what they are doing (though will make sure I back up the original config file first as, knowing me, I will soon render my system unusable!).
It took me a fair while to get my head round ipchains, but once I did, it was easy. It took less time for iptables, but it was still pretty steep, but now I'm quite comfortable with it. I got a huge amount of help from the Net and from ALUG. My firewalls are always dedicated boxes with custom and cut-down kernels, so I'm a bit hazy on using it on a "working" box, but I have scripts to share if you need them.
GUIs are ok in my book, but I'd advise you look at the resultant config and try to understand it. "Real" Linux firewalls are usually some old crappy P100 with 2 NICs, no k/b, monitor or mouse, and certainly no GUI...
Cheers, Laurie.
Laurie Brown wrote: My firewalls are always dedicated boxes with custom and cut-down kernels, so I'm a bit hazy on using it on a "working" box, but I have scripts to share if you need them.
Yes Laurie, I certainly would be interested to see your scripts, so long as you are comfortable sharing them and don't feel you will be compromising your own security by doing so. I used the GUI to set up some default iptables rules (and have listed them below if you want to comment on them) so as to have a base set to work from to start my tweaking, but am not sure what they mean yet as I haven't had time to read up on iptables yet. Being a home user I would not be interested in using the PC as a web/ftp server, nor in fact offering any services to the internet at all, just sending and receiving email, browsing web pages and downloading files to the PC via the serial line modem dial-up link. My PC does also have an ethernet card linking it to a trusted network, but this network does not need to send, nor receive, anything via the internet, and in fact is only occasionally plugged in and used as I keep tripping over the wire!
Ian.
##### OUTPUT FROM "iptables -L" #####
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
devchain   all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain devchain (1 references)
target     prot opt source               destination
rulchain   all  --  anywhere             anywhere
rulchain   all  --  anywhere             anywhere

Chain maschain (0 references)
target     prot opt source               destination

Chain rulchain (2 references)
target     prot opt source               destination
DROP       udp  --  anywhere             anywhere             udp dpt:sunrpc
DROP       udp  --  anywhere             anywhere             udp dpt:965
DROP       udp  --  anywhere             anywhere             udp dpt:958
DROP       udp  --  anywhere             anywhere             udp dpt:asipregistry
DROP       udp  --  anywhere             anywhere             udp dpt:time
DROP       udp  --  anywhere             anywhere             udp dpt:snmp
DROP       udp  --  anywhere             anywhere             udp dpt:mdbs_daemon
DROP       udp  --  anywhere             anywhere             udp dpt:ntalk
DROP       udp  --  anywhere             anywhere             udp dpt:talk
DROP       udp  --  anywhere             anywhere             udp dpt:blackjack
DROP       udp  --  anywhere             anywhere             udp dpt:nfs
DROP       udp  --  anywhere             anywhere             udp dpt:1024
DROP       icmp --  anywhere             anywhere             icmp redirect
DROP       udp  --  anywhere             anywhere
LOG        tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN LOG level warning
REJECT     tcp  --  anywhere             anywhere             tcp flags:SYN,RST,ACK/SYN reject-with tcp-reset
##### END OF OUTPUT #####
Hi Folks,
I have had a look at the HOW-TOs and it seems that to set up iptables to protect my home PC (which I just use to browse the internet, download a few files, and send/receive email) all I need to do is use the following commands:
# Create chain which blocks new connections, except if coming from inside.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP

# Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block
This seems too simple to be true. Can anyone see any problems with just using the above simple configuration?
Ian.
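The same "block" chain approach, written up as a complete script for the dial-up scenario Ian describes. This is an added example, not Ian's posted rules or anything from the thread; it assumes ppp0 is the dial-up interface and that the iptables build has the state and limit matches, and it adds a default-deny INPUT policy, a loopback rule and rate-limited logging that the posted fragment lacks.

```shell
#!/bin/sh
# Added example, not code from the thread: a stateful iptables firewall for a
# single dial-up host, built around the "block" chain Ian posted.
# Assumed: ppp0 is the dial-up link and iptables has the state/limit matches.
PPP_IF="${PPP_IF:-ppp0}"
IPT="${IPT:-iptables}"

# Every rule goes through this helper; with DRY_RUN=1 it prints the command
# instead of running it, so the rule set can be reviewed before loading.
rule() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$IPT $*"
  else
    "$IPT" "$@"
  fi
}

firewall_rules() {
  # Clean slate, then default-deny for inbound and forwarded traffic. The
  # posted script left INPUT at ACCEPT, which fails open if a rule is lost.
  rule -F
  rule -X
  rule -P INPUT DROP
  rule -P FORWARD DROP
  rule -P OUTPUT ACCEPT
  # Loopback is needed by local services (X, local mail delivery, printing).
  rule -A INPUT -i lo -j ACCEPT

  rule -N block
  # Replies to connections this host started, plus related traffic such as
  # ICMP errors and FTP data connections, pass the stateful match.
  rule -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
  # New connections are accepted only if they did not arrive on the dial-up
  # link ("-i ! ppp0" is the older spelling of the same negation).
  rule -A block -m state --state NEW ! -i "$PPP_IF" -j ACCEPT
  # Log what is about to be dropped, rate-limited so a scan cannot fill the
  # log, then drop it.
  rule -A block -m limit --limit 5/minute -j LOG --log-prefix "FW-DROP: "
  rule -A block -j DROP
  rule -A INPUT -j block
  rule -A FORWARD -j block
}

# "sh firewall.sh apply" (as root) loads the rules, e.g. from /etc/ppp/ip-up;
# DRY_RUN=1 just prints them.
if [ "${1:-}" = "apply" ]; then
  firewall_rules
fi
```

Run it with DRY_RUN=1 first and read the printed rules against "iptables -L" afterwards; the log prefix makes dropped packets easy to find in /var/log/messages.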
This could be useful, an (allegedly) very secure config file. I don't have the know-how to critique it but it seemed to be well-received on news:uk.comp.os.linux
http://spodzone.org.uk/packages/secure/iptables.sh
But, can someone advise me please on the best way to view the contents of the .sh file? I understand that this is a shell script file but I am not at all sure how to actually deal with it without running it.
Sorry if this is a really ignorant question. I did it by copy/pasting from the browser window into an editor but presumably there is some method a little more elegant than that?
TIA and happy hols Syd
So is it definitely on at Simon's parents' palatial place? If so, when - was there a final decision on the date?
Cheers Syd