

IPtables, SSH, Ubuntu Security, etc.


I have noticed some posts need updating. I will be adding new posts for new software versions and moving old posts to an archive. If something on here is incorrect or needs updating, sign up and leave me a post, or use our simple contact form on the right!


Updated IPtables Configuration File – 4-20-2010


#!/bin/sh
#---------------------------------------------------------------
# Initialize all the chains by removing all the rules
# tied to them
#---------------------------------------------------------------

iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

#---------------------------------------------------------------
# The loopback interface should accept all traffic
# Necessary for X-Windows and other socket based services
#---------------------------------------------------------------

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#---------------------------------------------------------------
# Allow outbound DNS queries from the FW and the replies too
#
# - Interface eth0 is the internet interface
#
# Zone transfers use TCP and not UDP. Most home networks
# using a single DNS server won't require TCP statements
#
# Note: the INPUT rule below has no state match, so any UDP
# packet from source port 53 to a high port is accepted,
# whether or not the firewall sent a query.
#---------------------------------------------------------------

iptables -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 \
    -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 \
    -j ACCEPT

#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------

iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
    -j ACCEPT

#---------------------------------------------------------------
# Allow port 80 (www) and 22 (SSH) connections to the firewall
#---------------------------------------------------------------

iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 \
    -m state --state NEW -j ACCEPT

iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 \
    -m state --state NEW -j ACCEPT

#---------------------------------------------------------------
# Allow port 80 (www) and 443 (https) connections from the firewall
#
# The multiport match takes --dports/--sports (plural); with
# --dport, the tcp match grabs the option and rejects "80,443".
# multiport only accepts one of --sports/--dports per instance,
# hence the second -m multiport.
#---------------------------------------------------------------

iptables -A OUTPUT -j ACCEPT -m state \
    --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp \
    -m multiport --dports 80,443 -m multiport --sports 1024:65535

#---------------------------------------------------------------
# Allow previously established connections
# - Interface eth0 is the internet interface
#---------------------------------------------------------------

iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED \
    -i eth0 -p tcp

#---------------------------------------------------------------
# If a packet doesn't match one of the rules above, then
# the policy should be to drop it
#---------------------------------------------------------------

iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP


Firewalling basic concepts….IPtables–WTF?


Basics of firewalls

Every new Linux user will at some point start wondering about installing a firewall. Eventually everyone also runs across the concept of iptables. Early on, one might not know what iptables means, or even have heard the term. This is quite disappointing, considering how important good iptables management is to tight security in a Linux networking environment.

I’m going to assume you’ve heard of a firewall and have some vague notion of what that means in relation to computers and networking. Just in case: a firewall basically provides and enforces rules for allowing or denying network access on specific ports, from or to specific networked computers. Most Windows users think of Windows Firewall, ZoneAlarm, Norton Firewall, or what is referred to as a “hardware firewall”, such as the many router appliances that can be purchased from an electronics vendor.

Windows Firewall and ZoneAlarm, sometimes called “software firewalls”, are in fact little different in concept from hardware firewalls. The biggest difference between the two is the security that each provides. Because the software firewall is on the local system, it provides a reduced security potential: by the time unauthorized traffic touches the software firewall, it has already touched the system you’re trying to protect. That doesn’t mean you shouldn’t use them, however; it’s just an extra layer of security, and used properly it can enhance the overall security of your network. You should never, ever consider it a substitute for a separate hardware firewall.

Applications like the Windows Firewall and ZoneAlarm are really pretty low quality, as firewalls go. Even ZoneAlarm Pro is not that great as a firewall. Norton Firewall is better in some ways than the above, in that it is capable of providing better security, and worse in others, in that it is difficult to configure, hides much of what it’s doing even worse than ZoneAlarm, and in general has the potential to seriously mess things up without ever giving a hint to the user aside from “Oh, it’s probably Norton again.”

Ultimately, the major problem with all of these popular software firewalls on Windows systems is that they do not operate at a low enough level to provide really significant security. There are a couple of firewall applications for Windows that do provide a more fundamental firewalling capability, making use of Windows kernel socket APIs, but the Windows OS design and driver APIs leave room for “leakage”, so that even these Windows socket-layer firewalls (such as the iSafer Winsock Firewall) can be worked around by a clever security cracker, depending on the sort of hardware you’re using for network connectivity, what drivers you’re using, and so on.

Ultimately, the problem with these Windows-based firewalls is that they’re software sitting on top of the OS, trying to get the OS to relinquish control of network packets earlier than it really wants to, so that the traffic can be filtered effectively.

Free UNIX firewalls

Free versions of UNIX tend to have a much better packet filtering model. Linux, for instance, has the netfilter project, which works on kernel-integrated network traffic filtering. The management system for that, which handles filtering rules for netfilter to apply and enforce, is called iptables. The OpenBSD analog to iptables, meanwhile, is called pf, and there are a number of cited advantages and disadvantages to each in comparison to the other.

In any case, it happens that iptables and pf both work extremely well as firewalling systems. While I haven’t done an exhaustive survey, I’d say that probably at least half of the little hardware firewalls you run across in retail electronics outlets are in fact running a stripped-down embedded Linux kernel with netfilter, some running iptables and some running some wacky hybrid thing that replaces iptables just to make everything work differently somehow—probably to frustrate the efforts of people who would like to have more hands-on control of how the router/firewall appliance is working behind the scenes. Regardless, if you’ve used a store-bought router/firewall appliance, there’s a reasonable chance you’ve used something running iptables for firewalling, even if you’ve never installed Linux on anything.

Because of the open, modular design of Linux (and other free versions of UNIX, for that matter), kernel-integrated network packet filtering can be easily implemented and has improved over the years. This allows for a very close marriage of the firewalling capability of such OSes with the network interface itself, providing a basically impenetrable security model, in theory.

In theory, of course, theory and practice are the same; in practice, they are not. The security you can get from this security model, in practice, depends on your ability to effectively define firewall rules and the flexibility and functionality of the filtering rules management system—in this case, iptables.

There was a predecessor to iptables called ipchains. From what I’ve seen thus far, it looks like ipchains differed from iptables mostly in that it was a little more difficult to configure and manage, and in that it was stateless, whereas iptables is stateful. That means that iptables can actually apply firewall rules based on the current state of network traffic: rules can exist that depend upon the amount of traffic you’re receiving on a specific port, for instance, rather than simply blocking or opening that port across the board. This makes iptables much, much more useful for ensuring system security than ipchains. Interestingly enough, ZoneAlarm is also stateful in a very limited fashion, but its statefulness is largely unconfigurable, and the benefits of its stateful operation can be circumvented by automated scripting, if the person writing the scripts knows what he or she is doing.
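As an added example, not part of the original post: a toy Python model of the INPUT and OUTPUT chains from the iptables file above, placed next to a stateless, ipchains-style guess, to show concretely what the state table buys you. The packet class, the flow table and the sample flows are constructed here; nothing talks to a real kernel.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP flags; only the stateless guess looks at them
    ack: bool = False

def state(pkt, ct):
    """-m state, simplified: ESTABLISHED if the flow (either direction) was
    already accepted, else NEW. Real conntrack also knows RELATED/INVALID."""
    seen = (pkt.proto, pkt.sport, pkt.dport) in ct or (pkt.proto, pkt.dport, pkt.sport) in ct
    return "ESTABLISHED" if seen else "NEW"

def output_chain(pkt, ct):
    """The page's OUTPUT rules on eth0: DNS out, established flows, new http/https."""
    ok = ((pkt.proto == "udp" and pkt.dport == 53 and pkt.sport >= 1024)
          or state(pkt, ct) == "ESTABLISHED"
          or (pkt.proto == "tcp" and pkt.dport in (80, 443) and pkt.sport >= 1024))
    if ok:
        ct.add((pkt.proto, pkt.sport, pkt.dport))   # an accepted NEW flow creates state
    return "ACCEPT" if ok else "DROP"                # otherwise the trailing DROP rule

def input_chain(pkt, ct):
    """The page's INPUT rules on eth0, evaluated in order, ending in DROP."""
    if pkt.proto == "udp" and pkt.sport == 53 and pkt.dport >= 1024:
        return "ACCEPT"   # the page's rule has no -m state: any UDP from sport 53 passes
    new_service = pkt.proto == "tcp" and pkt.dport in (22, 80) and pkt.sport >= 1024
    if new_service and state(pkt, ct) == "NEW":
        ct.add((pkt.proto, pkt.sport, pkt.dport))
        return "ACCEPT"
    if pkt.proto == "tcp" and state(pkt, ct) == "ESTABLISHED":
        return "ACCEPT"
    return "DROP"

def stateless_input(pkt):
    """ipchains-style guess, no table: TCP that is not a bare SYN is assumed to be a reply."""
    if pkt.proto == "tcp" and (pkt.dport in (22, 80) or not (pkt.syn and not pkt.ack)):
        return "ACCEPT"
    return "DROP"

def demo():
    """Browse out to 443, receive the reply, then see a stray ACK arrive."""
    ct = set()
    out = output_chain(Pkt("tcp", 40000, 443, syn=True), ct)
    reply = input_chain(Pkt("tcp", 443, 40000, syn=True, ack=True), ct)
    stray = Pkt("tcp", 443, 40001, ack=True)      # no matching outbound flow
    return out, reply, input_chain(stray, ct), stateless_input(stray)
```

The stateful chain drops the stray ACK because no outbound flow ever created state for it, while the stateless guess has to let it through; the unconditional DNS-reply rule is the one place the page's own ruleset still behaves statelessly.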

Firewalls…..have a good day!


Linksys router problems with xbox live get your fix here!


Certain Linksys routers won’t work with Xbox Live. Here is a list of common questions/problems to tell whether this post will help you:

  • My XBOX LIVE won’t connect and I have a linksys router.
  • Why won’t my linksys router connect to xbox live?
  • I just got a new linksys router and my XBOX LIVE won’t work!

Not really, well, sort of! But I did include two alternate ways to fix your issue near the bottom of the post.


Version 2.02.7
This firmware version is not Xbox Live compatible by default with UPnP enabled.

Note: The UPnP implementation on the Linksys WRT54G with firmware 2.02.7 has been found to prevent users from connecting to Xbox Live.

Other versions may be affected as well. You can fix it by disabling UPnP!

Option 1: disable UPnP to allow Xbox Live to work on Linksys routers!

  1. Access your WRT54GS router by navigating to 192.168.1.1 in your web browser, or whatever IP address you have your router set up on.
  2. Log in.
  3. Click on the Administration tab.
  4. Click on the Management sub-tab.
  5. You’ll find the UPnP radio buttons at the bottom; choose Disable.
  6. Save your settings.
  7. Reboot your router, or it won’t work!

Option 2: Put your Xbox 360 into a DMZ

So here we go!

  1. Set a static IP on your Xbox (call MS for support…………..lol).
  2. Access your WRT54GS router by navigating to 192.168.1.1 in your web browser, or whatever IP address you have your router set up on.
  3. Log in.
  4. Select the Security tab located on the top menu bar of the web interface.
  5. Towards the bottom of the screen you should see DMZ. In the pull-down box select Enable, and in the DMZ Host IP Address field 192.168.1.____ enter the IP address of the machine you wish to open up to the internet. (This should be the static IP address of your Xbox.)
  6. Save changes (Apply).
  7. Reboot the router! (think of it like hot sauce)

Steps should be similar for most firmware versions, plus the steps should be in your documentation for your router.


WEP not so secure huh? WEP Cracked in two minutes on video!


What a Joke! It used to take me days to get enough keyed packets.


(Embedded YouTube video: d7tpl77VwO4)
