Let me guess? You just installed your brand new Linux box, and now you are feeling really 1337ish, so you decide to port scan yourself. You do, and now you are scared. You probably had at least 10 ports open, including ftp, telnet, ssh, pop3, and some other scary ones. Every one of those open ports is a service listening on the network, and each service is a place where a security flaw can be reached from outside.
So now you have decided that you don't want all these ports open, and you jump out onto the net in search of a firewall. Well, unlike Windows, people on *nix normally configure their own firewalls. Why? Think about it: which is more 1337ish, a firewall that you configured on your own and can show your friends, or one that you downloaded from ZoneAlarm.com?
II. KERNEL FUN
Now for the fun part: getting started. Log in as root and you are ready to begin. First off, I would like to say that this tutorial is for the 2.4.x kernel. If you don't have it by now, you are leaving yourself open to more than I can help you with right now, so do yourself a favor and download the newest kernel from kernel.org.
If you already have a 2.4.x kernel installed, check whether netfilter/iptables support is turned on in the kernel config. If it is, skip down to after the compilation part. If not, you get the wonderful learning experience of compiling and configuring your kernel. Read up on this in the Kernel-HOWTO file under /usr/share/doc/howto/en; it should lead you through the steps. Just make sure that you enable "Network packet filtering" (CONFIG_NETFILTER) under Networking options, and then enable every single option under the IP: Netfilter Configuration submenu.
Now follow the rest of the directions and boot into your new 2.4.x kernel. The next task we tackle is downloading and installing the iptables program (doesn't make sense that it doesn't come preinstalled, does it?). You can get it at http://netfilter.kernelnotes.org/, then just install the rpm (rpm -i iptables1.2). No reboot is needed for this step: iptables is only a userspace tool, and all it requires is that the running kernel has netfilter support. If you built that support as modules, load them with modprobe ip_tables (and modprobe ipt_REJECT for the REJECT target used below); the kernel will also autoload them the first time iptables is run.
III. SCAN YOUR PORTS
Now you also need a little program called nmap, which can be acquired from www.insecure.org/nmap/. This little program really helps: it allows you to scan yourself and find exactly which ports are open. So download and install it. Then, as root (the SYN scan needs raw sockets), enter the command nmap -sS <your ip>, and it will list all the ports that you have open. Surprised? Never thought that a brand new install would have that many ports open, did you? One caveat: scanning your own address from the same box goes over the loopback interface, so for an honest picture of what the rest of the network sees, run the scan from another machine on your LAN if you can. You should have gotten a report like this:
Port    State   Service
21/tcp  open    ftp
22/tcp  open    ssh
23/tcp  open    telnet
25/tcp  open    smtp
37/tcp  open    time
79/tcp  open    finger
80/tcp  open    http
...     ...     ...
and so on...
IV. FIREWALLS HERE WE COME!
These are the ports that we have to close. (If you will never use a service like telnet or finger, the cleanest fix is also to stop it, usually by commenting it out in /etc/inetd.conf or its xinetd file; the firewall then protects you against the ones you do have to keep.) For the filtering, we call up our iptables command. To close off a port you simply type:
iptables -A INPUT -p tcp --dport 21 -j REJECT
This tells iptables to append (-A) a rule to the INPUT chain, the chain that handles packets addressed to this machine, matching tcp traffic to destination port 21, and to REJECT everything that matches. REJECT answers the sender with an ICMP "port unreachable", so in a later nmap the port shows up as filtered; with -j DROP the packet is silently discarded and the port also shows as filtered, and with -j REJECT --reject-with tcp-reset it looks closed, as if nothing were listening at all. Any of these keeps attackers out of the service. Well, as you can see, it would be a lot of work to enter every single one of those commands every time you reboot (the rules live only in kernel memory, so they are gone after a reboot). So how about we make a bash script? Simply place this script in /bin or /usr/bin under the name firewall and make it executable (chmod 700 /usr/bin/firewall).
#!/bin/bash
# Flush the INPUT chain first. Without this, running the script twice
# appends a second copy of every rule.
iptables -F INPUT
iptables -A INPUT -p tcp --dport 21 -j REJECT
iptables -A INPUT -p tcp --dport 22 -j REJECT
iptables -A INPUT -p tcp --dport 23 -j REJECT
iptables -A INPUT -p tcp --dport 25 -j REJECT
iptables -A INPUT -p tcp --dport 37 -j REJECT
... .... .... .... .... ...
echo "Great job shraps! Firewall is intact!"
Now we can just run firewall every time we reboot. Switching into root is a pain for just one command, so use su -c firewall instead, which makes things much easier. Better still, call the script from one of your startup scripts (rc.local on most distributions of the time) so the rules are in place before the services start listening, and check the result with iptables -L INPUT -n, which lists the rules in the order the kernel evaluates them.
V. OPENING A PORT AGAIN
So you have all your ports firewalled? Let's say that now you would like to run an ftp server. But remember? You closed up the ftp port with your firewall. How are we gonna fix this? There is a catch: iptables walks the INPUT chain from top to bottom and the first rule that matches wins. If you append an ACCEPT with -A, it lands below the REJECT rule you already have, the REJECT still matches first, and the port stays shut. So either insert the ACCEPT at the top of the chain with -I:
iptables -I INPUT -p tcp --dport 21 -j ACCEPT
or simply delete the REJECT rule you added earlier by repeating it with -D instead of -A:
iptables -D INPUT -p tcp --dport 21 -j REJECT
Then edit your firewall script and put a # in front of the ftp line to comment it out, so the port stays open after the next reboot too. Congratulations, now you have a working firewall.
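Here is an added example that ties sections III to V together; it is not part of the original tutorial. It pulls the open tcp ports out of an nmap report in the format shown above, and generates the iptables rules from that list instead of one hand-typed line per port, putting the ACCEPT rules for ports you want to keep reachable above the REJECT rules so the ordering problem from section V cannot happen. The embedded nmap report is constructed for the example, and the names CLOSE_PORTS, OPEN_PORTS, DRY_RUN and the show/apply arguments are choices made here, not anything iptables or nmap define.

```shell
#!/bin/sh
# Added example: build the firewall rule set from an nmap report.
# Assumptions: run as root when applying; DRY_RUN=1 prints the iptables
# commands instead of executing them (handy for checking rule order).

# Constructed sample report in the format nmap -sS prints (not a real scan).
SAMPLE_SCAN='Port     State    Service
21/tcp   open     ftp
22/tcp   open     ssh
23/tcp   open     telnet
25/tcp   open     smtp
80/tcp   open     http
111/tcp  filtered sunrpc'

# Read an nmap report on stdin and print each open tcp port on its own line.
# Header lines and ports in other states are skipped.
open_tcp_ports() {
  awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" { sub(/\/tcp$/, "", $1); print $1 }'
}

# Ports to close: default to whatever the sample report shows as open.
CLOSE_PORTS="${CLOSE_PORTS:-$(printf '%s\n' "$SAMPLE_SCAN" | open_tcp_ports | tr '\n' ' ')}"
# Ports to leave reachable, e.g. OPEN_PORTS="21" to run the ftp server.
OPEN_PORTS="${OPEN_PORTS:-}"

# Execute a command, or just print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Emit the whole rule set. The INPUT chain is evaluated top to bottom and the
# first match wins, so every ACCEPT is appended before any REJECT.
build_rules() {
  # Flushing first makes the script safe to re-run; without it each run
  # would append a duplicate copy of every rule.
  run iptables -F INPUT
  for p in $OPEN_PORTS; do
    run iptables -A INPUT -p tcp --dport "$p" -j ACCEPT
  done
  for p in $CLOSE_PORTS; do
    # Skip ports that were deliberately opened above.
    case " $OPEN_PORTS " in *" $p "*) continue ;; esac
    run iptables -A INPUT -p tcp --dport "$p" -j REJECT
  done
}

# Count the rules with a given target (ACCEPT or REJECT) in a dry run.
count_rules() {
  ( DRY_RUN=1; build_rules ) | grep -c -- "-j $1"
}

# Usage: "sh firewall show" previews the rules; "sh firewall apply" loads them.
case "${1:-}" in
  show)  DRY_RUN=1; build_rules ;;
  apply) build_rules && echo "Great job shraps! Firewall is intact!" ;;
esac
```

Run sh firewall show first and read the printed rules top to bottom: that is exactly the order the kernel will check them in. To feed it a real scan instead of the sample, pipe nmap output through open_tcp_ports and pass the result in CLOSE_PORTS, and after applying, confirm with iptables -L INPUT -n that the ACCEPT lines sit above the REJECT lines.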