
Thread: Installing a firewall on a seedbox?

  1. #1
    Hi,

    I've just got a LeaseWeb seedbox, running Debian Linux.

    I've configured X, Gnome, VNC, Java, and Azureus, and everything is working great - the speeds are out of this world.

    The only remaining thing I think I need to do is install a firewall, but I'm not sure how to do this.

    I have installed Firestarter but not actually started the firewall, because I am worried that as soon as I start the firewall it will block my ssh and/or vnc connection to the server, effectively blocking my access to the seedbox.

    So, can anyone offer advice on how to firewall a seedbox, remotely, please?

    Thanks

  2. #2
    Is a firewall really needed on Linux? Here's an article about it:
    http://www.pcworld.com/article/id,12...1/article.html

    iptables already blocks all unwanted connections, I believe. On my server, I just change the default port for ssh & ftp to prevent the bots.

  3. #3
    iptables, by default, doesn't block anything.

    Here's my iptables (on Debian):

    OAA001:~# iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination


    Everything is set to "ACCEPT".

    Here's my iptables on my Ubuntu system, with the settings configured by the Firestarter firewall:

    oscar@lappy:~$ sudo iptables -L
    [sudo] password for oscar:
    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT tcp -- 192.168.1.1 anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
    ACCEPT udp -- 192.168.1.1 anywhere
    ACCEPT 0 -- anywhere anywhere
    ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
    DROP 0 -- anywhere 255.255.255.255
    DROP 0 -- anywhere 255.255.255.255
    DROP 0 -- BASE-ADDRESS.MCAST.NET/8 anywhere
    DROP 0 -- anywhere BASE-ADDRESS.MCAST.NET/8
    DROP 0 -- 255.255.255.255 anywhere
    DROP 0 -- anywhere 0.0.0.0
    DROP 0 -- anywhere anywhere state INVALID
    LSI 0 -f anywhere anywhere limit: avg 10/min burst 5
    INBOUND 0 -- anywhere anywhere
    LOG_FILTER 0 -- anywhere anywhere
    LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Input'

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere limit: avg 10/sec burst 5
    LOG_FILTER 0 -- anywhere anywhere
    LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Forward'

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    ACCEPT tcp -- 192.168.1.4 192.168.1.1 tcp dpt:domain
    ACCEPT udp -- 192.168.1.4 192.168.1.1 udp dpt:domain
    ACCEPT 0 -- anywhere anywhere
    DROP 0 -- BASE-ADDRESS.MCAST.NET/8 anywhere
    DROP 0 -- anywhere BASE-ADDRESS.MCAST.NET/8
    DROP 0 -- 255.255.255.255 anywhere
    DROP 0 -- anywhere 0.0.0.0
    DROP 0 -- anywhere anywhere state INVALID
    OUTBOUND 0 -- anywhere anywhere
    LOG_FILTER 0 -- anywhere anywhere
    LOG 0 -- anywhere anywhere LOG level info prefix `Unknown Output'

    Chain INBOUND (1 references)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere tcp dpt:20000
    ACCEPT udp -- anywhere anywhere udp dpt:20000
    LSI 0 -- anywhere anywhere

    Chain LOG_FILTER (5 references)
    target prot opt source destination

    Chain LSI (2 references)
    target prot opt source destination
    LOG_FILTER 0 -- anywhere anywhere
    LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
    DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
    LOG tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
    DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/RST
    LOG icmp -- anywhere anywhere icmp echo-request limit: avg 1/sec burst 5 LOG level info prefix `Inbound '
    DROP icmp -- anywhere anywhere icmp echo-request
    LOG 0 -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Inbound '
    DROP 0 -- anywhere anywhere

    Chain LSO (0 references)
    target prot opt source destination
    LOG_FILTER 0 -- anywhere anywhere
    LOG 0 -- anywhere anywhere limit: avg 5/sec burst 5 LOG level info prefix `Outbound '
    REJECT 0 -- anywhere anywhere reject-with icmp-port-unreachable

    Chain OUTBOUND (1 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT 0 -- anywhere anywhere
    Last edited by Unstable1; 01-26-2008 at 01:10 AM. Reason: Automerged Doublepost
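As an added example that is not part of this thread: a small POSIX sh audit that reads an "iptables -L" listing and names every built-in chain whose policy is ACCEPT and which carries no rules at all, which is exactly the state of the Debian listing above (everything accepted, nothing filtered). The sample listing embedded in the script is constructed to match that post; the function names and the script itself are mine, not from Debian, Firestarter or the posters. Run it as-is to audit the sample, or pipe a live "iptables -L -n" into audit_listing.

```shell
#!/bin/sh
# Added example (not from the thread): audit an `iptables -L` listing for
# built-in chains with policy ACCEPT and no rules, i.e. chains that filter
# nothing. The sample below is constructed to match the Debian default
# listing posted in the thread.

SAMPLE_DEFAULT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# unfiltered_chains: read an iptables -L listing on stdin and print the
# names of chains whose policy is ACCEPT and which contain no rule lines.
# User-defined chains ("Chain X (N references)") have no policy and are skipped.
unfiltered_chains() {
    awk '
        /^Chain / {
            # report the chain we just finished before starting a new one
            if (chain != "" && policy == "ACCEPT" && rules == 0) print chain
            chain = $2
            policy = ""
            rules = 0
            if (match($0, /\(policy [A-Z]+\)/)) {
                # strip "(policy " and the closing ")"
                policy = substr($0, RSTART + 8, RLENGTH - 9)
            }
            next
        }
        /^target /       { next }   # column header, not a rule
        /^[[:space:]]*$/ { next }   # blank separator between chains
        { rules++ }                 # anything else is a rule line
        END {
            if (chain != "" && policy == "ACCEPT" && rules == 0) print chain
        }
    '
}

# audit_listing: exit 0 when every built-in chain either has rules or a
# non-ACCEPT policy, exit 1 (and name the offenders) when some chain
# accepts everything unconditionally.
audit_listing() {
    offenders=$(unfiltered_chains)
    if [ -n "$offenders" ]; then
        printf 'Unfiltered chains (policy ACCEPT, no rules): %s\n' \
            "$(printf '%s' "$offenders" | tr '\n' ' ')"
        return 1
    fi
    printf 'All chains carry rules or a non-ACCEPT policy\n'
    return 0
}

# Demo on the constructed sample; a live box would use: iptables -L -n | audit_listing
printf '%s\n' "$SAMPLE_DEFAULT" | audit_listing || echo "audit exit status: $?"
```

The check deliberately looks at both policy and rule count: a chain with policy ACCEPT and no rules is the "everything ACCEPT" state the post describes, while the Firestarter listing further down (policy DROP, explicit ACCEPT rules) passes.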

  4. #4
    You're right, iptables by default doesn't filter anything. I'm just talking out of my ass... I guess what I really meant was that all connections to your server will be dropped except to the open ports. A seedbox has only one purpose, so I don't think it needs the security of a firewall, which is really the role of a router for a private network. I think just keeping the software updated and monitoring your network services is enough.

  5. #5
    The server is sitting in a datacenter; they really wouldn't be much of a provider if the datacenter wasn't protected by a hardware firewall/routing system now, would they? There is no need to firewall the server.

    4d7920686f76657263726166742069732066756c6c206f662065656c73


  6. #6
    Quote Originally Posted by Artemis:
    The server is sitting in a datacenter; they really wouldn't be much of a provider if the datacenter wasn't protected by a hardware firewall/routing system now, would they? There is no need to firewall the server.
    Wow! So servers based in datacentres never get hacked??!! LOL, you're having a laugh.

    Before I installed the firewall all the ports were open; now I've installed the firewall, all the ports are closed.

  7. #7
    There has to be a reason to hack the server in the first place; a seedbox isn't exactly the holy grail for a hacker. Although the ports are open, the very fact of what the server does makes it less of a target.

  8. #8
    On Linux boxes I use these:
    http://rfxnetworks.com/apf.php

    In the config you will see the "dev mode"... that flushes iptables 5 minutes after the restart... so you can mess with it with no worries.

    And if you are running ftp and ssh on the standard ports... you will find BFD very useful too when mixed with APF:
    http://rfxnetworks.com/bfd.php
    Last edited by yayyyyyy; 01-26-2008 at 12:49 PM.
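The "dev mode" idea above, a timer that flushes the rules a few minutes after loading them so a mistake cannot lock you out of a remote box, is simple enough to do by hand. The script below is an added example written for this thread; it is not APF and not the poster's configuration. It loads a minimal seedbox ruleset (ssh plus the Azureus listening port, established traffic, rate-limited ping and logging of drops) and starts a background guard first, so that if the new rules cut your ssh session the box reopens itself after the timeout; opening a fresh ssh session and running "confirm" cancels the guard. The port numbers, the 5 minute timeout and the /tmp/fw-guard state directory are placeholders chosen for the example; it assumes Debian with iptables and the state match.

```shell
#!/bin/sh
# Added example (not from the thread and not APF): apply a minimal seedbox
# ruleset over ssh with a lock-out guard in the spirit of APF's "dev mode":
# a background timer flushes the rules and reopens the box after
# GUARD_SECONDS unless confirm_rules is run from a NEW ssh session.
# Assumptions (placeholders): ssh on 22, Azureus on 20000, 5 minute guard,
# state kept under /tmp/fw-guard. Set IPTABLES=echo for a dry run.

IPTABLES=${IPTABLES:-iptables}
SSH_PORT=${SSH_PORT:-22}
BT_PORT=${BT_PORT:-20000}
GUARD_SECONDS=${GUARD_SECONDS:-300}
STATE_DIR=${STATE_DIR:-/tmp/fw-guard}

# gen_rules SSH_PORT BT_PORT: print the ruleset, one iptables argument list
# per line, so it can be reviewed before anything is applied. The INPUT
# policy flips to DROP on the LAST line: the ESTABLISHED rule must already
# be in place or the ssh session you are typing in is cut off.
gen_rules() {
    cat <<EOF
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
-A INPUT -p tcp --dport $1 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport $2 -j ACCEPT
-A INPUT -p udp --dport $2 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix fw-drop:
-P FORWARD DROP
-P INPUT DROP
EOF
}

# rollback: back to the Debian default shown in the thread, everything ACCEPT.
rollback() {
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -F
}

# apply_with_guard: start the guard BEFORE touching any rule, then load them.
apply_with_guard() {
    mkdir -p "$STATE_DIR"
    # The guard ignores SIGHUP so it survives exactly the event it protects
    # against: this ssh session being dropped by the new rules.
    ( trap '' HUP; sleep "$GUARD_SECONDS"; rollback; rm -f "$STATE_DIR/guard.pid" ) &
    echo $! > "$STATE_DIR/guard.pid"
    $IPTABLES -F INPUT
    gen_rules "$SSH_PORT" "$BT_PORT" | while read -r rule; do
        # word splitting of $rule is intended: each line is one argument list
        $IPTABLES $rule
    done
    echo "Rules loaded. Open a NEW ssh session and run 'confirm' within ${GUARD_SECONDS}s or they are flushed."
}

# confirm_rules: run from the fresh session that proved ssh still works;
# cancels the guard so the ruleset stays. Returns 1 if no guard is pending.
confirm_rules() {
    [ -f "$STATE_DIR/guard.pid" ] || { echo "no pending guard"; return 1; }
    kill "$(cat "$STATE_DIR/guard.pid")" 2>/dev/null || true
    rm -f "$STATE_DIR/guard.pid"
    echo "guard cancelled, ruleset kept"
}

case "${1:-}" in
    show)    gen_rules "$SSH_PORT" "$BT_PORT" ;;
    apply)   apply_with_guard ;;
    confirm) confirm_rules ;;
esac
```

Usage as root: "sh fwguard.sh show" prints the rules, "sh fwguard.sh apply" loads them with the guard running, and from a second ssh session "sh fwguard.sh confirm" keeps them. Two details matter for the remote case: the ESTABLISHED rule is appended before the policy changes to DROP, and the guard is started before the first rule is touched, so there is no window in which a mistake leaves the box closed for good.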
