Security Quick-Start HOWTO for Red Hat Linux
We can see a typical connection between two computers in this one line excerpt from netstat output:
    tcp       30      0 169.254.179.139:1359    18.29.1.67:21           CLOSE_WAIT
So to summarize using the above example, we have a client (me) connecting to a server (rpmfind.net), and the connection is defined and controlled by the respective ports on either end. The data is transmitted and controlled by packets. The server is using a "privileged" port (i.e. a port below number 1024) which stays open, listening for connections. The "unprivileged" port used on my end by my client application is temporary: it is only opened for the duration of the connection, and only responds to the server's port at the other end of the connection. Generally speaking, this type of port is not vulnerable to attacks or break-ins. The server's port is vulnerable since it remains open. The administrator of the FTP server will need to take appropriate precautions to make sure that server is secure. Other Internet connections, such as to web servers or mail servers, work similarly to the above example, though the server ports are different. SMTP mail servers use port 25, and web servers typically use port 80. See the Ports section for other commonly used ports and services.
One more point on ports: ports are only accessible if there is something listening on that port. No one can force a port open if there is no service or daemon listening there, ready to handle incoming connection requests. A closed port is a totally safe port.
And a final point on the distinction between clients and servers. The example above did not show a telnet or ftp server in the LISTENER section of the netstat output. In other words, no such servers were running locally. You do not need to run a telnet or ftp server daemon in order to connect to somebody else's telnet or ftp server. These are only for providing those services to others who would be making connections to you, which you don't really want to be doing in most cases. This in no way affects the ability to use telnet and ftp client software.
1-19 - assorted protocols, many of which are antiquated, and probably none of which are needed on a modern system. If you don't know what any of these are, then you definitely don't need them. The echo service (port 7) should not be confused with the common ping program. Leave all these off.
20 - FTP-DATA. "Active" FTP connections use two ports: 21 is the control port, and 20 is where the data comes through. Passive FTP does not use port 20 at all. Low risk, but see below.
21 - FTP server port, aka File Transfer Protocol. A well entrenched protocol for transferring files between systems. Very high risk, and maybe the number one crack target.
22 - SSH (Secure Shell), or sometimes PCAnywhere. Low to moderate risk (yes, there are exploits even against so-called "secure" services).
23 - Telnet server. For LAN use only. Use ssh instead in non-secure environments. Moderate risk.
25 - SMTP, Simple Mail Transfer Protocol, or mail server port, used for sending outgoing mail, and transferring mail from one place to another. Moderate risk. This has had a bad history of exploits, but has improved lately.
37 - Time service. This is the built-in inetd time service. Low risk. For LAN use only.
53 - DNS, or Domain Name Server port. Name servers listen on this port, and answer queries for resolving host names to IP addresses. High risk.
67 (UDP) - BOOTP, or DHCP, server port. Low risk. If using DHCP on your LAN, this does not need to be exposed to the Internet.
68 (UDP) - BOOTP, or DHCP, client port. Low risk.
69 - tftp, or Trivial File Transfer Protocol. Extremely insecure. LAN only, if really, really needed.
79 - Finger, used to provide information about the system, and logged in users. Low risk as a crack target, but gives out way too much information and should not be run.
80 - WWW or HTTP standard web server port. The most commonly used service on the Internet. Low risk.
98 - Linuxconf web access administrative port. LAN only, if really needed at all.
110 - POP3, aka Post Office Protocol, mail server port. POP mail is mail that the user retrieves from a remote system. Low risk.
111 - sunrpc (Sun Remote Procedure Call), or portmapper port. Used by NFS (Network File System), NIS (Network Information Service), and various related services. Sounds dangerous and is high risk. LAN use only. A favorite crack target.
113 - identd, or auth, server port. Used, and sometimes required, by some older style services (like SMTP and IRC) to validate the connection. Probably not needed in most cases. Low risk, but could give an attacker too much information about your system.
119 - nntp or news server port. Low risk.
123 - Network Time Protocol for synchronizing with time servers where a high degree of accuracy is required. Low risk, but probably not required for most users. rdate makes an easier and more secure way of updating the system clock. And then inetd's built-in time service for synchronizing LAN systems is another option.
137-139 - NetBios (SMB) services. Mostly a Windows thing. Low risk on Linux, but LAN use only. 137 is a very commonly seen port attempt. A rather obnoxious protocol from Redmond that generates a lot of "noise", much of which is harmless.
143 - IMAP, Interim Mail Access Protocol. Another mail retrieval protocol. Low to moderate risk.
161 - SNMP, Simple Network Management Protocol. More commonly used in routers and switches to monitor statistics and vital signs. Not needed for most of us, and low risk.
177 - XDMCP, the X Display Management Control Protocol for remote connections to X servers. Low risk, but LAN only is recommended.
443 - HTTPS, a secure HTTP (WWW) protocol in fairly wide use. Low risk.
465 - SMTP over SSL, secure mail server protocol. Low risk.
512 (TCP) - exec is how it shows in netstat. Actually the proper name is rexec, for Remote Execution. Sounds dangerous, and is. High risk, LAN only if at all.
512 (UDP) - biff, a mail notification protocol. Low risk, LAN only.
513 - login, actually rlogin, aka Remote Login. No relation to the standard /bin/login that we use every time we log in. Sounds dangerous, and is. High risk, and LAN only if really needed.
514 (TCP) - shell is the nickname, and how netstat shows it. Actually, rsh is the application for "Remote Shell". Like all the "r" commands, this is a throwback to kinder, gentler times. Very insecure, so high risk, and LAN only usage, if at all.
514 (UDP) - syslog daemon port, only used for remote logging purposes. The average user does not need this. Probably low risk, but definitely LAN only if really required.
515 - lp or print server port. High risk, and LAN only of course. Someone on the other side of the world does not want to use your printer for its intended purpose!
587 - MSA, or "submission", the Mail Submission Agent protocol. A new mail handling protocol supported by most MTAs (mail servers). Low risk.
631 - the CUPS (print daemon) web management port. LAN only, low risk.
635 - mountd, part of NFS. LAN use only.
901 - SWAT, Samba Web Administration Tool port. LAN only.
993 - IMAP over SSL, secure IMAP mail service. Very low risk.
995 - POP over SSL, secure POP mail service. Very low risk.
1024 - This is the first "unprivileged" port, which is dynamically assigned by the kernel to whatever application requests it. This can be almost anything. Ditto for ports just above this.
1080 - Socks Proxy server. A favorite crack target.
1243 - SubSeven Trojan. Windows-only problem.
1433 - MS SQL server port. A sometimes target. N/A on Linux.
2049 - nfsd, Network File Service Daemon port. High risk, and LAN usage only is recommended.
3128 - Squid proxy server port. Low risk, but for most should be LAN only.
3306 - MySQL server port. Low risk, but for most should be LAN only.
5432 - PostgreSQL server port. LAN only, relatively low risk.
5631 (TCP), 5632 (UDP) - PCAnywhere ports. Windows only. PCAnywhere can be quite "noisy", and broadcast to wide address ranges.
6000 - X11 TCP port for remote connections. Low to moderate risk, but again, this should be LAN only. Actually, this can include ports 6000-6009 since X can support multiple displays and each display would have its own port. ssh's X11Forwarding will start using ports at 6010.
6346 - gnutella.
6667 - ircd, Internet Relay Chat Daemon.
6699 - napster.
7100-7101 - Some font servers use these ports. Low risk, but LAN only.
8000 and 8080 - common web cache and proxy server ports. LAN only.
10000 - webmin, a web based system administration utility. Low risk at this point.
27374 - SubSeven, a commonly probed-for Windows-only Trojan. Also, 1243.
31337 - Back Orifice, another commonly probed-for Windows-only Trojan.
More services and corresponding port numbers can be found in /etc/services. Also, the "official" list is http://www.iana.org/assignments/port-numbers.
A great analysis of what probes to these and other ports might mean from Robert Graham: http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html. A very good reference.
Another point here, these are the standard port designations. There is no law that says any service has to run on a specific port. Usually they do, but certainly they don't always have to.
Just a reminder that when you see these types of ports in your firewall logs, it is not anything to go off the deep end about. Not if you have followed Steps 1-3 above, and verified your firewall works. You are fairly safe. Much of this traffic may be "stray bullets" too -- Internet background noise, misconfigured clients or routers, noisy Windows stuff, etc.
    $ netstat -tua
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 *:printer               *:*                     LISTEN
    tcp        0      0 bigcat:8000             *:*                     LISTEN
    tcp        0      0 *:time                  *:*                     LISTEN
    tcp        0      0 *:x11                   *:*                     LISTEN
    tcp        0      0 *:http                  *:*                     LISTEN
    tcp        0      0 bigcat:domain           *:*                     LISTEN
    tcp        0      0 bigcat:domain           *:*                     LISTEN
    tcp        0      0 *:ssh                   *:*                     LISTEN
    tcp        0      0 *:631                   *:*                     LISTEN
    tcp        0      0 *:smtp                  *:*                     LISTEN
    tcp        0      1 dsl-78-199-139.s:1174   64.152.100.93:nntp      SYN_SENT
    tcp        0      1 dsl-78-199-139.s:1175   64.152.100.93:nntp      SYN_SENT
    tcp        0      1 dsl-78-199-139.s:1173   64.152.100.93:nntp      SYN_SENT
    tcp        0      0 dsl-78-199-139.s:1172   207.153.203.114:http    ESTABLISHED
    tcp        1      0 dsl-78-199-139.s:1199   www.xodiax.com:http     CLOSE_WAIT
    tcp        0      0 dsl-78-199-139.sd:http  63.236.92.144:34197     TIME_WAIT
    tcp      400      0 bigcat:1152             bigcat:8000             CLOSE_WAIT
    tcp     6648      0 bigcat:1162             bigcat:8000             CLOSE_WAIT
    tcp      553      0 bigcat:1164             bigcat:8000             CLOSE_WAIT
    udp        0      0 *:32768                 *:*
    udp        0      0 bigcat:domain           *:*
    udp        0      0 bigcat:domain           *:*
    udp        0      0 *:631                   *:*

    $ netstat -taun
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
    tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
    tcp        0      1 169.254.179.139:1174    64.152.100.93:119       SYN_SENT
    tcp        0      1 169.254.179.139:1175    64.152.100.93:119       SYN_SENT
    tcp        0      1 169.254.179.139:1173    64.152.100.93:119       SYN_SENT
    tcp        0      0 169.254.179.139:1172    207.153.203.114:80      ESTABLISHED
    tcp        1      0 169.254.179.139:1199    216.26.129.136:80       CLOSE_WAIT
    tcp        0      0 169.254.179.139:80      63.236.92.144:34197     TIME_WAIT
    tcp      400      0 127.0.0.1:1152          127.0.0.1:8000          CLOSE_WAIT
    tcp     6648      0 127.0.0.1:1162          127.0.0.1:8000          CLOSE_WAIT
    tcp      553      0 127.0.0.1:1164          127.0.0.1:8000          CLOSE_WAIT
    udp        0      0 0.0.0.0:32768           0.0.0.0:*
    udp        0      0 192.168.1.1:53          0.0.0.0:*
    udp        0      0 127.0.0.1:53            0.0.0.0:*
    udp        0      0 0.0.0.0:631             0.0.0.0:*
Let's look at the first few lines of this in detail. On line one,
    tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
Line two is a little different:
    tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN
With the next three entries, we are back to listening on all available interfaces:
    tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
The next two lines are interesting:
    tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
The last three LISTENER entries:
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN

    tcp        0      1 169.254.179.139:1174    64.152.100.93:119       SYN_SENT
    tcp        0      1 169.254.179.139:1175    64.152.100.93:119       SYN_SENT
    tcp        0      1 169.254.179.139:1173    64.152.100.93:119       SYN_SENT
    tcp        0      0 169.254.179.139:1172    207.153.203.114:80      ESTABLISHED
    tcp        1      0 169.254.179.139:1199    216.26.129.136:80       CLOSE_WAIT
    tcp        0      0 169.254.179.139:80      63.236.92.144:34197     TIME_WAIT
    tcp      400      0 127.0.0.1:1152          127.0.0.1:8000          CLOSE_WAIT
    tcp     6648      0 127.0.0.1:1162          127.0.0.1:8000          CLOSE_WAIT
    tcp      553      0 127.0.0.1:1164          127.0.0.1:8000          CLOSE_WAIT

    udp        0      0 0.0.0.0:32768           0.0.0.0:*
    udp        0      0 192.168.1.1:53          0.0.0.0:*
    udp        0      0 127.0.0.1:53            0.0.0.0:*
    udp        0      0 0.0.0.0:631             0.0.0.0:*
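The walk-through above boils down to one question per LISTEN line: is the service bound to every interface (0.0.0.0), to loopback only, or to a single LAN address, and does the port list above say it should be LAN only? As an added example (not part of the HOWTO), here is a small Python script that asks that question of `netstat -taun` output. The embedded sample is the HOWTO's own listing; the LAN_ONLY table is an assumed subset of the port notes above, and the script expects numeric (`-n`) output.

```python
"""Audit 'netstat -taun' output for LAN-only services bound to all interfaces.

Added example, not code from the HOWTO. NETSTAT_SAMPLE is the HOWTO's own
'netstat -taun' listing, embedded so the script runs offline; LAN_ONLY is an
assumed subset of the ports the HOWTO marks as "LAN only".
"""

# Assumption: these ports are the ones we want flagged if bound to 0.0.0.0.
LAN_ONLY = {
    37: "time", 111: "sunrpc", 137: "netbios", 138: "netbios", 139: "netbios",
    177: "xdmcp", 512: "rexec", 513: "rlogin", 514: "rsh", 515: "lp",
    631: "cups", 2049: "nfsd", 6000: "x11", 8000: "proxy", 8080: "proxy",
}

NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.1:53          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 169.254.179.139:1172    207.153.203.114:80      ESTABLISHED
udp        0      0 0.0.0.0:32768           0.0.0.0:*
udp        0      0 192.168.1.1:53          0.0.0.0:*
udp        0      0 0.0.0.0:631             0.0.0.0:*
"""


def parse_listeners(text):
    """Return (proto, bind_addr, port) for every listening socket.

    TCP listeners carry the LISTEN state. UDP sockets have no state column;
    a UDP socket whose foreign address is the wildcard '*' is effectively
    a listener, so it is included too.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "udp"):
            continue
        proto, local, foreign = parts[0], parts[3], parts[4]
        state = parts[5] if len(parts) > 5 else ""
        is_listener = (proto == "tcp" and state == "LISTEN") or (
            proto == "udp" and foreign.endswith(":*"))
        if not is_listener:
            continue
        addr, port = local.rsplit(":", 1)
        # Named ports (from output without -n) are kept as strings and will
        # simply not match the numeric LAN_ONLY table.
        listeners.append((proto, addr, int(port) if port.isdigit() else port))
    return listeners


def exposure(addr):
    """Classify a bind address the way the HOWTO walks through them."""
    if addr in ("0.0.0.0", "*"):
        return "all interfaces"
    if addr.startswith("127."):
        return "loopback only"
    return "single interface"


def audit(text):
    """Return (proto, port, service) for LAN-only services bound everywhere."""
    findings = []
    for proto, addr, port in parse_listeners(text):
        if exposure(addr) == "all interfaces" and port in LAN_ONLY:
            findings.append((proto, port, LAN_ONLY[port]))
    return findings


if __name__ == "__main__":
    for proto, addr, port in parse_listeners(NETSTAT_SAMPLE):
        print(f"{proto:<4}{addr:<18}{port:<8}{exposure(addr)}")
    for proto, port, svc in audit(NETSTAT_SAMPLE):
        print(f"WARNING: {svc} ({proto}/{port}) is bound to all interfaces")
```

Pipe a live listing in with `netstat -taun | python3 audit.py` after adapting the `__main__` block to read stdin; the CLOSE_WAIT and ESTABLISHED lines are ignored because only listeners matter here.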
    # netstat -tap
    Active Internet connections (servers and established)
    Local Address           Foreign Address         State       PID/Program name
    *:printer               *:*                     LISTEN      988/inetd
    bigcat:8000             *:*                     LISTEN      1064/junkbuster
    *:time                  *:*                     LISTEN      988/inetd
    *:x11                   *:*                     LISTEN      1462/X
    *:http                  *:*                     LISTEN      1078/httpd
    bigcat:domain           *:*                     LISTEN      956/named
    bigcat:domain           *:*                     LISTEN      956/named
    *:ssh                   *:*                     LISTEN      972/sshd
    *:631                   *:*                     LISTEN      1315/cupsd
    *:smtp                  *:*                     LISTEN      1051/master
    $ /bin/ps ax |grep 1051 |grep -v grep
     1051 ?        S      0:24 /usr/libexec/postfix/master

    $ /bin/ps -axf
      956 ?        S      0:00 named -u named
      957 ?        S      0:00  \_ named -u named
      958 ?        S      0:46  \_ named -u named
      959 ?        S      0:47  \_ named -u named
      960 ?        S      0:00  \_ named -u named
      961 ?        S      0:11  \_ named -u named
     1051 ?        S      0:30 /usr/libexec/postfix/master
     1703 ?        S      0:00  \_ tlsmgr -l -t fifo -u -c
     1704 ?        S      0:00  \_ qmgr -l -t fifo -u -c
     1955 ?        S      0:00  \_ pickup -l -t fifo -c
     1863 ?        S      0:00  \_ trivial-rewrite -n rewrite -t unix -u -c
     2043 ?        S      0:00  \_ cleanup -t unix -u -c
     2049 ?        S      0:00  \_ local -t unix
     2062 ?        S      0:00  \_ smtpd -n smtp -t inet -u -c
If all this has not shed any light, we might also try locate:
    $ locate /master
    /etc/postfix/master.cf
    /var/spool/postfix/pid/master.pid
    /usr/libexec/postfix/master
    /usr/share/vim/syntax/master.vim
    /usr/share/vim/vim60z/syntax/master.vim
    /usr/share/doc/postfix-20010202/html/master.8.html
    /usr/share/doc/postfix-20010202/master.cf
    /usr/share/man/man8/master.8.gz

    $ find / -name master
    /usr/libexec/postfix/master
If lsof is installed, it is another command that is useful for finding who owns processes or ports:
    # lsof -i :631
    COMMAND PID USER   FD   TYPE DEVICE SIZE NODE NAME
    cupsd  1315 root    0u  IPv4   3734       TCP *:631 (LISTEN)

    # fuser -v -n tcp 631
                         USER       PID ACCESS COMMAND
    631/tcp              root      1315 f....  cupsd
See the man pages for fuser and lsof command syntax.
    # grep rpc.statd /etc/init.d/*
    /etc/init.d/nfslock:    [ -x /sbin/rpc.statd ] || exit 0
    /etc/init.d/nfslock:    daemon rpc.statd
    /etc/init.d/nfslock:    killproc rpc.statd
    /etc/init.d/nfslock:    status rpc.statd
    /etc/init.d/nfslock:    /sbin/pidof rpc.statd >/dev/null 2>&1; STATD="$?"

    # ls -l /proc/1315/exe
    lrwxrwxrwx    1 root     root            0 July  4 19:41 /proc/1315/exe -> /usr/sbin/cupsd

    # netstat -aup
    Active Internet connections (servers and established)
    Local Address           Foreign Address         State       PID/Program name
    *:32768                 *:*                                 956/named
    bigcat:domain           *:*                                 956/named
    bigcat:domain           *:*                                 956/named
    *:631                   *:*                                 1315/cupsd
So we found no big surprises in this hypothetical situation.
If you suspect you have been broken into, do not trust netstat or ps output. There is a good chance that they, and other system components, have been tampered with in such a way that the output is not reliable.
The Red Hat watch/security mailing list: https://listman.redhat.com/mailman/listinfo/redhat-watch-list
Red Hat errata and security notices: http://redhat.com/errata/
The Red Hat update FTP site: ftp://updates.redhat.com/
Other relevant documents available from the Linux Documentation Project:
Security HOWTO: http://tldp.org/HOWTO/Security-HOWTO.html
Firewall HOWTO: http://tldp.org/HOWTO/Firewall-HOWTO.html
Ipchains HOWTO: http://tldp.org/HOWTO/IPCHAINS-HOWTO.html
User Authentication: http://tldp.org/HOWTO/User-Authentication-HOWTO/index.html, includes a nice discussion on PAM.
VPN (Virtual Private Network): http://tldp.org/HOWTO/VPN-HOWTO.html and http://tldp.org/HOWTO/VPN-Masquerade-HOWTO.html
The Remote X Apps Mini HOWTO, http://www.tldp.org/HOWTO/mini/Remote-X-Apps.html, includes excellent discussions on the security implications of running X Windows.
The Linux Network Administrators Guide: http://tldp.org/LDP/nag2/index.html, includes a good overview of networking and TCP/IP, and firewalling.
The Linux Administrator's Security Guide: http://www.seifried.org/lasg/, includes many obvious topics of interest, including firewalling, passwords and authentication, PAM, and more.
Securing Red Hat: http://tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/index.html
Tools for creating custom ipchains and iptables firewall scripts:
Firestarter: http://firestarter.sourceforge.net
Two related projects: http://seawall.sourceforge.net/ for ipchains, and http://shorewall.sourceforge.net/ for iptables.
Port number assignments, and what that scanner may be scanning for:
http://www.linuxsecurity.com/resource_files/firewalls/firewall-seen.html
http://www.sans.org/newlook/resources/IDFAQ/oddports.htm
http://www.iana.org/assignments/port-numbers, the official assignments.
Linux Security.com: http://www.linuxsecurity.com, loaded with good info, and Linux specific. Lots of good docs: http://www.linuxsecurity.com/docs/
CERT, http://www.cert.org
The SANS Institute: http://www.sans.org/
The Coroner's Toolkit (TCT): http://www.fish.com/security/, discussions and tools for dealing with post break-in issues (and preventing them in the first place).
Junkbuster: http://www.junkbuster.com, a web proxy and cookie manager.
PGP: http://www.gnupg.org/
Other documentation and reference sites:
Linux Security.com: http://www.linuxsecurity.com/docs/
Linux Newbie: http://www.linuxnewbie.org/nhf/intel/security/index.html
The comp.os.linux.security FAQ: http://www.linuxsecurity.com/docs/colsfaq.html
The Internet Firewall FAQ: http://www.interhack.net/pubs/fwfaq/
The Site Security Handbook RFC: http://www.ietf.org/rfc/rfc2196.txt
Miscellaneous sites of interest:
http://www.bastille-linux.org, for Mandrake and Red Hat only.
SAINT: http://www.wwdsi.com/saint/, system security analysis.
SSL: http://www.openssl.org/
SSH: http://www.openssh.org/
Scan yourself: http://www.hackerwhacker.com
PAM: http://www.kernel.org/pub/linux/libs/pam/index.html
Detecting Trojaned Linux Kernel Modules: http://members.prestige.net/tmiller12/papers/lkm.htm
Rootkit checker: http://www.chkrootkit.org
Port scanning tool nmap's home page: http://www.insecure.org
Nessus, more than just a port scanner: http://www.nessus.org
Tripwire, intrusion detection: http://www.tripwire.org
Snort, sniffer and more: http://www.snort.org
http://www.mynetwatchman.com and http://dshield.org are "Distributed Intrusion Detection Systems". They collect log data from subscribing "agents", and collate the data to find and report malicious activity. If you want to fight back, check these out.
Text files are just that.
Binary files are not.
Binary files are meant to be read by machines, text files can be easily edited, and are generally read by people. But text files can be (and frequently are) read by machines. Examples of this would be configuration files, and scripts.
There are a number of different text editors available in *nix. A few are found on every system. That would be '/bin/ed' and '/bin/vi'. 'vi' is almost always a clone such as 'vim' due to license problems. The problem with 'vi' and 'ed' is that they are terribly user unfriendly. Another common editor that is not always installed by default is 'emacs'. It has a lot more features and capability, and is not easy to learn either.
As to 'user friendly' editors, 'mcedit' and 'pico' are good choices to start with. These are often much easier for those new to *nix.
The first things to learn are how to exit an editing session, how to save changes to the file, and then how to avoid breaking long lines that should not be broken (wrapped).
The 'vi' editor
'vi' is one of the most common text editors in the Unix world, and it's nearly always found on any *nix system. Actually, due to license problems, the '/bin/vi' on a Linux system is always a 'clone', such as 'elvis', 'nvi', or 'vim' (there are others). These clones can act exactly like the original 'vi', but usually have additional features that make it slightly less impossible to use.
So, if it's so terrible, why learn about it? Two reasons. First, as noted, it's almost guaranteed to be installed, and other (more user friendly) editors may not be installed by default. Second, many of the 'commands' work in other applications (such as the pager 'less' which is also used to view man pages). In 'less', accidentally pressing the 'v' key starts 'vi' in most installations.
'vi' has two modes. The first is 'command mode', and keystrokes are interpreted as commands. The other mode is 'insert' mode, where nearly all keystrokes are interpreted as text to be inserted.
==> Emergency exit from 'vi'
1. Press the <esc> key up to three times, until the computer beeps or the screen flashes.
2. Press the keys :q! <Enter>
That is: colon, the letter Q, and then the exclamation point, followed by the Enter key.
'vi' commands are as follows. All of these are in 'command' mode:
a Enter insertion mode after the cursor.
A Enter insertion mode at the end of the current line.
i Enter insertion mode before the cursor.
o Enter insertion mode opening a new line BELOW current line.
O Enter insertion mode opening a new line ABOVE current line.
h move cursor left one character.
l move cursor right one character.
j move cursor down one line.
k move cursor up one line.
/mumble move cursor forward to next occurrence of 'mumble' in the text
?mumble move cursor backward to next occurrence of 'mumble' in the text
n repeat last search (? or / without 'mumble' to search for will do the same thing)
u undo last change made
^B Scroll back one window.
^F Scroll forward one window.
^U Scroll up one half window.
^D Scroll down one half window.
:w Write to file.
:wq Write to file, and quit.
:q quit.
:q! Quit without saving.
<esc> Leave insertion mode.
NOTE: The four 'arrow' keys almost always work in 'command' or 'insert' mode.
The 'ed' editor.
The 'ed' editor is a line editor. Other than the fact that it is virtually guaranteed to be on any *nix computer, it has no socially redeeming features, although some applications may need it. A _lot_ of things have been offered to replace this 'thing' from 1975.
==> Emergency exit from 'ed'
1. Type a period on a line by itself, and press <Enter>. This gets you to the command mode, or prints a line of text if you were already in command mode.
2. Type q and press <Enter>. If there were no changes to the file, this action quits ed. If you then see a '?', this means that the file had changed, and 'ed' is asking if you want to save the changes. Press q and <Enter> a second time to confirm that you want out.
The 'pico' editor.
'pico' is a part of the Pine mail/news package from the University of Washington (state, USA). It is a very friendly editor, with one minor failing. It silently inserts a line feed character and wraps the line when it exceeds (generally) 74 characters. While this is fine while creating mail, news articles, and text notes, it is often fatal when editing system files. The solution to this problem is simple. Call the program with the -w option, like this:
pico -w file_2_edit
Pico is so user friendly, no further instructions are needed. It _should_ be obvious (look at the bottom of the screen for commands). There is an extensive help function. Pico is available with nearly all distributions, although it _may_ not be installed by default.
==> Emergency exit from 'pico'
Press and hold the <Ctrl> key, and press the letter x. If no changes had been made to the file, this will quit pico. If changes had been made, it will ask if you want to save the changes. Pressing n will then exit.
The 'mcedit' editor.
'mcedit' is part of the Midnight Commander shell program, a full featured visual shell for Unix-like systems. It can be accessed directly from the command line ( mcedit file_2_edit ) or as part of 'mc' (use the arrow keys to highlight the file to be edited, then press the F4 key).
mcedit is probably the most intuitive editor available, and comes with extensive help. "commands" are accessed through the F* keys. Midnight Commander is available with nearly all distributions, although it _may_ not be installed by default.
==> Emergency exit from 'mcedit'
Press the F10 key. If no changes have been made to the file, this will quit mcedit. If changes had been made, it will ask if you want to Cancel this action. Pressing n will then exit.
A simple, default scan of "localhost":
    # nmap localhost

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Interesting ports on bigcat (127.0.0.1):
    (The 1507 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    25/tcp     open        smtp
    37/tcp     open        time
    53/tcp     open        domain
    80/tcp     open        http
    3000/tcp   open        ppp

    Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
Let's do a little more intensive scan. Let's check all ports -- TCP and UDP.
    # nmap -sT -sU -p 1-65535 localhost

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Interesting ports on bigcat (127.0.0.1):
    (The 131050 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    25/tcp     open        smtp
    37/tcp     open        time
    53/tcp     open        domain
    53/udp     open        domain
    80/tcp     open        http
    3000/tcp   open        ppp
    8000/tcp   open        unknown
    32768/udp  open        unknown

    Nmap run completed -- 1 IP address (1 host up) scanned in 385 seconds

    # nmap bigcat

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Interesting ports on bigcat (192.168.1.1):
    (The 1520 ports scanned but not shown below are in state: closed)
    Port       State       Service
    22/tcp     open        ssh
    3000/tcp   open        ppp

    Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

    # nmap bigcat

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    Note: Host seems down. If it is really up, but blocking our ping probes, try -P0

    Nmap run completed -- 1 IP address (0 hosts up) scanned in 30 seconds
Oops, I blocked ICMP (ping) while I was at it this time. One more time:
    # nmap -P0 bigcat

    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    All 1523 scanned ports on bigcat (192.168.1.1) are: filtered

    Nmap run completed -- 1 IP address (1 host up) scanned in 1643 seconds
    #!/bin/sh
    #
    # Configure kernel sysctl run-time options.
    #
    ###################################################################

    # Anti-spoofing blocks
    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
      echo 1 > $i
    done

    # Ensure source routing is OFF
    for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
      echo 0 > $i
    done

    # Ensure TCP SYN cookies protection is enabled
    [ -e /proc/sys/net/ipv4/tcp_syncookies ] &&\
      echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    # Ensure ICMP redirects are disabled
    for i in /proc/sys/net/ipv4/conf/*/accept_redirects; do
      echo 0 > $i
    done

    # Ensure oddball addresses are logged
    [ -e /proc/sys/net/ipv4/conf/all/log_martians ] &&\
      echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

    [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ] &&\
      echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ] &&\
      echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

    ## Optional from here on down, depending on your situation. ############

    # Ensure ip-forwarding is enabled if
    # we want to do forwarding or masquerading.
    [ -e /proc/sys/net/ipv4/ip_forward ] &&\
      echo 1 > /proc/sys/net/ipv4/ip_forward

    # On if your IP is dynamic (or you don't know).
    [ -e /proc/sys/net/ipv4/ip_dynaddr ] &&\
      echo 1 > /proc/sys/net/ipv4/ip_dynaddr

    # eof
The same effect by using /etc/sysctl.conf instead:
    #
    # Add to existing sysctl.conf
    #

    # Anti-spoofing blocks
    net.ipv4.conf.default.rp_filter = 1
    net.ipv4.conf.all.rp_filter = 1

    # Ensure source routing is OFF
    net.ipv4.conf.default.accept_source_route = 0
    net.ipv4.conf.all.accept_source_route = 0

    # Ensure TCP SYN cookies protection is enabled
    net.ipv4.tcp_syncookies = 1

    # Ensure ICMP redirects are disabled
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.all.accept_redirects = 0

    # Ensure oddball addresses are logged
    net.ipv4.conf.default.log_martians = 1
    net.ipv4.conf.all.log_martians = 1
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    net.ipv4.icmp_ignore_bogus_error_responses = 1

    ## Optional from here on down, depending on your situation. ############

    # Ensure ip-forwarding is enabled if
    # we want to do forwarding or masquerading.
    net.ipv4.ip_forward = 1

    # On if your IP is dynamic (or you don't know).
    net.ipv4.ip_dynaddr = 1

    # end of example
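Either form only sets the values; neither tells you later whether they are still in effect (a package upgrade, a different kernel, or another boot script can change them). As an added example (not from the HOWTO), the Python script below reads the same /proc/sys/net/ipv4 entries the script above writes and reports any that disagree with the HOWTO's values. The root directory is a parameter so it can be checked against a constructed tree offline as well as a live /proc; the "weak tree" it builds is a made-up sample, and the optional ip_forward and ip_dynaddr settings are deliberately left out of the expected set because they are site-specific.

```python
"""Verify that the HOWTO's sysctl hardening values are in effect.

Added example, not code from the HOWTO. EXPECTED mirrors the mandatory part
of the HOWTO's sysctl script; the temp-dir tree built by build_sample_tree()
is constructed sample data standing in for a live /proc/sys.
"""
import os
import tempfile

# Expected values, taken from the HOWTO's sysctl script. ip_forward and
# ip_dynaddr are site-specific and are intentionally not checked.
EXPECTED = {
    "net/ipv4/conf/all/rp_filter": "1",
    "net/ipv4/conf/default/rp_filter": "1",
    "net/ipv4/conf/all/accept_source_route": "0",
    "net/ipv4/conf/default/accept_source_route": "0",
    "net/ipv4/tcp_syncookies": "1",
    "net/ipv4/conf/all/accept_redirects": "0",
    "net/ipv4/conf/default/accept_redirects": "0",
    "net/ipv4/conf/all/log_martians": "1",
    "net/ipv4/icmp_echo_ignore_broadcasts": "1",
    "net/ipv4/icmp_ignore_bogus_error_responses": "1",
}


def read_sysctl(root, key):
    """Read one knob under root; None if the kernel does not provide it."""
    try:
        with open(os.path.join(root, key)) as f:
            return f.read().strip()
    except OSError:
        return None   # same situation the HOWTO's '[ -e ... ]' test skips


def audit_sysctl(root="/proc/sys"):
    """Return {key: (expected, actual)} for every setting that is wrong.

    Knobs that are absent are not reported, matching the HOWTO's script,
    which only writes a value when the /proc entry exists.
    """
    bad = {}
    for key, want in EXPECTED.items():
        got = read_sysctl(root, key)
        if got is not None and got != want:
            bad[key] = (want, got)
    return bad


def build_sample_tree(settings):
    """Construct a fake /proc/sys tree in a temp dir for offline testing."""
    root = tempfile.mkdtemp()
    for key, value in settings.items():
        path = os.path.join(root, key)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(value + "\n")
    return root


def sample_weak_tree():
    """A constructed 'fresh install' tree: SYN cookies off, redirects accepted,
    and no log_martians knob at all (as on an older kernel)."""
    weak = dict(EXPECTED)
    weak["net/ipv4/tcp_syncookies"] = "0"
    weak["net/ipv4/conf/all/accept_redirects"] = "1"
    del weak["net/ipv4/conf/all/log_martians"]
    return build_sample_tree(weak)


if __name__ == "__main__":
    # Run against the real kernel; an empty result means all values match.
    problems = audit_sysctl()
    for key, (want, got) in sorted(problems.items()):
        print(f"{key}: expected {want}, found {got}")
    print("ok" if not problems else f"{len(problems)} setting(s) differ")
```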
    #!/bin/sh
    #
    # ipchains.sh
    #
    # An example of a simple ipchains configuration. This script
    # can enable 'masquerading' and will open user definable ports.
    #
    ###################################################################
    # Begin variable declarations and user configuration options ######
    #
    # Set the location of ipchains (default).
    IPCHAINS=/sbin/ipchains

    # Local Interfaces
    #
    # This is the WAN interface, that is our link to the outside world.
    # For pppd and pppoe users.
    # WAN_IFACE="ppp0"
    WAN_IFACE="eth0"
    #
    # Local Area Network (LAN) interface.
    #LAN_IFACE="eth0"
    LAN_IFACE="eth1"

    # Our private LAN address(es), for masquerading.
    LAN_NET="192.168.1.0/24"

    # For static IP, set it here!
    #WAN_IP="1.2.3.4"

    # Set a list of public server port numbers here...not too many!
    # These will be open to the world, so use caution. The example is
    # sshd, and HTTP (www). Any services included here should be the
    # latest version available from your vendor. Comment out to disable
    # all PUBLIC services.
    #PUBLIC_PORTS="22 80 443"
    PUBLIC_PORTS="22"

    # If we want to do port forwarding, this is the host
    # that will be forwarded to.
    #FORWARD_HOST="192.168.1.3"

    # A list of ports that are to be forwarded.
    #FORWARD_PORTS="25 80"

    # If you get your public IP address via DHCP, set this.
    DHCP_SERVER=66.21.184.66

    # If you need identd for a mail server, set this.
    MAIL_SERVER=

    # A list of unwelcome hosts or nets. These will be denied access
    # to everything, even our 'PUBLIC' services. Provide your own list.
    #BLACKLIST="11.22.33.44 55.66.77.88"

    # A list of "trusted" hosts and/or nets. These will have access to
    # ALL protocols, and ALL open ports. Be selective here.
    #TRUSTED="1.2.3.4/8 5.6.7.8"

    ## end user configuration options #################################
    ###################################################################

    # The high ports used mostly for connections we initiate and return
    # traffic.
    LOCAL_PORTS=`cat /proc/sys/net/ipv4/ip_local_port_range |cut -f1`:\
    `cat /proc/sys/net/ipv4/ip_local_port_range |cut -f2`

    # Any and all addresses from anywhere.
    ANYWHERE="0/0"

    # Start building chains and rules #################################
    #
    # Let's start clean and flush all chains to an empty state.
    $IPCHAINS -F

    # Set the default policies of the built-in chains. If no match for any
    # of the rules below, these will be the defaults that ipchains uses.
    $IPCHAINS -P forward DENY
    $IPCHAINS -P output ACCEPT
    $IPCHAINS -P input DENY

    # Accept localhost/loopback traffic.
    $IPCHAINS -A input -i lo -j ACCEPT

    # Get our dynamic IP now from the Inet interface. WAN_IP will be our
    # IP address we are protecting from the outside world. Put this
    # here, so default policy gets set, even if interface is not up
    # yet.
    [ -z "$WAN_IP" ] &&\
      WAN_IP=`ifconfig $WAN_IFACE |grep inet |cut -d : -f 2 |cut -d \  -f 1`

    # Bail out with error message if no IP available! Default policy is
    # already set, so all is not lost here.
    [ -z "$WAN_IP" ] && echo "$WAN_IFACE not configured, aborting." && exit 1

    WAN_MASK=`ifconfig $WAN_IFACE | grep Mask | cut -d : -f 4`
    WAN_NET="$WAN_IP/$WAN_MASK"

    ## Reserved IPs:
    #
    # We should never see these private addresses coming in from outside
    # to our external interface.
    $IPCHAINS -A input -l -i $WAN_IFACE -s 10.0.0.0/8     -j DENY
    $IPCHAINS -A input -l -i $WAN_IFACE -s 172.16.0.0/12  -j DENY
    $IPCHAINS -A input -l -i $WAN_IFACE -s 192.168.0.0/16 -j DENY
    $IPCHAINS -A input -l -i $WAN_IFACE -s 127.0.0.0/8    -j DENY
    $IPCHAINS -A input -l -i $WAN_IFACE -s 169.254.0.0/16 -j DENY
    $IPCHAINS -A input -l -i $WAN_IFACE -s 224.0.0.0/4    -j DENY
    $IPCHAINS -A input -l -i $WAN_IFACE -s 240.0.0.0/5    -j DENY

    # Bogus routing
    $IPCHAINS -A input -l -s 255.255.255.255 -d $ANYWHERE -j DENY

    ## LAN access and masquerading
    #
    # Allow connections from our own LAN's private IP addresses via the LAN
    # interface and set up forwarding for masqueraders if we have a LAN_NET
    # defined above.
    if [ -n "$LAN_NET" ]; then
      echo 1 > /proc/sys/net/ipv4/ip_forward
      $IPCHAINS -A input -i $LAN_IFACE -j ACCEPT
      $IPCHAINS -A forward -s $LAN_NET -d $LAN_NET -j ACCEPT
      $IPCHAINS -A forward -s $LAN_NET -d ! $LAN_NET -j MASQ
    fi

    ## Blacklist hosts/nets
    #
    # Get the blacklisted hosts/nets out of the way, before we start opening
    # up any services. These will have no access to us at all, and will be
    # logged.
    for i in $BLACKLIST; do
      $IPCHAINS -A input -l -s $i -j DENY
    done

    ## Trusted hosts/nets
    #
    # This is our trusted host list. These have access to everything.
    for i in $TRUSTED; do
      $IPCHAINS -A input -s $i -j ACCEPT
    done

    # Port Forwarding
    #
    # Which ports get forwarded to which host. This is one to one
    # port mapping (ie 80 -> 80) in this case.
    # NOTE: ipmasqadm is a separate package from ipchains and needs
    # to be installed also. Check first!
    [ -n "$FORWARD_HOST" ] && ipmasqadm portfw -f &&\
      for i in $FORWARD_PORTS; do
        ipmasqadm portfw -a -P tcp -L $WAN_IP $i -R $FORWARD_HOST $i
      done

    ## Open, but Restricted Access ports/services
    #
    # Allow DHCP server (their port 67) to client (to our port 68) UDP traffic
    # from outside source.
    [ -n "$DHCP_SERVER" ] &&\
      $IPCHAINS -A input -p udp -s $DHCP_SERVER 67 -d $ANYWHERE 68 -j ACCEPT

    # Allow 'identd' (to our TCP port 113) from mail server only.
    [ -n "$MAIL_SERVER" ] &&\
      $IPCHAINS -A input -p tcp -s $MAIL_SERVER -d $WAN_IP 113 -j ACCEPT

    # Open up PUBLIC server ports here (available to the world):
    for i in $PUBLIC_PORTS; do
      $IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $i -j ACCEPT
    done

    # So I can check my home POP3 mailbox from work. Also, so I can ssh
    # in to home system. Only allow connections from my workplace's
    # various IPs. Everything else is blocked.
    $IPCHAINS -A input -p tcp -s 255.10.9.8/29 -d $WAN_IP 110 -j ACCEPT

    # Uncomment to allow ftp data back (active ftp). Not required for 'passive'
    # ftp connections.
    #$IPCHAINS -A input -p tcp -s $ANYWHERE 20 -d $WAN_IP $LOCAL_PORTS -y -j ACCEPT

    # Accept non-SYN TCP, and UDP connections to LOCAL_PORTS. These are
    # the high, unprivileged ports (1024 to 4999 by default). This will
    # allow return connection traffic for connections that we initiate
    # to outside sources. TCP connections are opened with 'SYN' packets.
    # We have already opened those services that need to accept SYNs
    # for, so other SYNs are excluded here for everything else.
    $IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS ! -y -j ACCEPT

    # We can't be so selective with UDP since that protocol does not know
    # about SYNs.
    $IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS -j ACCEPT

    # Allow access to the masquerading ports conditionally. Masquerading
    # uses its own port range -- on 2.2 kernels ONLY! 2.4 kernels do not
    # use these ports, so comment out!
    [ -n "$LAN_NET" ] &&\
      $IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP 61000: ! -y -j ACCEPT &&\
      $IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP 61000: -j ACCEPT

    ## ICMP (ping)
    #
    # ICMP rules, allow the bare essential types of ICMP only. Ping
    # request is blocked, ie we won't respond to someone else's pings,
    # but can still ping out.
    $IPCHAINS -A input -p icmp --icmp-type echo-reply \
      -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
    $IPCHAINS -A input -p icmp --icmp-type destination-unreachable \
      -s $ANYWHERE -i $WAN_IFACE -j ACCEPT
    $IPCHAINS -A input -p icmp --icmp-type time-exceeded \
      -s $ANYWHERE -i $WAN_IFACE -j ACCEPT

    #######################################################################
    # Set the catchall, default rule to DENY, and log it all. All other
    # traffic not allowed by the rules above, winds up here, where it is
    # blocked and logged. This is the default policy for this chain
    # anyway, so we are just adding the logging ability here with '-l'.
    # Outgoing traffic is allowed as the default policy for the 'output'
    # chain. There are no restrictions on that.
$IPCHAINS -A input -l -j DENY echo "Ipchains firewall is up `date`." ##-- eof ipchains.sh |
#!/bin/sh
#
# iptables.sh
#
# An example of a simple iptables configuration. This script
# can enable 'masquerading' and will open user definable ports.
#
###################################################################
# Begin variable declarations and user configuration options ######
#
# Set the location of iptables (default).
IPTABLES=/sbin/iptables

# Local Interfaces
# This is the WAN interface that is our link to the outside world.
# For pppd and pppoe users.
# WAN_IFACE="ppp0"
WAN_IFACE="eth0"
#
# Local Area Network (LAN) interface.
#LAN_IFACE="eth0"
LAN_IFACE="eth1"

# Our private LAN address(es), for masquerading.
LAN_NET="192.168.1.0/24"

# For static IP, set it here!
#WAN_IP="1.2.3.4"

# Set a list of public server port numbers here...not too many!
# These will be open to the world, so use caution. The example is
# sshd, and HTTP (www). Any services included here should be the
# latest version available from your vendor. Comment out to disable
# all Public services. Do not put any ports to be forwarded here,
# this is only for direct access.
#PUBLIC_PORTS="22 80 443"
PUBLIC_PORTS="22"

# If we want to do port forwarding, this is the host
# that will be forwarded to.
#FORWARD_HOST="192.168.1.3"

# A list of ports that are to be forwarded.
#FORWARD_PORTS="25 80"

# If you get your public IP address via DHCP, set this.
DHCP_SERVER=66.21.184.66

# If you need identd for a mail server, set this.
MAIL_SERVER=

# A list of unwelcome hosts or nets. These will be denied access
# to everything, even our 'Public' services. Provide your own list.
#BLACKLIST="11.22.33.44 55.66.77.88"

# A list of "trusted" hosts and/or nets. These will have access to
# ALL protocols, and ALL open ports. Be selective here.
#TRUSTED="1.2.3.4/8 5.6.7.8"

## end user configuration options #################################
###################################################################

# Any and all addresses from anywhere.
ANYWHERE="0/0"

# These modules may need to be loaded:
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# Start building chains and rules #################################
#
# Let's start clean and flush all chains to an empty state. The nat
# table is flushed too, otherwise re-running this script appends a
# second copy of every MASQUERADE and DNAT rule.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F

# Set the default policies of the built-in chains. If no match for any
# of the rules below, these will be the defaults that IPTABLES uses.
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP

# Accept localhost/loopback traffic.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Get our dynamic IP now from the Inet interface. WAN_IP will be the
# address we are protecting from outside addresses.
[ -z "$WAN_IP" ] &&\
WAN_IP=`ifconfig $WAN_IFACE |grep inet |cut -d : -f 2 |cut -d \ -f 1`

# Bail out with error message if no IP available! Default policy is
# already set, so all is not lost here.
[ -z "$WAN_IP" ] && echo "$WAN_IFACE not configured, aborting." && exit 1

WAN_MASK=`ifconfig $WAN_IFACE |grep Mask |cut -d : -f 4`
WAN_NET="$WAN_IP/$WAN_MASK"

## Reserved IPs:
#
# We should never see these private addresses coming in from outside
# to our external interface.
$IPTABLES -A INPUT -i $WAN_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 127.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 224.0.0.0/4 -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 240.0.0.0/5 -j DROP

# Bogus routing
$IPTABLES -A INPUT -s 255.255.255.255 -d $ANYWHERE -j DROP

# Unclean
# (The 'unclean' match was an experimental module of the 2.4 era and is
# not present in current kernels; remove these two rules if iptables
# reports that the match cannot be loaded.)
$IPTABLES -A INPUT -i $WAN_IFACE -m unclean -m limit \
 --limit 15/minute -j LOG --log-prefix "Unclean: "
$IPTABLES -A INPUT -i $WAN_IFACE -m unclean -j DROP

## LAN access and masquerading
#
# Allow connections from our own LAN's private IP addresses via the LAN
# interface and set up forwarding for masqueraders if we have a LAN_NET
# defined above.
if [ -n "$LAN_NET" ]; then
 echo 1 > /proc/sys/net/ipv4/ip_forward
 $IPTABLES -A INPUT -i $LAN_IFACE -j ACCEPT
 # $IPTABLES -A INPUT -i $LAN_IFACE -s $LAN_NET -d $LAN_NET -j ACCEPT
 $IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IFACE -j MASQUERADE
fi

## Blacklist
#
# Get the blacklisted hosts/nets out of the way, before we start opening
# up any services. These will have no access to us at all, and will
# be logged.
for i in $BLACKLIST; do
 $IPTABLES -A INPUT -s $i -m limit --limit 5/minute \
  -j LOG --log-prefix "Blacklisted: "
 $IPTABLES -A INPUT -s $i -j DROP
done

## Trusted hosts/nets
#
# This is our trusted host list. These have access to everything.
for i in $TRUSTED; do
 $IPTABLES -A INPUT -s $i -j ACCEPT
done

# Port Forwarding
#
# Which ports get forwarded to which host. This is one to one
# port mapping (ie 80 -> 80) in this case.
[ -n "$FORWARD_HOST" ] &&\
for i in $FORWARD_PORTS; do
 $IPTABLES -A FORWARD -p tcp -s $ANYWHERE -d $FORWARD_HOST \
  --dport $i -j ACCEPT
 $IPTABLES -t nat -A PREROUTING -p tcp -d $WAN_IP --dport $i \
  -j DNAT --to $FORWARD_HOST:$i
done

## Open, but Restricted Access ports
#
# Allow DHCP server (their port 67) to client (to our port 68) UDP
# traffic from outside source.
[ -n "$DHCP_SERVER" ] &&\
$IPTABLES -A INPUT -p udp -s $DHCP_SERVER --sport 67 \
 -d $ANYWHERE --dport 68 -j ACCEPT

# Allow 'identd' (to our TCP port 113) from mail server only.
[ -n "$MAIL_SERVER" ] &&\
$IPTABLES -A INPUT -p tcp -s $MAIL_SERVER -d $WAN_IP --dport 113 -j ACCEPT

# Open up Public server ports here (available to the world):
for i in $PUBLIC_PORTS; do
 $IPTABLES -A INPUT -p tcp -s $ANYWHERE -d $WAN_IP --dport $i -j ACCEPT
done

# So I can check my home POP3 mailbox from work. Also, so I can ssh
# in to home system. Only allow connections from my workplace's
# various IPs. Everything else is blocked.
$IPTABLES -A INPUT -p tcp -s 255.10.9.8/29 -d $WAN_IP --dport 110 -j ACCEPT

## ICMP (ping)
#
# ICMP rules, allow the bare essential types of ICMP only. Ping
# request is blocked, ie we won't respond to someone else's pings,
# but can still ping out.
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply \
 -s $ANYWHERE -d $WAN_IP -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable \
 -s $ANYWHERE -d $WAN_IP -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded \
 -s $ANYWHERE -d $WAN_IP -j ACCEPT

# Identd Reject
#
# Special rule to reject (with rst) any identd/auth/port 113
# connections. This will speed up some services that ask for this,
# but don't require it. Be careful, some servers may require this
# one (IRC for instance).
#$IPTABLES -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

###################################################################
# Build a custom chain here, and set the default to DROP. All
# other traffic not allowed by the rules above, ultimately will
# wind up here, where it is blocked and logged, unless it passes
# our stateful rules for ESTABLISHED and RELATED connections. Let
# connection tracking do most of the worrying! We add the logging
# ability here with the '-j LOG' target. Outgoing traffic is
# allowed as that is the default policy for the 'output' chain.
# There are no restrictions placed on that in this script.

# New chain...
$IPTABLES -N DEFAULT

# Use the 'state' module to allow only certain connections based
# on their 'state'. Note: iptables releases since 1.4.3 only accept
# the negation written before the option, i.e. '! -i $WAN_IFACE'.
$IPTABLES -A DEFAULT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A DEFAULT -m state --state NEW -i ! $WAN_IFACE -j ACCEPT

# Enable logging for anything that gets this far.
$IPTABLES -A DEFAULT -j LOG -m limit --limit 30/minute --log-prefix "Dropping: "

# Now drop it, if it has gotten here.
$IPTABLES -A DEFAULT -j DROP

# This is the 'bottom line' so to speak. Everything winds up
# here, where we bounce it to our custom built 'DEFAULT' chain
# that we defined just above. This is for both the FORWARD and
# INPUT chains.
$IPTABLES -A FORWARD -j DEFAULT
$IPTABLES -A INPUT -j DEFAULT

echo "Iptables firewall is up `date`."

##-- eof iptables.sh
"Most people just have a single PPP connection to the Internet, and don't want anyone coming back into their network, or the firewall:"
## Insert connection-tracking modules (not needed if built into kernel).
insmod ip_conntrack
insmod ip_conntrack_ftp

## Create chain which blocks new connections, except if coming from inside.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP

## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block
This simple script will allow all outbound connections that we initiate, i.e. any NEW connections (since the OUTPUT chain's default policy of ACCEPT is not changed). Then any connections that are "ESTABLISHED" and "RELATED" to these are also allowed. And any NEW connections that do not arrive on our WAN side interface, ppp0, are also allowed; that would be lo or possibly a LAN interface like eth1. So we can do whatever we want, but no unwanted, incoming connection attempts are allowed from the Internet. None.

This script also demonstrates the creation of a custom chain, defined here as "block", which both the INPUT and FORWARD chains jump to.
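The "block" chain above, and the equivalent "DEFAULT" chain in iptables.sh, are easiest to understand by tracing a few packets through them. The following is an added example, not code from the HOWTO or from either script: a small Python model of the chain's first-match logic with a minimal stand-in for ip_conntrack, plus the stateless ipchains rule ('-p tcp -d $WAN_IP $LOCAL_PORTS ! -y -j ACCEPT') for comparison. The interface name ppp0, the constructed packets and the RFC 5737 documentation addresses are all assumptions; RELATED state (what ip_conntrack_ftp provides for FTP data channels) is not modelled.

```python
"""Model of the stateful 'block' / 'DEFAULT' chain in plain Python.

Constructed example (not from the HOWTO): a tiny connection tracker plus
the first-match rules of the chain, contrasted with the stateless
ipchains rule that accepts any non-SYN TCP packet to the high ports.
"""
from dataclasses import dataclass, field

WAN_IFACE = "ppp0"      # assumed name, as in the quoted script


@dataclass(frozen=True)
class Packet:
    iface: str          # interface it arrived on (unused for packets we send)
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP flags; ignored for udp
    ack: bool = False


@dataclass
class Conntrack:
    """Minimal stand-in for ip_conntrack: remembers 5-tuples it has seen."""
    flows: set = field(default_factory=set)

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def classify(self, p):
        if self._key(p) in self.flows or self._reverse(p) in self.flows:
            return "ESTABLISHED"
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "INVALID"    # mid-stream TCP for a flow we never saw open
        return "NEW"

    def note(self, p):
        self.flows.add(self._key(p))


def block_chain(ct, p, wan=WAN_IFACE):
    """ESTABLISHED,RELATED -> ACCEPT; NEW not from the WAN -> ACCEPT; else DROP."""
    state = ct.classify(p)
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if state == "NEW" and p.iface != wan:
        return "ACCEPT"
    return "DROP"


def ipchains_high_port_rule(p, low=1024, high=4999):
    """Stateless ipchains rule: -p tcp -d $WAN_IP $LOCAL_PORTS ! -y -j ACCEPT."""
    is_syn_only = p.syn and not p.ack           # what ipchains '-y' matches
    if p.proto == "tcp" and low <= p.dport <= high and not is_syn_only:
        return "ACCEPT"
    return "DENY"


class Firewall:
    def __init__(self, wan=WAN_IFACE):
        self.ct = Conntrack()
        self.wan = wan

    def send(self, p):
        """Locally generated traffic: OUTPUT policy is ACCEPT; conntrack records it."""
        self.ct.note(p)
        return "ACCEPT"

    def receive(self, p):
        """Inbound traffic: INPUT jumps to the block chain."""
        verdict = block_chain(self.ct, p, self.wan)
        if verdict == "ACCEPT":
            self.ct.note(p)
        return verdict


def scenario():
    """Constructed traffic (RFC 5737 documentation addresses); returns the verdicts."""
    me, web, lan_pc = "203.0.113.5", "198.51.100.10", "192.168.1.20"
    fw = Firewall()
    v = {}
    v["out_syn"] = fw.send(Packet("out", "tcp", me, 40000, web, 80, syn=True))
    v["reply_synack"] = fw.receive(Packet("ppp0", "tcp", web, 80, me, 40000, syn=True, ack=True))
    v["unsolicited_syn"] = fw.receive(Packet("ppp0", "tcp", web, 5555, me, 22, syn=True))
    v["lan_new_ssh"] = fw.receive(Packet("eth1", "tcp", lan_pc, 3333, me, 22, syn=True))
    stray = Packet("ppp0", "tcp", web, 6666, me, 4000, ack=True)   # no matching flow
    v["stray_ack_stateful"] = fw.receive(stray)
    v["stray_ack_ipchains"] = ipchains_high_port_rule(stray)
    v["out_dns"] = fw.send(Packet("out", "udp", me, 50000, web, 53))
    v["dns_reply"] = fw.receive(Packet("ppp0", "udp", web, 53, me, 50000))
    v["unsolicited_udp"] = fw.receive(Packet("ppp0", "udp", web, 53, me, 50001))
    return v


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:22s} {verdict}")
```

The trace shows the point of the text: replies to connections the host opened come back as ESTABLISHED and are accepted, a NEW connection from eth1 is accepted, and a NEW connection arriving on ppp0 is dropped. The stray ACK case is the reason the HOWTO prefers the stateful iptables script over the ipchains one: the stateless `! -y` rule lets any non-SYN segment through to the high ports, whereas connection tracking drops it because no flow was ever opened.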