RE: [SLUG] Detailed question about securing a small business Linux Server

From: Ken Billings (mrcoffee69@email.com)
Date: Fri Jan 11 2002 - 14:05:41 EST


I'm not a linux security guru, but I can answer some of your questions...

>I am using the Linux server as internal pop server, smtp server
>(using qmail) , samba server and ssh server.

>When I run nmap -v in each interface, I get that the POP3 (110), smtp
>(25), ssh(22), smb, sunrpc(111) are open in both interfaces.

>How do I do it to close the ports POP3 and samba only for the external
>interface (eth1 or ppp0 ?) or to deny incoming connections from the
>internet?
>Should I close the smtp port for the external interface too?

>What do you need the sunrpc (111) port open for?

>Do you know of a good tutorial to understand ipchain rules better?
>RH 7.2 sets some rules to secure your server but I don't know if they
>are good enough.

First, if you're on RH 7.2, you should be using iptables, not ipchains. I
think they actually still default to using the ipchains compatibility module
if it's installed. You can rpm -e to get rid of it, or use "chkconfig
ipchains off" to just turn it off. If it's installed, iptables should load
on startup if ipchains isn't already loaded.

If you have the resources, any security person will tell you that a firewall
should be doing only firewalling, and nothing else. Any old cheap pentium+
computer should be able to handle that job. In addition, a firewall
shouldn't be accessible remotely _at all_. That said, I use ssh to control
my firewall box :) , but you should really keep the services to a minimum.
If a hacker/worm gets in through a vulnerable service on your firewall,
you've just lost your first and best line of defense.

I'll take a leap and assume you're using Redhat's default firewall tool
in... medium setting? This is probably the simplest way to get what you
want. Unfortunately it doesn't leave you much configurability, and hand
written rules by someone knowledgeable tend to be a lot better. If I
remember correctly, the medium setting sets up halfway decent rules, though.
It will deny any connections from the internet unless you specify the
incoming port number in the setup screen.

Port scanning in this case can get tricky. Make sure you're not trying to
scan the machine you're scanning from. If you want to see what's on the
internal interface, scan from a machine on the internal net. This is the
tricky part: if you want a reliable scan of the external interface, scan
from a machine out on the internet. Most default rulesets will allow _any_
connection from the internal net, whether that packet is destined for the
internal IP or the external IP. This would give you a false "open"
indication.

To answer the smtp question: If you're using it for internal mail only, then
no, it doesn't need to be open. If you're using it for regular internet
email, then yes, it does. :) Same with pop3. If you want people to be able
to check their mail from home or whatever, then it needs to be open also.
I'm not too familiar with the mail side of things, so someone else can cover
general smtp security, not related to the firewall itself.

sunrpc: If you're not using a service that requires it, then you don't need
it and you should turn it off. It shouldn't be accessible from the internet
anyway unless you have some special case I'm not aware of. The only major
service needing it that you might be using is nfs. Most of the others I'm
aware of that need it are stuff you'd never want to have on a firewall
anyway. (remote user lists and statuses, etc)

I really should get back to work, so I'll leave you with these links:

http://www.iptables.org (www.netfilter.org goes to the same place)
http://www.netfilter.org/documentation/index.html to get specific. :)
http://netfilter.samba.org/unreliable-guides/
http://www.linuxguruz.org/iptables/ - Has lots of example scripts

-Ken
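The interface-scoped ruleset Ken is describing (POP3, Samba and sunrpc reachable from the LAN side only, default deny on the Internet side, SMTP outside only if the box really receives Internet mail), written out as an added example. This is not code from the original post or from Red Hat's firewall tool; the interface names eth0/eth1, the LAN range 192.168.1.0/24, and the EXT_SMTP / EXT_SSH_FROM knobs are assumptions made for the example. Set EXT_IF=ppp0 for a dial-up link.

```shell
#!/bin/sh
# Added example, not from the original post. Interface names, LAN range and
# the EXT_* knobs below are assumptions; adjust them to the real box.
#   ./fw.sh preview   prints the iptables commands without running them
#   ./fw.sh apply     installs the rules (run as root)

IPT="${IPT:-iptables}"                  # set to "echo iptables" for a dry run
INT_IF="${INT_IF:-eth0}"                # LAN side (assumed)
EXT_IF="${EXT_IF:-eth1}"                # Internet side: eth1, or ppp0 (assumed)
INT_NET="${INT_NET:-192.168.1.0/24}"    # LAN range (assumed, RFC 1918)
EXT_SMTP="${EXT_SMTP:-yes}"             # "yes" if Internet mail is delivered here
EXT_SSH_FROM="${EXT_SSH_FROM:-}"        # optional single admin IP allowed to ssh in

# allow IFACE PROTO PORT [SRC]: accept NEW connections to PORT arriving on IFACE.
# "-m state" is the classic match; newer kernels also take "-m conntrack --ctstate".
allow() {
  if [ -n "${4:-}" ]; then
    $IPT -A INPUT -i "$1" -s "$4" -p "$2" --dport "$3" -m state --state NEW -j ACCEPT
  else
    $IPT -A INPUT -i "$1" -p "$2" --dport "$3" -m state --state NEW -j ACCEPT
  fi
}

apply_rules() {
  $IPT -F INPUT
  $IPT -P INPUT DROP                    # default deny; every service is opt-in below
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -m state --state INVALID -j DROP

  # Anti-spoofing: nothing on the Internet side may claim a LAN source address
  $IPT -A INPUT -i "$EXT_IF" -s "$INT_NET" -j DROP

  # LAN interface: what the internal clients need, and only from LAN addresses
  allow "$INT_IF" tcp 22  "$INT_NET"    # ssh
  allow "$INT_IF" tcp 25  "$INT_NET"    # smtp (qmail) for internal senders
  allow "$INT_IF" tcp 110 "$INT_NET"    # pop3
  allow "$INT_IF" udp 137 "$INT_NET"    # netbios-ns   \
  allow "$INT_IF" udp 138 "$INT_NET"    # netbios-dgm   > samba
  allow "$INT_IF" tcp 139 "$INT_NET"    # netbios-ssn  /
  allow "$INT_IF" tcp 445 "$INT_NET"    # microsoft-ds (Windows 2000+ clients)
  # sunrpc (111) is deliberately left closed; only uncomment if LAN NFS needs it:
  # allow "$INT_IF" tcp 111 "$INT_NET"; allow "$INT_IF" udp 111 "$INT_NET"

  # Internet interface: SMTP only if this host receives Internet mail, ssh only
  # from one admin address. POP3, SMB and sunrpc are never reachable here.
  if [ "$EXT_SMTP" = yes ]; then allow "$EXT_IF" tcp 25; fi
  if [ -n "$EXT_SSH_FROM" ]; then allow "$EXT_IF" tcp 22 "$EXT_SSH_FROM"; fi

  # Log (rate-limited) and drop the rest, so scans show up in syslog
  $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
  $IPT -A INPUT -j DROP
  return 0
}

case "${1:-}" in
  preview) IPT="echo iptables"; apply_rules ;;   # show, don't touch the kernel
  apply)   apply_rules ;;                        # real run, needs root
  "")      ;;                                    # sourced: define functions only
  *)       echo "usage: $0 preview|apply" >&2; exit 2 ;;
esac
```

Because the rules match on the arrival interface (`-i`) rather than on the destination address, a scan run from a LAN host against the box's external IP still comes in on eth0 and will report POP3 and SMB open, which is exactly the false "open" Ken warns about; only a scan from a host out on the Internet (for example `nmap -sS -p 22,25,110,111,137-139,445 <external ip>`) tells you what the outside actually sees. On Red Hat the rules are lost at reboot unless you save them with `service iptables save`, which writes them to /etc/sysconfig/iptables for the iptables init script to reload.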



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 18:42:53 EDT