Title: RE: Trying to connect remotly fron Win 2003 to Nessus on Linux

Salam,

Long answer:

Iptables and netfilter (the kernel component of iptables) is a host-based firewall for UNIX-like operating systems.  More specifically, it is a stateful packet filter. (It has no application intelligence - yet).

It's true that your broadband router gives you some protection against the many threats lurking on the Internet, but in IT Security, we like to take a defense-in-depth posture.  Defense-in-depth means setting up multiple layers of hurdles between the bad guy and the stuff you value. 

For example, your broadband router (your first layer of defense) keeps out most direct attack vectors from outside your home network, but what if you or your wife/son/daughter/significant other downloads a game infected with a virus or worm?  Now the "bad guy" is inside.  What if the payload of that virus surreptitiously opens a covert channel (e.g., a VPN connection of some type) to a "bad guy" computer?  He now has unfettered access to your protected network.  But if you have host-based firewalls (your second layer of defense) installed and running on all your computers, and if your operating systems are hardened and otherwise pretty secure, he's going to have a hard time doing anything significant.

If you have any ports open on your host-based firewalls - say, SSH, HTTP, HTTPS, FTP (the ones I remember seeing in your iptables dump) and now Nessus - these represent an entry point through your second layer of defense; however, if you keep your patches up-to-date and use very strong passwords - e.g., minimum of 8 characters with a mixture of uppercase, lowercase, numbers, special characters, and punctuation - then you have an effective third layer of defense to keep the threats out.

Note also that a broadband router combined with wireless opens up another avenue of attack.  If you don't use wireless encryption, or if you do use it but you have a vulnerable wireless AP (like some Linksys firmware versions), you have an open door into your home network.  Even if you're using 128-bit WEP, wardrivers and neighbors can hack into your network with tools like AirSnort (granted, it takes a lot of time and a lot of traffic for them to do that).  Use WPA instead.

Short answer:

Keep iptables running.  It is your friend.

John Scherff
24 Hour Fitness
It's the way we make you feel - you^24

P.S., while I'm thinking about it, turn uPnP off on your broadband router, and make sure external web access is turned off, too.

-----Original Message-----
From: Salam Y. ELIAS [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 22, 2005 4:16 AM
To: John Scherff
Subject: RE: Trying to connect remotly fron Win 2003 to Nessus on Linux

Wonderful, so many thanks for your help.
However, there is something I don't catch: is iptables a service related to TCP/IP networking stuff, or a firewall whose name is iptables?

As I said, I have a router/firewall ADSL broadband which all my servers are behind, and it acts like a DHCP as well. So should I, or do I really need, iptables running?

On the other server, I stopped the firewall that ships with Win 2003 because I think the router/firewall is sufficient, NO?

Salam
On Wed, 2005-09-21 at 14:29 -0700, John Scherff wrote:
> Salam,
>
> Okay, open /etc/sysconfig/iptables and add the following line below
> the one that says --dport 22:
>
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 1241
> -j ACCEPT
>
> By the way, editing the /etc/sysconfig/iptables file is not usually
> the best way to alter your Linux personal firewall, but for simple
> changes like this, it's the quickest. Make sure you copy the original
> file to iptables.orig or something like that.
>
> Also, if you don't know iptables, you should learn it.  It's a good
> way to close up some of the vulnerabilities that Nessus finds -
> particularly when there are no patches available to fix them.
>
> - John Scherff
>
> -----Original Message-----
> From: Salam Y. ELIAS [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, September 21, 2005 2:08 PM
> To: John Scherff
> Subject: Re: Trying to connect remotly fron Win 2003 to Nessus on
> Linux
>
> Enclosed is the iptables file. To be honest with you, I have never
> touched it. This is a fresh new install of Fedora Core 4 I did 10 days
> ago.
>
> Thanks again for your help
>
> On Wed, 2005-09-21 at 12:54 -0700, John Scherff wrote:
> > Send me your /etc/sysconfig/iptables file so I can tell you without
> > breaking something else.
> >
> > -----Original Message-----
> > From: Salam Y. ELIAS <[EMAIL PROTECTED]>
> > To: John Scherff <[EMAIL PROTECTED]>
> > Sent: Wed Sep 21 12:48:59 2005
> > Subject: RE: Trying to connect remotly fron Win 2003 to Nessus on
> > Linux
> >
> > So many thanks, you are correct. I ran the Nessus client on the Linux
> > machine by typing nessus in a terminal session. However, when
> > connecting there is a box where this port is specified.
> >
> > As I said, I am new to Linux and Nessus, so how can I open the port,
> > how do I use IPTABLES? I have my router which assigns IPs to my
> > machines; my Linux always has 192.168.0.10
> >
> > On Wed, 2005-09-21 at 11:32 -0700, John Scherff wrote:
> > > Is iptables running on the Linux server running Nessus?  (My question
> > > assumes you were running the X client on the same machine as the
> > > Nessus daemon.)  If it is, you'll have to open up port 1241.
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED]
> > > [mailto:[EMAIL PROTECTED]] On Behalf Of Salam Y.
> > > ELIAS
> > > Sent: Wednesday, September 21, 2005 10:54 AM
> > > To: [email protected]
> > > Subject: Trying to connect remotly fron Win 2003 to Nessus on
> > > Linux
> > >
> > > Thanks everybody, my Nessus server is working fine, thanks folks.
> > > However, when running the client on Linux, it connects and I managed
> > > to scan 2 servers. However, I downloaded the win32 version on a Win
> > > 2003 box, and I can not connect to the server on Linux. Of course I
> > > can ping the Linux machine. I get the following error in the output
> > > window:
> > >
> > > ERROR: Cannot establish connection with 192.168.0.10 (Socket error
> > > 0).
> > >
> > > So is there a config param to allow/deny clients remotely?
> > >
> > > Second question: in the win32 interface, in the settings dialog box
> > > I have the possibility to designate a database. On Linux I issue
> > > "nessus" in a terminal session to launch the client. Is there another
> > > way, or is it just not possible to point to a database?
> > >
> > > Thanks
> > >
> > > _______________________________________________
> > > Nessus mailing list
> > > [email protected]
> > > http://mail.nessus.org/mailman/listinfo/nessus
> > >
> >
> >
> >
>
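The file edit John describes in the quoted message above (an ACCEPT rule for new TCP connections to port 1241, inserted below the --dport 22 line in /etc/sysconfig/iptables, after copying the original to iptables.orig) can be done safely with a small script. The example below is added here and is not from the thread or from Fedora; it works on a constructed copy of a Fedora Core 4 style RH-Firewall-1-INPUT chain so it runs without root or a real iptables, and the function names make_sample_config, open_port and rule_line are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread.  Reproduces the edit
# on a constructed copy of /etc/sysconfig/iptables so it runs without root.
set -eu

# make_sample_config FILE: write a constructed file modelled on the
# RH-Firewall-1-INPUT chain that Fedora's default iptables config uses.
# Only SSH (22) and HTTP (80) are open; everything else hits the REJECT.
make_sample_config() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# open_port FILE PORT: back FILE up to FILE.orig (as the thread advises),
# then insert an ACCEPT rule for new TCP connections to PORT directly
# below the --dport 22 line.  Does nothing if the rule is already present,
# and refuses to edit a file that has no --dport 22 anchor line.
open_port() {
    file=$1
    port=$2
    rule="-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    if grep -qF -- "$rule" "$file"; then
        return 0
    fi
    if ! grep -q -- '--dport 22 ' "$file"; then
        echo "no --dport 22 anchor line in $file; not editing" >&2
        return 1
    fi
    cp "$file" "$file.orig"
    awk -v rule="$rule" '
        { print }
        /--dport 22 / && !done { print rule; done = 1 }
    ' "$file.orig" > "$file"
}

# rule_line FILE PORT: print the 1-based line number of the ACCEPT rule
# for PORT, or nothing if there is no such rule.
rule_line() {
    grep -n -- "--dport $2 -j ACCEPT" "$1" | cut -d: -f1
}
```

Placing the new rule below the --dport 22 line matters because iptables evaluates the chain top to bottom: the last rule in RH-Firewall-1-INPUT rejects everything not matched earlier, so a rule appended after it would never be reached. The ESTABLISHED,RELATED line is the "stateful" part of the stateful packet filter: replies to connections the host already opened are allowed through, while only the explicitly listed ports may receive NEW connections. After editing the real file, the firewall still has to be reloaded (on Fedora of that era, `service iptables restart`) for the change to take effect.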
