Security Basics mailing list archives
Re: Iptables Clues and Advices.
From: Pierre BETOUIN <info16 () ifrance com>
Date: 03 Apr 2003 21:58:14 +0200
Hello,

You should change the default policy to DROP using:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Your box will, then, reject all packets that are non-authorized. Then, allow others... In your case:

--------------
#MySql
iptables -A INPUT -p tcp --destination-port 3306 -j ACCEPT
iptables -A OUTPUT -p tcp --source-port 3306 -j ACCEPT

#Web server
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
iptables -A OUTPUT -p tcp --source-port 80 -j ACCEPT
--------------

On Wed 02/04/2003 at 22:55, Nahual Guerrero wrote:

> Hi list.
>
> I began using iptables a few months ago; I've managed to make a Perl script which contains all basic rules of packet filtering in my box. But now that I have managed and learned how to do it, I really don't know how to secure my box from possible attacks coming from the Internet. I use the error and test method, I mean, I use against myself classical attacks such as smurf, different types of scans using nmap, etc...
>
> I'd like to ask several questions, so I'll set the variables of my system in order to have better answers, if anyone wants to answer any of them.
>
> -> Security programs installed (and probably misconfigured... remember, I'm a newbie):
> - tcplog 1.6
> - portsentry 1.1
> - iptables 1.2.2
>
> -> Services I run, in order to make tests in my own box (so we deduce I don't want anyone from the Internet to know they exist):
> MySql (3306)
> Apache (80)
>
> -> Script made to try to detect and prevent any kind of investigation on my box.
>
> ###################################################################
> #!/usr/bin/perl
> use strict;
> use warnings;
>
> # Rule templates; the destination port is appended at call time.
> my $iptfh = 'iptables -F';
> my $iptin = 'iptables -A INPUT -j DROP -p tcp -s ! 127.0.0.0/255.255.255.0 --destination-port';
> my $iptil = 'iptables -A INPUT -j LOG -p tcp -s ! 127.0.0.0/255.255.255.0 --destination-port';
> my $iptol = 'iptables -A OUTPUT -j LOG';
> my $iptfl = 'iptables -A FORWARD -j LOG';
>
> system("clear");
> print "Tirando de la Cadena....\n";
> system($iptfh);   # flush the existing rules first
>
> # Input: the LOG rules must be appended before the DROP rules for the
> # same ports, otherwise the packet is dropped first and never logged.
> system("$iptil 80");
> system("$iptil xxx");
> system("$iptil xxxx");
> system("$iptil xxxx");
> system("$iptil 3306");
> system("$iptil xxxx");
> system("$iptil xxxx");
> system("$iptin 80");
> system("$iptin xxx");
> system("$iptin xxx");
> system("$iptin xxxx");
> system("$iptin xxxx");
> system("$iptin 3306");
> system("$iptin xxxx");
> system("$iptin xxxx");
>
> # Output
> # Forward
> system($iptfl);
>
> # Port Sentry
> print "Iniciando Port Sentry\n";
> system("portsentry -stcp");
> system("portsentry -sudp");
> #######################################################################
>
> I know, it's very simplistic, that's why I ask for help. So with this configuration, it's obvious that it only blocks some types of scans, and direct connections on TCP ports, but I'd like to hide these ports from any kind of scan (at least any kind of scan which nmap can perform).

You can't hide your 80 and 3306 ports from everyone if you want to allow everybody to connect to your host... Ex: some scripts will scan only your webserver trying to find known exploits...

> Now the questions.
>
> Is it a good idea to block ICMP packets to avoid smurf attacks? If we drop all ICMP attacks, won't we have any trouble during regular surfing?

It's often very useful to allow ICMP... Smurf attacks use ICMP broadcasts, so you have to drop any broadcasts which come to your Internet interface if you trust your LAN... and if you don't, add the same rule for your LAN interface...

> How can I completely hide ports (UDP and TCP) when connected to the Internet? In case of being impossible, how can I hide them as much as possible?

You can detect some kinds of aggressive scans and reject them, for example using portsentry and adding an iptables rule in order to deny everything from the attacker.

> If any of the questions I've made are abusive, feel free to say it, but please, pleeease, do not flame me.

No way! ;)

> Thank you in advance.
>
> A hug.
> -------------------------------------------------------------------
> Nahual Guerrero
> PGP key: http://www.rootshell.be/~nahual/pub_key.asc
> -------------------------------------------------------------------
-- Pierre BETOUIN <info16 () ifrance com>
Attachment: signature.asc
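As an added example (not code from Pierre's reply or from Nahual's script), the following sh script generates the default-DROP ruleset Pierre describes and goes a little further than his rules: loopback and stateful (ESTABLISHED,RELATED) matches so the box can still resolve DNS and browse under an OUTPUT DROP policy, a drop for broadcast-addressed packets arriving on the Internet interface (the smurf point), a MySQL rule limited to the LAN since Nahual only needs it locally, a rate-limited LOG before the policy drops a packet, and the kind of per-host DROP a portsentry reaction would insert, guarded by a never-block list. The interface name, LAN range and gateway address are assumptions with constructed values.

```shell
#!/bin/sh
# Added example (not code from the thread). Generates a default-DROP iptables
# ruleset for a box running Apache (80) and MySQL (3306). WAN_IF, LAN_NET and
# NEVER_BLOCK are assumptions with constructed values; override them via env.

WAN_IF="${WAN_IF:-eth0}"                             # assumed Internet-facing NIC
LAN_NET="${LAN_NET:-192.168.1.0/24}"                 # assumed trusted LAN
NEVER_BLOCK="${NEVER_BLOCK:-127.0.0.1 192.168.1.1}"  # assumed loopback + gateway

# Print the ruleset, one iptables command per line. Nothing is applied here,
# so the output can be reviewed (or checked by the helpers below) as a normal
# user before it is run as root.
build_rules() {
    cat <<EOF
iptables -F
iptables -X
# default policy: everything not explicitly allowed is dropped
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# loopback must stay open or local clients (e.g. MySQL tests) break
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# smurf: broadcast/multicast-addressed packets from the Internet side
iptables -A INPUT -i $WAN_IF -m pkttype --pkt-type broadcast -j DROP
iptables -A INPUT -i $WAN_IF -m pkttype --pkt-type multicast -j DROP
# replies to connections this box opened (DNS, browsing, updates)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# keep ping working, but rate-limited
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# public web server
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
# MySQL only from the LAN; the Internet never sees an open 3306
iptables -A INPUT -p tcp --dport 3306 -s $LAN_NET -m state --state NEW -j ACCEPT
# log (rate-limited) what the policy is about to drop
iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "IPT-DROP: "
EOF
}

# Apply the generated ruleset; needs root. Run as: APPLY_RULES=1 sh fw.sh
apply_rules() {
    build_rules | sh -e
}

# Helpers for checking the generated text without root.
policy_is_drop() {      # $1 = chain; true if its policy line is DROP
    build_rules | grep -q "^iptables -P $1 DROP\$"
}
rule_for_port() {       # $1 = TCP port; prints the INPUT rule(s) for it
    build_rules | grep -- "--dport $1 "
}

# What a portsentry reaction hook would run: insert a DROP for one source at
# the head of INPUT. Addresses on the never-block list are refused, so a
# scanner spoofing the gateway's address cannot make this box cut itself off.
block_host() {          # $1 = attacker address; prints the rule or returns 1
    for safe in $NEVER_BLOCK; do
        if [ "$1" = "$safe" ]; then
            return 1
        fi
    done
    echo "iptables -I INPUT -s $1 -j DROP"
}

if [ "${APPLY_RULES:-0}" = 1 ]; then
    apply_rules
fi
```

Without APPLY_RULES the script only defines functions, so `. ./fw.sh; build_rules` shows the exact commands that would be applied. Order matters in the INPUT chain: the state and service rules come first, the LOG rule last, and only then does the chain policy drop the packet; the stateful OUTPUT rule replaces Pierre's `--source-port 80/3306` OUTPUT rules, which would otherwise leave the box unable to open any connection of its own.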
Current thread:
- Iptables Clues and Advices. Nahual Guerrero (Apr 03)
- Re: Iptables Clues and Advices. Pierre BETOUIN (Apr 04)
- Re: Iptables Clues and Advices. Christian Friedl (Apr 04)
- Re: Iptables Clues and Advices. Pierre BETOUIN (Apr 04)
- Re: Iptables Clues and Advices. Andreas Happe (Apr 07)
- Re: Iptables Clues and Advices. panth3r (Apr 07)
- Re: Iptables Clues and Advices. Pierre BETOUIN (Apr 04)
- <Possible follow-ups>
- RE: Iptables Clues and Advices. Allan Schon (Apr 07)
- RE: Iptables Clues and Advices. David Gillett (Apr 08)
- RE: Iptables Clues and Advices. Jason Dixon (Apr 08)
- Re: Iptables Clues and Advices. Andres j. Ogayar (Apr 09)
- RE: Iptables Clues and Advices. Steve Bremer (Apr 09)
- Re: Iptables Clues and Advices. Salvatore Poliandro (Apr 10)
- RE: Iptables Clues and Advices. David Gillett (Apr 08)