Re: Iptables Clues and Advices.

[Pierre BETOUIN <info16 () ifrance com>]

        Hello,
You should change the default policy to DROP using :
        iptables -P INPUT DROP
        iptables -P OUTPUT DROP
        iptables -P FORWARD DROP

Your box will, then, reject all packets that are non-authorized.
Then, allow others...

In your case :
--------------
#MySql
iptables -A INPUT -p tcp --destination-port 3306 -j ACCEPT
iptables -A OUTPUT -p tcp --source-port 3306 -j ACCEPT

#Web server
iptables -A INPUT  -p tcp --destination-port 80 -j ACCEPT
iptables -A OUTPUT -p tcp --source-port 80 -j ACCEPT


Le mer 02/04/2003 à 22:55, Nahual Guerrero a écrit :
> Hi list.
>
> I began using iptables a few months ago , I've managed to make a perl script 
> wich contains al basic rules of packet filitering in my box. but now that I 
> managed and learned how to do it , i really don't know how to secure my box 
> from possible attacks comming from internet.
>
> I use the error and test method , I mean , I use against myself classical 
> attacks such a smurf , different types of scans using nmap etc...
>
> I'd like to make several questions , so i'll set the variables of my sistem 
> in order to have better answers , if anyone wants to answer any of them.
>
> ->Security programs installed (and probably misconfigured...remember , i'm a 
> newbie):
>
> -tcplog 1.6
> -portsentry 1.1
> -iptables 1.2.2
>
> ->Services I run , in order to make tests in my own box (so we deduce I don't 
> want anyone from the internet to know they exist)
>
> MySql (3306)
> Apache (80)
>
> ->Script made to try to detect and prevent any kind of investigation on my 
> box.
> ###################################################################
> #!/usr/bin/perl
>
> my $iptfh = 'iptables -F';
> my $iptin = 'iptables -A INPUT -j DROP -p tcp -s ! 127.0.0.0/255.255.255.0 
> --destination-port';
> my $iptil = 'iptables -A INPUT -j LOG -p tcp -s ! 127.0.0.0/255.255.255.0 
> --destination-port';
> my $iptol = 'iptables -A OUTPUT -j LOG';
> my $iptfl = 'iptables -A FORWARD -j LOG';
>
> system ("clear");
> print "Tirando de la Cadena....\n";
> system ("$iptfh");
>
> #Input
> system ("$iptin 80");
> system ("$iptin xxx");
> system ("$iptin xxx");
> system ("$iptin xxxx");
> system ("$iptin xxxx");
> system ("$iptin 3306");
> system ("$iptin xxxx");
> system ("$iptin xxxx");
>
> system ("$iptil 80");
> system ("$iptil xxx");
> system ("$iptil xxxx");
> system ("$iptil xxxx");
> system ("$iptil 3306");
> system ("$iptil xxxx");
> system ("$iptil xxxx");
>
> #Output
>
> #Forward
>
> system ("$iptfl");
>
>
> #Port Sentry
> print "Iniciando Port Sentry\n";
> system ("portsentry -stcp");
> system ("portsentry -sudp");
> #######################################################################
>
> I know , It's very simplistic , that's why I ask for help. 
> So with this configuration , it's obvious that it only blocks some type of 
> scans , and direct conections on tcp ports , but i'd like to hide these ports 
> from any kind of scan (at least any kind of scan wich nmap can perform).
You can't hide your 80 and 3306 ports to everyone if you want to allow
everybody to connect to your host..
Ex: some scripts will scan only your webserver trying to find known
exploits...


> Now the questions.
>
> Is it a good idea to block icmp packets to avoid smurf attacks?If we drop all 
> icmp attacks won't we have any trouble during regular surfing?
It's often very useful to allow icmp... Smurf attacks use icmp
broadcasts so you have to drop any broadcasts which comes to your
internet interface if you trust your lan... and if you don't, add the
same rule for your lan interface...

> How can I completely hide ports(udp and tcp) when connected to the 
> internet?In case of being impossible , How can i hide them as much as 
> possible?
You can detect some kinds of aggressive scans and reject them, by example using portsentry
and adding a iptables rules in order to deny everything from attacker.

> If any of the questions i've made are abusive , feel free to say it , but 
> please , pleeease , do not flame me. 
No way ! ;)

> Thank you in advance.
>
> Un abrazo.
> ------------------------------------------------------------------------------------------------------.
>                       Nahual Guerrero
>         Llave pgp: http://www.rootshell.be/~nahual/pub_key.asc
> -------------------------------------------------------------------
-- 
Pierre BETOUIN <info16 () ifrance com>

Attachment: signature.asc
Description: