[Fwd: Help with ipchains rules]

["Marnix Petrarca, DaemonLabs.com." <Marnix () DaemonLabs com>]

> --- Begin Message ---
>
>
> From: "Marnix Petrarca, DaemonLabs.com." <Marnix () DaemonLabs com>
>
> Date: Sat, 27 Jan 2001 11:41:29 -0100
>
> In other words, you don't need named if you can get your current
> dns-server (where you registered your web/domain-names) to point at the
> IP or the virtual IP's of your webserver to-be.
>
> Much more beatiful is in the end only an open port 80. And while you're
> at it, disable XFS after configuration - saves you another port. That's
> the GUI-server that serves 'windows' to you.
>
> Bye now -- Marnix
>
>
>
> "Marnix Petrarca, DaemonLabs.com." wrote:
> > Hi again,
> >
> > the beauty of it is that local also means localhost, which is basically
> > you when you do what you want to do. It doesn't matter that there's no
> > network behind it. If you want to set up a full-featured dns-server,
> > that's really something else. You don't just do that by running named as
> > a caching-only server. You will have to build dns-records and so on, and
> > make sure somewhere on the net the machines know who the first
> > Nameserver was, i.e. where it was first created.
> > It's a lot easier if you just let the current DNS server point to your
> > caching-dns machine, just adjust the the point-to address. You find the
> > current one by typing in your domain-names and see where you come out.
> > Or use nslookup. If you registered at Register.com then for $70,-/2 Yrs
> > it would have been settled - no extra charge. At register.com you can
> > simply set the point-to to the IP# of your webserver/DNS server. Check
> > it out - you will be less vulnerable.
> >
> > And yes, it's that simple. A lot simpler than your ruleset. Don't forget
> > to first flush the rules, then set up the Deny rule, forget the DHCP
> > ports if you dont use them, forget the timings - you don't need them
> > really (defaults OK), and allow for local packets to be forwarded, and
> > deny all others.
> >
> > Really, that's all. Try it out. And if you can arrange for physically
> > making changes instead of via SSH, you'll be a lot safer again.
> >
> > And if you're really up to speed, try and use snort for an IDS - it's
> > free. (www.snort.org)
> >
> > Cheers -- M
> >
> > I'm a Swinger wrote:
> > > Hi, thanx for the reply...
> > > The reason why the home networking how-to was a little confusing for me was
> > > that I don't have any sort of network.  Just the linux box.  And it's sole
> > > purpose is to serve webpages (virtual hosting), and DNS (the four domains I
> > > have registered for the four webpages), and SSH (for obvious reasons).
> > > That's why I'm assuming I need a VERY simple ruleset.  (I just don't think
> > > it's quite as simple as the sample I provided) :-)
> > >
> > > Curtis
> > >
> > > > From: Marnix Petrarca <Marnix () DaemonLabs com>
> > > > To: I'm a Swinger <imaswinger () hotmail com>, firewall-wizards () nfr com,
> > > >  Marnix () DaemonLabs com
> > > > Subject: Re: [fw-wiz] Help with ipchains rules
> > > > Date: Fri, 26 Jan 2001 11:59:08 -0100
> > > >
> > > >
> > > >
> > > >
> > > > Hi,
> > > >
> > > > take a (good) look at the home-networking how-to. It's not the Fortress
> > > > kind of ruleset, but it will get you up and running.
> > > > Basically the suggested ruleset says Deny all, but forward all local
> > > > packets and masq them. That way you will not have these problems (I
> > > > hope). You can load additional modules (ICQ, FTP, etc) via
> > > > /sbin/modprobe ip_masq_icq and so on. After adjusting, run
> > > > sysctlconfig-gtk and under the options >Networking>ICMP>ICMP2 you can
> > > > adjust ICMP-response to your likings. Try marking all three options,
> > > > reboot and ping yourself again. You may like what you find. Dont't
> > > > forget setting yor nameserver to the user nobody and group nobody -
> > > > default it's named.
> > > >
> > > > For stronger rulesets, look at the IP-masquerading how-to. That will put
> > > > you on track.
> > > >
> > > > Good luck and oh, use Nmap (www.insecure.org/nmap) for scanning, if you
> > > > didn't have it already.
> > > >
> > > > Redgards,
> > > >
> > > > Marnix
> > > > DaemonLabs.com, The Netherlands
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > I'm a Swinger wrote:
> > > > > Hello, I am running a Redhat 7.0 server (by itself, there are no
> > > > computers
> > > > > behind it) running DNS (to host my domain names for WWW), WWW, and SSH.
> > > > The
> > > > > only open ports (judging by a nessus report) were 22, 53, 80, and 443
> > > > (I'd
> > > > > like to shutdown 443, but that's not a question for this particular
> > > > list).
> > > > > A friend gave me his ipchains ruleset to use, but when its running I can
> > > > not
> > > > > ftp or lynx out of the machine (it's also supposed to drop all ping
> > > > > requests, but it does not).  It (ftp or lynx) just hangs.  So I started
> > > > > reading up on ipchains so that I could implement my own ruleset.
> > > > Judging by
> > > > > the HOWTO (and the simple example given), I really only have to worry
> > > > about
> > > > > allowing incoming to 22, 53, and 80.  There were some issues with the
> > > > ftp
> > > > > (needing a port <1024), but I think if I run passive mode I can ignore
> > > > them.
> > > > > Now disregarding ip-spoofing and forwarding, I'm guessing that this is
> > > > what
> > > > > I would include in my ipchains (This is most likely wrong, which is why
> > > > I'm
> > > > > writing this letter):
> > > > >
> > > > > ~~
> > > > > #(I'm substituting 123.123.123.123 for my real ip)
> > > > > #I allow UDP/TCP packets in for DNS, TCP for WWW, and TCP for SSH
> > > > > ipchains -A -p UDP -s 123.123.123.123 dns -j ACCEPT
> > > > > ipchains -A -p tcp -s 123.123.123.123 dns -j ACCEPT
> > > > > ipchains -A -p tcp -s 123.123.123.123 www -j ACCEPT
> > > > > ipchains -A -p tcp -s 123.123.123.123 ssh -j ACCEPT
> > > > >
> > > > > #Local-to-local packets are OK:
> > > > > ipchains -A -i lo -j ACCEPT
> > > > >
> > > > > #Now, my default policy on the input chain is DENY, so everything else
> > > > gets
> > > > > dropped:
> > > > > ipchains -P input DENY
> > > > > ~~
> > > > >
> > > > > Now this seems far to simple to me to be what I need.  Can anyone help
> > > > > explain to me what I need to allow to simply run DNS, WWW, and SSH?  I
> > > > want
> > > > > to allow access to those, and block everything else.  The only thing
> > > > else I
> > > > > have to do is occasional use of lynx (I could probably do without that
> > > > > actually) and ftp (I need to access updates.redhat.com, etc.).
> > > > > Any help with this matter (along with a cc to my address
> > > > > imaswinger () hotmail com because I may not be on the mailing list just yet
> > > > - I
> > > > > don't know how long it takes) would be extremely appreciated.
> > > > >
> > > > > Curtis
> > > > >
> > > > > PS - I apologize for the longwindedness of this letter (and it's
> > > > postscript
> > > > > :-), I just wanted to give as much info as possible.
> > > > _________________________________________________________________________
> > > > > Get Your Private, Free E-mail from MSN Hotmail at
> > > > http://www.hotmail.com.
> > > > > _______________________________________________
> > > > > firewall-wizards mailing list
> > > > > firewall-wizards () nfr com
> > > > > http://www.nfr.com/mailman/listinfo/firewall-wizards
> > >
> > > _________________________________________________________________________
> > > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
>
>
> --- End Message ---