security precautions with iptables?
Igor Gueths
igueths at lava-net.com
Sun May 20 17:52:51 EDT 2007
Hi. Another idea is putting this in a script:
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# service ports go here
/sbin/iptables -P INPUT DROP
Only apply that policy when you know that all your required ports are open; if not, you may find yourself locked out of your machine, and only console access can fix things again.
Igor
On Sun, May 20, 2007 at 05:33:15PM -0400, Travis Siegel wrote:
> If you turn off the various utilities in the inetd.conf file that you
> don't use, that can help too.
> I.E. since you're using ssh, you won't need telnet and rlogin.
> Simply comment them out. That way, no matter how many packets go to
> that destination port, it won't do a bit of good.
> You are of course welcome to block any ports you like, and it's
> likely that'll help too, but the inetd daemon is a nice way to secure
> the machine as well.
>
> As for the problem with the outgoing ping packets, there are ways to
> specify incoming/outgoing packets, but I've not fiddled with ip rules
> for several years, so I don't remember the syntax. However, there's
> a very good how-to on the Linux how-to site explaining ipfwadm and
> ipchains. One of the examples in there is how to secure the machine
> for a particular service (don't remember which one) but it covers
> that exact problem (if I remember correctly).
> Try to see if you can find it. If not, I'm sure I have it *somewhere*.
> But, just so you know, there is a solution, I (unfortunately) no
> longer remember what it is though.
>
>
> On May 20, 2007, at 11:34 AM, Littlefield, Tyler wrote:
>
> > Hello list,
> > I've been told to block ping requests with iptables. I made the
> > following rule:
> > iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
> > The only problem with this, is it drops all pings incoming as well,
> > which causes a slight problem.
> > Any way around this?
> > Also, is there anything else that can be done in order to make the
> > system more secure? I was told to block fragmented packets. I know
> > what they are, but don't know enough about tcp in order to be able
> > to do much with them.
> > Help is appreciated.
> > Thanks,
> > _______________________________________________
> > Speakup mailing list
> > Speakup at braille.uwo.ca
> > http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >
> >
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
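Added example, not part of the original message: a shell sketch of the script layout described above that prints the rules in order and refuses to emit the DROP policy when the port of the current SSH session is not among the opened ports. The function names, the port arguments and the loopback rule are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Prints iptables commands;
# it never runs them itself.
IPT=/sbin/iptables

# Print the rule set for the given TCP ports, one command per line.
build_rules() {
    # Assumption: loopback is accepted so local services keep working.
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        echo "$IPT -A INPUT -p tcp --dport $port -j ACCEPT"
    done
    # The default policy goes last, after every required port is open.
    echo "$IPT -P INPUT DROP"
}

# Succeed only if port $1 is accepted by rules $2 before the policy line.
port_is_open() {
    printf '%s\n' "$2" | sed '/-P INPUT DROP/,$d' |
        grep -q -- "--dport $1 -j ACCEPT"
}

# Server-side port of the SSH session in use (4th field of
# SSH_CONNECTION); empty when logged in on the console.
ssh_port() {
    set -- $SSH_CONNECTION
    echo "${4:-}"
}

# Print the rules, or fail with no output if they would cut off
# the session they are being applied from.
checked_rules() {
    rules=$(build_rules "$@")
    mine=$(ssh_port)
    if [ -n "$mine" ] && ! port_is_open "$mine" "$rules"; then
        echo "refusing: port $mine (this SSH session) is not opened" >&2
        return 1
    fi
    printf '%s\n' "$rules"
}

# Example: sh thisfile 22 80   (prints the commands for review)
if [ "$#" -gt 0 ]; then
    checked_rules "$@"
fi
```

After reviewing the printed commands, they can be piped to a root shell to apply them.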