security precautions with iptables?

Littlefield, Tyler compgeek13 at gmail.com
Sun May 20 17:59:29 EDT 2007


I've done something to this sort, and done iptables -P OUTPUT ACCEPT.
Then, I have things hanging, such as apt-get, etc...
----- Original Message ----- 
From: "Igor Gueths" <igueths at lava-net.com>
To: "Speakup is a screen review system for Linux." <speakup at braille.uwo.ca>
Sent: Sunday, May 20, 2007 3:52 PM
Subject: Re: security precautions with iptables?


>
> Hi. Another idea is putting this in a script:
> /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> services ports go here
> /sbin/iptables -P INPUT DROP
> Only apply that policy when you know that all your required ports are
> open; if not, you may find yourself locked out of your machine, and only
> console access can fix things again.
> Igor
> On Sun, May 20, 2007 at 05:33:15PM -0400, Travis Siegel wrote:
> > If you turn off the various utilities in the inetd.conf file that you
> > don't use, that can help too.
> > I.E. since you're using ssh, you won't need telnet and rlogin.
> > Simply comment them out.  That way, no matter how many packets go to
> > that destination port, it won't do a bit of good.
> > You are of course welcome to block any ports you like, and it's
> > likely that'll help too, but the inetd daemon is a nice way to secure
> > the machine as well.
> >
> > As for the problem with the outgoing ping packets, there are ways to
> > specify incoming/outgoing packets, but I've not fiddled with ip rules
> > for several years, so I don't remember the syntax.  However, there's
> > a very good how-to on the linux how-to site explaining ipfwadm and
> > ipchains.  One of the examples in there is how to secure the machine
> > for a particular service (don't remember which one) but it covers
> > that exact problem (if I remember correctly).
> > Try to see if you can find it.  If not, I'm sure I have it *somewhere*.
> > But, just so you know, there is a solution, I (unfortunately) no
> > longer remember what it is though.
> >
> >
> > On May 20, 2007, at 11:34 AM, Littlefield, Tyler wrote:
> >
> > > Hello list,
> > > I've been told to block ping requests with iptables. I made the
> > > following rule:
> > > iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
> > > The only problem with this, is it drops all pings incoming as well,
> > > which causes a slight problem.
> > > Any way around this?
> > > Also, is there anything else that can be done in order to make the
> > > system more secure? I was told to block fragmented packets. I know
> > > what they are, but don't know enough about tcp in order to be able
> > > to do much with them.
> > > Help is appreciated.
> > > Thanks,
> > > _______________________________________________
> > > Speakup mailing list
> > > Speakup at braille.uwo.ca
> > > http://speech.braille.uwo.ca/mailman/listinfo/speakup
> > >
> > >
> >
> >
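The script Igor sketches, written out in full as an added example (not code from the thread), in the order that also explains the hang Tyler reports: the ESTABLISHED,RELATED accept must precede the INPUT DROP policy, or replies to the host's own connections never get back in. The IPT variable and the SERVICE_PORTS list are assumptions of this example; IPT=echo previews the commands without root.

```shell
#!/bin/sh
# Added example: stateful INPUT ruleset in the order Igor describes.
# IPT and SERVICE_PORTS are assumptions of this example; set IPT=echo
# to preview the commands instead of loading them into the kernel.
IPT="${IPT:-/sbin/iptables}"
SERVICE_PORTS="${SERVICE_PORTS:-22}"   # constructed: keep SSH reachable

apply_firewall() {
    # Return the chain to a known state before rebuilding it.
    "$IPT" -P INPUT ACCEPT
    "$IPT" -F INPUT
    # Loopback must stay open for local daemons and tools.
    "$IPT" -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened (apt-get, DNS, its own pings).
    # Without this rule an INPUT DROP policy makes outbound tools hang,
    # because their answers are dropped; OUTPUT ACCEPT alone does not help.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inbound service ports go here, before the policy change, so the
    # DROP policy cannot lock you out of a remote box.
    for port in $SERVICE_PORTS; do
        "$IPT" -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Drop unsolicited echo-requests only; echo-replies to pings sent from
    # this host were already accepted above as ESTABLISHED.
    "$IPT" -A INPUT -p icmp --icmp-type echo-request -j DROP
    # Policy last: anything not matched above is dropped.
    "$IPT" -P INPUT DROP
    "$IPT" -P OUTPUT ACCEPT
}

# Print the commands instead of running them (no root needed).
preview_firewall() {
    ( IPT=echo; apply_firewall )
}

# Sanity check on the preview: the stateful accept must come before the
# DROP policy, otherwise applying this over SSH cuts the session off.
check_ordering() {
    rules="$(preview_firewall)"
    est="$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED,RELATED' | cut -d: -f1)"
    drop="$(printf '%s\n' "$rules" | grep -n -- '-P INPUT DROP' | cut -d: -f1)"
    [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ]
}

if [ "${1:-}" = "--apply" ]; then apply_firewall; fi
```

Run it with --apply as root to load the rules; without the flag it only defines the functions, and preview_firewall shows what would be applied.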