firewall

Derek Trotter expat.arizonan at gmail.com
Wed Aug 8 00:34:58 MST 2012


On 8/7/2012 21:36, Lisa Kachold wrote:
> Hi Derek,
>
> How are you?
I'm able to walk upright and breathe so I won't complain.  Thanks for 
asking.
>
> We didn't really cover if you are using a singular dsl device or a 
> small switch/dsl modem on the upstream?
I have a dsl modem.  Its only output is one place to plug in an ethernet 
cable.
> So if you have your two boxes (Ladmo and Wallace) connected via a 
> crossover cable or small switch to eth1 on Wallace which has eth0 
> connected to your dsl, that's good.
The dsl modem connects directly to eth0 on the linux box (Wallace)
> If you have both boxes connected to the dsl switch/modem, there might 
> be a problem?
I can see how it would be.
> The best way to verify your settings is via nmap from outside.
I don't have access to anything outside my home that I can run nmap on.  
I guess I could ask a friend if they will let me install nmap on their 
machine long enough for me to run the test.  I ran the shields up test 
at grc.com.  The only port it found open is the one I use for bittorrent 
on the windows box.
> Assumptions without real tests are the basis of bad security everywhere.
Assuming anything without checking is an invitation for bad things to 
happen.  How many people have ended up on the side of the road between 
Gila Bend and Yuma saying "But honey, I thought we had enough gas to get 
there"?
> nmap each server from the other server.  Run a nmap from a shell or 
> linux box externally.
I can check each computer from the other.
>
> Also run this tool on the Windows system to verify what is really running:
> http://www.youtube.com/watch?v=Kh4UeGfzO9o&playnext=1&list=PL908F54F9D05EE965&feature=results_video
>
I saw the video and like it.  Once I get the firewall straightened out 
I'll try it.

SNIP

> You can tighten up your source and destination by network subnet also:
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 ! -d 10.0.1.0/24 -j MASQUERADE

I did this but changed 192.168.1.0 to 192.168.0.0 and 10.0.1.0 to 
10.0.0.0 because the ip address for eth1 is 192.168.0.1

> #Opening both tcp and udp DNS (from EVERYONE) will allow me to do all 
> sorts of nefarious things via DNS (trusted port) attack:
> #http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html
> #http://www.watchguard.com/training/lss/60/Proxies/proxies9.htm
> #http://www.exploit-db.com/exploits/16748/
> #At the very least open instead source and destination udp only to 
> your DNS servers and use random ports:
> iptables -A INPUT -p udp -s 8.8.8.8 --sport 1024:65535 -d 192.168.1.23 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 53 -d 8.8.8.8 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d 192.168.1.23 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 53 -d 8.8.8.8 --dport 53 -m state --state ESTABLISHED -j ACCEPT
I did this but used 192.168.0.2 instead because that's the ip address of 
the windows box.
>
> #Add logging:  You need both rules
> iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
>
> iptables -A INPUT -i eth0 -j DROP
> #Drops unwanted incoming packets.
>
I did this.  Now I have to figure out where the log file is.

Here is what I have now.  Lisa, thanks for your help.

# NAT: masquerade LAN traffic (eth1, 192.168.0.0/24) leaving eth0, except
# traffic bound for 10.0.0.0/24.  Negation goes before the option on current
# iptables ("! -d"); the "-d \! addr" form is the old, deprecated syntax.
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE

# Port forward for bittorrent on the windows box (192.168.0.2).  Forwarded
# packets traverse the FORWARD chain, not INPUT/OUTPUT.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 40998 -j DNAT --to-destination 192.168.0.2:40998

# Outbound HTTP from Wallace itself, and the replies
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Outbound DNS from Wallace itself, and the replies
iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

# DNS between the windows box (192.168.0.2) and each resolver: packets from
# the resolver on a random source port to 192.168.0.2:53 and the replies,
# plus port-53-to-port-53 traffic in both directions.  These are
# INPUT/OUTPUT rules, so they match only packets addressed to or from
# Wallace itself; packets forwarded to 192.168.0.2 go through FORWARD,
# which this ruleset does not touch.
iptables -A INPUT -p udp -s 8.8.8.8 --sport 1024:65535 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.8.8 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.8.8 --dport 53 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp -s 8.8.4.4 --sport 1024:65535 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.4.4 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 8.8.4.4 --sport 53 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.4.4 --dport 53 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp -s 98.86.100.1 --sport 1024:65535 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 98.86.100.1 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 98.86.100.1 --sport 53 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 98.86.100.1 --dport 53 -m state --state ESTABLISHED -j ACCEPT

# ICMP: Wallace may send anything; only replies to its own traffic come in
iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

# Logging, then the final drop on the upstream interface.  The LOG rule has
# no -i, so it records every packet that reaches this point on any
# interface, not only the eth0 ones dropped by the rule after it.  The LOG
# target writes to the kernel log: see dmesg, or whichever file syslog
# routes kern.* to (/var/log/kern.log or /var/log/messages on most distros).
iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
iptables -A INPUT -i eth0 -j DROP
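As an added example (not part of the original thread or the posters' own scripts): once the 'InDrop' LOG rule is in place, the useful next step is to read what it records rather than just locate the file. The LOG target writes to the kernel log, so its lines appear in dmesg and in whatever file the syslog daemon routes kern.* to; the paths /var/log/kern.log and /var/log/messages below are typical defaults and are an assumption. The script summarizes those lines per protocol, source address and destination port. The sample log lines are constructed for the example in the format the LOG target emits; they are not from anyone's actual box.

```sh
#!/bin/sh
# Summarize what the "InDrop" LOG rule is recording.  Added example, not
# code from the original thread.

# Constructed sample lines in the format the iptables LOG target emits
# (syslog timestamp, host, kernel prefix, then the packet fields).  Made
# up for this example; the last line is unrelated kernel noise.
SAMPLE_LOG='Aug  8 00:40:01 wallace kernel: [ 120.000001] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  8 00:40:02 wallace kernel: [ 121.000002] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  8 00:40:03 wallace kernel: [ 122.000003] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=43212 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  8 00:40:04 wallace kernel: [ 123.000004] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.23 DST=198.51.100.7 LEN=61 TOS=0x00 PREC=0x00 TTL=55 ID=4321 PROTO=UDP SPT=53 DPT=53 LEN=41
Aug  8 00:40:05 wallace kernel: [ 124.000005] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Aug  8 00:40:06 wallace kernel: [ 125.000006] eth1: link is up'

# summarize_drops: read kernel log lines on stdin, keep only those carrying
# the InDrop prefix, and print one line per (protocol, source, dest port):
#   <count> <PROTO> <SRC> <DPT>      (DPT is "-" for ICMP, which has none)
# sorted by count, highest first.
summarize_drops() {
    awk '
        /InDrop / {
            src = ""; dpt = "-"; proto = "?"
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^SRC=/)   src   = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            count[proto " " src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# recent_drops: run the summary over the live kernel log.  dmesg may be
# restricted to root on some systems; fall back to the usual syslog files
# (assumed paths, check your syslog configuration).
recent_drops() {
    if dmesg >/dev/null 2>&1; then
        dmesg | summarize_drops
        return
    fi
    for f in /var/log/kern.log /var/log/messages; do
        if [ -r "$f" ]; then
            summarize_drops < "$f"
            return
        fi
    done
    echo "no readable kernel log found" >&2
    return 1
}

# Demo on the constructed sample; on the router itself run: recent_drops
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Running it on the sample prints three summary lines, the first being the three dropped SSH connection attempts from 203.0.113.5. Seeing a port 53 packet in that list with source port 53 is exactly the sort of thing the DNS discussion above is about: a resolver answering from 53 to 53 rather than to the random high port the query came from.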
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20120808/4cde0b08/attachment.html>