firewall

Lisa Kachold lisakachold at obnosis.com
Wed Aug 8 20:08:04 MST 2012


On Wed, Aug 8, 2012 at 12:34 AM, Derek Trotter <expat.arizonan at gmail.com> wrote:

>  On 8/7/2012 21:36, Lisa Kachold wrote:
>
> Hi Derek,
>
> How are you?
>
> I'm able to walk upright and breathe so I won't complain.  Thanks for
> asking.
>
>
> We didn't really cover if you are using a singular dsl device or a small
> switch/dsl modem on the upstream?
>
> I have a dsl modem.  Its only output is one place to plug in an ethernet
> cable.
>
> So if you have your two boxes (Ladmo and Wallace) connected via a
> crossover cable or small switch to eth1 on Wallace which has eth0 connected
> to your dsl, that's good.
>
> The dsl modem connects directly to eth0 on the linux box (Wallace)
>
> If you have both boxes connected to the dsl switch/modem, there might be a
> problem?
>
> I can see how it would be.
>
> The best way to verify your settings is via nmap from outside.
>
> I don't have access to anything outside my home that I can run nmap on.  I
> guess I could ask a friend if they will let me install nmap on their
> machine long enough for me to run the test.  I ran the shields up test at
> grc.com.  The only port it found open is the one I use for bittorrent on
> the windows box.
>

Don't publish your external IP, but send to me and I will nmap for you.

>
> Assumptions without real tests are the basis of bad security everywhere.
>
> Assuming anything without checking is an invitation for bad things to
> happen.  How many people have ended up on the side of the road between Gila
> Bend and Yuma saying "But honey, I thought we had enough gas to get there."
>
> nmap each server from the other server.  Run a nmap from a shell or linux
> box externally.
>
> I can check each computer from the other.
>
>
> Also run this tool on the Windows system to verify what is really running:
>
> http://www.youtube.com/watch?v=Kh4UeGfzO9o&playnext=1&list=PL908F54F9D05EE965&feature=results_video
>
>  I saw the video and like it.  Once I get the firewall straightened out
> I'll try it.
>
> SNIP
>
>
>  You can tighten up your source and destination by network subnet also:
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -d \! 10.0.1.0/24 -j MASQUERADE
>
>
> I did this but changed 192.168.1.0 to 192.168.0.0 and 10.0.1.0 to 10.0.0.0
> because the ip address for eth1 is 192.168.0.1
>
>
>  #Opening both tcp and udp DNS (from EVERYONE) will allow me to do all
> sorts of nefarious things via DNS (trusted port) attack:
> #
> http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html
> #http://www.watchguard.com/training/lss/60/Proxies/proxies9.htm
> #http://www.exploit-db.com/exploits/16748/
> #At the very least open instead source and destination udp only to your
> DNS servers and use random ports:
>
> iptables -A INPUT -p udp -s 8.8.8.8 --sport 1024:65535 -d 192.168.1.23 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 53 -d 8.8.8.8 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d 192.168.1.23 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 53 -d 8.8.8.8 --dport 53 -m state --state ESTABLISHED -j ACCEPT
>
>   I did this but used 192.168.0.2 instead because that's the ip address
> of the windows box.
>
>
> #Add logging:  You need both rules
> iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
>
>> iptables -A INPUT -i eth0 -j DROP
>> #Drops unwanted incoming packets.
>>
>  I did this.  Now I have to figure out where the log file is.
>

Sorry,

It's in the /var/log directory or whatever you have configured as log-level
4 in /etc/syslog.conf for kernel messages:

Here's an explanation of the log levels:

-l 9 = error
-l 8 = panic
-l 7 = debug
-l 6 = info
-l 5 = notice
-l 4 = warning

This example is log level 7:

Code:

kern.=debug     /var/log/firewall

If the "log-level" specified in iptables entry is the "debug" level (7),
then the syslog.conf file example above reflects this fact and sets up the
file /var/log/firewall to capture all of these messages. To invoke issue a
"/sbin/service syslog restart", and then the file "/var/log/firewall" will
appear, and happily start filling up.

Reference:
http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html

>
> Here is what I have now.  Lisa thanks for your help.
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d \! 10.0.0.0/24 -j MASQUERADE
>
>
> iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 40998 -j DNAT --to
> 192.168.0.2:40998
>
> iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED
> -j ACCEPT
>
> iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state
> NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED
> -j ACCEPT
>
> iptables -A INPUT -p udp -s 8.8.8.8 --sport 1024:65535 -d 192.168.0.2
> --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.8.8 --dport
> 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d 192.168.0.2 --dport 53
> -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.8.8 --dport 53
> -m state --state ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p udp -s 8.8.4.4 --sport 1024:65535 -d 192.168.0.2
> --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.4.4 --dport
> 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p udp -s 8.8.4.4 --sport 53 -d 192.168.0.2 --dport 53
> -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.4.4 --dport 53
> -m state --state ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p udp -s 98.86.100.1 --sport 1024:65535 -d 192.168.0.2
> --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 98.86.100.1 --dport
> 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p udp -s 98.86.100.1 --sport 53 -d 192.168.0.2 --dport
> 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 98.86.100.1 --dport
> 53 -m state --state ESTABLISHED -j ACCEPT
>
>
> iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p icmp -j ACCEPT
>
>
> iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
> iptables -A INPUT -i eth0 -j DROP
>



-- 
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
<http://it-clowns.com>Safeway.com
Automation Engineer
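Once the LOG rule is writing to the file named in syslog.conf, the drops still have to be read. As an added example (not code from the thread), this small Python parser handles the kernel's KEY=VALUE LOG format using the 'InDrop ' prefix quoted above and counts drops per source, protocol and destination port; the log lines, hostname and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the layout the iptables LOG target emits through
# syslog; the hostname "wallace" and all addresses are made up for this example.
SAMPLE_LOG = """\
Aug  8 20:01:02 wallace kernel: [1234.567] InDrop IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  8 20:01:09 wallace kernel: [1241.100] InDrop IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=4445 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug  8 20:02:30 wallace kernel: [1322.900] InDrop IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=UDP SPT=53 DPT=53 LEN=40
Aug  8 20:03:00 wallace kernel: [1352.000] InDrop IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=7 PROTO=ICMP TYPE=8 CODE=0 SEQ=1
Aug  8 20:03:05 wallace sshd[812]: Accepted publickey for derek from 192.168.0.2 port 51234
"""

PREFIX = "InDrop "                      # the --log-prefix used in the rule
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE tokens; bare flags (DF, SYN) are skipped


def parse_drop(line):
    """Return the KEY=VALUE fields of one firewall LOG line as a dict,
    or None when the line is not a drop message (no 'InDrop ' prefix)."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    fields = dict(FIELD_RE.findall(line[idx + len(PREFIX):]))
    fields.setdefault("DPT", "-")       # ICMP entries carry no port fields
    return fields


def summarize(text):
    """Count dropped packets per (SRC, PROTO, DPT) so repeat offenders stand out."""
    counts = Counter()
    for line in text.splitlines():
        fields = parse_drop(line)
        if fields:
            counts[(fields["SRC"], fields["PROTO"], fields["DPT"])] += 1
    return counts


def noisy_sources(text, threshold=2):
    """Sources with at least `threshold` drops on any port: a quick triage
    list of who kept knocking on eth0, most frequent first."""
    per_src = Counter()
    for (src, _proto, _dpt), n in summarize(text).items():
        per_src[src] += n
    return [src for src, n in per_src.most_common() if n >= threshold]


if __name__ == "__main__":
    for (src, proto, dpt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src:15s} {proto:5s} dpt={dpt}")
    print("noisy:", noisy_sources(SAMPLE_LOG))
```

Point it at the real file by reading /var/log/firewall (or wherever the kern.=warning line in syslog.conf sends level 4) into `summarize` instead of SAMPLE_LOG.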