On Wed, Aug 8, 2012 at 12:34 AM, Derek Trotter wrote:

> On 8/7/2012 21:36, Lisa Kachold wrote:
>
> > Hi Derek,
> >
> > How are you?
>
> I'm able to walk upright and breathe so I won't complain. Thanks for
> asking.
>
> > We didn't really cover if you are using a singular dsl device or a small
> > switch/dsl modem on the upstream?
>
> I have a dsl modem. Its only output is one place to plug in an ethernet
> cable.
>
> > So if you have your two boxes (Ladmo and Wallace) connected via a
> > crossover cable or small switch to eth1 on Wallace which has eth0 connected
> > to your dsl, that's good.
>
> The dsl modem connects directly to eth0 on the linux box (Wallace).
>
> > If you have both boxes connected to the dsl switch/modem, there might be a
> > problem?
>
> I can see how it would be.
>
> > The best way to verify your settings is via nmap from outside.
>
> I don't have access to anything outside my home that I can run nmap on. I
> guess I could ask a friend if they will let me install nmap on their
> machine long enough for me to run the test. I ran the shields up test at
> grc.com. The only port it found open is the one I use for bittorrent on
> the windows box.

Don't publish your external IP, but send to me and I will nmap for you.

> > Assumptions without real tests are the basis of bad security everywhere.
>
> Assuming anything without checking is an invitation for bad things to
> happen. How many people have ended up on the side of the road between Gila
> Bend and Yuma saying "But honey, I thought we had enough gas to get there."
>
> > nmap each server from the other server. Run an nmap from a shell or linux
> > box externally.
>
> I can check each computer from the other.
>
> > Also run this tool on the Windows system to verify what is really running:
> >
> > http://www.youtube.com/watch?v=Kh4UeGfzO9o&playnext=1&list=PL908F54F9D05EE965&feature=results_video
>
> I saw the video and like it. Once I get the firewall straightened out
> I'll try it.
> > SNIP
> >
> > You can tighten up your source and destination by network subnet also:
> >
> > iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 ! -d 10.0.1.0/24 -j MASQUERADE
>
> I did this but changed 192.168.1.0 to 192.168.0.0 and 10.0.1.0 to 10.0.0.0
> because the ip address for eth1 is 192.168.0.1.
>
> > #Opening both tcp and udp DNS (from EVERYONE) will allow me to do all
> > #sorts of nefarious things via DNS (trusted port) attack:
> > #http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html
> > #http://www.watchguard.com/training/lss/60/Proxies/proxies9.htm
> > #http://www.exploit-db.com/exploits/16748/
> > #At the very least open instead source and destination udp only to your
> > #DNS servers and use random ports:
> >
> > iptables -A INPUT -p udp -s 8.8.8.8 --sport 1024:65535 -d 192.168.1.23 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 53 -d 8.8.8.8 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> > iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d 192.168.1.23 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> > iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 53 -d 8.8.8.8 --dport 53 -m state --state ESTABLISHED -j ACCEPT
>
> I did this but used 192.168.0.2 instead because that's the ip address
> of the windows box.
>
> > #Add logging: You need both rules
> > iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
> >> iptables -A INPUT -i eth0 -j DROP
> >> #Drops unwanted incoming packets.
>
> I did this. Now I have to figure out where the log file is.
Sorry, it's in the /var/log directory or whatever you have configured as
log-level 4 in /etc/syslog.conf for kernel messages.

Here's an explanation of the log levels:

-l 9 = error
-l 8 = panic
-l 7 = debug
-l 6 = info
-l 5 = notice
-l 4 = warning

This example is log level 7:

Code:
kern.=debug /var/log/firewall

If the "log-level" specified in the iptables entry is the "debug" level (7),
then the syslog.conf file example above reflects this fact and sets up the
file /var/log/firewall to capture all of these messages. To invoke, issue a
"/sbin/service syslog restart", and then the file "/var/log/firewall" will
appear, and happily start filling up.

Reference:
http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html

> Here is what I have now. Lisa, thanks for your help.
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 ! -d 10.0.0.0/24 -j MASQUERADE
>
> iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 40998 -j DNAT --to 192.168.0.2:40998
>
> iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
>
> iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p udp -s 8.8.8.8 --sport 1024:65535 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.8.8 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.8.8 --dport 53 -m state --state ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p udp -s 8.8.4.4 --sport 1024:65535 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.4.4 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p udp -s 8.8.4.4 --sport 53 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.4.4 --dport 53 -m state --state ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p udp -s 98.86.100.1 --sport 1024:65535 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 98.86.100.1 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p udp -s 98.86.100.1 --sport 53 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 98.86.100.1 --dport 53 -m state --state ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p icmp -j ACCEPT
>
> iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
> iptables -A INPUT -i eth0 -j DROP
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

--
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
Safeway.com Automation Engineer
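The layout the thread settles on (eth0 to the DSL modem, eth1 to the LAN, Wallace doing NAT, the bittorrent port forwarded to the Windows box, DNS allowed only to named resolvers, drops logged with the InDrop prefix) written out as one complete rule set, together with a small reader for the log lines the LOG rule produces. This is an added example, not a script posted by Lisa or Derek. The interface names, the 192.168.0.0/24 range, the 192.168.0.2 host, port 40998 and the two resolver addresses are assumptions taken from the thread; the SSH-from-LAN rule, the rate limit on the LOG rule, the DRY_RUN switch and the sample kernel-log lines (documentation addresses, not captured traffic) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed from the discussion above:
#   eth0 = DSL modem (WAN), eth1 = LAN 192.168.0.0/24, router is 192.168.0.1
#   192.168.0.2 = the Windows box, bittorrent listening on tcp/40998
#   DNS may only go to the resolvers listed in DNS_SERVERS
WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24
TORRENT_HOST=192.168.0.2
TORRENT_PORT=40998
DNS_SERVERS="8.8.8.8 8.8.4.4"

# run: execute a command, or print it when DRY_RUN=1 so the rule set can be
# reviewed on any box, without root and without iptables installed.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

build_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Clean slate, then default-deny on all three chains: anything not
    # explicitly allowed below is dropped, whatever the policy was before.
    run iptables -F; run iptables -t nat -F; run iptables -X
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT DROP
    # Anti-spoofing: nothing arriving from the DSL side may carry a LAN address.
    run iptables -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    run iptables -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    # Loopback, plus replies to connections the router or the LAN started.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT FORWARD OUTPUT; do
        run iptables -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
    # The router itself: SSH from the LAN only; web and ping outbound.
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    # NAT: masquerade LAN traffic leaving on the DSL side and forward the
    # bittorrent port to the Windows box. DNAT only rewrites the address;
    # FORWARD must also accept the rewritten packet or it is dropped.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$TORRENT_PORT" \
        -j DNAT --to-destination "$TORRENT_HOST:$TORRENT_PORT"
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$TORRENT_HOST" --dport "$TORRENT_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    # DNS: LAN hosts (FORWARD) and the router (OUTPUT) may query only the
    # listed resolvers. Packets from 192.168.0.2 transit the router, so they
    # are matched in FORWARD; they never reach the router's INPUT chain.
    for srv in $DNS_SERVERS; do
        run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -d "$srv" -p udp --dport 53 \
            -m conntrack --ctstate NEW -j ACCEPT
        run iptables -A OUTPUT -o "$WAN_IF" -d "$srv" -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
    done
    # Any other new TCP connection from the LAN out (web, the bittorrent
    # client's own outbound peers). UDP other than DNS stays blocked.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p tcp -m conntrack --ctstate NEW -j ACCEPT
    # Log what is about to hit the DROP policy, rate-limited so a port scan
    # cannot fill /var/log. The prefix is what you grep the kernel log for.
    run iptables -A INPUT -i "$WAN_IF" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level 4 --log-prefix "InDrop "
    run iptables -A FORWARD -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level 4 --log-prefix "FwdDrop "
}

# Constructed sample of what the InDrop rule writes to the kernel log
# (documentation addresses, not captured traffic).
SAMPLE_LOG='Aug  8 01:02:03 wallace kernel: [ 812.10] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 SYN
Aug  8 01:02:04 wallace kernel: [ 813.20] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=22 SYN
Aug  8 01:02:05 wallace kernel: [ 814.30] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=22 SYN
Aug  8 01:02:06 wallace kernel: [ 815.40] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TTL=48 ID=0 PROTO=UDP SPT=5353 DPT=53 LEN=20
Aug  8 01:02:07 wallace sshd[1234]: Accepted publickey for derek from 192.168.0.2 port 51515 ssh2'

# summarize_drops: read syslog lines on stdin, keep the InDrop ones and print
# "count source protocol dport", noisiest source first.
summarize_drops() {
    grep -- 'InDrop ' | awk '{
        src = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            if (k == "SRC") src = v
            else if (k == "PROTO") proto = v
            else if (k == "DPT") dpt = v
        }
        if (src != "") count[src " " proto " " dpt]++
    } END { for (key in count) print count[key], key }' | sort -rn
}

# With no argument: print the rules and the sample summary for review.
# "sh firewall.sh apply" (as root, on the router) loads the rules for real.
if [ "${1:-}" = "apply" ]; then DRY_RUN=0; else DRY_RUN=1; fi
build_rules
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

Run it with no argument first and read the printed rules; only then run it with "apply" on the router, from the console rather than over SSH, since a mistake with a DROP policy on INPUT and OUTPUT will cut a remote session. To read real output, replace the sample with the kernel log (for instance `grep InDrop /var/log/kern.log | summarize_drops`, or /var/log/firewall if syslog is configured as above); the same summary run against the FwdDrop prefix shows what the LAN is trying to send that the rules do not allow, which is where a bittorrent client's UDP (DHT, uTP) will show up.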