On Wed, Aug 8, 2012 at 12:34 AM, Derek Trotter <expat.arizonan@gmail.com> wrote:
On 8/7/2012 21:36, Lisa Kachold wrote:
Hi Derek,

How are you?
I'm able to walk upright and breathe so I won't complain.  Thanks for asking.


We didn't really cover if you are using a singular dsl device or a small switch/dsl modem on the upstream? 
I have a dsl modem.  Its only output is one place to plug in an ethernet cable.

So if you have your two boxes (Ladmo and Wallace) connected via a crossover cable or small switch to eth1 on Wallace which has eth0 connected to your dsl, that's good.
The dsl modem connects directly to eth0 on the linux box (Wallace)

If you have both boxes connected to the dsl switch/modem, there might be a problem?
I can see how it would be.

The best way to verify your settings is via nmap from outside. 
I don't have access to anything outside my home that I can run nmap on.  I guess I could ask a friend if they will let me install nmap on their machine long enough for me to run the test.  I ran the shields up test at grc.com.  The only port it found open is the one I use for bittorrent on the windows box.

Don't publish your external IP, but send to me and I will nmap for you.

Assumptions without real tests are the basis of bad security everywhere.
Assuming anything without checking is an invitation for bad things to happen.  How many people have ended up on the side of the road between Gila Bend and Yuma saying "But honey, I thought we had enough gas to get there."

nmap each server from the other server.  Run a nmap from a shell or linux box externally.
I can check each computer from the other.


Also run this tool on the Windows system to verify what is really running:
http://www.youtube.com/watch?v=Kh4UeGfzO9o&playnext=1&list=PL908F54F9D05EE965&feature=results_video

I saw the video and like it.  Once I get the firewall straightened out I'll try it.

SNIP


You can tighten up your source and destination by network subnet also:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -d \! 10.0.1.0/24 -j MASQUERADE

I did this but changed 192.168.1.0 to 192.168.0.0 and 10.0.1.0 to 10.0.0.0 because the ip address for eth1 is 192.168.0.1


#Opening both tcp and udp DNS (from EVERYONE) will allow me to do all sorts of nefarious things via DNS (trusted port) attack:
#http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html
#http://www.watchguard.com/training/lss/60/Proxies/proxies9.htm
#http://www.exploit-db.com/exploits/16748/
#At the very least open instead source and destination udp only to your DNS servers and use random ports:
iptables -A INPUT -p udp -s 8.8.8.8 --sport 1024:65535 -d 192.168.1.23 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 53 -d 8.8.8.8 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d 192.168.1.23 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 53 -d 8.8.8.8 --dport 53 -m state --state ESTABLISHED -j ACCEPT
I did this but used 192.168.0.2 instead because that's the ip address of the windows box.


#Add logging:  You need both rules
iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
iptables -A INPUT -i eth0 -j DROP
#Drops unwanted incoming packets.
I did this.  Now I have to figure out where the log file is.
 
Sorry,

It's in the /var/log directory or whatever you have configured as log-level 4 in /etc/syslog.conf for kernel messages:

Here's an explanation of the log levels:

-l 9 = error
-l 8 = panic
-l 7 = debug
-l 6 = info
-l 5 = notice
-l 4 = warning

This example is log level 7:

Code:
kern.=debug     /var/log/firewall
If the "log-level" specified in iptables entry is the "debug" level (7),  then the syslog.conf file example above reflects this fact and sets up the file /var/log/firewall to capture all of these messages. To invoke issue a "/sbin/service syslog restart", and then the file "/var/log/firewall" will appear, and happily start filling up.

Reference:  http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html

Here is what I have now.  Lisa thanks for your help.

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d \! 10.0.0.0/24 -j MASQUERADE


iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 40998 -j DNAT --to 192.168.0.2:40998

iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp -s 8.8.8.8 --sport 1024:65535 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.8.8 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.8.8 --dport 53 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp -s 8.8.4.4 --sport 1024:65535 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.4.4 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 8.8.4.4 --sport 53 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.4.4 --dport 53 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -p udp -s 98.86.100.1 --sport 1024:65535 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 98.86.100.1 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 98.86.100.1 --sport 53 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 98.86.100.1 --dport 53 -m state --state ESTABLISHED -j ACCEPT


iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT


iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
iptables -A INPUT -i eth0 -j DROP

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss



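
Added example (not part of the original thread): once the kernel messages are landing in a file, a short script can summarize what the 'InDrop ' LOG rule recorded. The log lines are constructed samples in the LOG target's format with documentation-range addresses, and the function names are this example's own. The IN column is kept because the LOG rule has no -i match, so it also records packets arriving on eth1 that the eth0-only DROP rule never matches.

```sh
#!/bin/sh
# Added example: summarize packets recorded by the 'InDrop ' LOG rule.

# Constructed sample lines (not real traffic) in the kernel LOG-target format.
sample_log() {
cat <<'EOF'
Aug  8 01:02:03 wallace kernel: [  101.000001] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=52 ID=4121 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=14600 SYN URGP=0
Aug  8 01:02:04 wallace kernel: [  102.000001] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=52 ID=4122 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=14600 SYN URGP=0
Aug  8 01:02:06 wallace kernel: [  104.000001] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=52 ID=4123 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=14600 SYN URGP=0
Aug  8 01:03:10 wallace kernel: [  168.000001] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.20 DST=198.51.100.7 LEN=71 TTL=49 ID=77 PROTO=UDP SPT=40000 DPT=53 LEN=51
Aug  8 01:03:30 wallace kernel: [  188.000001] InDrop IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=84 TTL=50 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=300 SEQ=1
Aug  8 01:04:00 wallace kernel: [  218.000001] eth0: link up
Aug  8 01:04:05 wallace kernel: [  223.000001] InDrop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TTL=128 ID=501 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug  8 01:04:06 wallace kernel: [  224.000001] InDrop IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.0.2 DST=192.168.0.255 LEN=78 TTL=128 ID=502 PROTO=UDP SPT=137 DPT=137 LEN=58
EOF
}

# indrop_summary [FILE...]: read log lines from FILE(s) or stdin and print
# "COUNT IN SRC PROTO DPT", most frequent first. Fields a packet lacks
# (for example DPT on ICMP) are shown as "-".
indrop_summary() {
    awk '
    /InDrop IN=/ {
        iface = src = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue                 # not a KEY=VALUE token
            key = substr($i, 1, n - 1)
            val = substr($i, n + 1)
            if (val == "") continue              # e.g. "OUT=" on INPUT
            if (key == "IN") iface = val
            else if (key == "SRC") src = val
            else if (key == "PROTO") proto = val
            else if (key == "DPT") dpt = val
        }
        seen[iface " " src " " proto " " dpt]++
    }
    END { for (k in seen) print seen[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

# Stand-alone run on the constructed sample.
sample_log | indrop_summary
```

On a real system, pass the file your syslog configuration writes kernel messages to, for example the /var/log/firewall file from the syslog.conf line above.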