On Wed, Aug 8, 2012 at 12:34 AM, Derek Trotter <expat.arizonan@gmail.com> wrote:
> On 8/7/2012 21:36, Lisa Kachold wrote:
>
> Hi Derek,
>
> How are you?
>
> I'm able to walk upright and breathe so I won't complain. Thanks for
> asking.
>
>
> We didn't really cover if you are using a singular dsl device or a small
> switch/dsl modem on the upstream?
>
> I have a dsl modem. Its only output is one place to plug in an ethernet
> cable.
>
> So if you have your two boxes (Ladmo and Wallace) connected via a
> crossover cable or small switch to eth1 on Wallace which has eth0 connected
> to your dsl, that's good.
>
> The dsl modem connects directly to eth0 on the linux box (Wallace)
>
> If you have both boxes connected to the dsl switch/modem, there might be a
> problem?
>
> I can see how it would be.
>
> The best way to verify your settings is via nmap from outside.
>
> I don't have access to anything outside my home that I can run nmap on. I
> guess I could ask a friend if they will let me install nmap on their
> machine long enough for me to run the test. I ran the shields up test at
> grc.com. The only port it found open is the one I use for bittorrent on
> the windows box.
>
Don't publish your external IP, but send to me and I will nmap for you.
>
> Assumptions without real tests are the basis of bad security everywhere.
>
> Assuming anything without checking is an invitation for bad things to
> happen. How many people have ended up on the side of the road between Gila
> Bend and Yuma saying "But honey, I thought we had enough gas to get there."
>
> nmap each server from the other server. Run an nmap from a shell or linux
> box externally.
>
> I can check each computer from the other.
>
>
> Also run this tool on the Windows system to verify what is really running:
>
> http://www.youtube.com/watch?v=Kh4UeGfzO9o&playnext=1&list=PL908F54F9D05EE965&feature=results_video
>
> I saw the video and like it. Once I get the firewall straightened out
> I'll try it.
>
> SNIP
>
>
> You can tighten up your source and destination by network subnet also:
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -d \! 10.0.1.0/24 -j MASQUERADE
>
>
> I did this but changed 192.168.1.0 to 192.168.0.0 and 10.0.1.0 to 10.0.0.0
> because the ip address for eth1 is 192.168.0.1
>
>
> #Opening both tcp and udp DNS (from EVERYONE) will allow me to do all
> #sorts of nefarious things via DNS (trusted port) attack:
> #http://cipherdyne.org/blog/2008/07/mitigating-dns-cache-poisoning-attacks-with-iptables.html
> #http://www.watchguard.com/training/lss/60/Proxies/proxies9.htm
> #http://www.exploit-db.com/exploits/16748/
> #At the very least open instead source and destination udp only to your
> #DNS servers and use random ports:
>
> iptables -A INPUT -p udp -s 8.8.8.8 --sport 1024:65535 -d 192.168.1.23 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 53 -d 8.8.8.8 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d 192.168.1.23 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.1.23 --sport 53 -d 8.8.8.8 --dport 53 -m state --state ESTABLISHED -j ACCEPT
>
> I did this but used 192.168.0.2 instead because that's the ip address
> of the windows box.
>
>
> #Add logging: You need both rules
> iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
>
>> iptables -A INPUT -i eth0 -j DROP
>> #Drops unwanted incoming packets.
>>
> I did this. Now I have to figure out where the log file is.
>
Sorry,
It's in the /var/log directory or whatever you have configured as log-level
4 in /etc/syslog.conf for kernel messages:
Here's an explanation of the log levels:
-l 9 = error
-l 8 = panic
-l 7 = debug
-l 6 = info
-l 5 = notice
-l 4 = warning
This example is log level 7:
Code:
kern.=debug /var/log/firewall
If the "log-level" specified in the iptables entry is the "debug" level (7),
then the syslog.conf example above reflects this fact and sets up the
file /var/log/firewall to capture all of these messages. To invoke it, issue
"/sbin/service syslog restart", and then the file "/var/log/firewall" will
appear and happily start filling up.
Reference:
http://www.cyberciti.biz/tips/force-iptables-to-log-messages-to-a-different-log-file.html
>
> Here is what I have now. Lisa thanks for your help.
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -d \! 10.0.0.0/24 -j MASQUERADE
>
>
> iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 40998 -j DNAT --to 192.168.0.2:40998
>
> iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
>
> iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p udp -s 8.8.8.8 --sport 1024:65535 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.8.8 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p udp -s 8.8.8.8 --sport 53 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.8.8 --dport 53 -m state --state ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p udp -s 8.8.4.4 --sport 1024:65535 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.4.4 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p udp -s 8.8.4.4 --sport 53 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 8.8.4.4 --dport 53 -m state --state ESTABLISHED -j ACCEPT
>
> iptables -A INPUT -p udp -s 98.86.100.1 --sport 1024:65535 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 98.86.100.1 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -p udp -s 98.86.100.1 --sport 53 -d 192.168.0.2 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p udp -s 192.168.0.2 --sport 53 -d 98.86.100.1 --dport 53 -m state --state ESTABLISHED -j ACCEPT
>
>
> iptables -A INPUT -p icmp -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -p icmp -j ACCEPT
>
>
> iptables -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
> iptables -A INPUT -i eth0 -j DROP
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
--
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
<http://it-clowns.com>
Safeway.com Automation Engineer
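Added example, not from Lisa's or Derek's messages: the ruleset Derek posted above, rebuilt as a POSIX shell script so the per-DNS-server block is written once in a loop and the LOG rule is kept ahead of the DROP rule in one place. Interface names and addresses are assumptions taken from the thread (eth0 to the modem, 192.168.0.0/24 on eth1, the Windows box at 192.168.0.2); DRYRUN, ipt, gen_rules and log_precedes_drop are this script's own names. It departs from the posted rules in two ways: the per-server DNS rules are written for the direction a client uses (query from a high port to the server's port 53, reply back), and they sit in the FORWARD chain, because the Windows box's packets pass through Wallace rather than ending on it, so INPUT and OUTPUT on Wallace never see them.

```shell
#!/bin/sh
# Added example (not from the thread): build the posted ruleset from variables.
# Addresses and interface names are assumptions copied from the thread.
# DRYRUN is this script's own switch: set it to print the commands instead
# of applying them.

WAN_IF="${WAN_IF:-eth0}"                      # eth0 faces the DSL modem
LAN_NET="${LAN_NET:-192.168.0.0/24}"          # eth1 side; Wallace is 192.168.0.1
WIN_HOST="${WIN_HOST:-192.168.0.2}"           # the Windows box
TORRENT_PORT="${TORRENT_PORT:-40998}"
DNS_SERVERS="${DNS_SERVERS:-8.8.8.8 8.8.4.4}" # only these may exchange DNS with WIN_HOST

# Run iptables, or with DRYRUN set, print the command (arguments shown unquoted).
ipt() {
    if [ -n "${DRYRUN:-}" ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# Per-server DNS rules.  The Windows box's packets are routed THROUGH Wallace,
# so they traverse FORWARD; INPUT/OUTPUT only see packets to or from Wallace.
dns_rules() {
    for srv in $DNS_SERVERS; do
        # query from the Windows box's high port to the server's port 53
        ipt -A FORWARD -p udp -s "$WIN_HOST" --sport 1024:65535 -d "$srv" --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
        # the matching reply, only for a connection already tracked
        ipt -A FORWARD -p udp -s "$srv" --sport 53 -d "$WIN_HOST" --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
    done
}

gen_rules() {
    # NAT: masquerade LAN traffic leaving on the WAN side
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" ! -d 10.0.0.0/24 -j MASQUERADE
    # forward the bittorrent port to the Windows box
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$TORRENT_PORT" -j DNAT --to "$WIN_HOST:$TORRENT_PORT"
    # Wallace's own web and DNS clients, plus their replies
    ipt -A OUTPUT -o "$WAN_IF" -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A INPUT  -i "$WAN_IF" -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A INPUT  -i "$WAN_IF" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    dns_rules
    # ICMP
    ipt -A INPUT  -p icmp -m state --state ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -p icmp -j ACCEPT
    # LOG must come before DROP: a packet that hits DROP leaves the chain,
    # so a LOG rule placed after it would never fire.
    ipt -A INPUT -j LOG --log-level 4 --log-prefix 'InDrop '
    ipt -A INPUT -i "$WAN_IF" -j DROP
}

# Self-check: succeeds when the LOG rule precedes the DROP rule in dry-run output.
log_precedes_drop() {
    out=$(DRYRUN=1; gen_rules)
    log_n=$(printf '%s\n' "$out" | grep -n 'InDrop' | cut -d: -f1)
    drop_n=$(printf '%s\n' "$out" | grep -n -e '-j DROP' | cut -d: -f1)
    [ -n "$log_n" ] && [ -n "$drop_n" ] && [ "$log_n" -lt "$drop_n" ]
}

case "${1:-}" in
    show)  DRYRUN=1; gen_rules ;;              # print what would be applied
    apply) gen_rules ;;                        # needs root
    *)     echo "usage: $0 show|apply" >&2 ;;
esac
```

`sh firewall.sh show` prints the commands and `sh firewall.sh apply` runs them as root. As in the posted ruleset, nothing here drops forwarded traffic, so the per-server DNS rules only restrict anything once the FORWARD chain ends in a DROP rule or has a DROP policy; the final `INPUT` LOG/DROP pair only covers packets addressed to Wallace itself.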