Thanks for the advice Simon. Here are my ipchains rules, which I have mostly finished - I'd appreciate any comments from anyone. Does anyone know of any sites where I can test this setup? The only one I know is http://www.secure-me.net/scan

My setup is that I have a P200 PC running Debian which has the modem and acts as a gateway/firewall. Behind this is a Duron-based workstation and my girlfriend's iMac, all networked together. I also run a Squid proxy server on the P200 machine to supply web access and FTP access. (BTW - I've just set up Squid and it is brill - regular pages jump straight onto the browser.)

The strategy is that all packets are denied by default, and the rules are to allow through only the packets I want, for the reasons described. The format is odd to look at because it is the raw data in the ipchains-save > file - my comments are after '#' marks.

# default actions - I'm not sure allowing ALL output is advisable.
:input DENY
:forward DENY
:output ACCEPT

# allow all icmp packets because they are used for messaging
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT

# allow tcp and udp packets from the 2 DNS servers - -p 6 is 'tcp' and 17 is 'udp' - thanks for the help Simon!
-A input -s 194.152.64.34/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 194.152.64.34/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 17 -j ACCEPT
-A input -s 194.152.64.35/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 194.152.64.35/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 17 -j ACCEPT

# enable local loopback
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT

# allow the local network to speak to my squid proxy server which listens on port 3128
-A input -s 192.168.1.0/255.255.255.0 -d 192.168.1.1/255.255.255.255 3128:3128 -p 6 -j ACCEPT

# allow communication in to port 80 for squid to be able to web browse - I am going to add
# ! -y to stop requests for new connections on this port.
-A input -s 0.0.0.0/0.0.0.0 80:80 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT

# these next rules enable my workstation and the imac to collect and send email using freeserve's
# servers. it is a bit extreme to implement masquerading just so email can be used - but I can't think
# of a neater way!?
# pop3 on freeserve's pop3 server
-A input -s 195.92.193.154/255.255.255.255 110:110 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
# smtp on freeserve's smtp server
-A input -s 195.92.193.153/255.255.255.255 25:25 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT

# accept all packets from the local network - and forward them and masquerade them behind
# the firewall machine.
-A input -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j ACCEPT
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ

# these enable ftp to work in passive mode - ftp is a pain because it requests back a connection to
# a seemingly random unprivileged port number. according to my new book 'hacking linux exposed' ftp
# is best avoided altogether - and sftp should be used - any pointers on how to set it up under debian would be gratefully
# received.
-A input -s 0.0.0.0/0.0.0.0 21:21 -d 0.0.0.0/0.0.0.0 1024:65535 -i ppp0 -p 6 -j ACCEPT ! -y
-A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 -i ppp0 -p 6 -j ACCEPT ! -y

# allow connection on the https port - this was needed for internet banking.
-A input -s 0.0.0.0/0.0.0.0 443:443 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT ! -y

I have an interest in getting security right, obviously for home use - it means I can carry out overnight downloads without worrying about leaving the machine connected - but also because I am trying to develop Linux servers for businesses, and when ADSL is used (at some point!) the connections are permanent.
Thanks for any help,

Kev

-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
-A input -s 194.152.64.34/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 194.152.64.34/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 17 -j ACCEPT
-A input -s 194.152.64.35/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 194.152.64.35/255.255.255.255 53:53 -d 0.0.0.0/0.0.0.0 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT
-A input -s 192.168.1.0/255.255.255.0 -d 192.168.1.1/255.255.255.255 3128:3128 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 80:80 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 195.92.195.154/255.255.255.255 110:110 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 195.92.193.154/255.255.255.255 110:110 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 195.92.195.153/255.255.255.255 25:25 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 195.92.193.153/255.255.255.255 25:25 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 21:21 -d 0.0.0.0/0.0.0.0 1024:65535 -i ppp0 -p 6 -j ACCEPT ! -y
-A input -s 0.0.0.0/0.0.0.0 1024:65535 -d 0.0.0.0/0.0.0.0 -i ppp0 -p 6 -j ACCEPT ! -y
-A forward -s 192.168.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ

Simon Waters wrote:
> kevin bailey wrote:
> >
> > how many users are on this list roughly? - and how many are from plymouth?
>
> Loads - I let Chas ponder the numbers.
>
> "From Plymouth" - I fear rather more are "from" Plymouth than are
> currently at Plymouth. But the group started at Plymouth Uni, so a fair
> proportion are at Plymouth, but some have graduated (well they claimed
> they graduated, but we never saw any certificates).
>
> > what i'd like to know is this:
> > are we a very few who have 'seen a better way' - or is there a huge linux
> > community beavering away at honing the OS and apps waiting for our time?
>
> The community is huge, I'm not sure the South West is a hotbed of open
> source development, but as I discover darker corners more come out of
> the woodwork. To be honest location isn't that important any more till
> you want to see a human being (or your network link is bust).
>
> > on a more technical note - could anyone give me some advice on the best
> > ipchains settings for a server which is running the squid proxy server. what
> > is the best way to allow the DNS servers to return their result? my current
> > setup is that all ip packets are DENY'd - and i only allow in packets which i
> > need - but i seem to be getting a lot of packets trying to get in with
> > different destination port numbers.
>
> Okay, DNS is one of those things I do.
>
> First understand DNS servers listen on port 53. Old DNS servers asked
> questions on port 53 as well as answered them on 53. New servers ask
> questions from the anonymous port range (>1023) and answer them on 53
> (of course).
>
> So questions go out dnsserver:>1023 to any:53
>
> If incoming queries, they do any:any to dnsserver:53
>
> Thus if running a caching DNS only (i.e. not hosting Internet visible
> DNS records) you can block incoming to all ports less than 1024, UDP and
> TCP (well, maybe mail and stuff is still needed). Squid I assume also
> uses the anonymous port range when passing on requests.
>
> I always recommend BIND9 with chroot (dead easy in BIND9). If you run
> this on the proxy, then it can answer questions for other internal
> servers, or perhaps the other internal servers don't need DNS.
>
> BIND can use listen-on to only listen on appropriate interfaces; unless
> you run a DNS server there is usually no reason to listen on the
> Internet interface, so drop in:
>
>     listen-on { 127.0.0.1; 192.168.12.12; };
>
> to only listen on port 53 on private (and loopback) interfaces. Just in
> case you get the ipchains rules wrong!!! Similarly the BIND 9 rndc
> control channel should listen on 127.0.0.1 only in most cases - but I
> think that's the default; I always code it just in case.
>
> If you choose to forward queries to your ISP's DNS servers, faster but
> less reliable, then you can restrict the ipchains rules to....
>
>     dnsserver:>1023 to ISPDNSserver(s):53
>
> Remember DNS uses TCP and UDP; some people seem to be under the
> misapprehension that TCP is not needed. At least one OS had a TCP-only
> resolver.....
>
> Hope that helps - a certain amount of lost DNS packets, and worms
> probing your port 53, is to be expected. BIND versions prior to 8.2.3
> have known security issues - don't run them, and a few worms are still
> crawling around.
>
> Get stuck - drop us an e-mail.
>
> Do get the dshield ipchains log submission script from www.dshield.org
> and join the war on scanners, worms and other vermin.....
>
> If still unsure post the "suspect" ipchains log entries and we'll make
> a guess at what they are doing.....
>
> HTH
>
> Simon
>
> --
> Are you using the Internet to best effect ? www.eighth-layer.com
> Tel: +44(0)1395 232769 ICQ: 116952768
> Moderated discussion of teleworking at news:uk.business.telework
>
> --
> The Mailing List for the Devon & Cornwall LUG
> Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the
> message body to unsubscribe.