On Sat 29 Aug 2015 at 21:39:21 +0300, Reco wrote:
> Hi.
>
> On Sat, 29 Aug 2015 13:25:28 -0500
> rlhar...@oplink.net wrote:
>
> > On Sat, August 29, 2015 6:53 am, to...@tuxteam.de wrote:
> > > Also netstat (issued from your laptop) gives insight. For example
> > > 'netstat -lntu' shows you the TCP or UDP listening sockets. If you are
> > > root (or sudo, of course), the extra option -p tells you which process is
> > > "at the other side" listening.
> > >
> > > Note that the dhcp client itself (which you need to get an IP address to
> > > take part in your customer's network) puts you already at some risk,
> > > depending on how it's configured.
> >
> > Here is the output from the laptop:
> >
> > # netstat -lntup
> > Active Internet connections (only servers)
> > Prot  Rec-Q Snd-Q Local Address            Foreign Address State PID/Program name
> > tcp   0     0     0.0.0.0:9999             0.0.0.0:*       LIS   561/inetd
> > tcp   0     0     0.0.0.0:111              0.0.0.0:*       LIS   530/rpcbind
> > tcp   0     0     0.0.0.0:46225            0.0.0.0:*       LIS   540/rpc.statd
> > tcp   0     0     0.0.0.0:22               0.0.0.0:*       LIS   568/sshd
> > tcp   0     0     127.0.0.1:631            0.0.0.0:*       LIS   1248/cupsd
> > tcp   0     0     127.0.0.1:5432           0.0.0.0:*       LIS   675/postgres
> > tcp   0     0     127.0.0.1:25             0.0.0.0:*       LIS   1063/exim4
> > tcp   0     0     127.0.0.1:2628           0.0.0.0:*       LIS   599/0
> > tcp6  0     0     :::111                   :::*            LIS   530/rpcbind
> > tcp6  0     0     :::38930                 :::*            LIS   540/rpc.statd
> > tcp6  0     0     :::22                    :::*            LIS   568/sshd
> > tcp6  0     0     ::1:631                  :::*            LIS   1248/cupsd
> > tcp6  0     0     ::1:5432                 :::*            LIS   675/postgres
> > tcp6  0     0     ::1:25                   :::*            LIS   1063/exim4
> > udp   0     0     0.0.0.0:36358            0.0.0.0:*             612/avahi-daemon:r
> > udp   0     0     0.0.0.0:631              0.0.0.0:*             647/cups-browsed
> > udp   0     0     0.0.0.0:689              0.0.0.0:*             530/rpcbind
> > udp   0     0     127.0.0.1:716            0.0.0.0:*             540/rpc.statd
> > udp   0     0     0.0.0.0:57106            0.0.0.0:*             540/rpc.statd
> > udp   0     0     0.0.0.0:111              0.0.0.0:*             530/rpcbind
> > udp   0     0     192.168.1.99:123         0.0.0.0:*             664/ntpd
> > udp   0     0     127.0.0.1:123            0.0.0.0:*             664/ntpd
> > udp   0     0     0.0.0.0:123              0.0.0.0:*             664/ntpd
> > udp   0     0     0.0.0.0:5353             0.0.0.0:*             612/avahi-daemon:r
> > udp6  0     0     :::689                   :::*                  530/rpcbind
> > udp6  0     0     :::43913                 :::*                  540/rpc.statd
> > udp6  0     0     :::111                   :::*                  530/rpcbind
> > udp6  0     0     fe80::ba70:f4ff:fe2:123  :::*                  664/ntpd
> > udp6  0     0     ::1:123                  :::*                  664/ntpd
> > udp6  0     0     :::123                   :::*                  664/ntpd
> > udp6  0     0     :::5353                  :::*                  612/avahi-daemon:r
> > udp6  0     0     :::44274                 :::*                  612/avahi-daemon:r
> > #
> >
> > Regrettably, the formatting of the output does not consider the need to
> > include the output in the body of an e-mail, so editing was required to
> > remove excess spaces so as to prevent every line from being wrapped.
>
>
> Something like this should save you from the most troubles provided
> that you don't plan to use your laptop as a print server or NFS:
>
> iptables -P INPUT DROP
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A INPUT -p icmp -j ACCEPT
> iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
> iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \
>          -j ACCEPT
> iptables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \
>          -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p udp --dport 123 -j ACCEPT
>
> iptables -P FORWARD DROP
>
> ip6tables -P INPUT DROP
> ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
> ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
> ip6tables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED \
>           -j ACCEPT
> ip6tables -A INPUT -p udp -m conntrack --ctstate RELATED,ESTABLISHED \
>           -j ACCEPT
> ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
> ip6tables -A INPUT -p udp --dport 123 -j ACCEPT
>
> ip6tables -P FORWARD DROP
>
>
> Of course, it's a *very* simplistic set of rules (for example, someone
> may consider accepting ssh connections from arbitrary hosts a bad idea),
> but it should work.

Why does he need any iptables rules? I see nothing at risk there. It seems
to me he can be confident his computer is safe.

> Two things I'm unsure of are:
>
> 1) Avahi's udp 5353. I don't see any value in mDNS (especially in office
> network), but YMMV.

There is much value in mDNS in an office network with CUPS nowadays.

> 2) Whatever thing you're listening for on tcp 9999 with inetd.

Ditto.
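The thread does the triage by eye: look at `netstat -lntup`, separate the loopback-only binds from the ones on 0.0.0.0 or ::, then compare those against what the firewall would still admit (in Reco's rule set, tcp/22 and udp/123). The script below is an added example, not code posted by anyone in the thread. It automates exactly that comparison with POSIX sh and awk. The function names `wildcard_listeners` and `not_allowed_listeners`, the allowlist string format `tcp/22 udp/123`, and the `SAMPLE_NETSTAT` text (a constructed cut-down of the kind of output shown above) are all assumptions of this example.

```shell
#!/bin/sh
# Added example: triage `netstat -lntup` output the way the thread does by hand.
# Not part of the original mailing-list thread.

# Constructed sample output in netstat's layout (not the poster's real output).
# Note the "PID/Program name" column may contain a space (avahi-daemon: r).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      568/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1248/cupsd
tcp6       0      0 :::111                  :::*                    LISTEN      530/rpcbind
udp        0      0 0.0.0.0:123             0.0.0.0:*                           664/ntpd
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           612/avahi-daemon: r
udp6       0      0 ::1:123                 :::*                                664/ntpd'

# Read netstat output on stdin; print "<proto> <port> <pid/program>" for every
# listener bound to a wildcard address (0.0.0.0 or ::), i.e. reachable from
# the network unless a firewall filters it. Loopback-only binds are skipped.
wildcard_listeners() {
    awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            laddr = $4
            # The port is everything after the last ":"; the rest is the address
            # (this also handles IPv6 forms such as ":::111" and "::1:123").
            n    = split(laddr, parts, ":")
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::") {
                proto = ($1 ~ /^tcp/) ? "tcp" : "udp"
                # tcp rows have a State column, udp rows do not, so the
                # PID/Program field starts at 7 or 6; rejoin anything after it.
                start = ($1 ~ /^tcp/) ? 7 : 6
                prog = $start
                for (i = start + 1; i <= NF; i++) prog = prog " " $i
                print proto, port, prog
            }
        }'
}

# Given an allowlist like "tcp/22 udp/123" (the ports an INPUT-DROP rule set
# accepts) and netstat output on stdin, print the wildcard listeners the
# firewall would NOT admit. Those are the services to consider stopping or
# rebinding to 127.0.0.1 rather than relying on the packet filter alone.
not_allowed_listeners() {
    allow="$1"
    wildcard_listeners | while read -r proto port prog; do
        case " $allow " in
            *" $proto/$port "*) ;;                       # admitted by the rules
            *) printf '%s/%s %s\n' "$proto" "$port" "$prog" ;;
        esac
    done
}

# Demo on the constructed sample. On a real host:
#   netstat -lntup | not_allowed_listeners "tcp/22 udp/123"
printf '%s\n' "$SAMPLE_NETSTAT" | not_allowed_listeners "tcp/22 udp/123"
```

On the sample this reports `tcp/111 530/rpcbind` and `udp/5353 612/avahi-daemon: r`: sshd and ntpd are wildcard-bound too, but the allowlist covers them, while cupsd and the ::1 ntpd socket never appear because loopback binds are not network-reachable in the first place.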