David A. Ranch wrote:
> 
> >I have two machines, "charlesc" and "server". Both are Red Hat 5.2.
> >Server is a fresh installation.
> 
> I hope you've hardened those machines.  Redhat is pretty insecure
> out of the box if you ask me.

No, I have not. Can you point me to any resources on how to harden it?

I plan to get IP masquerading first, and then harden it. If hardening it
breaks IP masquerading, I'll know what to roll back to fix it.


> 
> >Normal route on charlesc is:
> >
> >[root@charlesc /root]# route
> >Kernel IP routing table
> >Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> >192.168.1.0     *               255.255.255.0   U     0      0       10 eth0
> >127.0.0.0       *               255.0.0.0       U     0      0       10 lo
> >
> >
> >When I run a shell script to add the default gateway, I get:
> >
> >[root@charlesc /root]# ./add.gateway
> >Kernel IP routing table
> >Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> >192.168.1.0     *               255.255.255.0   U     0      0       10 eth0
> >127.0.0.0       *               255.0.0.0       U     0      0       11 lo
> >default         server          0.0.0.0         UG    0      0        0 eth0
> 
> Hmmmmm... You didn't post your route table on "server".  You
> need to have the 192.168.1.0 network defined on it.  It's
> probably there since you can ping server in the first place.

Server with no PPP link:


[root@server /root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0       70 eth0
127.0.0.0       *               255.0.0.0       U     0      0       28 lo


Server with the PPP link up:

[root@server /root]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
wor-ascend1.tri *               255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     *               255.255.255.0   U     0      0       71 eth0
127.0.0.0       *               255.0.0.0       U     0      0       28 lo
default         wor-ascend1.tri 0.0.0.0         UG    0      0        0 ppp0
[root@server /root]# ifconfig
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Bcast:127.255.255.255  Mask:255.0.0.0
          UP BROADCAST LOOPBACK RUNNING  MTU:3584  Metric:1
          RX packets:8363 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8363 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 

eth0      Link encap:Ethernet  HWaddr 00:40:33:E0:B7:A0  
          inet addr:192.168.1.64  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:208071 errors:0 dropped:37 overruns:0 frame:30
          TX packets:162370 errors:0 dropped:0 overruns:0 carrier:0
          collisions:2114 
          Interrupt:9 Base address:0x320 

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:206.100.179.28  P-t-P:206.100.179.125  Mask:255.255.255.0
          UP POINTOPOINT RUNNING  MTU:1524  Metric:1
          RX packets:12 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 
          Memory:b88038-b88c34 
> 
> >case "$1" in
> >'start')
> >#      /sbin/ipfwadm -F -a m -S 192.168.1.3/32 -D 0.0.0.0/0
> >
> >       /sbin/ipfwadm -F -p deny
> >       /sbin/ipfwadm -F -a m -S 192.168.1.3/32 -D 0.0.0.0/0
> >       ;;
> >'stop')
> >       ;;
> >*)
> >       echo "Usage: $0 { start | stop }"
> >       ;;
> >esac
> >exit 0
> 
> First, I would change it to say:
> 
> /sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
>                                    ^^^^

I tried adding that manually, and got nowhere.

[root@server /root]# /sbin/ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0
[root@server /root]# ipfwadm -F -l
IP firewall forward rules, default policy: deny
type  prot source               destination          ports
acc/m all  charlesc             anywhere             n/a
acc/m all  charlesc             anywhere             n/a
acc/m all  charlesc             anywhere             n/a
acc/m all  charlesc             anywhere             n/a
acc/m all  192.168.1.0/24       anywhere             n/a
[root@server /root]# 


I then deleted the more specific rules (which should have been redundant
at that point). That also got me nowhere.

[root@server /root]# ipfwadm -F -d m -S 192.168.1.3/32 -D 0.0.0.0/0
[root@server /root]# ipfwadm -F -l
IP firewall forward rules, default policy: deny
type  prot source               destination          ports
acc/m all  192.168.1.0/24       anywhere             n/a


> 
> Try that out and see if that helps.  Next, your ruleset is
> ok but VERY insecure.  Implement a stronger firewall
> ruleset like the one in TrinityOS (Linux distro hardening
> is in there too).

I'll check on that. Thanks.

> 
> --David
> .----------------------------------------------------------------------------.
> |  David A. Ranch - Linux/Networking/PC hardware         [EMAIL PROTECTED]  |
> !----                                                                    ----!
> `----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> For daily digest info, email [EMAIL PROTECTED]

-- 

                -- C^2

        I have sworn upon the altar of God eternal hostility against every form
of tyranny over the mind of man.
-- Thomas Jefferson, letter to Benjamin Rush, 1800 A.D.

Thomas Jefferson, Patron Saint of the Internet:
http://w3.trib.com/~ccurley/Jefferson.html
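The reply quoted above calls the posted ruleset "ok but VERY insecure" and the listings show what it actually contains. As an added example (not code from this thread, from TrinityOS, or from ipfwadm itself), the POSIX shell functions below audit an `ipfwadm -F -l` listing for the two properties a masquerading gateway should have: a `deny` default policy on the forward chain, and masquerade (`acc/m`) rules whose source is the private LAN rather than `anywhere`. They also check the kernel's `ip_forward` switch, which the forward chain depends on. The two embedded listings are constructed: one copies the shape of the output posted above, the other is a deliberately weak counterpart; the function names and the `--demo`-free bottom call are mine.

```shell
#!/bin/sh
# Added example, not from the thread: audit an ipfwadm forward-chain listing.
# Assumed input format is the one ipfwadm printed in the thread:
#   "IP firewall forward rules, default policy: <policy>" on line 1,
#   a "type prot source destination ports" header, then one rule per line.

# Constructed sample in the shape of the listing posted above.
SAMPLE_LISTING='IP firewall forward rules, default policy: deny
type  prot source               destination          ports
acc/m all  charlesc             anywhere             n/a
acc/m all  192.168.1.0/24       anywhere             n/a'

# Constructed weak listing: accept-by-default, and a masquerade rule that
# forwards for any source, which turns the box into an open relay.
WEAK_LISTING='IP firewall forward rules, default policy: accept
type  prot source               destination          ports
acc/m all  anywhere             anywhere             n/a'

# forward_policy LISTING: prints the chain's default policy (deny/accept).
forward_policy() {
    printf '%s\n' "$1" | sed -n '1s/.*default policy: *//p'
}

# masq_sources LISTING: prints the source column of every acc/m rule.
masq_sources() {
    printf '%s\n' "$1" | awk '$1 == "acc/m" { print $3 }'
}

# open_masq_rules LISTING: counts acc/m rules whose source is "anywhere"
# (ipfwadm prints 0.0.0.0/0 that way). Uses awk so the count is always printed.
open_masq_rules() {
    printf '%s\n' "$1" | awk '$1 == "acc/m" && $3 == "anywhere" { n++ } END { print n + 0 }'
}

# audit_forward_chain LISTING: prints "ok" when the policy is deny and no
# masquerade rule forwards for arbitrary sources; otherwise lists the findings.
audit_forward_chain() {
    problems=""
    [ "$(forward_policy "$1")" = "deny" ] || problems="${problems}default-policy-not-deny "
    [ "$(open_masq_rules "$1")" -eq 0 ] || problems="${problems}masquerade-for-any-source "
    if [ -z "$problems" ]; then
        echo ok
    else
        printf '%s\n' "$problems" | sed 's/ $//'
    fi
}

# ip_forwarding_enabled [FILE]: succeeds when the kernel forwards packets
# between interfaces; without this no forward-chain rule, masquerade or not,
# ever sees traffic. FILE defaults to the real sysctl path.
ip_forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Stand-alone run: audit the sample listing.
audit_forward_chain "$SAMPLE_LISTING"
```

Run it against a live box with `ipfwadm -F -l | { IFS= read -r l; ... }` replaced by capturing the whole listing into a variable, e.g. `audit_forward_chain "$(ipfwadm -F -l)"`, and pair it with `ip_forwarding_enabled || echo 'ip_forward is off'`. A hostname in the source column (such as `charlesc`) is reported as-is; the check only flags the unbounded `anywhere` case, so prefixes still deserve a look by eye.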