[SLUG] IPTables
I am not very good at IPTables and was seeking opinions as to whether this formula would work to fully block a connection from computer A to B but allow ssh and web only from B to A. The tables would reside on A.

    iptables -A INPUT -m multiport -p tcp --dport www,ssh -i ethX -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o ethX -j DROP

The network is off site and quite a distance away with no external admin, so I would like to have it right before I visit.

Thanks in advance.

Rick
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] IPTables
You most likely want to allow outbound DNS and the subsequent reply. Keep in mind that blocking outbound usually requires a few more allowances than just the basic service you plan the box to provide. NTP also springs to mind, so that you can keep the clock in sync.

You can also allow ping requests and limit the rate and packet size, which gives you the niceties of being able to determine some level of connectivity, whilst reducing scope for abuse.

Dean

Rick Phillips wrote:
> I am not very good at IPTables and was seeking opinions as to whether this formula would work to fully block a connection from computer A to B but allow ssh and web only from B to A. The tables would reside on A.
>
>     iptables -A INPUT -m multiport -p tcp --dport www,ssh -i ethX -j ACCEPT
>     iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>     iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>     iptables -A OUTPUT -o ethX -j DROP
>
> The network is off site and quite a distance away with no external admin, so I would like to have it right before I visit.
>
> Thanks in advance.
>
> Rick
Re: [SLUG] IPTables
Hi Dean

> You most likely want to allow outbound DNS and the subsequent reply. Keep in mind that blocking outbound usually requires a few more allowances than just the basic service you plan the box to provide. NTP also springs to mind, so that you can keep the clock in sync.
>
> You can also allow ping requests and limit the rate and packet size, which gives you the niceties of being able to determine some level of connectivity, whilst reducing scope for abuse.

Thanks for the comments, but none of the services you mention are used or even turned on. It's an unusual situation, I know.

Regards,

Rick
Re: [SLUG] IPTables
No guarantees, as I'd have to think about it a bit more, but I would think you might want to add '-m state --state NEW' to the first rule, otherwise the 2nd rule is irrelevant. The 2nd rule will presently allow ALL established connections from anywhere that managed to get in to the machine (from other interfaces as well).

If you want B to talk to A ONLY, add a '-o ethX' to the 3rd rule.

Then you also need a 'iptables -A INPUT -j DROP' (depending on the line above, add a '-i ethX' to this).

I think...

Kind Regards

Kyle

Rick Phillips wrote:
> I am not very good at IPTables and was seeking opinions as to whether this formula would work to fully block a connection from computer A to B but allow ssh and web only from B to A. The tables would reside on A.
>
>     iptables -A INPUT -m multiport -p tcp --dport www,ssh -i ethX -j ACCEPT
>     iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>     iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>     iptables -A OUTPUT -o ethX -j DROP
>
> The network is off site and quite a distance away with no external admin, so I would like to have it right before I visit.
>
> Thanks in advance.
>
> Rick
Re: [SLUG] IPTables
Even though DNS may not be 'turned on', almost everything TCP/IP related wants DNS lookups. sshd, for example, will stall for quite an annoying amount of time trying to do a reverse lookup, unless you don't actually have name servers configured at all.

Also, not syncing the clock makes date stamps in logs almost entirely unreliable.

Dean

Rick Phillips wrote:
> Hi Dean
>
>> You most likely want to allow outbound DNS and the subsequent reply. Keep in mind that blocking outbound usually requires a few more allowances than just the basic service you plan the box to provide. NTP also springs to mind, so that you can keep the clock in sync.
>>
>> You can also allow ping requests and limit the rate and packet size, which gives you the niceties of being able to determine some level of connectivity, whilst reducing scope for abuse.
>
> Thanks for the comments, but none of the services you mention are used or even turned on. It's an unusual situation, I know.
>
> Regards,
>
> Rick
Re: [SLUG] Asset Tracking / Inventory Management
Dean Hamstead wrote:
> try racktables.org

Sorry, I don't want to be a bastard about this, but don't you think it would be nice to say what basis you are recommending this on? The response you gave could mean anything from:

    Try it because I did, and it was difficult to set up, didn't do what I wanted, was buggy as hell and it ate every single nice fluffy kitten within a 10km radius of our server room.

through to:

    This is the most awesome piece of software I have ever used and when I asked for a feature, the author coded it up in 10 minutes, emailed me a new version and the new feature worked perfectly.

with:

    I came across it on freshmeat.net but I don't know if it's any good.

somewhere in the middle.

Erik
--
Erik de Castro Lopo
http://www.mega-nerd.com/
Re: [SLUG] IPTables
Kyle

Apologies for the top posting - mail2web is a bit dumb at this.

Do you mean that the script should look like this?

    iptables -A INPUT -m state --state NEW -m multiport -p tcp --dport www,ssh -i ethX -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -o ethX -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o ethX -j DROP

Can you have two -m statements on the one line?

Regards,

Rick

> No guarantees, as I'd have to think about it a bit more, but I would think you might want to add '-m state --state NEW' to the first rule, otherwise the 2nd rule is irrelevant. The 2nd rule will presently allow ALL established connections from anywhere that managed to get in to the machine (from other interfaces as well).
>
> If you want B to talk to A ONLY, add a '-o ethX' to the 3rd rule.
>
> Then you also need a 'iptables -A INPUT -j DROP' (depending on the line above, add a '-i ethX' to this).
>
> I think...
>
> Kind Regards
>
> Kyle
>
> Rick Phillips wrote:
>> I am not very good at IPTables and was seeking opinions as to whether this formula would work to fully block a connection from computer A to B but allow ssh and web only from B to A. The tables would reside on A.
>>
>>     iptables -A INPUT -m multiport -p tcp --dport www,ssh -i ethX -j ACCEPT
>>     iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>     iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>     iptables -A OUTPUT -o ethX -j DROP
>>
>> The network is off site and quite a distance away with no external admin, so I would like to have it right before I visit.
>>
>> Thanks in advance.
>>
>> Rick
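Rick's original rules and the amended set Kyle suggested, run through a small model of iptables chain evaluation. This is an added example written for this page, not code from the thread: the packets, the second NIC name ethY and the port numbers are constructed, and each packet is assumed to already carry the conntrack state iptables would give it.

```python
# Added example, not from the thread: a small model of the iptables filter
# chains under discussion, comparing Rick's original rules with the amended
# set (NEW on rule 1, a final INPUT DROP, -o ethX on the OUTPUT ACCEPT).
# Assumed simplification: each packet already carries the conntrack state
# iptables would assign it (NEW, ESTABLISHED, RELATED or INVALID).

def rule(target, chain, iface=None, proto=None, dports=None, states=None):
    """A rule matches when every field that is not None matches the packet."""
    return dict(target=target, chain=chain, iface=iface, proto=proto,
                dports=dports, states=states)

ORIGINAL = [  # Rick's first attempt: INPUT has no final DROP, so policy decides
    rule("ACCEPT", "INPUT", iface="ethX", proto="tcp", dports={80, 22}),
    rule("ACCEPT", "INPUT", states={"RELATED", "ESTABLISHED"}),
    rule("ACCEPT", "OUTPUT", states={"RELATED", "ESTABLISHED"}),
    rule("DROP", "OUTPUT", iface="ethX"),
]
AMENDED = [  # Kyle's suggestions as Rick restated them in his follow-up
    rule("ACCEPT", "INPUT", iface="ethX", proto="tcp", dports={80, 22},
         states={"NEW"}),
    rule("ACCEPT", "INPUT", states={"RELATED", "ESTABLISHED"}),
    rule("DROP", "INPUT"),
    rule("ACCEPT", "OUTPUT", iface="ethX", states={"RELATED", "ESTABLISHED"}),
    rule("DROP", "OUTPUT", iface="ethX"),
]

def matches(r, p):
    return all(r[k] is None or r[k] == p[k] for k in ("iface", "proto")) and \
        (r["dports"] is None or p["dport"] in r["dports"]) and \
        (r["states"] is None or p["state"] in r["states"])

def verdict(rules, p, policy="ACCEPT"):
    """First matching rule in the packet's chain wins, else the chain policy."""
    for r in rules:
        if r["chain"] == p["chain"] and matches(r, p):
            return r["target"]
    return policy

def pkt(chain, iface, proto, dport, state):
    return dict(chain=chain, iface=iface, proto=proto, dport=dport, state=state)

# Constructed sample packets: B -> A arriving on ethX, a host on a second
# NIC ethY, and A -> B traffic leaving on ethX.
B_SSH_NEW  = pkt("INPUT", "ethX", "tcp", 22, "NEW")
B_SSH_BAD  = pkt("INPUT", "ethX", "tcp", 22, "INVALID")   # e.g. a stray ACK
B_SMTP_NEW = pkt("INPUT", "ethX", "tcp", 25, "NEW")
Y_NEW      = pkt("INPUT", "ethY", "tcp", 3306, "NEW")
Y_ESTAB    = pkt("INPUT", "ethY", "tcp", 3306, "ESTABLISHED")
A_TO_B_NEW = pkt("OUTPUT", "ethX", "tcp", 80, "NEW")
A_REPLY    = pkt("OUTPUT", "ethX", "tcp", 22, "ESTABLISHED")
```

The model shows why the original set lets new connections on ethY and on other ethX ports through (the INPUT chain falls through to the ACCEPT policy), why a stateless rule 1 accepts packets conntrack marks INVALID, and that rule 2 still accepts ESTABLISHED traffic on ethY in both sets, which is Kyle's later point.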
Re: [SLUG] IPTables
On Tue, 10 Nov 2009 18:06:50 +1000, Rick Phillips r...@greyheads.net said:
> I am not very good at IPTables and was seeking opinions as to whether this formula would work to fully block a connection from computer A to B but allow ssh and web only from B to A. The tables would reside on A.

In addition to rate limiting, DNS and NTP (which others have mentioned), you should also consider protecting against route spoofing and RFC1918 addresses (192.168, etc). You can write all the iptables rules yourself, or better, use something like Shorewall: http://www.shorewall.net/

Sonia.
Re: [SLUG] IPTables
2009/11/11 Dean Hamstead d...@fragfest.com.au:
> sshd, for example, will stall for quite an annoying amount of time trying to do a reverse lookup, unless you don't actually have name servers configured at all.

Correct. Though specifically with sshd you can turn off reverse-DNS lookup with UseDNS no in /etc/ssh/sshd_config.

He should probably sniff his own traffic and see what needs to be allowed through or turned off.

> Also, not syncing the clock makes date stamps in logs almost entirely unreliable.

Also very true, unless maybe his server is a virtual one on top of a platform which provides an accurate clock.

--Amos
Re: [SLUG] IPTables
>> Also, not syncing the clock makes date stamps in logs almost entirely unreliable.
>
> Also very true, unless maybe his server is a virtual one on top of a platform which provides an accurate clock.

Or an external clock, perhaps GPS or some other solution for time sync.

Dean
--
http://fragfest.com.au
[SLUG] Netgear's NMRP protocol
Has anyone reverse-engineered a tool to write NMRP packets? It looks pretty easy, but fiddly; I'd rather avoid the work if someone else has already done it. Especially as it looks as if I'd need to hook up a serial port to be able to debug whatever I came up with.

(NMRP is a protocol spoken by U-Boot on Netgear routers. Ethernet code 0x0912. It allows a router to be told to download and run a new firmware image. Because U-Boot is GPLed the source for the client side is available; but I haven't been able to find a spec, or a server source.)

--
Dr Peter Chubb                  www.nicta.com.au          peter DOT chubb AT nicta.com.au
http://www.ertos.nicta.com.au   ERTOS within National ICT Australia
Re: [SLUG] Netgear's NMRP protocol
Maybe ask the dd-wrt or openwrt guys?

Dean

Peter Chubb wrote:
> Has anyone reverse-engineered a tool to write NMRP packets? It looks pretty easy, but fiddly; I'd rather avoid the work if someone else has already done it. Especially as it looks as if I'd need to hook up a serial port to be able to debug whatever I came up with.
>
> (NMRP is a protocol spoken by U-Boot on Netgear routers. Ethernet code 0x0912. It allows a router to be told to download and run a new firmware image. Because U-Boot is GPLed the source for the client side is available; but I haven't been able to find a spec, or a server source.)
>
> --
> Dr Peter Chubb                  www.nicta.com.au          peter DOT chubb AT nicta.com.au
> http://www.ertos.nicta.com.au   ERTOS within National ICT Australia

--
http://fragfest.com.au
Re: [SLUG] Netgear's NMRP protocol
>>>>> "Peter" == Peter Chubb pet...@cse.unsw.edu.au writes:

Peter> (NMRP is a protocol spoken by U-Boot on Netgear routers.
Peter> Ethernet code 0x0912. It allows a router to be told to
Peter> download and run a new firmware image. Because U-Boot is GPLed
Peter> the source for the client side is available; but I haven't been
Peter> able to find a spec, or a server source).

I've just put up a web page on it.

http://www.chubb.wattle.id.au/PeterChubb/nmrp.html

Share and enjoy.
Re: [SLUG] IPTables
Rick,

I do. I don't know whether it makes any difference or not your using the multiport keyword (I would imagine not), but I use three '-m' statements on one line, as in:

    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m limit --limit 2/minute --limit-burst 2 -m state --state NEW -j ACCEPT

Without wishing to join the debate others have initiated about DNS, NTP, etc., I would suggest that if you are going to open 22 up to the big bad world, I would at least rate limit the connection[1] so as to avoid DOS, dictionary attacks and the like.

Likewise, as mentioned previously by someone else, a very limited ping enables connectivity checking.

    -A INPUT -i eth0 -p icmp --icmp-type any -m state --state NEW -j REJECT --reject-with icmp-host-prohibited

Finally, the second rule will still presently allow established connections from ethY, ethZ, ethA, ethB, ethC (you get the picture) IF they exist on the host.

[1] Depending upon your needs.

Kind Regards

Kyle

r...@greyheads.net wrote:
> Kyle
>
> Apologies for the top posting - mail2web is a bit dumb at this.
>
> Do you mean that the script should look like this?
>
>     iptables -A INPUT -m state --state NEW -m multiport -p tcp --dport www,ssh -i ethX -j ACCEPT
>     iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>     iptables -A INPUT -j DROP
>     iptables -A OUTPUT -o ethX -m state --state RELATED,ESTABLISHED -j ACCEPT
>     iptables -A OUTPUT -o ethX -j DROP
>
> Can you have two -m statements on the one line?
>
> Regards,
>
> Rick
>
>> No guarantees, as I'd have to think about it a bit more, but I would think you might want to add '-m state --state NEW' to the first rule, otherwise the 2nd rule is irrelevant. The 2nd rule will presently allow ALL established connections from anywhere that managed to get in to the machine (from other interfaces as well).
>>
>> If you want B to talk to A ONLY, add a '-o ethX' to the 3rd rule.
>>
>> Then you also need a 'iptables -A INPUT -j DROP' (depending on the line above, add a '-i ethX' to this).
>>
>> I think...
>>
>> Kind Regards
>>
>> Kyle
>>
>> Rick Phillips wrote:
>>> I am not very good at IPTables and was seeking opinions as to whether this formula would work to fully block a connection from computer A to B but allow ssh and web only from B to A. The tables would reside on A.
>>>
>>>     iptables -A INPUT -m multiport -p tcp --dport www,ssh -i ethX -j ACCEPT
>>>     iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>     iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>>     iptables -A OUTPUT -o ethX -j DROP
>>>
>>> The network is off site and quite a distance away with no external admin, so I would like to have it right before I visit.
>>>
>>> Thanks in advance.
>>>
>>> Rick