Re: iptables & tcp wrappers

From: TJ Easter (tjeaster_at_gmail.com)
Date: 09/28/04

  • Next message: Whelan, Paul: "RE: iptables & tcp wrappers"
    Date: Tue, 28 Sep 2004 05:51:20 -0400
    To: Meatplow <greg@meatplow.com>
    
    

    On Fri, 24 Sep 2004 13:57:26 -0700, Meatplow <greg@meatplow.com> wrote:
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > Hello.
    >
    > I'm running RH Enterprise edition.
    >
    > I'm relatively new to iptables. I am getting the common intrusion
    > attempts with some of the common uses of test/guest/root/ and a
    > couple others I've been able to add the IPs to the to iptables.,
    > but
    > I'd really like a log that tells me the info that I want to know.
    >
    > My basic input command is this :
    > #iptables -A INPUT -p tcp -s PUT_IP_HERE -d 0/0 --syn -j DROP
    >
    > iptables seem a little convoluted. Example. To delete a line -
    > supposedly give it a line and it will be deleted/modified. My
    > problem is even with #iptable -L -v there is no line number ?
    >
    > My goal is to block all incoming ssh attempts except IP#.
    > This is where I got into hosts.allow/deny as mentioned below.
    >
    > I've tried to find many different types of commands and it works to
    > some degree, but not the way I'd expect it to.
    >
    > Any help would be appreciated. I'm not completely sure that I
    > understand iptables as well as I want/need to. I've also toyed
    > around with the hosts.allow/hosts.deny and have not been successful.
    >
    > I know that there is a lot of info in here, and I'm tired. I'll
    > leave it at that
    >
    > Thanks in advance for your time and help.
    >
    > Meatplow
    > greg ta meatplow.com
    >
    > Thanks again.
    >
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
    >
    > iQA/AwUBQVSBsR42gIcyjrnjEQJIqwCfWAShp7r+J1XNNjQq6sbvvD03WZ8AoNrg
    > ctQ837g5pQDafgBhTTeeMr1V
    > =niWK
    > -----END PGP SIGNATURE-----
    >
    > --
    > Fedora-config-list mailing list
    > Fedora-config-list@redhat.com
    > http://www.redhat.com/mailman/listinfo/fedora-config-list
    >
    >

    Greg,
       I've found it quite helpful to create a shell script to load the
    firewall rules. The first line of the script blows away all rules
    (iptables -F), then it proceeds to load the rules below that.

      I have a basic script that follows the "explicitly allow what you
    want, deny everything else" stance available at
    http://tje.ssllink.net/firewall.tar.gz It should work with your
    RedHat system. You can add the list of IPs and/or subnets that you
    want SSH allowed to in your /etc/firewall/tcp.ssh file, and that's it
    (provided you call it from cron - else you will need to run
    /etc/init.d/firewall restart). All others will be denied SSH access
    by the kernel.

      All in all, nothing can replace reading and understanding the
    documentation. The man page for iptables is quite informative, as is
    the "packet filtering howto" available on www.netfilter.org.

    HTH...

    -tj-

    -- 
    Linux -- Because rebooting is for adding new hardware.
    http://pgp.dtype.org:11371/pks/lookup?op=get&search=0x31185D8E
    

  • Next message: Whelan, Paul: "RE: iptables & tcp wrappers"

    Relevant Pages

    • Re: SSH IP Blocking
      ... I'd also rather do it with iptables. ... to introduce new security holes in ssh. ... Your script parsing syslog output ...
      (comp.os.linux.security)
    • Re: Help with Iptables on with RH linux
      ... iptables -P OUTPUT DROP ... INPUT only when packets have a destination IP of your firewall. ... the FORWARD chain contains rules that affect packets passing through ... Yes I flushed the rules before calling the script... ...
      (RedHat)
    • Re: some reality about iptables, please
      ... >>the script which can only be run by a root user. ... but it could re-inforce the fact that maybe running your iptables ... "I'm a packet filtering interface not a firewall tool." ... Generally Debian systems run at init runlevel 3 (this is a change if ...
      (Debian-User)
    • Re: IPTABLES Beginner Example Needed!
      ... after i runned this script nothing works on my computer. ... > I think i just need the translation to iptables. ... $MODPROBE ip_conntrack ... # FORWARD chain rules ...
      (linux.redhat)
    • Re: Setting Up NTP for Time Sync
      ... > I've made no changes to the script file that I know of. ... called iptables after the command "iptables" that manipulates the ... The /etc/init.d/ntpd script is the one run when ntpd is started. ... [enter root password] ...
      (comp.os.linux.networking)