Re: ipchains help

From: Dave (david.morris@curvalue.nl)
Date: 09/21/02


From: Dave <david.morris@curvalue.nl>
To: Nikolai <nikolai@pneumaticus.com>, security-basics@securityfocus.com
Date: Sat, 21 Sep 2002 13:54:21 +0200


Hi,

Well in your line

   -A input -i eth0 -s 0/0 -d 0/0 -p tcp -y -j DENY -l

you specifically block ONLY tcp connection attempts.

So UDP/ICMP etc. are still allowed.

You can use
-A input -p icmp -j DENY -l

but that still allows UDP. You cannot block all UDP if you want DNS to
work, so at this point you have to know what ports to allow through, i.e. 53.

So first you allow DNS through:

-A input -p udp -s DNS 53 -d MACHINE UNPRIVILEGED_PORTS -j ACCEPT

Where:
DNS is your DNS Server
MACHINE is your local IP address (harder to get if you have a dynamic IP, so
you can use 0/0; it isn't much of a hole)
UNPRIVILEGED_PORTS are ports from 1024:65535

Then have a line:

-A input -p udp -j DENY -l

This starts to become very easy to get in the wrong order, which is why most
people? recommend setting up a firewall the other way round.

i.e. you should have

input DENY
forward DENY
output DENY

And then specifically allow through (in and out) the services that you want.
You can still have nice input blocking lines like yours at the top; they just
narrow down the available space for allowed connections.

It is more complex to set up and maintain this way, but you learn about
IP, and it is slightly more secure.

Note:
Currently your setup allows you to send anything out to the internet, and
that can be as big a problem as allowing things in. However someone would
have to be much more determined to get on to your box with your current rules
than on to 90% of boxes out there. So it is a good start.

Good luck.

/Dave

On Friday 20 September 2002 02:05, Nikolai wrote:
> I have set up the following rules for my ipchains:
> :input ACCEPT
> :forward DENY
> :output ACCEPT
>
> -A input -j DENY -p all -l -s 127.0.0.0/8 -i eth0 -d 0.0.0.0/0
> -A input -i eth0 -s 0/0 -d 0/0 -p tcp -y -j DENY -l
>
> I did an online-based scan at scan.sygate.com and everything appears to
> be 'blocked' except ICMP service on port 8.
>
> Can someone please help me with how to close this hole as well?
>
> Some background:
> my kernel is 2.4.18 (with Mandrake 8.2)
> I'm new to Linux/GNU in general and security in particular.
>
> Thanks
> Nikolai
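The rule-ordering point in Dave's reply (first match wins, then the chain policy) is easy to check without a 2.4 kernel to hand. The following is an added example, not code from the original thread: a small Python model of ipchains' first-match evaluation that replays Nikolai's two rules, Dave's additions in the order he gives them, the same additions with the UDP ACCEPT and DENY swapped, and Dave's default-deny policy, against a handful of constructed packets. The resolver address, the host address 192.0.2.10 and the packets are made-up test data, and only the match options the thread actually uses (-i, -p, -s/-d with port ranges, -y, -l) are modelled.

```python
"""Added example (not from the original post): a model of ipchains first-match
evaluation, replaying the rulesets from the thread against constructed packets.
Only -i, -p, -s/-d (with port ranges), -y and -l are modelled; every address
below is constructed test data, not a real host."""

import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0          # for ICMP, reused as the ICMP type
    dport: int = 0
    syn_only: bool = False  # SYN set, ACK/FIN clear: what -y matches
    iface: str = "eth0"


@dataclass
class Rule:
    target: str                 # -j ACCEPT or -j DENY
    proto: str = "all"          # -p
    src: str = "0.0.0.0/0"      # -s
    dst: str = "0.0.0.0/0"      # -d
    sports: tuple = (0, 65535)  # port range given after -s
    dports: tuple = (0, 65535)  # port range given after -d
    syn: bool = False           # -y
    iface: str = ""             # -i ("" = any interface)
    log: bool = False           # -l: logs only, never changes the verdict

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if self.iface and self.iface != p.iface:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if p.proto in ("tcp", "udp"):
            if not (self.sports[0] <= p.sport <= self.sports[1]):
                return False
            if not (self.dports[0] <= p.dport <= self.dports[1]):
                return False
        if self.syn and not p.syn_only:  # -y matches connection attempts only
            return False
        return True


def evaluate(chain, policy, packet):
    """ipchains walks the chain top to bottom; the first matching rule decides.
    If nothing matches, the chain policy (:input ACCEPT or DENY) applies."""
    for rule in chain:
        if rule.matches(packet):
            return rule.target
    return policy


# Nikolai's two rules (his chain policy is ACCEPT).
NIKOLAI = [
    Rule("DENY", src="127.0.0.0/8", iface="eth0", log=True),
    Rule("DENY", proto="tcp", syn=True, iface="eth0", log=True),
]

DNS = "198.51.100.53"   # constructed: the resolver Dave calls "DNS"
MACHINE = "0.0.0.0/0"   # Dave's suggestion when the local address is dynamic

# Dave's additions in the order he gives them: DNS ACCEPT before the UDP DENY.
DAVE = NIKOLAI + [
    Rule("DENY", proto="icmp", log=True),
    Rule("ACCEPT", proto="udp", src=DNS, sports=(53, 53),
         dst=MACHINE, dports=(1024, 65535)),
    Rule("DENY", proto="udp", log=True),
]

# The same rules with the last two swapped: the ordering mistake Dave warns about.
DAVE_WRONG_ORDER = NIKOLAI + [DAVE[2], DAVE[4], DAVE[3]]

# Constructed packets arriving on eth0 at the (made-up) local host 192.0.2.10.
PACKETS = {
    "echo_request": Packet("icmp", "203.0.113.7", "192.0.2.10", sport=8),
    "dns_reply": Packet("udp", DNS, "192.0.2.10", sport=53, dport=33001),
    "udp_probe": Packet("udp", "203.0.113.7", "192.0.2.10", sport=4444, dport=137),
    "tcp_syn": Packet("tcp", "203.0.113.7", "192.0.2.10", sport=40000, dport=22,
                      syn_only=True),
    "tcp_ack": Packet("tcp", "203.0.113.7", "192.0.2.10", sport=40000, dport=22),
}


def verdicts(chain, policy):
    """Verdict for every constructed packet under one chain and policy."""
    return {name: evaluate(chain, policy, p) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for label, chain, policy in (("nikolai", NIKOLAI, "ACCEPT"),
                                 ("dave", DAVE, "ACCEPT"),
                                 ("dave, wrong order", DAVE_WRONG_ORDER, "ACCEPT"),
                                 ("dave, default deny", DAVE, "DENY")):
        print(f"{label:20s} {verdicts(chain, policy)}")
```

Under Nikolai's rules the echo request (ICMP type 8) and the stray UDP probe fall through to the ACCEPT policy, which is the "hole" the online scan reported; with Dave's additions both are denied while the DNS reply is still accepted, but only because the ACCEPT line sits above the UDP DENY. Swapping those two lines denies the DNS reply. A bare TCP ACK, which the -y rule ignores by design, is still accepted until the chain policy is changed to DENY, which is the reason Dave gives for building the firewall the other way round.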


