Re: Questions on secure remote access to Fedora Core 2
- From: "C. J. Clegg" <reply.in.group@xxxxxxxxx>
- Date: Sun, 29 Oct 2006 22:18:35 -0500
Heartfelt thanks to all of y'all who gave me so much help on the security
questions, and everyone else who replied to the "Disabling telnet on
Linux" thread.
After most of a day of research on iptables, and a bunch of trial and
error, I came up with the following /etc/sysconfig/iptables file (I hope
the formatting doesn't get screwed too badly):
*filter
# iptables-restore needs the table line before the chain declarations
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
#
-A INPUT -j RH-Firewall-1-INPUT
#
-A FORWARD -j RH-Firewall-1-INPUT
#
-A OUTPUT -o lo -p tcp --dport 143 -j RETURN
-A OUTPUT -o lo -p tcp --sport 143 -j RETURN
-A OUTPUT -m state --state NEW -m tcp -p tcp --dport 21 -j DROP
-A OUTPUT -m state --state NEW -m tcp -p tcp --dport 23 -j DROP
-A OUTPUT -m tcp -p tcp -d aaa.bbb.0.0/16 --sport 22 -j RETURN
-A OUTPUT -m tcp -p tcp -d ccc.ddd.0.0/16 --sport 22 -j RETURN
-A OUTPUT -m tcp -p tcp -d eee.fff.ggg.0/24 --sport 22 -j RETURN
-A OUTPUT -m tcp -p tcp --sport 25 -j RETURN
-A OUTPUT -m tcp -p tcp --dport 25 -j RETURN
-A OUTPUT -m tcp -p tcp --sport 80 -j RETURN
-A OUTPUT -p icmp --icmp-type any -j RETURN
-A OUTPUT -p udp --dport 53 -j RETURN
-A OUTPUT -j LOG
#
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -j DROP
COMMIT
Objectives:
1. Keep HTTP and HTTPS open for everybody
2. Open inbound SSH, FTP, and mail for everybody ... but, they are
severely restricted in /etc/hosts.allow, and the few allowed FTP users are
kept in chroot jails. FTP is really just needed for three individual
users who for whatever reason can't use SFTP.
3. Disable outgoing telnet and FTP
4. Log all other outbound activity EXCEPT: SSH going to three trusted
networks; any SMTP, HTTP, DNS activity; any pings; any IMAP activity on
the localhost.
I used DROP rather than REJECT because I don't want messages going out
explaining why the connection is being rejected.
Look reasonable?