Re: iptables: cannot talk to localhost
From: David (davidwnh_at_adelphia.net)
Date: 12/30/03
- Next message: David: "Re: Firewall stops Internet Sharing from Clie"
- Previous message: David: "Re: D-Link DI-804HV Router Firewall SPI Function"
- In reply to: NeoSadist: "iptables: cannot talk to localhost"
- Next in thread: The Saint: "Re: iptables: cannot talk to localhost"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 30 Dec 2003 07:28:34 GMT
Is your hosts file correct?
Anyhow, this is not a good way to allow loopback traffic. You are
allowing packets from any interface to use a spoofed localhost source
address to pass your firewall. You also need to allow your own IP
addresses to talk to the loopback for certain things.
Try something like:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
In other words, specify the adapter on which you are allowing it.
>
> # Allow all loopback
> iptables -A INPUT -s localhost -j ACCEPT
> iptables -A OUTPUT -d localhost -j ACCEPT
>
You also want to jump elsewhere to look for spoofs. This is best used with
connection tracking so you only have to check the initial packets and
not every packet in a session.
iptables -A INPUT -i eth0 -j source-address-check
Within your source-address-check chain you can append rules to look
for your own address being spoofed as well as the loopback, private
network addresses, and if you wish broadcast and multicast addresses.
These FTP rules allow for a total compromise of your firewall and
possibly your machine. A hacker simply has to tell his scanning, then
hacking, tool to use port 20 or 21 as the source address. That
effectively bypasses your firewall for a complete scan, and if you have a
service listening for which he/she knows a crack... game over... unless
you have a properly configured firewall or cable/dsl router in front of
this machine.
> # FTP:
> iptables -A INPUT -p tcp --sport 20:21 -j ACCEPT
> iptables -A INPUT -p udp --sport 20:21 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
> iptables -A OUTPUT -p udp --dport 20:21 -j ACCEPT
>
Same thing for several of your other rules.
> # HTTP:
> iptables -A INPUT -p tcp --sport 80 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
>
>
> # HTTPS:
> iptables -A INPUT -p tcp --sport 443 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
>
> # MSN Messenger:
> iptables -A INPUT -p tcp --sport 1863 -j ACCEPT
> iptables -A INPUT -p tcp --sport 6891:6900 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 1863 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 6891:6900 -j ACCEPT
>
> # AOL:
> iptables -A INPUT -p tcp --sport 5190 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 5190 -j ACCEPT
>
> # Yahoo:
> iptables -A INPUT -p tcp --sport 5050 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 5050 -j ACCEPT
> iptables -A INPUT -p tcp --sport 5000:5001 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 5000:5001 -j ACCEPT
>
> # IRC (chat):
> iptables -A INPUT -p tcp --sport 6667 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT
>
> # Shoutcast
> iptables -A INPUT -p tcp --sport 8888 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 8888 -j ACCEPT
>
>