No subject
Tue Jun 4 12:17:20 MDT 2013
telnet did not matter. I had to go to the other machine and run
/etc/rc.d/init.d/xinetd restart. No more telnet connections would
succeed till then.
>
> DStimits> I will look at freshmeat, but I would be very happy if
> DStimits> someone here could tell me exactly what modules in the more
> DStimits> recent kernels (I am using 2.4.5 with ac patches or 2.4.6
> DStimits> pre1 at the moment...except when connected to the internet I
> DStimits> must use 2.4.2) I need to do the following: ACCEPT REJECT
> DStimits> DENY MASQ
>
> ACCEPT and DROP are builtin.
> REJECT requires the ipt_REJECT.o module be loaded. (It should autoload
> tho...you shouldn't have to do anything special except make sure it's
> there).
> MASQ is taken care of by the 'nat' table.
Hmm. I wonder if I have built something in not as a module, and it is
screaming because it thinks it must be a module. I'll have to do some
kernel recompiling, I think something bogus is going on with what works
or fails as a module/compiled-in combination.
>
> Perhaps a simple example would help?
Yes! This is very much needed, thank you.
>
> ---cut---
> #!/bin/sh
> #
> # flush all rules
> #
> /sbin/iptables -F INPUT
> /sbin/iptables -F OUTPUT
> /sbin/iptables -F FORWARD
> /sbin/iptables -F POSTROUTING -t nat
> /sbin/iptables -F PREROUTING -t nat
> #
> # allow all icmp through if it's for our machine
> #
> /sbin/iptables -A INPUT -p icmp -s 0/0 -d your-outside-ip -j ACCEPT
> #
> # allow ssh from outside
> #
> /sbin/iptables -A INPUT -p tcp -s 0/0 -d your-outside-ip --dport 22 -j ACCEPT
> #
> # masquerade internal machines
> #
> /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> #
> # redirect ssh into an internal machine
> #
> /sbin/iptables -t nat -A PREROUTING -p tcp -d your-outside-ip/32 --dport 22 -j DNAT --to-destination 10.1.1.1
> #
> # log and drop everything else.
> #
> /sbin/iptables -A INPUT -j LOG --log-prefix "DROPPING packet: "
> /sbin/iptables -A INPUT -j DROP
Excellent, this is better than the HOWTO I found so far (though I
haven't browsed the one you mentioned yet).
>
> ---cut---
>
> DStimits> Next, can anyone tell me how to log? I see vague references
> DStimits> to syslog.conf containing the log levels, but absolutely no
> DStimits> samples. Is it not possible to create a rule that
> DStimits> simultaneously REJECTs or DENYs, while logging? Does each
> DStimits> log type also need its own kernel module? Documentation
> DStimits> totally sucks.
>
> you need to have a LOG target before the rule you are DROPing or
> REJECTING. See above. ;)
>
> DStimits> Needless to say, I'm not having any fun yet.
>
> awwww...learning is fun! ;)
Normally I'd agree. But when I saw ftp and telnet connect messages, and
wondered why ipchains wasn't spitting out warnings first...then
discovered bind and other ports had been tested also, for almost two
weeks...possibly leaving both my new and old system invaded...it makes
me unhappy. Things like persevering a 154 MB download of the XFS kernel
source on a slow modem add to it when I think I may need to wipe out
much of my system just to guarantee no break-ins (I keep current on most
packages, but it makes my blood turn to ice when I see an unfirewalled
pride-and-joy machine being hit while RH's scripts falsely tell me
firewalling is active...the list of exploits is huge, and without a
firewall, I really don't know what was hit).
D. Stimits, stimits at idcomm.com
>
> DStimits> D. Stimits, stimits at idcomm.com
>
> kevin
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
More information about the LUG
mailing list