[Techtalk] Re: iptables help needed ...

txjulie at austin.rr.com txjulie at austin.rr.com
Thu Dec 26 17:44:44 EST 2002


Raven Alder wrote:
> 
> Heya --
> 
> Quoth txjulie at austin.rr.com (Fri, Dec 20, 2002 at 12:33:55PM -0600):
> > It was pretty trick.  It seems they came in via some hole in sshd
> > and then deposited a =huge= root-kit.
> 
>         Yeah, there have been a few holes in various ssh implementations
> lately.  When you rebuild the box, make sure that you have the very
> latest version of the ssl libs and your ssh daemon of choice installed.

Well ... my preference is to protect more with firewall rules than
current software.  People can't attack what they cannot see ;-)  But
yeah, ssh needs to be updated.  I switched to RH 7.3 and have the
automatic update thingy turned on.

> > When I switched to iptables I had to leave a few more things open, and
> > my guess is that I left entirely too much open.
> 
>         Out of curiosity, why did you have to leave more things open?
> Unless your needs changed, you should have been able to filter the same
> sorts of things out as you had before.

I used to block all attempts at pinging this thing.  I couldn't get
the VPN client software to work with ICMP blocked.

> > Recent enough -- but /, /usr, /var and friends were too trashed,
> > and it's faster to re-install and be done with it than dredge up
> > the backups
> 
>         Oh yeah -- I wouldn't restore binaries that might be rootkitted,
> etc.  Just the data on the machine.  /home/julie or whatever.

I did a fresh install from CDs for the basic filesystems.  The other
filesystems were left alone.

> > Things I want to let in are ssh, vnc (ports 5901 through 5910)
> > from two different machines, and ftp from those same two machines.
> > I'm not sure what I want to let through just yet -- the old firewall
> > rules allowed everything out and only pre-existing connections
> > back in, plus DNS responses from wherever.
> 
>         Okay, this is fairly easy to do.  I'm setting the default policy
> for your firewall to drop packets (defaulting to drop or reject is wise,
> it's up to you whether you'd rather silently discard or let the other
> side know you're bouncing them).

Drop.  I'm a "drop it on the floor" kinda gal ;-)

> > What =must= work is ICMP has to be masqueraded.  I use NAT inside
> > the house on a couple of 192.168.x/24 networks.  What I was trying
> > to make work is an AT&T VPN gadget which idiotically tries to
> > ping its destinations before attempting to connect to them.  Which
> > is =retarded=.  ipchains doesn't handle ICMP properly, so the VPN
> > was giving up after the pings failed -- even though it could have
> > opened a TCP connection to them.
> 
>         How annoying.

Extremely.

> iptables -t nat -A POSTROUTING -o [output interface] -j MASQUERADE
> 
> should take care of your masquerading for you.  I haven't heard of any
> problems with ICMP masquerading under iptables; it's working fine for me
> at home.
> 
>         So in summation, you want to make a firewall script to run at
> boot that looks something like this:

Thanks.  I'll check it out later today or this weekend.
-- 
Julianne Frances Haugh             Life is either a daring adventure
txjulie at austin.rr.com                  or nothing at all.
					    -- Helen Keller
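As an added example (not from this thread or its authors), here is a boot-time firewall script of the kind Raven describes, implementing the policy Julie spells out above: default DROP, only replies to connections opened from inside (which covers DNS answers) back in, everything out, ICMP allowed so the VPN client's pings get answered, ssh/vnc (5901-5910)/ftp only from two trusted machines, and MASQUERADE for the 192.168.x/24 networks behind the box. The interface name eth0, the trusted addresses 192.0.2.10/.20 and the two inside subnets are placeholders; limiting ssh to the two trusted machines as well is an assumption, given how the old box was broken into.

```shell
#!/bin/sh
# Boot-time firewall for the setup in this thread (added example, not from the thread).
# Placeholders to edit: external interface, the two trusted machines, inside networks.
EXT_IF=eth0
TRUSTED="192.0.2.10 192.0.2.20"            # the two machines allowed in (placeholder addresses)
LAN_NETS="192.168.1.0/24 192.168.2.0/24"   # NATed house networks (placeholder subnets)

# With APPLY=1 the rules are loaded (needs root); otherwise they are only printed
# so the script can be reviewed before it is trusted.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then iptables "$@"; else echo "iptables $*"; fi
}

firewall_rules() {
    ipt -F
    ipt -t nat -F
    # "Drop it on the floor": nothing in or through unless a rule below allows it.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT                    # everything out, as before
    ipt -A INPUT -i lo -j ACCEPT
    # Only replies to connections we opened come back in; this is what lets
    # DNS answers through without a standing hole for unsolicited UDP.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The VPN client pings its peers before connecting, so ICMP must pass.
    ipt -A INPUT -p icmp -j ACCEPT
    # ssh, vnc displays :1-:10 and ftp control, only from the two trusted machines.
    for host in $TRUSTED; do
        ipt -A INPUT -p tcp -s "$host" --dport 22 -j ACCEPT
        ipt -A INPUT -p tcp -s "$host" --dport 5901:5910 -j ACCEPT
        ipt -A INPUT -p tcp -s "$host" --dport 21 -j ACCEPT
    done
    # Inside networks may go out; MASQUERADE rewrites their traffic, ICMP included.
    for net in $LAN_NETS; do
        ipt -A FORWARD -s "$net" -o "$EXT_IF" -j ACCEPT
    done
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

# FTP data connections are only seen as RELATED with the ftp conntrack helper loaded.
if [ "${APPLY:-0}" = "1" ]; then
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
firewall_rules
```

Run it once without APPLY to read the rule list it would load, then with `APPLY=1` from an rc script at boot.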
