Re: How can I sabotage all networking functionality in a fedora system?

Allegedly, on or about 04 May 2014, Someone sent:
> I'm planning to install a fedora system to a USB flash drive, and
> then give that to someone to boot their machine from. I don't have
> details on the hardware of the target machine, but I'd like to ensure
> that there's no network activity for the duration of their session in
> the environment.

And you can't simply get them to unplug the network cable?

Are you trying to protect them from some expected harm while resolving
some problem?

Without knowing what network hardware is on the PC, it's a bit hard to
block the modules or drivers that might be loaded.  You'd have to block
them all, to be sure.

A simpler method may be to turn on the firewall, or hard code some
iptables rules, so that only 127.0.0.1 can communicate with itself.  I
think you will need to keep that going, or they'll never be able to do
anything with the computer (such as start X).

With prior releases, I would have run this script (below); I'm not sure
if it covers any more recent changes to iptables.  See the man file, but
it seems to work on Fedora 17.  You can't even ping another PC on the
LAN using its numerical IP address.  The last line saves it as the
default iptables configuration, so after you've run this script just the
once, these rules will get loaded when the machine boots up.

#!/bin/bash

## Flush any pre-existing rules:
iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD

iptables --flush
iptables --table nat --flush

iptables --delete-chain
iptables --table nat --delete-chain


## Set default (policy) rules:
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP

## It MAY be necessary to allow 127.0.0.1 traffic:
## (INPUT rules match on --in-interface; iptables rejects --out-interface there)
iptables --append INPUT --jump ACCEPT --in-interface lo --source 127.0.0.1/255.0.0.0
iptables --append OUTPUT --jump ACCEPT --out-interface lo --source 127.0.0.1/255.0.0.0

iptables-save > /etc/sysconfig/iptables


-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

All mail to my mailbox is automatically deleted, there is no point
trying to privately email me, I will only read messages posted to the
public lists.

George Orwell's '1984' was supposed to be a warning against tyranny, not
a set of instructions for supposedly democratic governments.
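
An added check, not part of the original message: a shell function that reads `iptables-save` output on stdin and confirms the filter table matches what the script above sets up (DROP policy on INPUT, OUTPUT and FORWARD, with every ACCEPT rule bound to `lo`). The function name `audit_loopback_only` and both sample dumps are constructed for illustration.

```shell
#!/bin/bash
# Added example: audit_loopback_only is a hypothetical helper, not a system tool.
# Reads an iptables-save dump on stdin; returns 0 if only loopback can pass.
audit_loopback_only() {
    awk '
        BEGIN { bad = 0; seen = 0 }
        # Track the current table; only "filter" decides accept vs. drop.
        /^\*/ { table = substr($0, 2); next }
        table != "filter" { next }
        # Built-in chain policies look like ":INPUT DROP [0:0]".
        /^:(INPUT|OUTPUT|FORWARD) / {
            seen++
            if ($2 != "DROP") { print "policy is not DROP: " $0; bad = 1 }
            next
        }
        # Every rule that accepts traffic must be bound to the lo interface.
        /^-A / && / -j ACCEPT( |$)/ {
            if ($0 !~ / -[io] lo( |$)/) { print "non-loopback ACCEPT: " $0; bad = 1 }
        }
        END {
            if (seen != 3) { print "filter policies missing from dump"; bad = 1 }
            exit bad
        }
    '
}

# Constructed sample: what iptables-save prints after a loopback-only setup.
SAMPLE_GOOD='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 127.0.0.0/8 -i lo -j ACCEPT
-A OUTPUT -s 127.0.0.0/8 -o lo -j ACCEPT
COMMIT'

# Constructed sample: open OUTPUT policy plus an ACCEPT rule on eth0.
SAMPLE_BAD='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_GOOD" | audit_loopback_only && echo "good sample: isolated"
printf '%s\n' "$SAMPLE_BAD" | audit_loopback_only || echo "bad sample: not isolated"
```

On a live system, run it as `iptables-save | audit_loopback_only`, and again on `ip6tables-save` output, since iptables rules apply to IPv4 only.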


