On 30/03/11 16:25, Thomas Bächler wrote:
This comes with our iptables package:
$ cat /etc/iptables/simple_firewall.rules
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
According to the source from where I got the iptables configuration,
the approach is "Block all incoming connections except for established
connections, then open only specific ports which you want the outside world
to connect to". About blocking ICMP ping, I quote one website as-is:
Your system REPLIED to our Ping (ICMP Echo) requests, making it
visible on the Internet. Most personal firewalls can be configured to
block, drop, and ignore such ping requests in order to better hide
systems from hackers. This is highly recommended since "Ping" is among
the oldest and most common methods used to locate systems prior to
further exploitation
Is what they say true?
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
Doesn't this seem redundant? I mean ICMP is allowed, then except for
established and related connections, a TCP RST packet is sent for all
unwanted TCP traffic and an icmp-port-unreachable message is sent for
every unwanted UDP packet, right? Then what packets does that rule match?
What is a "malicious port scanner" and how can you stay "secure" from it?
I meant to avoid random packets coming from random machines at random times,
for example this random packet from sys.log:
IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:00:cd:27:e5:03:08:00
SRC=182.177.140.45 DST=172.16.37.164 LEN=48 TOS=0x00 PREC=0x00 TTL=103
ID=32623 DF PROTO=TCP SPT=17511 DPT=39384 WINDOW=8192 RES=0x00 SYN URGP=0
On 30/03/11 16:40, Richard Schütz wrote:
The output of "ip addr show" would be interesting.
Here is the output:
$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 20:cf:30:5a:ea:aa brd ff:ff:ff:ff:ff:ff
inet 172.16.37.164/26 brd 172.16.37.191 scope global eth0
3: vboxnet0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
On 30/03/11 16:44, Simon Perry wrote:
So your machine is 172.16.37.164, which you have to configure and tell
your ISP because they NAT externally from 115.187.45.97 to many
internal 172.16.37.* users?
Therefore more than one person could have an external address of
115.187.45.97 mapping back to their 172.16.37.* IP?
Even though only one person could have 115.187.45.97:80 mapped back to
them?
Are you sure about how this works?
With my previous DSL provider, an address in the range 59.93.x.x was
assigned to the ppp0 interface by authenticating with the rp-pppoe software. But
now I have to provide the private IP to eth0, authenticate and then
visit any website to know my public IP.
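As an added illustration that is not part of this thread (neither the Arch iptables package nor any poster supplies this code): the script below is a simplified model of how the kernel walks the INPUT chain of simple_firewall.rules quoted above. It parses the rules text, feeds it the kernel log line quoted earlier in the message plus a few constructed packets, and reports which rule produces the verdict for each. It only understands the matches that file actually uses (-p, -i, -m state --state) and treats the connection-tracking state as a given input, so it is a teaching model, not a netfilter reimplementation. Running it shows that the final REJECT line is not dead: the TCP and UDP rules only catch those two protocols, so a new packet of any other IP protocol (the GRE packet constructed below, for instance) falls through to it, and nothing ever reaches the DROP policy.

```python
"""Model of the simple_firewall.rules INPUT chain: which rule decides each packet?"""
from dataclasses import dataclass

# Rules text copied from the message above.
RULES_TEXT = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
"""

# Kernel LOG line copied from the message above (re-joined onto one line).
LOG_LINE = ("IN=eth0 OUT= MAC=20:cf:30:5a:ea:aa:00:00:cd:27:e5:03:08:00 "
            "SRC=182.177.140.45 DST=172.16.37.164 LEN=48 TOS=0x00 PREC=0x00 TTL=103 "
            "ID=32623 DF PROTO=TCP SPT=17511 DPT=39384 WINDOW=8192 RES=0x00 SYN URGP=0")


@dataclass
class Packet:
    """Only the attributes the quoted rules look at; 'state' is the conntrack state."""
    proto: str            # "tcp", "udp", "icmp" or any other IP protocol name, e.g. "gre"
    iface: str = "eth0"   # input interface
    state: str = "NEW"    # NEW, ESTABLISHED, RELATED or INVALID (assumed given)
    src: str = ""
    dport: int = 0


def parse_rules(text):
    """Return ({chain: policy}, [rule lines]) from iptables-save style text."""
    policy, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, pol, _counters = line[1:].split()
            policy[chain] = pol
        elif line.startswith("-A "):
            rules.append(line)
    return policy, rules


def rule_matches(rule, pkt):
    """True if every match clause in the rule applies to the packet."""
    toks = rule.split()
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-p":
            if pkt.proto != toks[i + 1]:
                return False
            i += 2
        elif t == "-i":
            if pkt.iface != toks[i + 1]:
                return False
            i += 2
        elif t == "--state":
            if pkt.state not in toks[i + 1].split(","):
                return False
            i += 2
        elif t in ("-A", "-m", "-j", "--reject-with"):
            i += 2            # chain name, match module, target and its option: not a test
        else:
            i += 1
    return True


def verdict(rule):
    """Render the target, e.g. 'REJECT (tcp-reset)'."""
    toks = rule.split()
    target = toks[toks.index("-j") + 1]
    if "--reject-with" in toks:
        target += " (" + toks[toks.index("--reject-with") + 1] + ")"
    return target


def evaluate(pkt, text=RULES_TEXT):
    """Walk the INPUT chain; return (rule number, verdict); rule 0 means the chain policy."""
    policy, rules = parse_rules(text)
    for n, rule in enumerate(rules, 1):
        if rule.startswith("-A INPUT ") and rule_matches(rule, pkt):
            return n, verdict(rule)
    return 0, "policy " + policy["INPUT"]


def packet_from_log(line):
    """Build a Packet from a netfilter LOG line (KEY=value tokens, bare tokens are flags)."""
    fields = {}
    for tok in line.split():
        k, _sep, v = tok.partition("=")
        fields[k] = v if _sep else True
    # A logged SYN with no conntrack entry is a NEW packet from conntrack's point of view.
    return Packet(proto=fields["PROTO"].lower(), iface=fields["IN"], state="NEW",
                  src=fields["SRC"], dport=int(fields["DPT"]))


if __name__ == "__main__":
    samples = [("ping from anywhere", Packet(proto="icmp")),
               ("reply to our own connection", Packet(proto="tcp", state="ESTABLISHED")),
               ("local process via lo", Packet(proto="tcp", iface="lo")),
               ("the logged SYN", packet_from_log(LOG_LINE)),
               ("unsolicited UDP", Packet(proto="udp")),
               ("constructed GRE packet", Packet(proto="gre"))]
    for label, pkt in samples:
        print(f"{label:28s} -> rule {evaluate(pkt)[0]}: {evaluate(pkt)[1]}")
```

The table this prints answers the question in the message: the logged SYN to port 39384 is decided by the TCP rule (a RST goes back), UDP gets port-unreachable, and only packets of some other protocol reach the last line. Whether that last line is worth keeping is a design choice; deleting it would hand those packets to the chain's DROP policy instead, which silently discards rather than answering with proto-unreachable.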