I've done something to this sort, and done iptables -P OUTPUT ACCEPT. Then, I have things hanging, such as apt-get, etc...

----- Original Message -----
From: "Igor Gueths" <igueths@xxxxxxxxxxxx>
To: "Speakup is a screen review system for Linux." <speakup at braille.uwo.ca>
Sent: Sunday, May 20, 2007 3:52 PM
Subject: Re: security precautions with iptables?

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi. Another idea is putting this in a script:
> /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> services ports go here
> /sbin/iptables -P INPUT DROP
> Only apply that policy when you know that all your required ports are open; if not, you may find yourself locked out of your machine, and only console access can fix things again.
> Igor
> On Sun, May 20, 2007 at 05:33:15PM -0400, Travis Siegel wrote:
> > If you turn off the various utilities in the inetd.conf file that you
> > don't use, that can help too.
> > i.e. since you're using ssh, you won't need telnet and rlogin.
> > Simply comment them out. That way, no matter how many packets go to
> > that destination port, it won't do a bit of good.
> > You are of course welcome to block any ports you like, and it's
> > likely that'll help too, but the inetd daemon is a nice way to secure
> > the machine as well.
> >
> > As for the problem with the outgoing ping packets, there are ways to
> > specify incoming/outgoing packets, but I've not fiddled with ip rules
> > for several years, so I don't remember the syntax. However, there's
> > a very good how-to on the linux how-to site explaining ipfwadm and
> > ipchains. One of the examples in there is how to secure the machine
> > for a particular service (don't remember which one) but it covers
> > that exact problem (if I remember correctly)
> > Try to see if you can find it. If not, I'm sure I have it *somewhere*.
> > But, just so you know, there is a solution, I (unfortunately) no
> > longer remember what it is though.
> >
> > On May 20, 2007, at 11:34 AM, Littlefield, Tyler wrote:
> >
> > > Hello list,
> > > I've been told to block ping requests with iptables. I made the
> > > following rule:
> > > iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
> > > The only problem with this, is it drops all pings incoming as well,
> > > which causes a slight problem.
> > > Any way around this?
> > > Also, is there anything else that can be done in order to make the
> > > system more secure? I was told to block fragmented packets. I know
> > > what they are, but don't know enough about tcp in order to be able
> > > to do much with them.
> > > Help is appreciated.
> > > Thanks,
> > > _______________________________________________
> > > Speakup mailing list
> > > Speakup at braille.uwo.ca
> > > http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
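A worked version of the stateful approach Igor sketches, added here as an example and not code posted by anyone in this thread. It writes the rules in iptables-restore format so that the ESTABLISHED,RELATED rule and the service rules take effect in the same atomic load as the INPUT DROP policy, which is the ordering that keeps apt-get and the machine's own outgoing pings from hanging while still dropping unsolicited echo-requests. SSH_PORT, TRUSTED_PING_NET and the function names are assumptions.

```shell
#!/bin/sh
# Added example: a stateful ruleset in iptables-restore format. iptables-restore
# loads the whole table atomically, so the ESTABLISHED,RELATED and service rules
# are in place at the same instant the INPUT policy becomes DROP, and a rule typed
# in the wrong order cannot lock out the SSH session that applies it.
SSH_PORT="${SSH_PORT:-22}"                             # assumed service port
TRUSTED_PING_NET="${TRUSTED_PING_NET:-192.0.2.0/24}"   # assumed net still allowed to ping us

# Prints the ruleset; nothing is applied until apply_ruleset runs.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback stays open or local services (resolver, X) break
-A INPUT -i lo -j ACCEPT
# replies to connections this host started (apt-get, DNS, its own pings)
# match here; without this rule a DROP policy hangs every outbound client
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# services offered to the network go here
-A INPUT -p tcp --dport ${SSH_PORT} -m state --state NEW -j ACCEPT
# incoming echo-request: trusted net only, rate-limited; outgoing pings still
# work because their echo-replies were accepted as ESTABLISHED above
-A INPUT -p icmp --icmp-type echo-request -s ${TRUSTED_PING_NET} -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
# non-first fragments carry no port header to match; note that with connection
# tracking loaded the kernel reassembles packets first, so this rarely fires
-A INPUT -f -j DROP
COMMIT
EOF
}

# Applies atomically; needs root and iptables-restore.
apply_ruleset() {
    gen_ruleset | iptables-restore
}

# Checks, without root, that the INPUT policy is DROP and that the
# ESTABLISHED,RELATED rule precedes the first service rule.
check_ruleset() {
    rules=$(gen_ruleset)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    est=$(printf '%s\n' "$rules" | grep -n -- '--state ESTABLISHED' | head -n 1 | cut -d: -f1)
    svc=$(printf '%s\n' "$rules" | grep -n -- '--dport' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$svc" ] && [ "$est" -lt "$svc" ]
}
```

Run `check_ruleset` before `apply_ruleset` from a console session rather than over SSH the first time, so a mistake in the service list can be corrected without the lockout Igor warns about.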