Re: Urgent Help needed.... please.

Hi Kim,

Firstly thanks for your offer to help.... it is
greatly appreciated.

> If you have been hacked, then at least you have taken the necessary first step
> by shutting down, but it doesn't appear like you have cleaned your system or
> reinstalled it. I would do that before anything else, to ensure that I have
> _no_ bad dudes left on my machine. Then secondly, I would patch the server
> with all relevant patches.

Yes, cleaning the system was my next priority, however
I thought it necessary to secure the machine first as
I didn't want to go through all this again, in case it
happened again before I had a working firewall.

> Secondly, your script is very IP-centric; all destinations for everything are
> based on IPs. Why don't you try to simplify your script so it only meets your
> explicit demands? First of all, you could disallow packets from the Internet
> to the INPUT chain and only accept FORWARD packets which are
> related/established from inside.

If it is not too much to ask, would you be able to
provide me with an example to use as the basis of a
new firewall? I did have another firewall (attached)
which I used from within Webmin. This was much
simpler, but I still had the same problem! Once the
firewall was up and I was connected, everything was
working fine. Then if I disconnected and reconnected
to the server, nothing would work??? It's really got
me stumped! Actually I don't think it is the firewall,
I think it is more than that. Perhaps something not
compiled into the kernel that should be?

> Finally, if you have an immediate problem, try to make a script that restarts
> your Internet connection and put the firewall script into this, so your
> firewall is being restarted as well.
>
> No matter what, please give some ideas about your network setup - it will help
> with understanding how we can help you.

My server has a static IP address and is basically
plugged straight into the Internet via an ISP. The box
is co-located at the ISP and I remotely administer it.
I have 1 ethernet card connecting the computer to the
outside world and this is allocated the static IP
address. Our server will (eventually) be used to host
domains/email/webpages etc.

Any ideas?

Thanks again

Steve Q.

# Generated by iptables-save v1.2.5 on Mon Mar 10 15:39:57 2003
*nat
:PREROUTING ACCEPT [3:341]
:POSTROUTING ACCEPT [19:1587]
:OUTPUT ACCEPT [19:1587]
COMMIT
# Completed on Mon Mar 10 15:39:57 2003
# Generated by iptables-save v1.2.5 on Mon Mar 10 15:39:57 2003
*mangle
:PREROUTING ACCEPT [274:38223]
:INPUT ACCEPT [274:38223]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [247:25738]
:POSTROUTING ACCEPT [247:25738]
COMMIT
# Completed on Mon Mar 10 15:39:57 2003
# Generated by iptables-save v1.2.5 on Mon Mar 10 15:39:57 2003
*filter
:OUTPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
-A INPUT ! -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Mon Mar 10 15:39:57 2003
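Added example, not from this thread or either poster: one way to lay out the stateful default-deny INPUT chain Kim describes for a single-card server like the one above. It keeps the same published services as the attached ruleset but replaces the bare "any packet with ACK set" and "any UDP from source port 53" accepts with connection tracking, since both of those let unsolicited traffic through. The interface name eth0 and the port list are assumptions taken from the attachment; the script only prints the ruleset unless run as root with --apply.

```shell
#!/bin/sh
# Added example (not from the thread): a stateful default-deny ruleset for a
# single-NIC co-located server, in iptables-restore format. Interface name and
# the service list below are assumptions lifted from the posted attachment.
IFACE="eth0"
TCP_SERVICES="22 25 80 110 10000"   # ssh smtp http pop3 webmin (as posted)

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback is always fine; this host does not route, so FORWARD stays closed.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (covers DNS answers, so no blanket
# "source port 53" rule is needed); tracked by conntrack, not by TCP flags.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop anything the conntrack table does not recognise (e.g. stray ACKs).
-A INPUT -m state --state INVALID -j DROP
# Only new SYNs arriving on the Internet card may open the published services.
EOF
    for port in $TCP_SERVICES; do
        echo "-A INPUT -i $IFACE -p tcp --syn --dport $port -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# ICMP the host needs to behave on the network; rate-limit echo requests.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# Log what falls through before the chain policy drops it.
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "
COMMIT
EOF
}

# Count the rules that accept NEW connections (sanity check before applying).
count_open_ports() {
    gen_rules | grep -c -- '--state NEW -j ACCEPT'
}

# Apply only on explicit request and only as root; otherwise just print.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Review the printed output with `sh fw.sh | less` first; `iptables-restore` replaces the whole filter table atomically, so a typo cannot leave the chains half-loaded the way a line-by-line script can.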
