[wplug] dialup security

Vance Kochenderfer vkochend at nyx.net
Tue Jul 19 22:39:31 EDT 2005


Zachary Uram <netrek at gmail.com> wrote:
> SNORT, IDS, etc) assume one has a 24x7 net connection! I am wondering
> if anyone has found some good security resources for dialup users
> using PPP? I'm running Debian unstable with 2.4.18 kernel.

I'm not sure how Debian handles firewall configuration.  Mandrake and
Red Hat have a file /etc/sysconfig/iptables which is read in when the
iptables service is started.  I've appended an edited version of the
rules I use.

A brief description:
 - Allow all packets out of the machine (probably safe)
 - Drop all packets coming in by default
 - Allow all packets coming in on the loopback interface
 - Allow all packets coming in on the ethernet card (could be unsafe
   if you have potentially compromised machines on your network)
 - Allow packets in for time synchronization (I'm not aware of any
   ntpd exploits)
 - Log and drop packets coming in on PPP interfaces to certain
   interesting ports (since drop is the default, you can remove
   these lines if you're not excited by reading logs of failed
   attacks) - needs ipt_LOG kernel module loaded
 - Drop ICMP redirect packets (probably redundant?)
 - Allow in packets associated with an existing connection - needs
   ip_conntrack and ipt_state kernel modules loaded
 - Disable forwarding between PPP and other networks

This is for a (mostly) standalone workstation that connects to the
Internet via dialup.  I'm sure if there are any problems with this
configuration they'll be pointed out either on the list or by
someone hacking my machine.

Vance Kochenderfer        |  "Get me out of these ropes and into a
vkochend at nyx.net          |   good belt of Scotch"    -Nick Danger


# Generated by iptables-save v1.2.1 on Tue Aug  7 22:24:59 2001
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Aug  7 22:24:59 2001
# Generated by iptables-save v1.2.1 on Tue Aug  7 22:24:59 2001
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Tue Aug  7 22:24:59 2001
# Generated by iptables-save v1.2.1 on Tue Aug  7 22:24:59 2001
#
# Default: let all packets out, none in
#
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Bad Things happen if you drop packets on the loopback interface
-A INPUT -i lo -j ACCEPT 
# Let all packets on the local network in
-A INPUT -i eth0 -j ACCEPT 
# Allow UDP packets for NTP service
-A INPUT -p udp -m udp --dport 123 -i ppp+ -j ACCEPT
########## Note: If you don't care about logging, you can remove everything
########## from here down to the next "##########"
# Log and block all attempts to connect to privileged ports
# via ppp interfaces
-A INPUT -i ppp+ -p tcp -m tcp --dport 0:1024 -j LOG --log-prefix iptables: 
-A INPUT -i ppp+ -p tcp -m tcp --dport 0:1024 -j DROP 
-A INPUT -i ppp+ -p udp -m udp --dport 0:1024 -j LOG --log-prefix iptables: 
-A INPUT -i ppp+ -p udp -m udp --dport 0:1024 -j DROP 
# The same, for X11 ports
-A INPUT -i ppp+ -p tcp -m tcp --dport 6000:6063 -j LOG --log-prefix iptables: 
-A INPUT -i ppp+ -p tcp -m tcp --dport 6000:6063 -j DROP 
-A INPUT -i ppp+ -p udp -m udp --dport 6000:6063 -j LOG --log-prefix iptables: 
-A INPUT -i ppp+ -p udp -m udp --dport 6000:6063 -j DROP 
# The same, for X font server port
-A INPUT -i ppp+ -p tcp -m tcp --dport 7100 -j LOG --log-prefix iptables: 
-A INPUT -i ppp+ -p tcp -m tcp --dport 7100 -j DROP 
-A INPUT -i ppp+ -p udp -m udp --dport 7100 -j LOG --log-prefix iptables: 
-A INPUT -i ppp+ -p udp -m udp --dport 7100 -j DROP 
########## end of logging entries
# Block all ICMP redirect packets on ppp interfaces
-A INPUT -i ppp+ -p icmp -m icmp --icmp-type 5 -j DROP 
# Accept all ppp packets which are part of an established or
# requested connection (stateful inspection)
-A INPUT -i ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT 
# Don't forward any packets to or from ppp interfaces
-A FORWARD -i ppp+ -j DROP 
-A FORWARD -o ppp+ -j DROP 
COMMIT
# Completed on Tue Aug  7 22:24:59 2001
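The four pairs of LOG/DROP rules above are only useful if somebody reads what they produce. The ipt_LOG target writes each hit into the kernel log as the prefix followed directly by a run of KEY=VALUE fields (since the prefix is given as "iptables:" with no trailing space, the lines read "iptables:IN=ppp0 OUT= ..."). The script below is an added example, not part of the original post or of any project: it parses constructed sample lines in that shape, counts dropped packets per interface/protocol/destination port and per source address, and maps each port back to the rule group that logged it. The host name, addresses (RFC 5737 documentation ranges) and timestamps in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample kern.log lines in the shape the 2.4-era ipt_LOG target
# writes for the ruleset above.  The "--log-prefix iptables:" has no trailing
# space, so the prefix runs straight into the IN= field.  Addresses are
# RFC 5737 documentation ranges; host name and times are invented.
SAMPLE_LOG = """\
Jul 19 22:40:01 box kernel: iptables:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=36155 DF PROTO=TCP SPT=2314 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 19 22:40:03 box kernel: iptables:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=36156 DF PROTO=TCP SPT=2315 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 19 22:41:17 box kernel: iptables:IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=1026 DPT=137 LEN=58
Jul 19 22:42:09 box kernel: iptables:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=36201 DF PROTO=TCP SPT=2390 DPT=6000 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 19 22:43:00 box kernel: eth0: link up
"""

# Everything after "kernel: iptables:" is the field list; it always starts with IN=.
PREFIX_RE = re.compile(r"kernel: iptables:(?P<fields>IN=.*)$")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one ipt_LOG line as a dict, or None.

    Bare tokens without '=' (DF, SYN, ACK, ...) are collected under 'flags'.
    UDP lines carry LEN= twice (IP total length, then UDP length); the first
    occurrence is kept so 'LEN' always means the IP length.
    """
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec.setdefault(key, value)
        else:
            rec["flags"].append(tok)
    return rec


def logging_rule_for(dport):
    """Name the group of LOG rules in the ruleset that covers this port."""
    if 0 <= dport <= 1024:
        return "privileged"
    if 6000 <= dport <= 6063:
        return "x11"
    if dport == 7100:
        return "xfs"
    return None


def summarize(log_text):
    """Count logged (and therefore dropped) packets.

    Returns (by_port, by_src): by_port is keyed on (interface, proto, dport),
    by_src on the source address.  Lines that are not ipt_LOG output are skipped.
    """
    by_port = Counter()
    by_src = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        dport = int(rec.get("DPT", 0))
        by_port[(rec["IN"], rec.get("PROTO", "?"), dport)] += 1
        by_src[rec["SRC"]] += 1
    return by_port, by_src


def report(log_text):
    """Render the summary as text lines, busiest ports first."""
    by_port, by_src = summarize(log_text)
    lines = ["dropped packets per port:"]
    for (iface, proto, dport), n in by_port.most_common():
        lines.append("  %s %s/%d (%s): %d" % (iface, proto, dport, logging_rule_for(dport), n))
    lines.append("dropped packets per source:")
    for src, n in by_src.most_common():
        lines.append("  %s: %d" % (src, n))
    return lines


if __name__ == "__main__":
    # Feed a real log with: python3 thisfile.py < /var/log/kern.log (path assumed)
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print("\n".join(report(text)))
```

Because INPUT already defaults to DROP, the counts only tell you what the LOG rules happened to cover (ports 0-1024, 6000-6063 and 7100 on ppp interfaces); a probe against any other port is dropped silently and never appears here.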

