[wplug] dialup security

Zach netrek at gmail.com
Wed Oct 10 20:28:44 EDT 2007


On 7/19/05, Vance Kochenderfer <vkochend at nyx.net> wrote:
>
> I'm not sure how Debian handles firewall configuration.  Mandrake and
> Red Hat have a file /etc/sysconfig/iptables which is read in when the
> iptables service is started.  I've appended an edited version of the
> rules I use.
[...]

Thanks for the rules, Vance. Any idea how I can have my firewall loaded
when I am online? I am only online 3-4 hours a day so I don't want
this firewall running during all my uptime :) I use pon to manually
start my PPP dialup connection and poff to end it manually.

> A brief description:
>  - Allow all packets out of the machine (probably safe)
>  - Drop all packets coming in by default
>  - Allow all packets coming in on the loopback interface
>  - Allow all packets coming in on the ethernet card (could be unsafe
>    if you have potentially compromised machines on your network)
>  - Allow packets in for time synchronization (I'm not aware of any
>    ntpd exploits)

Will I still be able to read/send email, play netrek (uses UDP), use
IM (gaim/amsn), browse the web and accept cookies, use
ping/traceroute/nslookup, and use ssh?
Oh I also run the Open AFS client (uses kerberos).

>  - Log and drop packets coming in on PPP interfaces to certain
>    interesting ports (since drop is the default, you can remove
>    these lines if you're not excited by reading logs of failed
>    attacks) - needs ipt_LOG kernel module loaded

How can I enable this kernel module? I run a Debianized stock 2.6.18
kernel image.

>  - Drop ICMP redirect packets (probably redundant?)
>  - Allow in packets associated with an existing connection - needs
>    ip_conntrack and ipt_state kernel modules loaded
>  - Disable forwarding between PPP and other networks

How do I load these 2 kernel modules? I want them to stay loaded so I
don't have to do it each time I boot.

Oh and what do I do with that iptables ruleset you gave me? I mean how
do I load the rules? I never used a firewall before. Trying to become
more security conscious.

BTW how do you know if an attack is in progress? What tool(s) can I
use to alert me to what is happening? I can't spend all my time
reading /var/log/messages :)

And I get so much root mail my mailbox has 3,000 unread messages :(

Zach


> # Generated by iptables-save v1.2.1 on Tue Aug  7 22:24:59 2001
> *mangle
> :PREROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> # Completed on Tue Aug  7 22:24:59 2001
> # Generated by iptables-save v1.2.1 on Tue Aug  7 22:24:59 2001
> *nat
> :PREROUTING ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> COMMIT
> # Completed on Tue Aug  7 22:24:59 2001
> # Generated by iptables-save v1.2.1 on Tue Aug  7 22:24:59 2001
> #
> # Default: let all packets out, none in
> #
> *filter
> :INPUT DROP [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> # Bad Things happen if you drop packets on the loopback interface
> -A INPUT -i lo -j ACCEPT
> # Let all packets on the local network in
> -A INPUT -i eth0 -j ACCEPT
> # Allow UDP packets for NTP service
> -A INPUT -p udp -m udp --dport 123 -i ppp+ -j ACCEPT
> ########## Note: If you don't care about logging, you can remove everything
> ########## from here down to the next "##########"
> # Log and block all attempts to connect to privileged ports
> # via ppp interfaces
> -A INPUT -i ppp+ -p tcp -m tcp --dport 0:1024 -j LOG --log-prefix iptables:
> -A INPUT -i ppp+ -p tcp -m tcp --dport 0:1024 -j DROP
> -A INPUT -i ppp+ -p udp -m udp --dport 0:1024 -j LOG --log-prefix iptables:
> -A INPUT -i ppp+ -p udp -m udp --dport 0:1024 -j DROP
> # The same, for X11 ports
> -A INPUT -i ppp+ -p tcp -m tcp --dport 6000:6063 -j LOG --log-prefix iptables:
> -A INPUT -i ppp+ -p tcp -m tcp --dport 6000:6063 -j DROP
> -A INPUT -i ppp+ -p udp -m udp --dport 6000:6063 -j LOG --log-prefix iptables:
> -A INPUT -i ppp+ -p udp -m udp --dport 6000:6063 -j DROP
> # The same, for X font server port
> -A INPUT -i ppp+ -p tcp -m tcp --dport 7100 -j LOG --log-prefix iptables:
> -A INPUT -i ppp+ -p tcp -m tcp --dport 7100 -j DROP
> -A INPUT -i ppp+ -p udp -m udp --dport 7100 -j LOG --log-prefix iptables:
> -A INPUT -i ppp+ -p udp -m udp --dport 7100 -j DROP
> ########## end of logging entries
> # Block all ICMP redirect packets on ppp interfaces
> -A INPUT -i ppp+ -p icmp -m icmp --icmp-type 5 -j DROP
> # Accept all ppp packets which are part of an established or
> # requested connection (stateful inspection)
> -A INPUT -i ppp+ -m state --state RELATED,ESTABLISHED -j ACCEPT
> # Don't forward any packets to or from ppp interfaces
> -A FORWARD -i ppp+ -j DROP
> -A FORWARD -o ppp+ -j DROP
> COMMIT
> # Completed on Tue Aug  7 22:24:59 2001
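The "load the rules only while the dial-up link exists" hook Zach asks about, as an added example that is not part of the post and not one of Debian's own ppp scripts. It assumes the quoted ruleset has been saved verbatim to /etc/iptables.rules (placeholder path), that pppd runs the scripts in /etc/ppp/ip-up.d and /etc/ppp/ip-down.d with the interface name as the first argument (Debian behaviour), and the 2.6.18-era module names Vance mentions. iptables-restore reads exactly the iptables-save format the rules are given in, so no translation of the ruleset is needed; a module name listed one per line in /etc/modules is loaded at every boot on Debian, which answers the "stay loaded" question.

```shell
#!/bin/sh
# Added example, not from the post or from Debian's own ppp scripts.
# Brings Vance's ruleset up when pppd establishes a link and clears it
# when the link goes down.  Assumed layout (placeholders, adjust to taste):
#   /etc/iptables.rules            the iptables-save text quoted in the post
#   /etc/ppp/ip-up.d/00firewall    this script, run by pppd after the link is up
#   /etc/ppp/ip-down.d/00firewall  symlink to the same script, run after poff
# pppd's run-parts hands the interface name (ppp0, ...) to the script as $1.
RULES=${RULES:-/etc/iptables.rules}

# Kernel modules the ruleset depends on, under the 2.6.18-era names used in
# the post (newer kernels call them nf_conntrack, xt_state and xt_LOG).
# Listing the same names, one per line, in /etc/modules loads them at boot;
# modprobe here only covers the first connection after installing the script.
load_modules() {
    for m in ip_conntrack ipt_state ipt_LOG; do
        modprobe "$m" || { echo "firewall: cannot load module $m" >&2; return 1; }
    done
}

# Sanity-check a ruleset file before handing it to iptables-restore: the
# properties Vance described must be present, or the link would come up
# either wide open or unable to receive replies to its own connections.
check_ruleset() {
    f=$1
    [ -r "$f" ] || { echo "firewall: ruleset $f not readable" >&2; return 1; }
    grep -q '^\*filter' "$f" \
        || { echo "firewall: no *filter table in $f" >&2; return 1; }
    grep -q '^:INPUT DROP' "$f" \
        || { echo "firewall: INPUT policy is not DROP" >&2; return 1; }
    grep -q -- '^-A INPUT -i lo -j ACCEPT' "$f" \
        || { echo "firewall: loopback is not accepted" >&2; return 1; }
    grep -q -- '--state RELATED,ESTABLISHED -j ACCEPT' "$f" \
        || { echo "firewall: no stateful ACCEPT rule (replies would be dropped)" >&2; return 1; }
    grep -q '^COMMIT' "$f" \
        || { echo "firewall: ruleset has no COMMIT" >&2; return 1; }
    return 0
}

# Load the rules in one go; iptables-restore reads the iptables-save format.
apply_firewall() {
    check_ruleset "$1" || return 1
    iptables-restore < "$1"
}

# Flush everything and return to accept-all once the dial-up link is gone.
clear_firewall() {
    for t in filter nat mangle; do
        iptables -t "$t" -F
        iptables -t "$t" -X
    done
    for c in INPUT FORWARD OUTPUT; do
        iptables -P "$c" ACCEPT
    done
}

# Decide what to do from where pppd ran us; when run by hand, "up" or "down"
# may be given as the first argument instead.
case "$0" in
    */ip-up.d/*)   action=up ;;
    */ip-down.d/*) action=down ;;
    *)             action=${1:-} ;;
esac
case "$action" in
    up)   load_modules && apply_firewall "$RULES" ;;
    down) clear_firewall ;;
esac
```

Run by hand as root with `sh 00firewall up` to test before installing it under /etc/ppp. Tearing the rules down on poff is what Zach asked for, but it is not required for safety: every restrictive rule in the quoted set matches only `ppp+` interfaces and `eth0` and `lo` are accepted outright, so leaving the ruleset loaded for the whole uptime changes nothing while the modem is idle.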


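For the question about noticing an attack without reading /var/log/messages line by line, an added example that is not part of the post. The LOG rules in the quoted ruleset make the kernel write lines of the form `kernel: iptables:IN=ppp0 OUT= SRC=... DST=... PROTO=TCP SPT=... DPT=445 ...` (no space after the prefix, because the rule uses `--log-prefix iptables:`); the script below reduces a syslog file to hits per source address and per target port, and lists the sources above a threshold so that a cron job can mail a short summary instead of the raw log. The sample log lines and the addresses in them (TEST-NET ranges) are constructed; the log file path and the threshold of 3 are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: summarise the "iptables:" LOG lines
# that Vance's ruleset writes to syslog.

# Constructed sample lines (TEST-NET addresses) so the script can be tried
# offline; the last line is ordinary sshd noise that must be ignored.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Oct 10 20:28:44 box kernel: iptables:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1 DF PROTO=TCP SPT=3456 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 10 20:28:45 box kernel: iptables:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=2 DF PROTO=TCP SPT=3457 DPT=139 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 10 20:28:46 box kernel: iptables:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=3 DF PROTO=TCP SPT=3458 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 10 20:29:01 box kernel: iptables:IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.5 LEN=28 TOS=0x00 PREC=0x00 TTL=50 ID=4 PROTO=UDP SPT=1026 DPT=6000 LEN=8
Oct 10 20:29:02 box sshd[1234]: Accepted publickey for zach from 198.51.100.9 port 51234 ssh2
EOF
    echo "$f"
}

# Print "hits source" for every source address, busiest first.
count_by_source() {
    grep 'iptables:' "$1" | awk '
        { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) { n[substr($i, 5)]++; break } }
        END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Print "hits proto/port" for one source address, busiest port first.
ports_hit_by() {
    grep 'iptables:' "$1" | grep -F "SRC=$2 " | awk '
        { proto = "?"; dpt = "?"
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^PROTO=/) proto = substr($i, 7)
              else if ($i ~ /^DPT=/) dpt = substr($i, 5)
          }
          n[proto "/" dpt]++ }
        END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

# Print only the sources with at least $2 hits: the ones worth a look.
noisy_sources() {
    count_by_source "$1" | awk -v min="$2" '$1 >= min { print $2 }'
}

# Usage: sh fwlog.sh [/var/log/messages] [threshold]
# With no arguments the constructed sample is summarised.
LOG=${1:-$(sample_log)}
echo "hits per source:"
count_by_source "$LOG"
echo "sources with at least ${2:-3} hits:"
noisy_sources "$LOG" "${2:-3}"
```

Most of what these rules log on a dial-up link is background scanning of the usual Windows and X11 ports, so single hits are not worth an alert; repeated hits from one source, or a source walking many ports, is the pattern to look for, and the more important signal is anything that was accepted rather than dropped (successful logins in the same syslog file).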