jbstew32 (n00b) - Joined: 12 Jul 2003, Posts: 18, Location: Atlanta, GA
Posted: Sat Aug 02, 2003 5:39 pm - Post subject: College Network
I will be on a college network for some time with my Linux box. What are some security measures that I could take to prevent "browsers" or script kiddies from screwing with me, aside from turning off services and the basic hosts.deny and such? Is there a website any of you know of that has a good howto on firewalls/iptables?
fragbert (Tux's lil' helper) - Joined: 18 Apr 2003, Posts: 75, Location: Dallas, TX
Posted: Sat Aug 02, 2003 7:19 pm
The www.netfilter.org site has a lot of good information and FAQs. If all you want to do is firewall yourself from remote users, this will give you a good start:

```sh
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
```

I'll explain the code line by line:

First, it sets the default INPUT policy to DROP (all packets not otherwise matching a rule will be dropped).

Next, it accepts packets coming into the local loopback interface. This is useful if you run programs that connect to local network sockets.

And finally it turns on reverse path filtering. This will prevent people from exploiting the loopback interface's accept policy by checking to make sure that all packets come from the interface they would leave on.

Assuming that you have no other iptables rules, and that you don't have forwarding on (the default), you should be safe. If you want these settings to come up on every boot, you need to do three things: execute '/etc/init.d/iptables save' to save the settings, run 'rc-update add iptables default', and put the rp_filter setting in your /etc/sysctl.conf:

```
net.ipv4.conf.all.rp_filter = 1
```

Good luck,
Michael
dma (Guru) - Joined: 31 Jan 2003, Posts: 437, Location: Charlotte, NC, USA
Posted: Sun Aug 03, 2003 1:45 am
This has almost everything you want (very well-written in my opinion, but buried back in the docs section):
Gentoo Linux Security Guide
Spida (Tux's lil' helper) - Joined: 08 Feb 2003, Posts: 97, Location: Germany
Posted: Sun Aug 03, 2003 1:56 pm
You may want to have a look at the Gentoo-Server-Pages
Kalmairn (n00b) - Joined: 27 Jan 2003, Posts: 61
Posted: Sun Aug 03, 2003 3:27 pm
fragbert wrote:
> The www.netfilter.org site has a lot of good information and FAQs. If all you want to do is firewall yourself from remote users, this will give you a good start:
>
> ```sh
> iptables -P INPUT DROP
> iptables -A INPUT -i lo -j ACCEPT
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
> ```

Don't forget to have:

```sh
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
```

Otherwise the traffic you requested from the outside world will be nailed by the default policy of the INPUT chain.

Kal.
fragbert (Tux's lil' helper) - Joined: 18 Apr 2003, Posts: 75, Location: Dallas, TX
Posted: Sun Aug 03, 2003 5:46 pm
Kalmairn wrote:
> ```sh
> iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
> ```
> Otherwise the traffic you requested from the outside world will be nailed by the default policy of the INPUT chain.
>
> Kal.

Doh, yeah, that would be an important one I left out. Usually people will do '-m state --state ESTABLISHED,RELATED'. RELATED will help assist with opening ports which are related to already opened connections (like in FTP, etc).

Michael
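The thread's pieces assembled into one stateful host ruleset, as an added example that is not from any of the posters: fragbert's default DROP, loopback accept and rp_filter, plus Kalmairn's ESTABLISHED rule with the RELATED state fragbert mentions. It assumes iptables-restore and sysctl are available on the box; the function names print_ruleset, check_ruleset and apply_ruleset are mine.

```shell
#!/bin/sh
# Added example: minimal host firewall combining the thread's rules:
# default DROP on INPUT, accept loopback, accept replies to connections the
# host itself opened (ESTABLISHED,RELATED) and enable reverse-path filtering.
# Function names (print_ruleset, check_ruleset, apply_ruleset) are assumptions
# for this example, not names from the original posts.

# Emit the ruleset in iptables-restore format, which loads atomically
# (a series of single iptables calls can leave a half-applied set on error).
print_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Local sockets (X, databases, etc.) talk over loopback
-A INPUT -i lo -j ACCEPT
# Replies to connections this host initiated, plus related flows (FTP data)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets claiming a loopback source but arriving on another interface
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
COMMIT
EOF
}

# Sanity check before applying: the rules the thread called essential must be
# present, and the INPUT policy must be DROP. Returns 0 on success.
check_ruleset() {
    rules=$(print_ruleset)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- '-i lo -j ACCEPT' || return 1
    printf '%s\n' "$rules" | grep -q -- '--state ESTABLISHED,RELATED -j ACCEPT' || return 1
    return 0
}

# Load the ruleset and the sysctl; needs root and iptables-restore.
apply_ruleset() {
    check_ruleset || { echo "ruleset failed sanity check" >&2; return 1; }
    print_ruleset | iptables-restore || return 1
    sysctl -w net.ipv4.conf.all.rp_filter=1
}

# Print the ruleset for review; pass --apply as root to load it.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "--apply" ]; then
    apply_ruleset
else
    print_ruleset
fi
```

Review the printed output first, then run it again with --apply; the sysctl line still needs to go into /etc/sysctl.conf for it to survive a reboot, as fragbert notes above.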