Hello,
I have a hosted VPS set up running Fedora Core 3. A scant 8 hours after setup, it was hacked... So now I am trying to lock it down properly, but having some problems. It seems, as far as I can tell, the default fedora security tool (lokkit) to configure the firewall does not actually work. When you fire it up and tell it to only allow ssh and www, it generates the following:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2058:139501]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
OK great. For some reason when you only want ssh, it defaults to accept everything. Huh? Am I doing something wrong here, or is this tool just this stupid? The last part says reject, but even with this setup I can still portscan other ports and telnet to them.
Anyway, the problem here is that I only have remote ssh access, I can't sit down at this box. So, how am I supposed to go about setting the default policy to DROP for proper security? Obviously if I just do the iptables command for that I'm locked out of the box... Can I save the config to a file, edit it and then load it without kicking me off? I'm a bit scared to try.
Also I'm not sure what the appropriate file syntax is, since all the iptables documentation is on using the iptables command. I just want the firewall to allow ssh and http, with everything else completely blocked.
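As an added example (not part of the original post, and not Fedora's or lokkit's own code): the file format the poster is asking about is the iptables-save format already shown in the post, loaded with iptables-restore. The script below writes a "ssh and http only, default DROP" rules file in that syntax, checks it for the "-i eth0 -j ACCEPT" line that makes the generated rules wide open, and loads it with a watchdog that restores the previous rules after a delay if the ssh session is lost. Assumptions: you run it as root over the ssh session you want to keep, the public interface is eth0, the paths under /root are hypothetical scratch files, and the box is a Red Hat/Fedora system whose iptables init script loads /etc/sysconfig/iptables at boot.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes root, Fedora-style
# /etc/sysconfig/iptables, and iptables-save/iptables-restore on the box.

# Emit a rules file in iptables-save syntax. Only loopback, replies to existing
# connections, ping, and new connections to 22/tcp and 80/tcp get in; the chain
# policy itself is DROP, so there is no "-i eth0 -j ACCEPT" escape hatch.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Sanity check before loading: INPUT policy must be DROP, and no rule may accept
# a whole non-loopback interface (the line that makes lokkit's output open).
# Returns 0 when the rules pass, 1 otherwise.
rules_ok() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    if printf '%s\n' "$rules" | grep -- '-i [A-Za-z0-9.]* -j ACCEPT' \
        | grep -v -- '-i lo ' | grep -q .; then
        return 1
    fi
    return 0
}

# Load a rules file without locking yourself out: snapshot the running rules,
# arm a background watchdog that restores the snapshot after $3 seconds
# (default 120), then load the new rules. If the ssh session survives, disarm
# the watchdog; if it dies, the old rules come back by themselves.
apply_with_watchdog() {
    rulesfile="$1"
    backup="${2:-/root/iptables.before}"   # hypothetical scratch path
    delay="${3:-120}"
    iptables-save > "$backup" || return 1
    ( sleep "$delay" && iptables-restore < "$backup" ) &
    echo $! > /root/iptables.watchdog.pid
    iptables-restore < "$rulesfile"
}

# Cancel the watchdog and make the new rules persistent across reboots.
disarm_and_persist() {
    kill "$(cat /root/iptables.watchdog.pid)" 2>/dev/null
    rm -f /root/iptables.watchdog.pid
    iptables-save > /etc/sysconfig/iptables
}

# Usage as root: "sh firewall.sh apply", then, if ssh still works,
# "sh firewall.sh disarm" before the watchdog delay runs out.
if [ "${1:-}" = "apply" ]; then
    gen_rules > /root/iptables.new
    rules_ok "$(cat /root/iptables.new)" || { echo "unsafe rules, not loading" >&2; exit 1; }
    apply_with_watchdog /root/iptables.new
    echo "loaded; if this session still works, run: sh $0 disarm"
elif [ "${1:-}" = "disarm" ]; then
    disarm_and_persist
fi
```

After disarming, `iptables -L -n -v` shows the DROP policies and per-rule packet counters, and a port scan from another host should now see only 22 and 80. The watchdog is a plain background subshell rather than `at` so it does not depend on atd running; killing the subshell PID is enough, since the restore command after `sleep` never runs once the subshell is gone.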