LinuxQuestions.org - Linux - Security - Testing IPTABLES Firewall (https://www.linuxquestions.org/questions/linux-security-4/testing-iptables-firewall-86023/)

1jamie 08-26-2003 04:57 PM

Testing IPTABLES Firewall
 
Hello, I have a query that I'd appreciate your help with. I want to thoroughly TEST A FIREWALL I've built.

I've blocked off all incoming ports (INPUT) except 22 and 80 (the firewall's running apache) and it will only FORWARD ports 80, 22, 25 and 443. All output is accepted.

I've done some port scanning using nmap both from the outside and from within. Looks good.

Is there any other way I can test the firewall? I've got 3 or 4 Windows clients behind it and I want to make sure they aren't drawing unwanted traffic back inside. I'm only allowing incoming packets to be forwarded that are part of an established connection over ports 80, 25, 443 and 22.

Cheers

jamie (NZ)
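One way to test a policy like the one described above is to audit the saved rule set rather than only scanning it. The following is an added example, not code from this thread: a small Python script that reads iptables-save output and flags every ACCEPT rule in INPUT or FORWARD that falls outside the stated policy (INPUT open only on 22/80, FORWARD only on 22/25/80/443, inbound forwards only for ESTABLISHED traffic). It assumes the outside interface is named eth0 and that replies are matched on the remote port; the rule set is constructed and contains two deliberate mistakes.

```python
# Assumed names: the external interface is eth0; the thread does not name it.
WAN_IFACE = "eth0"
INPUT_PORTS = {"22", "80"}                  # services on the firewall host itself
FORWARD_PORTS = {"22", "25", "80", "443"}   # ports clients may use through FORWARD
# Constructed iptables-save excerpt modelling the policy described in the post;
# the last two FORWARD rules are deliberate mistakes for the audit to catch.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp --sport 445 -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp --sport 25 -j ACCEPT
COMMIT
"""

def parse_rule(line):
    # Map each option of an '-A CHAIN ...' line to its value (True if it takes none).
    toks, opts = line.split(), {}
    for i, tok in enumerate(toks[2:], 2):
        if tok.startswith("-"):
            nxt = toks[i + 1] if i + 1 < len(toks) else ""
            opts[tok] = nxt if nxt and not nxt.startswith("-") else True
    return toks[1], opts

def audit(save_text):
    # Return every rule that contradicts the intended policy (empty list = clean).
    findings = []
    for line in (l for l in save_text.splitlines() if l[:1] in (":", "-")):
        if line[0] == ":":  # default chain policy line, e.g. ':FORWARD DROP [0:0]'
            chain, policy = line[1:].split()[:2]
            if chain in ("INPUT", "FORWARD") and policy == "ACCEPT":
                findings.append(f"{chain} default policy is ACCEPT")
            continue
        chain, opts = parse_rule(line)
        if opts.get("-j") != "ACCEPT":
            continue
        if chain == "INPUT" and opts.get("--dport") not in INPUT_PORTS:
            findings.append(f"INPUT accepts unexpected traffic: {line}")
        elif chain == "FORWARD":
            port = opts.get("--dport") or opts.get("--sport")
            state = str(opts.get("--state") or opts.get("--ctstate") or "")
            if port not in FORWARD_PORTS:
                findings.append(f"FORWARD accepts unexpected port: {line}")
            if opts.get("-i") == WAN_IFACE and "ESTABLISHED" not in state:
                findings.append(f"FORWARD allows new inbound connections: {line}")
    return findings
```

On the real box, feed it the output of `iptables-save` instead of SAMPLE_RULES; an empty result means every ACCEPT rule matches the policy you intended.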

Capt_Caveman 08-26-2003 09:38 PM

Check out nessus:

www.nessus.org

tarballedtux 08-26-2003 09:41 PM

So are you saying, from the internal perspective, only connections going to ports 22, 25, 80, 443 get out onto the internet? That's a start, as that prevents some potentially bad stuff from going on, like IRC trojans trying to phone home, or spyware and/or legit software phoning home to some arbitrary port. Only allowing 22 and 80 into your server is good as long as you further secure those services. Maybe only allow SSH connections from specific IPs and certain users. Think about possibly chrooting that apache daemon. Someone on here can help you with that or look it up.


--tarballedtux

1jamie 08-27-2003 04:09 PM

Hey, thanks guys for your input, it's going to be really useful. I was going to use firewall tester and I'll check out that nessus stuff too.

I remotely connect to this network to administer it. I have a dial-up connection, so my IP address changes every time. So I can't restrict access to ssh to certain IP addresses, right?

Once again thanks for your input,

Jamie (NZ)

tarballedtux 08-27-2003 06:29 PM

If the IP you connect from to administer it never changes then you can restrict access.

Just make a rule like so:

iptables -A INPUT -s <ip of where you're administering your network from> -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP   # Or just let your final DROP ALL rule handle it.


--tarballedtux

Hangdog42 08-28-2003 07:23 AM

Quote:

So I can't restrict access to ssh to certain IP addresses, right?

You might not be able to restrict ssh by IP address, but you CAN restrict ssh by user. In the sshd_conf file there is an AllowUsers line. Just list the users you want to have ssh access and it won't matter what IP address they are coming from.

ppuru 08-28-2003 08:17 AM

Adding to HangDog42's post

You can use TCP Wrappers to restrict access to sshd by IP address.

e.g. in /etc/hosts.allow

sshd: 172.16.254.100 192.168.21.

