Testing IPTABLES Firewall
Hello, I have a query I'd appreciate it if you guys could help me with. I want to thoroughly TEST A FIREWALL I've built.
I've blocked off all incoming ports (INPUT) except 22 and 80 (the firewall's running Apache) and it will only FORWARD ports 80, 22, 25, 443. All output is accepted. I've done some port scanning using nmap both from the outside and from within. Looks good. Is there any other way I can test the firewall, because I've got 3 or 4 Windows clients behind it and I want to make sure they aren't drawing unwanted traffic back inside. I'm only allowing incoming packets to be forwarded that are part of an established connection over ports 80, 25, 443 and 22. Cheers, Jamie (NZ)
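As an added example (not code from the thread or from any poster), the script below writes out the ruleset the question describes as iptables-restore input, so it can be read and checked as text before it is ever loaded. The interface names eth0/eth1 and the LAN range 192.168.1.0/24 are assumptions, not values from the post. The two check functions make the security property explicit: the only packets allowed from the internet into the LAN are those the conntrack module ties to a connection the LAN opened, and only the four listed ports may open new outbound connections.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the ruleset the original post
# describes in iptables-restore format and provides two text-level checks.
# Assumptions (not from the post): internet-facing interface eth0,
# LAN interface eth1, LAN range 192.168.1.0/24.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Ports the firewall itself answers on (INPUT chain) and ports the LAN
# clients may open outbound connections to (FORWARD chain).
INPUT_PORTS="22 80"
FORWARD_PORTS="22 25 80 443"

gen_rules() {
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  # Loopback, plus replies to connections the firewall itself opened.
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  for p in $INPUT_PORTS; do
    echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Internet -> LAN: only packets belonging to a connection the LAN opened.
  echo "-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # LAN -> internet: new TCP connections only to the listed ports.
  for p in $FORWARD_PORTS; do
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo 'COMMIT'
}

# Does chain $1 contain a rule accepting NEW connections to TCP port $2?
# Usage: allows_new FORWARD 443   (exit 0 = allowed, 1 = not allowed)
allows_new() {
  gen_rules | grep -q -- "^-A $1 .*--dport $2 .*--ctstate NEW -j ACCEPT\$"
}

# Number of FORWARD rules entering from the WAN that do not require
# ESTABLISHED,RELATED state. Anything other than 0 is a hole.
stateless_inbound_forwards() {
  gen_rules | grep -- "^-A FORWARD -i $WAN_IF" \
    | grep -v -- '--ctstate ESTABLISHED,RELATED' | wc -l | tr -d ' '
}

# Load the rules only when asked explicitly (needs root): sh script.sh apply
if [ "${1:-}" = "apply" ]; then
  gen_rules | iptables-restore
else
  gen_rules
fi
```

Run it without arguments to review the generated rules; `sh script.sh apply` loads them. The checks are deliberately text-based so they can run on a workstation without root, but they only prove what the file says, so the nmap scans from both sides that the question already mentions remain the confirmation that the loaded kernel state matches.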
So are you saying from the internal perspective, only connections going to ports 22, 25, 80, 443 get out onto the internet? That's a start, as that prevents some potentially bad stuff from going on, like IRC trojans trying to phone home, or spyware and/or legit software phoning home to some arbitrary port. Only allowing 22 and 80 into your server is good as long as you further secure those services. Maybe only allow SSH connections from specific IPs and certain users. Think about possibly chrooting that Apache daemon. Someone on here can help you with that or look it up.
--tarballedtux
Hey, thanks guys for your input, it's going to be really useful. I was going to use firewall tester and I'll check out that Nessus stuff too.
I remotely connect to this network to administer it. I have a dial-up connection, so my IP address changes every time. So I can't restrict access to SSH to certain IP addresses, right? Once again thanks for your input, Jamie (NZ)
If the IP you connect from to administer it never changes then you can restrict access.
Just make a rule like so:
iptables -A INPUT -s <ip of where you're administering your network from> -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP   # DROP, since iptables has no DENY target (that was ipchains). Or just let your final DENY ALL rule handle it.
--tarballedtux
Adding to HangDog42's post
You can use TCP wrappers to restrict access to sshd by IP address, e.g. in /etc/hosts.allow: sshd: 172.16.254.100 192.168.21.
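As an added example (not from the thread), the function below checks which clients a hosts.allow file would admit to a daemon, using the entry from the post plus one constructed ALL line. It handles only three of the hosts_access(5) pattern forms: an exact IPv4 address, a network prefix ending in a dot (the 192.168.21. form), and the keyword ALL; the real library also consults hosts.deny and supports EXCEPT, netmasks and hostnames, none of which are modelled here. The point it makes visible is that the trailing dot is a prefix on dotted-quad boundaries: 192.168.21.7 matches 192.168.21. but 192.168.210.7 does not.

```shell
#!/bin/sh
# Added example, not from the thread. Toy evaluator for the hosts.allow
# pattern forms used in the post. Sample file contents are constructed here;
# the first line is the entry given in the post, the second is made up.
HOSTS_ALLOW_SAMPLE='sshd: 172.16.254.100 192.168.21.
# comment lines and blank lines are ignored
ALL: 127.0.0.1'

# Usage: wrapper_allows <daemon> <client-ip>   (exit 0 = admitted, 1 = not)
wrapper_allows() {
  daemon="$1"
  client="$2"
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    dlist="${line%%:*}"      # daemon list, left of the first colon
    clist="${line#*:}"       # client list, right of it
    # The line applies if its daemon list names this daemon or ALL.
    dmatch=1
    for d in $(printf '%s' "$dlist" | tr ',' ' '); do
      if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then dmatch=0; fi
    done
    [ "$dmatch" -eq 0 ] || continue
    for pat in $(printf '%s' "$clist" | tr ',' ' '); do
      case "$pat" in
        ALL) return 0 ;;
        *.)  # trailing dot: prefix match on dotted-quad boundaries
             case "$client" in "$pat"*) return 0 ;; esac ;;
        *)   if [ "$client" = "$pat" ]; then return 0; fi ;;
      esac
    done
  done <<EOF
$HOSTS_ALLOW_SAMPLE
EOF
  return 1
}

# Show the decision for a client given on the command line, if any.
if [ -n "${2:-}" ]; then
  if wrapper_allows "$1" "$2"; then echo "allowed"; else echo "denied"; fi
fi
```

Run it as `sh script.sh sshd 192.168.21.7` to see the decision. Remember that sshd must be built with libwrap (or run from a tcpd-wrapped inetd) for hosts.allow to apply at all; if it is not, the iptables rule on port 22 is the only thing doing the filtering.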