iptables and services questions
Ok, I'm new to security... I just started reading about iptables, tripwire and chkrootkit. I have a recent install of Slack 10. I ran chkrootkit (it passed), looked for some other common intrusion indicators from a checklist and didn't see anything strange, so I downloaded and decided to install tripwire. My network topology is simple... I serve nothing and have a single PC connected via PPP to an ISP.

1) Here is part of my rc.local. Is this where I should set up iptables? This is pretty generic (and mostly copied from the Security Quick-Start HOWTO for Red Hat Linux)... any other suggestions for my current situation?

cat /etc/rc.d/rc.local (part)

# **** iptables setup *****
## Insert connection-tracking modules (not needed if built into kernel).
modprobe ip_conntrack
modprobe ip_conntrack_ftp
## Flush all current rules.
iptables -F
iptables -X
## Set the default policies of the built-in chains (no match below these are defaults)
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
## Create chain which blocks new connections, except if coming from inside.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
## "! -i ppp0" = any interface other than ppp0 (the older "-i ! ppp0" spelling means the same)
iptables -A block -m state --state NEW ! -i ppp0 -j ACCEPT
iptables -A block -j DROP
## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block

2) Here is my rules summary... it seems to agree with my rc.local:

iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
block      all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
block      all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain block (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
DROP       all  --  anywhere             anywhere

3) Here is a summary of services. I'm trying to shut down everything I'm not using. Unfortunately it cut the last line off (on winblows at work now), but the 631 is cups. If I just want a local printer, then I shouldn't see this entry, right? And, I must have cups configured as a service? Also, why does my spamassassin daemon appear... I think this means only the LAN could use it based on the localhost part, or in my case just my PC, right?

netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 localhost:783           *:*                     LISTEN      2948/spamd -c -d
tcp        0      0 *:631

Sorry for the very basic questions, and clearly I need to do more RingTFM, but any comments are welcome. Thanks!
> 1) Here is part of my rc.local. Is this where I should set up iptables?

No. There's a service (/etc/rc.d/init.d/iptables) which references the source file /etc/sysconfig/iptables. If it is not already done on restart/reboot, running "iptables-save > /etc/sysconfig/iptables" manually will save the rules there.

> This is pretty generic (and mostly copied from the Security Quick-Start HOWTO for Red Hat Linux)... any other suggestions for my current situation?

Looks good. One thing most often forgotten is to use LOG target rules for everything DROPped, so you can easily see what doesn't get through. Also useful when debugging connection failures. Call me paranoid, but I block & log everything before the interface goes up. This way I can be pretty much sure nothing gets in or out before the "proper" firewall rules are set.

> 3) (..) If I just want a local printer, then I shouldn't see this entry, right? And, I must have cups configured as a service?

Localhost *is* IP address 127.0.0.1. So that's OK. Cupsd is a service, yes.

> Also, why does my spamassassin daemon appear... I think this means only the LAN could use it based on the localhost part, or in my case just my PC, right?

The asterisk means it's bound to any interface IP address. If you want it bound to only localhost, change the line in /etc/sysconfig/spamassassin and add "-i 127.0.0.1" (weird, I thought it would only bind to loopback; are you running an old version?).

> netstat -tap

I favour using "netstat -alnp -A inet". It shows me listening UDP and TCP proto ports.

> Sorry for the very basic questions

NP. We're here to help. People often miss the purpose of RTFM'ing: it's too often abused for muting people. For me it simply means independence, being able to do stuff without having to rely on others. That way the mistakes I make are mine, and not because someone made a typo or such...
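A small audit of that netstat output, added here as an example and not part of the reply above: it reads "netstat -alnp -A inet" style output and prints only the listening sockets bound to something other than loopback, which is the set a host on the far side of the PPP link could reach if the firewall let it through. The sample inside the script is constructed to mirror this thread (spamd on 127.0.0.1:783, cupsd on 0.0.0.0:631); the PIDs and the sendmail, named and firefox lines are made up.

```shell
#!/bin/sh
# Added example, not from the thread: list listening sockets that are NOT
# bound to loopback, from "netstat -alnp -A inet" output on stdin.
#
#   netstat -alnp -A inet | sh listeners.sh live   # real output
#   sh listeners.sh demo                           # the constructed sample

# Constructed sample (not real output from the poster's machine).
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      2948/spamd
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      1234/cupsd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      1300/sendmail
tcp        0      0 10.0.0.5:41230          203.0.113.7:80          ESTABLISHED 2000/firefox
udp        0      0 0.0.0.0:631             0.0.0.0:*                           1234/cupsd
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1100/named'

# Print "proto local-address pid/program" for every socket that accepts
# traffic on a non-loopback address. With -n the address is numeric, so a
# listener is exposed unless its address starts with "127.". TCP rows carry
# a State column ("LISTEN"); UDP rows have no state, so the program name is
# one field further left. Established client connections are skipped.
exposed_listeners() {
    awk '
        function report(proto, local, prog,    parts, n) {
            n = split(local, parts, ":")
            if (parts[1] !~ /^127\./) print proto, local, prog
        }
        $1 == "tcp" && $6 == "LISTEN" { report($1, $4, $7) }
        $1 == "udp"                   { report($1, $4, $6) }
    '
}

case "${1:-}" in
    live) exposed_listeners ;;
    demo) printf '%s\n' "$SAMPLE" | exposed_listeners ;;
esac
```

On the sample this prints three lines (cupsd on tcp and udp 631, sendmail on tcp 25) and stays silent about spamd and named, which are loopback-only. Anything it does print is either something to bind to 127.0.0.1, as the reply suggests for spamd, or something the INPUT rules must explicitly cover.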
1/2) Hmmm, I don't have an /etc/sysconfig nor an /etc/rc.d/init.d. So I still have my rules in rc.local for now. Here are the rules I now have... I think they are a bit better, but I'm not sure how to log prior to the interface coming up.

# **** iptables setup begin *****
## Clean and flush all chains to an empty state.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X
## Set the default policies of the built-in chains. If no match for any of
## the rules below, these will be the defaults that iptables uses
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
## Setup masquerade: (could use this once LAN is established)
#iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
## Insert connection-tracking modules (not needed if built into kernel)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
## New Chain: dlog, Drop and Log (log before drop!). Created before the
## block chain, because block jumps to it and iptables refuses a -j to a
## chain that does not exist yet.
iptables -N dlog
iptables -A dlog -m limit --limit 15/minute -j LOG --log-prefix "iptables: " --log-tcp-options --log-ip-options
iptables -A dlog -j DROP
## New Chain: block, create chain which blocks new connections, except if
## coming from inside
iptables -N block
iptables -A block -m state --state INVALID -j dlog
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW ! -i ppp0 -j ACCEPT
iptables -A block -j dlog
## Jump to the block chain from INPUT and FORWARD chains
iptables -A INPUT -j block
iptables -A FORWARD -j block
# **** iptables setup end *****

3) Ok, in my rc.local I have this to fix the spamd call (as aforementioned, uncertain why I don't have the directories you mentioned):

# **** spamd call for spamassassin ****
spamd -c -d -i 127.0.0.1

I just added the latter portion based on your recommendation. The version information is:

spamd --version
SpamAssassin Server version 3.0.1
running on Perl 5.8.4

4) A new question. I've enabled sendmail as a service and wanted to limit it to local use only so cron can email root (aliased to my main user account) about issues. So I added ALL: ALL to /etc/hosts.deny and ALL: bairco to hosts.allow. Is this the correct method? Thanks so much!

One other note about the directories... I installed spamassassin from source and had to add some of the perl modules... not sure if this could be the difference. Of course, for iptables I just checked my kernel configs and recompiled my kernel.
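On the question of how to log before the interface comes up, one way to do it, shown here as an added example rather than anything posted in the thread, is to split the firewall into two stages. A lockdown stage runs before pppd is started (rc.local works if you dial after boot): every policy is DROP, only loopback is allowed, and everything else goes through a log-then-drop chain, so a daemon that starts early cannot reach the world unnoticed. The real ruleset, essentially the one in the post above, then runs once ppp0 exists, for instance from /etc/ppp/ip-up, which pppd executes after the link is up. The interface name ppp0, the script and file names and the log prefixes are assumptions; setting IPT=echo prints the iptables commands instead of applying them, which is how the ordering can be checked without root.

```shell
#!/bin/sh
# Added example, not from the thread: two-stage firewall for a single host
# on a PPP link. "preup" runs before pppd (e.g. from rc.local), "up" after
# ppp0 exists (e.g. from /etc/ppp/ip-up). Set IPT=echo to dry-run.
#
#   sh fw.sh preup            # nothing in or out except loopback, all logged
#   sh fw.sh up               # the working ruleset
#   IPT=echo sh fw.sh preup   # print the commands instead of running them

IPT="${IPT:-iptables}"
WAN="${WAN:-ppp0}"          # assumed external interface

# Shared log-then-drop chain; $1 is the log prefix. The limit keeps a port
# scan from filling /var/log/messages: up to 30 lines at once, then 15/minute.
logdrop_chain() {
    $IPT -N dlog
    $IPT -A dlog -m limit --limit 15/minute --limit-burst 30 \
        -j LOG --log-prefix "$1" --log-tcp-options --log-ip-options
    $IPT -A dlog -j DROP
}

# Flush all three tables and delete user chains so each stage starts clean.
reset_tables() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    $IPT -t mangle -F
    $IPT -t mangle -X
}

# Stage 1: before the link exists. Policies DROP in every direction; the
# only traffic allowed is loopback, so local-only daemons (spamd on
# 127.0.0.1, cupsd) keep working. Everything else is logged, then dropped.
lockdown() {
    reset_tables
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    logdrop_chain "fw-preup: "
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -j dlog
    $IPT -A OUTPUT -j dlog
    $IPT -A FORWARD -j dlog
}

# Stage 2: the working ruleset. dlog is created before the block chain
# refers to it, because iptables rejects a -j to a chain that does not
# exist yet. Loopback is accepted before the state checks.
firewall() {
    reset_tables
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    logdrop_chain "fw-drop: "
    $IPT -N block
    $IPT -A block -m state --state INVALID -j dlog
    $IPT -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A block -m state --state NEW ! -i "$WAN" -j ACCEPT
    $IPT -A block -j dlog
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -j block
    $IPT -A FORWARD -j block
}

case "${1:-}" in
    preup) lockdown ;;
    up)    firewall ;;
esac
```

Running "sh fw.sh preup" from rc.local and "sh fw.sh up" from /etc/ppp/ip-up means the window between boot and dial-up is covered by the lockdown rules, and anything that tried to get out during that window shows up in the log with the fw-preup: prefix, which is a cheap way to find daemons you did not know were phoning out.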