LinuxQuestions.org - Linux - Security
iptables and services ?s (https://www.linuxquestions.org/questions/linux-security-4/iptables-and-services-s-255930/)

rhb327 11-17-2004 07:23 AM

iptables and services ?s
 
Ok, I'm new to security... just started reading about iptables, tripwire and chkrootkit. I have a recent install of Slack 10, ran chkrootkit (passing), looked for some other common intrusion factors from a checklist and didn't see anything strange, so I downloaded and decided to install tripwire. My network topology is simple... I serve nothing and have a single PC connected via PPP to an ISP.

1) Here is part of my rc.local. Is this where I should set up iptables? This is pretty generic (and mostly copied from the Security Quick-Start HOWTO for Red Hat Linux)... any other suggestions for my current situation?

cat /etc/rc.d/rc.local (part)
# **** iptables setup *****
## Insert connection-tracking modules (not needed if built into kernel).
modprobe ip_conntrack
modprobe ip_conntrack_ftp

## Flush all current rules.
iptables -F
iptables -X

## Set the default policies of the built-in chains (no match below these are
## defaults)
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

## Create chain which blocks new connections, except if coming from inside.
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j DROP

## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block

2) Here are my rules summary...seems to agree with my rc.local
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
block all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
block all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain block (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW
DROP all -- anywhere anywhere

3) Here is a summary of services. I'm trying to shut everything down I'm not using. Unfortunately it cut the last line off (on winblows at work now) but the 631 is cups. If I just want a local printer, then I shouldn't see this entry, right? And I must have cups configured as a service? Also, why does my spamassassin daemon appear... I think this means only the LAN could use it based on the localhost part, or in my case just my PC, right?

netstat -tap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 localhost:783 *:* LISTEN 2948/spamd -c -d
tcp 0 0 *:631

Sorry for the very basic questions and clearly I need to do more RTFMing, but any comments welcome.

Thanks!

unSpawn 11-27-2004 07:50 AM

1) Here is part of my rc.local. Is this where I should setup iptables?
No. There's a service (/etc/rc.d/init.d/iptables) which references source file /etc/sysconfig/iptables. If not already done on restart/reboot, running "iptables-save > /etc/sysconfig/iptables" manually will save the rules there.

This is pretty generic (and mostly copied from the Security Quick-Start HOWTO for Red Hat Linux)... any other suggestions for my current situation?
Looks good. One thing most often forgotten is to use LOG target rules for everything DROPped, so you can easily see what doesn't get through. Also useful when debugging connection failures. Call me paranoid, but I block & log everything before the interface goes up. This way I can be pretty much sure nothing gets in or out before the "proper" firewall rules are set.

3) (..) If I just want a local printer, then I shouldn't see this entry right? And, I must have cups configured as a service?
Localhost *is* IP address 127.0.0.1. So that's OK. Cupsd is a service, yes.

Also, why does my spamassassin daemon appear... I think this means only the LAN could use it based on the localhost part, or in my case just my PC, right?
The asterisk means it's bound to any interface IP address. If you want it bound to only localhost, change the line in /etc/sysconfig/spamassassin and add "-i 127.0.0.1" (weird, I thought it would only bind to loopback; are you running an old version?).

netstat -tap
I favour using "netstat -alnp -A inet". Shows me listening UDP and TCP proto ports.

Sorry for the very basic questions
NP. We're here to help.
People often miss the purpose of RTFM'ing: it's too often abused for muting people.
For me it simply means independence, being able to do stuff without having to rely on others.
That way the mistakes I make are mine, and not because someone made a typo or such...
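The question about localhost:783 versus *:631 and unSpawn's "netstat -alnp -A inet" suggestion both come down to reading the Local Address column correctly. The script below is an added example, not something posted in the thread: it feeds constructed netstat lines (the spamd line mirrors the one quoted above; the cupsd, sendmail and sshd lines and their PIDs are made up) through an awk filter that keeps only listening sockets and classifies each as loopback-only, bound to every interface, or bound to one specific address. The function names and the sample text are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): classify listening sockets from
# netstat output as local-only, exposed on all interfaces, or bound to
# one specific address.

# Constructed sample in the layout of "netstat -atunp" / "netstat -alnp -A inet"
# with the two header lines stripped. PIDs and the non-spamd lines are made up.
SAMPLE_NETSTAT='tcp        0      0 localhost:783           *:*                     LISTEN      2948/spamd -c -d
tcp        0      0 *:631                   *:*                     LISTEN      3011/cupsd
tcp        0      0 127.0.0.1:25            *:*                     LISTEN      3102/sendmail
udp        0      0 *:631                   *:*                                 3011/cupsd
tcp        0      0 192.168.1.2:22          192.168.1.5:40112       ESTABLISHED 3200/sshd'

# Reads netstat lines on stdin, prints one line per listener:
#   <class> <proto> <port> <bound-host> <pid/program>
classify_listeners() {
    awk '
    # Skip the two header lines netstat prints when they are present.
    /^Active Internet/ || /^Proto / { next }
    {
        proto = $1; local = $4
        # TCP rows carry a State column; UDP rows do not, so the
        # PID/Program column sits one field further left for UDP.
        if (proto ~ /^tcp/) { if ($6 != "LISTEN") next; prog = $7 }
        else if (proto ~ /^udp/) { prog = $6 }
        else next
        # Port is everything after the last ":", host is the rest.
        n = split(local, a, ":"); port = a[n]
        host = substr(local, 1, length(local) - length(port) - 1)
        if (host == "localhost" || host ~ /^127\./ || host == "::1") cls = "local"
        else if (host == "*" || host == "0.0.0.0" || host == "::") cls = "exposed"
        else cls = "iface"
        printf "%s %s %s %s %s\n", cls, proto, port, host, prog
    }'
}

# Only the listeners reachable on every interface, as proto/port.
exposed_ports() {
    classify_listeners | awk '$1 == "exposed" { print $2 "/" $3 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
```

On a live box, pipe `netstat -atunp` (or unSpawn's `netstat -alnp -A inet`) into `classify_listeners`; with `-n` the loopback entry shows as 127.0.0.1 rather than localhost, which the filter handles. An "exposed" row is only reachable from the ISP side if the INPUT chain lets it through, so the rows this prints are the ones to check against the firewall rather than things that are necessarily open.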

rhb327 11-28-2004 08:34 AM

1/2) Hmmm, I don't have an /etc/sysconfig nor a /etc/rc.d/init.d. So I still have my rules in rc.local for now. Here are the rules I now have...I think they are a bit better but I'm not sure how to log prior to the interface coming up.

# **** iptables setup begin *****
## Clean and flush all chains to an empty state.
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
iptables -t nat -X
iptables -t mangle -X

## Set the default policies of the built-in chains. If no match for any of
## the rules below, these will be the defaults that iptables uses
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP

## Setup masquerade: (could use this once LAN is established)
#iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

## Insert connection-tracking modules (not needed if built into kernel)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

## New Chain: dlog, Drop and Log (log before drop!). Created first, because
## the block chain below jumps to it and iptables rejects a jump to a chain
## that does not exist yet.
iptables -N dlog
iptables -A dlog -m limit --limit 15/minute -j LOG --log-prefix "iptables: " --log-tcp-options --log-ip-options
iptables -A dlog -j DROP

## New Chain: block, create chain which blocks new connections, except if
## coming from inside
iptables -N block
iptables -A block -m state --state INVALID -j dlog
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
iptables -A block -j dlog

## Jump to the block chain from INPUT and FORWARD chains
iptables -A INPUT -j block
iptables -A FORWARD -j block
# **** iptables setup end *****

3) Ok, in my rc.local I have this to fix the spamd call (as mentioned above, I'm uncertain why I don't have the directories you mentioned):

# **** spamd call for spamassassin ****
spamd -c -d -i 127.0.0.1

I just added the latter portion based on your recommendation. The version information is:

spamd --version
SpamAssassin Server version 3.0.1
running on Perl 5.8.4

4) A new ?. I've enabled sendmail as a service and wanted to limit it to local use only so cron can email root aliased to my main user account about issues. So I added ALL: ALL to /etc/hosts.deny and ALL: bairco to hosts.allow. Is this the correct method?

Thanks so much!

One other note about the directories...I installed spamassassin from source and had to add some of the perl modules...not sure if this could be the difference. Of course, for iptables I just checked my kernel configs and recompiled my kernel.
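unSpawn's advice to LOG before DROPping, and the dlog chain above with its "iptables: " prefix, only pay off if the resulting kernel messages get read. The script below is an added example, not part of the thread: it summarizes constructed syslog lines in the format the iptables LOG target writes (addresses are from the documentation ranges, the hostname "slack" and timestamps are made up) into a count per protocol/port with the number of distinct sources, so a scan across many hosts stands out from one noisy peer. Function and variable names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): summarize LOG-target lines with the
# "iptables: " prefix into counts per protocol/destination port.

# Constructed sample kernel log lines. The field layout (IN= OUT= SRC= DST=
# ... PROTO= SPT= DPT=) is what the LOG target emits; the hosts, addresses
# and the unrelated "eth0: link up" line are made up for the example.
SAMPLE_LOG='Nov 28 09:12:01 slack kernel: iptables: IN=ppp0 OUT= MAC= SRC=203.0.113.17 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4321 DF PROTO=TCP SPT=3421 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 28 09:12:04 slack kernel: iptables: IN=ppp0 OUT= MAC= SRC=203.0.113.17 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4322 DF PROTO=TCP SPT=3422 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 28 09:12:09 slack kernel: iptables: IN=ppp0 OUT= MAC= SRC=203.0.113.88 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=7 DF PROTO=TCP SPT=1055 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 28 09:13:30 slack kernel: iptables: IN=ppp0 OUT= MAC= SRC=203.0.113.88 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=8 DF PROTO=TCP SPT=1056 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 28 09:14:02 slack kernel: iptables: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=121 ID=900 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 28 09:14:03 slack kernel: iptables: IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.5 LEN=78 TOS=0x00 PREC=0x00 TTL=121 ID=901 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 28 09:15:11 slack kernel: iptables: IN=ppp0 OUT= MAC= SRC=203.0.113.200 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Nov 28 09:15:12 slack kernel: eth0: link up'

# Reads syslog lines on stdin, prints "<count> <PROTO>/<DPT or typeN> <distinct sources>"
# sorted by count, then by key.
summarize_drops() {
    LC_ALL=C awk '
    index($0, "iptables: ") == 0 { next }   # only lines from our LOG rule
    {
        proto = "?"; dpt = "-"; src = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^TYPE=/) dpt = "type" substr($i, 6)   # ICMP has no port
        }
        key = proto "/" dpt
        count[key]++
        if (!((key, src) in seen)) { seen[key, src] = 1; srcs[key]++ }
    }
    END {
        for (k in count) printf "%d %s %d\n", count[k], k, srcs[k]
    }' | LC_ALL=C sort -k1,1nr -k2,2
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On the box itself, `summarize_drops < /var/log/messages` (or wherever klogd writes kernel messages on Slackware) gives the same table for real traffic. Because the dlog chain rate-limits logging to 15/minute, the counts are a floor, not the true number of dropped packets; the distinct-source column is the more useful signal for telling a scan from a single chatty host.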

