Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I'm a Linux newbie. Thus far, I have built a RH9 machine with 2 NICs, built in iptables and configured the firewalls. I have the Linux box working as a firewall filtering router system for my Internet. I finally accomplished this last week. Now, I am going back and tightening down the screws on the system. I read through some of the Security References FAQ main post in this group and found the LinuxSecurity.com Quick Reference Guide. There are several commands listed on this card (below) for Kernel Security. However, some of them sound pretty binding, and I do not want them to override my iptables or lock out my Windoze machines from the Internet. I also do not want to open any holes (obviously). Will any of these do that?
Windoze machine (static IP):
XXX.XXX.XXX.100 IP
255.255.255.0 Subnet
XXX.XXX.XXX.101 Gateway (from eth1)
XXX.XXX.XXX.19 DNS (same as ISP)
XXX.XXX.XXX.21 DNS (same as ISP)
Below is a copy of my iptables (iptables-save output):
# Generated by iptables-save v1.2.7a on Thu Sep 25 13:45:12 2003
*mangle
:PREROUTING ACCEPT [157731:9180541]
:INPUT ACCEPT [157703:9178680]
:FORWARD ACCEPT [25:1627]
:OUTPUT ACCEPT [159258:9276153]
:POSTROUTING ACCEPT [159229:9269724]
COMMIT
# Completed on Thu Sep 25 13:45:12 2003
# Generated by iptables-save v1.2.7a on Thu Sep 25 13:45:12 2003
*nat
:PREROUTING ACCEPT [142:11923]
:POSTROUTING ACCEPT [4113:181126]
:OUTPUT ACCEPT [4973:241108]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -s XXX.XXX.XXX.128/XXX.XXX.XXX.192 -j ACCEPT
-A POSTROUTING -o eth0 -j SNAT --to-source XXX.XXX.XXX.185
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Thu Sep 25 13:45:13 2003
# Generated by iptables-save v1.2.7a on Thu Sep 25 13:45:13 2003
*filter
:INPUT DROP [102:10085]
:FORWARD DROP [0:0]
:OUTPUT DROP [54:8056]
:LD - [0:0]
:SANITY - [0:0]
:STATE - [0:0]
:UNCLEAN - [0:0]
-A FORWARD -s 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -d 192.168.1.0/255.255.255.0 -j ACCEPT
-A FORWARD -s ! 192.168.1.0/255.255.255.0 -j DROP
COMMIT
# Completed on Thu Sep 25 13:45:13 2003
If you need the specific commands that I used to build the iptables rules, LMK. As with everyone, security is the main objective, but I don't want to kill what I've done already.
Commands:
A description of those is in /usr/src/linux/Documentation, filesystems/proc.txt and networking/ip-sysctl.txt. Please mind the notes in proc.txt. All sysctls could be acceptable use within your private LAN if you wish so, but should NOT apply to the interface receiving foreign traffic because of spoofing etc. So all except ip_masq_debug should be used.
# Generated by iptables-save v1.2.7a
I won't comment on these, I'm more at ease reading rule files, not save states, sorry. I'd recommend checking out the linuxguruz.com site's scripts though; you're missing all the default stuff, from rate limits and spoof rules to "bad packet" and LOG target rules.
Adding LOG target rules on both in and out interfaces is good for many reasons, it should give you a better idea of what goes in and out. If not for accounting reasons, then for adjusting or debugging.
You're also forwarding everything which can't be good if it's a specific server you're forwarding to. Use a DMZ and restrict traffic to only what's needed.
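As an added example (not code from the thread or from either poster), here is a rules file in the iptables-restore format the original poster already uses, filling the empty LD, SANITY and STATE chains with the spoof, bad-packet, state and rate-limited LOG rules the reply recommends. It assumes eth0 is the Internet side, eth1 the LAN side and 192.168.1.0/24 the LAN (taken from the FORWARD rules above), and collapses the duplicated MASQUERADE/SNAT lines into one MASQUERADE rule.

```shell
#!/bin/sh
# Added example (not from the thread): iptables-restore rules that fill the
# empty LD/SANITY/STATE chains. Assumes eth0=Internet, eth1=LAN=192.168.1.0/24.
EXT=eth0
INT=eth1
LAN=192.168.1.0/24
gen_rules() {
cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN -o $EXT -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LD - [0:0]
:SANITY - [0:0]
:STATE - [0:0]
# LD: log (rate-limited so a flood cannot fill the disk) and then drop.
-A LD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW-DROP: "
-A LD -j DROP
# SANITY: spoofed sources arriving on the Internet side, and malformed TCP.
-A SANITY -i $EXT -s $LAN -j LD
-A SANITY -i $EXT -s 127.0.0.0/8 -j LD
-A SANITY -p tcp --tcp-flags ALL ALL -j LD
-A SANITY -p tcp --tcp-flags ALL NONE -j LD
-A SANITY -p tcp ! --syn -m state --state NEW -j LD
# STATE: accept replies to traffic already allowed, drop broken state.
-A STATE -m state --state ESTABLISHED,RELATED -j ACCEPT
-A STATE -m state --state INVALID -j LD
# INPUT: the firewall itself is reachable only from the LAN.
-A INPUT -i lo -j ACCEPT
-A INPUT -j SANITY
-A INPUT -j STATE
-A INPUT -i $INT -s $LAN -j ACCEPT
-A INPUT -j LD
# FORWARD: only LAN-initiated traffic crosses to the Internet.
-A FORWARD -j SANITY
-A FORWARD -j STATE
-A FORWARD -i $INT -o $EXT -s $LAN -j ACCEPT
-A FORWARD -j LD
-A OUTPUT -j STATE
-A OUTPUT -m state --state NEW -j ACCEPT
-A OUTPUT -j LD
COMMIT
EOF
}
gen_rules   # review the output, then as root: sh this_script.sh | iptables-restore
```

Every drop goes through LD, so /var/log/messages shows what was refused on both interfaces without a flood being able to fill the disk.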