Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
No, I mean make iptables accept all incoming local traffic and also allow all outgoing local traffic.
If /etc/rc.local on the server is modified as follows:
Code:
# INPUT
#
# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d MGMT_NIC_IP -m state --state RELATED,ESTABLISHED
# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 22
# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 8222
# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 8333
# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 902
# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d MGMT_NIC_IP --reject-with icmp-port-unreachable
#
# OUTPUT
#
# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -A OUTPUT -j ACCEPT -s MGMT_NIC_IP -m state --state RELATED,ESTABLISHED
# allow all DNS queries from the management interface NIC
iptables -A OUTPUT -j ACCEPT -s MGMT_NIC_IP -p UDP --destination-port 53
# to allow X forwarding, allow traffic to and from proxy X servers
# This port range will allow up to 10 proxy servers to be running.
iptables -A OUTPUT -s 127.0.0.1 -p tcp --dport 6010:6019 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -p tcp --sport 6010:6019 -j ACCEPT
# reject all other traffic from localhost
iptables -A OUTPUT -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable
# reject all other traffic from the management interface NIC
iptables -A OUTPUT -j REJECT -s MGMT_NIC_IP --reject-with icmp-port-unreachable
ssh works both ways without problems with X forwarded. I don't know whether such a change would weaken the security on the server?
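The question above is whether loosening the doc's loopback rules (which only accept the X proxy port range 6010:6019 from 127.0.0.1) to "accept all local traffic" matters. The following audit script is an added example, not part of the thread or the VMware doc: it reads an `iptables -S`-style dump and flags any loopback ACCEPT rule that is not narrowed by a port or connection-state match, so the two rulesets can be told apart before they are loaded. The sample dumps are constructed here; on a real host the input would come from `iptables -S INPUT; iptables -S OUTPUT`.

```shell
#!/bin/sh
# Flag loopback ACCEPT rules that carry no --dport/--sport/--state restriction.
# $1: iptables -S style dump, one rule per line.
# Returns 0 when every loopback ACCEPT is restricted, 1 when at least one is not.
audit_loopback_rules() {
    printf '%s\n' "$1" | awk '
        # Loopback by address (127.0.0.1 or 127.0.0.1/32) or by interface (lo)
        /-j ACCEPT/ && (/-[sd] 127\.0\.0\.1/ || /-[io] lo( |$)/) {
            if ($0 !~ /--dport/ && $0 !~ /--sport/ && $0 !~ /--state/) {
                print "UNRESTRICTED: " $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

# Constructed sample: the doc ruleset from the post, as iptables -S would print it.
SAMPLE_RESTRICTED='-A OUTPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6010:6019 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -p tcp -m tcp --sport 6010:6019 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample: the "accept all local traffic" variant asked about.
SAMPLE_PERMISSIVE='-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 6010:6019 -j ACCEPT'

# Stand-alone run: prints the two offending rules from the permissive sample.
audit_loopback_rules "$SAMPLE_RESTRICTED" && echo "doc ruleset: loopback is port-restricted"
audit_loopback_rules "$SAMPLE_PERMISSIVE" || echo "permissive ruleset: unrestricted loopback ACCEPT found"
```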
Well, theoretically everything can somewhat reduce security. But if you already have a malicious process on the server where you ssh... Well, I would say that you have lost the server and need to reinstall it anyway. There is a significant risk that they have already cracked root. Then ssh can be already compromised. Well, yes, the chance to access your X server through forwarding can give the enemy an advantage when trying to take over your desktop (and -X is better than -Y from that point of view), but you still don't have options better than 'ssh -X' (though it is interesting whether VNC is better).
OK, I'll stick to the iptables rules suggested by that doc. I don't need to ssh-connect to the server from a workstation with X forwarding except to remotely configure a headless server. Thanks for your advice.
I used TightVNC. They recommend tunneling it through SSH to get encryption with no extra configuration. The benefit of VNC (compared to ssh) is that the entire VNC session is just a window on your desktop, so sniffing your keyboard requires finding an actual arbitrary-code-execution hole in TightVNC or a really obscure way to force vncviewer to deviate from acceptable behavior.