LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 10-08-2007, 02:25 AM   #46
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69

No, I mean make iptables accept all incoming local traffic and also allow all outgoing local traffic.
 
Old 10-16-2007, 10:36 AM   #47
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,687

Original Poster
Rep: Reputation: 55
Quote:
Originally Posted by raskin View Post
No, I mean make iptables accept all incoming local traffic and also allow all outgoing local traffic.
If /etc/rc.local on server modified as follow;
Code:
# INPUT
#

# allow all incoming traffic from the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d MGMT_NIC_IP -m state --state RELATED,ESTABLISHED

# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 22

# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 8222

# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 8333

# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p TCP -d MGMT_NIC_IP --destination-port 902

# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d MGMT_NIC_IP --reject-with icmp-port-unreachable

#
# OUTPUT
#

# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -A OUTPUT -j ACCEPT -s MGMT_NIC_IP -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -A OUTPUT -j ACCEPT -s MGMT_NIC_IP -p UDP --destination-port 53


#  to allow X forwarding, allow traffic to and from proxy X servers
#  This port range will allow up to 10 proxy servers to be running.

iptables -A OUTPUT -s 127.0.0.1 -p tcp --dport 6010:6019 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -p tcp --sport 6010:6019 -j ACCEPT

# reject all other traffic from localhost
iptables -A OUTPUT -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable

# reject all other traffic from the management interface NIC
iptables -A OUTPUT -j REJECT -s MGMT_NIC_IP --reject-with icmp-port-unreachable
ssh works both ways w/o problem with X forwarded. I don't know whether such a change would weaken the security on the server?


satimis
 
Old 10-16-2007, 01:10 PM   #48
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
Well, theoretically everything can somewhat reduce security. But if you already have a malicious process on server where you ssh... Well, I would say that you have lost the server and need to reinstall it anyway. There is a significant risk that they have already cracked root. Then ssh can be already compromised. Well, yes,chance to access your X server through forwarding can give enemy an advantage when trying to take over your desktop (and -X is better than -Y from that point of view), but you still don't have options better than 'ssh -X' (Though it is interesting if VNC is better).
 
Old 10-16-2007, 07:37 PM   #49
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,687

Original Poster
Rep: Reputation: 55
Quote:
Originally Posted by raskin View Post
Well, theoretically everything can somewhat reduce security. But if you already have a malicious process on server where you ssh... Well, I would say that you have lost the server and need to reinstall it anyway. There is a significant risk that they have already cracked root. Then ssh can be already compromised. Well, yes,chance to access your X server through forwarding can give enemy an advantage when trying to take over your desktop (and -X is better than -Y from that point of view), but you still don't have options better than 'ssh -X'
OK I'll stick to the iptables rules suggested by that doc. I don't need ssh-connecting the server from a workstation with X forwarding except to remote configure a headless server. Thanks for your advice.

Quote:
(Though it is interesting if VNC is better).
which of follows would you recommend?
Code:
http://www.realvnc.com/

http://www.uvnc.com/

http://www.tightvnc.com/
???

What will the difference in function between VNC and ssh? TIA


satimis
 
Old 10-17-2007, 03:08 PM   #50
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
I used TightVNC. They recommend to tunnel it through SSH tunneling - to get encryption with no extra configuration. The benefit of VNC (compared to ssh) is that entire VNC session is just a window on your desktop, so sniffing your keyboard requires finding actual arbitrary-code-execution hole in TightVNC or a really obscure way to force vncviewer deivate from acceptable behavior.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Running GUI in SSH Towlies Linux - Newbie 10 05-17-2007 05:23 PM
Do I need ssh running? reesee Linux - Security 7 01-02-2006 10:01 PM
problem in running ssh command skvasistha Linux - General 1 11-29-2004 06:12 AM
running ssh on redhat 8.0 sheek Linux - Newbie 2 07-22-2003 06:46 PM
Running X through SSH cdakin Linux - Newbie 0 04-23-2002 08:40 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 04:23 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration