Re: [suse-security] Is it iptables enough?
----- Original Message -----
From: "Keith Roberts" <keith@kar.eclipse.co.uk>
To: "John" <isofroni@cc.uoi.gr>
Sent: Tuesday, February 03, 2004 8:06 AM
Subject: Re: [suse-security] Is it iptables enough?
IPTables operates at the kernel level, and it's conceivable that some clever shithead could write a kernel module that alters IPTables' behavior in a way that nullifies its protection of your server. Remember, a rootkit gives anyone who accesses it absolute power over the server to do anything they want, including poisoning your detection mechanisms.
Or just type:
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -F
as root to flush your IPTables script!
Regards - Keith Roberts
How can I put the above commands in at boot time? I put the iptables commands in boot.local but nothing happened.
Why would you want to flush your firewall script at boot time???
Regards - Keith Roberts
To make sure that nothing is in there that isn't supposed to be, and to bring it to a known clean state. It's often set up so that you run a script that flushes the firewall rules and then inserts the ruleset you want in there (as a boot script in rc.d, usually). Alternately, this approach also means that an emergency reboot will kill whatever the firewall rules were (if you suspect they were bad).
-- David
Here is a skeleton firewall script for you to use. Just call the following firewall script from boot.local, using the full pathname to your firewall script, and exiting with a valid code. USE AND MODIFY AT YOUR OWN RISK!!!

#! /bin/bash
# file-id: /path/to/firewall/script/firewall
#
# custom script to start iptables packet filter firewall rules
#
# run from /etc/init.d/boot.local
#
# ADSL-Modem version
#
# last updated 02-FEB-2004
#
#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "Running /path/to/firewall/script/firewall"
echo " - Initial status of firewall is:"
echo "=======================================================================";
echo;
#------------------------------------------------------#
#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "NAT table initial status"
echo "=======================================================================";
echo;
#------------------------------------------------------#
# list status of NAT table
iptables -t nat -L -v
#------------------------------------------------------#
#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "MANGLE table initial status"
echo "=======================================================================";
echo;
#------------------------------------------------------#
# list status of MANGLE table
iptables -t mangle -L -v
#------------------------------------------------------#
#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "FILTER table initial status"
echo "=======================================================================";
echo;
#------------------------------------------------------#
# list status of FILTER table
iptables -t filter -L -v
#------------------------------------------------------#
#------------------------------------------------------#
# flush ALL rules in ALL tables
iptables -t nat -F
iptables -t mangle -F
iptables -t filter -F
# clear packet & byte counters
iptables -t nat -Z
iptables -t mangle -Z
iptables -t filter -Z
# delete ALL user-defined chains in ALL tables
iptables -t nat -X
iptables -t mangle -X
iptables -t filter -X
#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "Starting up my own custom firewall now!"
echo "=======================================================================";
echo;
#------------------------------------------------------#
#******************************************************#
# NAT table rules                                      #
#******************************************************#
# NOT USED
#******************************************************#
# MANGLE table rules                                   #
#******************************************************#
# NOT USED
#******************************************************#
# FILTER table rules                                   #
#******************************************************#
#------------------------------------------------------#
# set default policy for INPUT & FORWARD chains to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
#------------------------------------------------------#
# LOG all packets coming through the INPUT chain - should disable this really
iptables -A INPUT -j LOG --log-prefix 'FILTER-INPUT PKTS '
#------------------------------------------------------#
# LOG all packets going through the FORWARD chain - should disable this really
iptables -A FORWARD -j LOG --log-prefix 'FILTER-FWD PKTS '
#------------------------------------------------------#
# LOG all packets going through the OUTPUT chain - should disable this really
iptables -A OUTPUT -j LOG --log-prefix 'FILTER-OUTPUT PKTS '
#------------------------------------------------------#
# Put the rest of your firewall script here
#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "New status of firewall using my own custom rules is:"
echo "=======================================================================";
echo;
#------------------------------------------------------#
#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "NAT table - new status"
echo "=======================================================================";
echo;
#------------------------------------------------------#
# list current status of NAT table
iptables -t nat -L -v
#------------------------------------------------------#
#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "MANGLE table - new status"
echo "=======================================================================";
echo;
#------------------------------------------------------#
# list current status of MANGLE table
iptables -t mangle -L -v
#------------------------------------------------------#
#------------------------------------------------------#
echo;
echo "=======================================================================";
echo "FILTER table - new rules"
echo "=======================================================================";
echo;
#------------------------------------------------------#
# list current status of FILTER table
iptables -L -v
#------------------------------------------------------#
# exit with a valid code
exit 0
#------------------------------------------------------#
# end of firewall #

On Thu, 5 Feb 2004, David Piniella wrote:
To: suse-security@suse.com From: David Piniella <dpiniell@newssun.med.miami.edu> Subject: Re: [suse-security] Is it iptables enough?
To make sure that nothing is in there that isn't supposed to be, and to bring it to a known clean state. It's often set up so that you run a script that flushes the firewall rules and then inserts the ruleset you want in there (as a boot script in rc.d, usually). Alternately, this approach also means that an emergency reboot will kill whatever the firewall rules were (if you suspect they were bad).
-- David
Kind Regards - Keith Roberts.
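An added check, not part of the thread or of Keith's skeleton: it reads an iptables-save dump (constructed samples here; `iptables-save` on a live box) and reports whether the filter table still carries the DROP policies and rules a loaded firewall should have, or has been put back to the permissive state that the ACCEPT/-F one-liners quoted above produce. check_ruleset is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not Keith's script): decide from an `iptables-save` dump
# whether the filter table looks loaded (INPUT/FORWARD policy DROP, rules
# present) or flushed/permissive (policies ACCEPT, no -A lines).
# check_ruleset is a hypothetical name; it takes the dump text as its argument.
# On a live box: check_ruleset "$(iptables-save)"

check_ruleset() {
    dump="$1"
    # One awk pass over the *filter section only: nat/mangle also have
    # :INPUT lines in their headers, so the section must be tracked.
    set -- $(printf '%s\n' "$dump" | awk '
        /^\*filter/ { f = 1; next }
        /^COMMIT/   { f = 0 }
        f && /^:INPUT /   { ip = $2 }
        f && /^:FORWARD / { fp = $2 }
        f && /^-A /       { n++ }
        END { print (ip ? ip : "missing"), (fp ? fp : "missing"), n + 0 }')
    input_pol=$1; fwd_pol=$2; rules=$3

    status=0
    [ "$input_pol" = "DROP" ] || { echo "INPUT policy is $input_pol, expected DROP"; status=1; }
    [ "$fwd_pol" = "DROP" ]   || { echo "FORWARD policy is $fwd_pol, expected DROP"; status=1; }
    [ "$rules" -gt 0 ]        || { echo "filter table holds no rules: flushed?"; status=1; }
    return $status
}

# Constructed sample: roughly what the skeleton script leaves behind
good_dump='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j LOG --log-prefix "FILTER-INPUT PKTS "
-A FORWARD -j LOG --log-prefix "FILTER-FWD PKTS "
COMMIT'

# Constructed sample: after "iptables -P ... ACCEPT" and "iptables -F"
flushed_dump='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

check_ruleset "$good_dump"    && echo "ruleset intact"
check_ruleset "$flushed_dump" || echo "ruleset flushed or permissive"
```

Run it from cron against a fresh `iptables-save` and a non-zero exit is the signal that someone or something has reset the firewall since boot.local loaded it.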