Hi,

I'm very new to firewalling and have read some HOWTOs ... not the whole IPTABLES or NAT HOWTO ... I haven't much time at the moment.

My question is quite simple: how do I set up a rule that specifies that the localhost (the Linux box) cannot be pinged from outside? And ... how can I log all connection attempts from outside?

I've set up a "simple" ISDN router and a quite simple firewall ... nearly everything is allowed yet ... but this will change in some days/weeks :-)

Kind regards
Bruno Leonhardt
CLP Domino R5 system administrator
AnalyTek Systemhaus, Hospitalstr. 2a, D-65589 Hadamar
Tel.: 06433/81403-15  Fax: 06433/81403-40
Try "iptables -I INPUT -i eth0 -p icmp -j DROP".

Arthur H. Johnson II
arthur@linuxbox.nu
The Linux Box
http://www.linuxbox.nu
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
On Tuesday, 27. November 2001 15:55, Arthur H. Johnson II wrote:
> Try "iptables -I INPUT -i eth0 -p icmp -j DROP".

I wouldn't do that because ICMP is not evil, it helps your box if errors occur. Better try

# --icmp-type takes exactly one type, so one ACCEPT rule per type
iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type source-quench -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type parameter-problem -j ACCEPT
# everything else, including echo-request, is dropped
iptables -A INPUT -i eth0 -p icmp -j DROP

Bjoern
On Tuesday, 27. November 2001 16:06, Bjoern Engels wrote:
> [...] it helps your box if errors occur. Better try
>
> iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
> iptables -A INPUT -i eth0 -p icmp --icmp-type source-quench -j ACCEPT
> iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
> iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
> iptables -A INPUT -i eth0 -p icmp --icmp-type parameter-problem -j ACCEPT
> iptables -A INPUT -i eth0 -p icmp -j DROP

Sorry, I didn't see that it's an ISDN box. You will want to use ippp0 instead of eth0.

Bjoern
If you want to log every connection attempt:

# the trailing space keeps the prefix separate from "IN=" in the log line
iptables -A INPUT -i ippp0 -p tcp --syn -m limit --limit 1/sec -j LOG \
    --log-prefix "Connection attempted "

This works for TCP connections only, though.

Praise
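What the LOG rule above actually gives you is a stream of kernel messages in syslog (on SuSE of that time normally /var/log/messages; that path is an assumption). The script below is an added example, not code from Praise or anyone else in the thread: it parses such lines and answers the two questions one asks first, which sources are probing and which ports they touch. The log lines, hostname and addresses are constructed for the example; on a PPP interface such as ippp0 the MAC= field is absent, as shown.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample of the lines the LOG target
# writes to the kernel log; hostname and all addresses are made up.
SAMPLE_LOG='Nov 27 16:20:01 isdnbox kernel: Connection attempted IN=ippp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1234 DF PROTO=TCP SPT=33421 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 27 16:20:02 isdnbox kernel: Connection attempted IN=ippp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1235 DF PROTO=TCP SPT=33422 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 27 16:20:02 isdnbox kernel: Connection attempted IN=ippp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1236 DF PROTO=TCP SPT=33423 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 27 16:21:10 isdnbox kernel: Connection attempted IN=ippp0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=777 DF PROTO=TCP SPT=4242 DPT=22 WINDOW=16384 RES=0x00 SYN URGP=0
Nov 27 16:21:11 isdnbox kernel: martian source 198.51.100.2 from 10.0.0.1, on dev ippp0'

# field NAME: print the value of every "NAME=value" token on lines carrying the
# log prefix; other kernel messages (e.g. the martian line) are ignored.
field() {
    awk -v key="$1=" 'index($0, "Connection attempted") {
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, length(key)) == key) print substr($i, length(key) + 1)
    }'
}

# attempts_by_source: "count SRC" per source address, busiest first
attempts_by_source() {
    field SRC | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# ports_probed_by SRC: distinct destination ports this source tried, ascending, one line
ports_probed_by() {
    grep -F "SRC=$1 " | field DPT | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# scanners N: sources that touched more than N distinct ports (crude port-scan heuristic)
scanners() {
    awk -v t="$1" 'index($0, "Connection attempted") {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "" && !seen[src, dpt]++) n[src]++
    }
    END { for (s in n) if (n[s] > t) print s }' | sort
}

# Usage on a real box: grep "Connection attempted" /var/log/messages | attempts_by_source
printf '%s\n' "$SAMPLE_LOG" | attempts_by_source
printf '%s\n' "$SAMPLE_LOG" | scanners 2
```

Because the LOG rule is rate-limited (1/sec), a fast scan will show fewer lines than packets; the counts are a lower bound, which is why the scanner heuristic counts distinct ports rather than packets.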
On Tuesday, 27. November 2001 16:06 Bjoern Engels wrote:
> On Tuesday, 27. November 2001 15:55, Arthur H. Johnson II wrote:
> > Try "iptables -I INPUT -i eth0 -p icmp -j DROP".
>
> I wouldn't do that because ICMP is not evil, it helps your box if errors occur. Better try
>
> iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j ACCEPT
> [... one ACCEPT rule per ICMP type ...]
> iptables -A INPUT -i eth0 -p icmp -j DROP

or don't use iptables for an option which can be handled by the kernel directly:

/proc/sys/net/ipv4/icmp_echo_ignore_all

e.g. put

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

in boot.local

Peter
* Christopher Mahmood (ckm@suse.com) [011127 12:12]:
> * Peter Wiersig (wiersig@glamus.de) [011127 07:23]:
> > or don't use iptables for an option which can be handled by the kernel directly:
> > /proc/sys/net/ipv4/icmp_echo_ignore_all
>
> UGH, this is just as bad as '-I INPUT -i eth0 -p icmp -j DROP'.

wob@swobspace.de just pointed out that I'm being an idiot... I wasn't reading the icmp_echo_ignore_all response carefully. Sorry,

--
-ckm
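Putting the three suggestions together (Bjoern's selective ICMP rules, Praise's logging rule, Peter's /proc switch), here is an added example of a complete INPUT ruleset for the ISDN box. It is not code from any of the posters. Assumptions: the outside interface is ippp0, the kernel has the state match, and DRY_RUN=1 prints the iptables commands instead of running them so the ruleset can be reviewed on a machine without root or iptables.

```shell
#!/bin/sh
# Added example (not code from the thread). INPUT rules for the ISDN box that
#  - keep the ICMP error types Bjoern listed but never answer echo-request,
#  - log new TCP and UDP connection attempts on the outside interface (Praise's
#    rule, extended to UDP via the state match), rate-limited so a flood cannot
#    fill the disk,
#  - let replies to the box's own connections back in.
# Assumptions: outside interface ippp0, state match available; DRY_RUN=1 prints
# the commands instead of executing them.
EXT_IF=${EXT_IF:-ippp0}

# Run iptables, or print the exact command (with quoting) when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        printf 'iptables'
        for a in "$@"; do
            case $a in
                *' '*) printf " '%s'" "$a" ;;
                *)     printf ' %s' "$a" ;;
            esac
        done
        printf '\n'
    else
        iptables "$@"
    fi
}

build_input_rules() {
    ipt -F INPUT
    ipt -P INPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this box opened, including echo-reply to its own
    # pings, are ESTABLISHED/RELATED, so echo-reply needs no rule of its own.
    ipt -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ICMP errors the host needs (path MTU, unreachable hosts, TTL expiry);
    # one rule per type because --icmp-type accepts exactly one type.
    for t in destination-unreachable source-quench time-exceeded parameter-problem; do
        ipt -A INPUT -i "$EXT_IF" -p icmp --icmp-type "$t" -j ACCEPT
    done
    # Log new connection attempts from outside; at most 1/sec after a burst of 5.
    # The trailing space in the prefix keeps it separate from "IN=" in the log.
    ipt -A INPUT -i "$EXT_IF" -p tcp --syn -m limit --limit 1/sec --limit-burst 5 \
        -j LOG --log-prefix "Connection attempted "
    ipt -A INPUT -i "$EXT_IF" -p udp -m state --state NEW -m limit --limit 1/sec --limit-burst 5 \
        -j LOG --log-prefix "Connection attempted "
    # Everything else, echo-request included, falls through to the DROP policy.
}

# Peter's alternative: the kernel ignores echo-request on every interface, so the
# box will not answer pings from the LAN either, which a rule scoped to
# -i ippp0 still allows. Pick one; both together is harmless but redundant.
ignore_ping_via_proc() {
    if [ -n "$DRY_RUN" ]; then
        echo "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
    else
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    fi
}

# count_rules_matching PATTERN: number of generated rules containing PATTERN
count_rules_matching() {
    ( DRY_RUN=1; build_input_rules ) | grep -c -- "$1"
}

case "${1:-}" in
    apply) build_input_rules ;;
    *)     ( DRY_RUN=1; build_input_rules ) ;;   # default: only show what would be done
esac
```

Run it without arguments to see the rules it would load, then with "apply" as root. The DROP policy on INPUT means anything not listed is silently discarded, which is what makes the box unpingable from ippp0 while leaving the LAN side untouched.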
Hello all,

I have a problem and cannot get it closed down. At first all ports should be open (UDP, TCP, ICMP); later everything should be closed except ssh, HTTP etc. Who can help me quickly? eth0 is the web server side, eth1 is the internal interface to the database (the database computer is 192.168.0.4), and eth2 connects the IP for the external database. I do not have a socks server. Thank you. Here is my script:

#!/bin/sh
ARG=$1
MAIL=
NS=
DB_serv=192.168.0.4
A_NET=195.143.193.66/32
D_NET=192.168.0.1/24
DB_NET=195.143.232.2/32
p_webm=10000:10100
m_port=1:65535      # was 0:65536, which iptables rejects (ports run 0-65535)

case $ARG in
start)
    echo Firewall starting ...
    ####
    # delete all rules
    iptables -t filter -F
    iptables -t nat -F
    iptables -X
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT DROP      # REJECT is not a valid chain policy, only ACCEPT or DROP
    ####
    # the local system may talk to itself
    iptables -t filter -A OUTPUT -o lo -j ACCEPT
    iptables -t filter -A INPUT -i lo -j ACCEPT
    ####
    # open a few things first
    # SNAT --to-source needs an IP address, not an interface name; MASQUERADE takes eth0's address
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -t filter -A INPUT -i eth0 -p udp -s 0/0 --sport $m_port -d $A_NET --dport $m_port -j ACCEPT
    iptables -t filter -A OUTPUT -o eth0 -p udp -s 0/0 --sport $m_port -d $A_NET --dport $m_port -j ACCEPT
    iptables -t filter -A FORWARD -i eth0 -o eth0 -p tcp -s $A_NET --sport $m_port ! -d $A_NET --dport $m_port -j ACCEPT
    iptables -t filter -A FORWARD -i eth0 -o eth0 -p udp -s $A_NET --sport $m_port ! -d $A_NET --dport $m_port -j ACCEPT
    # debugging rules: log, then reject everything that was not accepted above
    iptables -t filter -A INPUT -j LOG
    iptables -t filter -A FORWARD -j LOG
    iptables -t filter -A OUTPUT -j LOG
    iptables -t filter -A INPUT -j REJECT
    iptables -t filter -A FORWARD -j REJECT
    iptables -t filter -A OUTPUT -j REJECT
    ;;
stop)
    echo Firewall stopping ...
    iptables -t filter -F
    iptables -t filter -P INPUT ACCEPT
    iptables -t filter -P OUTPUT ACCEPT
    ;;
esac
On http://www.swobspace.de/ext/firewall/contrib/fw-scripte/surfer1/fw-dyn2.scri... you can find a really good iptables script from a book for a workstation. That one should be just perfect for your purposes and does deny ping, too.

Greetings,
Ralf
Participants (8):
- Arthur H. Johnson II
- Bjoern Engels
- BLeonhardt@analytek.de
- Christopher Mahmood
- Nils Wunsch
- Peter Wiersig
- Praise
- Ralf Ronneburger