* security precautions with iptables?
From: Littlefield, Tyler
To: Speakup is a screen review system for Linux.
Hello list,
I've been told to block ping requests with iptables. I made the following rule:
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
The only problem with this is it drops all pings incoming as well, which causes a slight problem.
Any way around this?
Also, is there anything else that can be done in order to make the system more secure? I was told to block fragmented packets. I know what they are, but don't know enough about tcp in order to be able to do much with them.
Help is appreciated.
Thanks,
* Re: security precautions with iptables?
From: Gregory Nowak
To: Speakup is a screen review system for Linux.
That's the whole point of that rule, to drop incoming pings. As for
the outgoing pings, that depends on how your outgoing chain is set up,
or possibly on if your ISP is blocking outgoing pings or not.
Greg
On Sun, May 20, 2007 at 09:34:43AM -0600, Littlefield, Tyler wrote:
--
web site: http://www.romuald.net.eu.org
gpg public key: http://www.romuald.net.eu.org/pubkey.asc
skype: gregn1
(authorization required, add me to your contacts list first)
* Re: security precautions with iptables?
From: Travis Siegel
To: Speakup is a screen review system for Linux.
If you turn off the various utilities in the inetd.conf file that you
don't use, that can help too.
I.e., since you're using ssh, you won't need telnet and rlogin.
Simply comment them out. That way, no matter how many packets go to
that destination port, it won't do a bit of good.
You are of course welcome to block any ports you like, and it's
likely that'll help too, but the inetd daemon is a nice way to secure
the machine as well.
As for the problem with the outgoing ping packets, there are ways to
specify incoming/outgoing packets, but I've not fiddled with ip rules
for several years, so I don't remember the syntax. However, there's
a very good how-to on the linux how-to site explaining ipfwadm and
ipchains. One of the examples in there is how to secure the machine
for a particular service (don't remember which one) but it covers
that exact problem (if I remember correctly).
Try to see if you can find it. If not, I'm sure I have it *somewhere*.
But, just so you know, there is a solution, I (unfortunately) no
longer remember what it is though.
On May 20, 2007, at 11:34 AM, Littlefield, Tyler wrote:
* Re: security precautions with iptables?
From: Igor Gueths
To: Speakup is a screen review system for Linux.
Hi. Another idea is putting this in a script:
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
services ports go here
/sbin/iptables -P INPUT DROP
Only apply that policy when you know that all your required ports are open; if not, you may find yourself locked out of your machine, and only console access can fix things again.
Igor
On Sun, May 20, 2007 at 05:33:15PM -0400, Travis Siegel wrote:
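A fuller version of the script Igor sketches, as an added example that is not from any poster in this thread: it keeps his rule order (replies accepted first, the DROP policy flipped last) and also covers the two points in Tyler's question, outgoing ping and fragmented packets. Assumptions: ssh on port 22 is the only service to expose, and with IPT left at its default the commands are only printed so the order can be reviewed before running the script as root with IPT=/sbin/iptables.

```shell
#!/bin/sh
# Added example (not from the thread). Default is a dry run that echoes the
# rules; set IPT=/sbin/iptables to apply them for real.
IPT=${IPT:-"echo /sbin/iptables"}
SSH_PORT=${SSH_PORT:-22}   # assumption: ssh is the one service kept reachable

firewall_rules() {
    $IPT -F INPUT
    # Lock-out guard: keep the policy open until every rule is in place.
    $IPT -P INPUT ACCEPT
    # Loopback: local resolvers and other localhost services need this.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host started (DNS answers, apt-get's HTTP,
    # the echo-reply to an outgoing ping) are ESTABLISHED/RELATED, so outgoing
    # ping keeps working even though unsolicited echo-request is dropped below.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Second and later fragments carry no port numbers, so no port rule below
    # can judge them; dropping them also loses legitimately fragmented traffic.
    $IPT -A INPUT -f -j DROP
    # Tyler's rule, now safe: replies were already accepted by the state rule.
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
    # "service ports go here"
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Only now, with every required port open, flip the default to DROP.
    $IPT -P INPUT DROP
}

# Returns 0 when the emitted order is state rule, then service ports, then
# the DROP policy; any other order risks the lock-out Igor warns about.
check_order() {
    firewall_rules | awk '
        /-m state --state ESTABLISHED,RELATED/ { est = NR }
        /--dport/ { svc = NR }
        /-P INPUT DROP/ { drop = NR }
        END { exit !(est && svc && drop && est < svc && svc < drop) }'
}

firewall_rules
```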
* Re: security precautions with iptables?
From: Littlefield, Tyler
To: Speakup is a screen review system for Linux.
I've done something of this sort, and done iptables -P OUTPUT ACCEPT.
Then, I have things hanging, such as apt-get, etc...
----- Original Message -----
From: "Igor Gueths" <igueths@lava-net.com>
To: "Speakup is a screen review system for Linux." <speakup@braille.uwo.ca>
Sent: Sunday, May 20, 2007 3:52 PM
Subject: Re: security precautions with iptables?