Recipe 2.13 Prohibiting Outgoing Telnet Connections

2.13.1 Problem

You want to block outgoing Telnet connections.

2.13.2 Solution

To block all outgoing Telnet connections:

For iptables :

# iptables -A OUTPUT -p tcp --dport telnet -j REJECT

For ipchains :

# ipchains -A output -p tcp --dport telnet -j REJECT

To block all outgoing Telnet connections except to yourself from yourself:

For iptables :

# iptables -A OUTPUT -p tcp -o lo --dport telnet -j ACCEPT
# iptables -A OUTPUT -p tcp --dport telnet -j REJECT

For ipchains :

# ipchains -A output -p tcp -i lo --dport telnet -j ACCEPT
# ipchains -A output -p tcp --dport telnet -j REJECT

2.13.3 Discussion

Telnet is notoriously insecure in its most common form, which transmits your login name and password in plaintext over the network. This recipe is a sneaky way to encourage your users to find a more secure alternative, such as ssh. (Unless your users are running Telnet in a secure fashion with Kerberos authentication. [Recipe 4.15]) Using REJECT rather than DROP means the user gets an immediate "connection refused" instead of a hanging session, which makes the point without leaving them guessing.

Two limits are worth knowing. The rule matches only the standard Telnet port (23), so a user who runs telnet host 25 to talk to a mail server by hand is not affected. And the OUTPUT chain sees only packets generated on this host: if the machine is also a router, Telnet sessions from hosts behind it pass through the FORWARD chain and need a separate rule there.

2.13.4 See Also

iptables(8), ipchains(8), telnet(1).

Recipe 2.14 Protecting a Dedicated Server

2.14.1 Problem

You want to run a specific set of services on your machine, accessible to the outside world. All other services should be rejected and logged. Internally, however, local users can access all services.

2.14.2 Solution

Suppose your services are www, ssh, and smtp.

For iptables :

# iptables -F INPUT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -p tcp -m multiport --dports www,ssh,smtp -j ACCEPT
# iptables -A INPUT -m limit -j LOG
# iptables -A INPUT -j REJECT

For ipchains :

# ipchains -F input
# ipchains -A input -i lo -j ACCEPT
# ipchains -A input -p tcp --dport www -j ACCEPT
# ipchains -A input -p tcp --dport ssh -j ACCEPT
# ipchains -A input -p tcp --dport smtp -j ACCEPT
# ipchains -A input -l -j REJECT

2.14.3 Discussion

Local connections from your own host arrive via the loopback interface, which is why the first rule accepts everything on lo before any port is examined.

Note what this rule set does not do. Packets that are replies to connections the server opened itself, such as DNS answers or the return half of an outbound SMTP delivery, also arrive on INPUT, match neither the loopback rule nor the service ports, and are therefore logged and rejected. On a real server, put an ACCEPT for established and related traffic (iptables: -m state --state ESTABLISHED,RELATED) ahead of the LOG rule. ipchains has no connection tracking; the usual workaround is to accept TCP packets that do not carry the SYN flag (! -y) and to accept the UDP replies the host needs, such as those from source port 53.

2.14.4 See Also

iptables(8), ipchains(8).

Recipe 2.15 Preventing pings

2.15.1 Problem

You don't want remote sites to receive responses if they ping you.

2.15.2 Solution

For iptables :

# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

For ipchains :

# ipchains -A input -p icmp --icmp-type echo-request -j DENY

2.15.3 Discussion

In this case, we use DROP and DENY instead of REJECT. If you're trying to hide from pings, then replying with a rejection kind of defeats the purpose, eh?

Don't make the mistake of dropping all ICMP messages, e.g.:


WRONG!! DON'T DO THIS!

# iptables -A INPUT -p icmp -j DROP

because pings are only one type of ICMP message, and you might not want to block all types. That being said, you might want to block some others, like redirects and source quench. List the available ICMP messages with:

$ iptables -p icmp -h
$ ipchains -h icmp
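
As an added example that is not from the cookbook, the following shell script combines Recipes 2.13, 2.14 and 2.15 into a single ruleset in iptables-restore format. Loading a whole file with iptables-restore is atomic and can be syntax-checked with iptables-restore --test before it touches the running firewall, which rule-by-rule iptables commands cannot offer. The port numbers (80, 22 and 25 for www, ssh and smtp), the ICMP error types kept, the log rate and prefix, and the function names are this example's own assumptions. It also adds the ESTABLISHED,RELATED accept that the recipes leave out; without it the final REJECT on INPUT would cut off replies to the server's own outbound connections.

```shell
#!/bin/sh
# Added example (not from the cookbook): generate a complete iptables-restore
# ruleset that combines Recipes 2.13, 2.14 and 2.15 and can be syntax-checked
# before it is loaded. Port numbers, ICMP types, the log prefix and the
# function names are this example's own choices.
#
# Usage:  gen_ruleset "80 22 25" > rules.v4
#         iptables-restore --test < rules.v4   # as root: validate only
#         apply_ruleset "80 22 25"             # as root: validate, then load

# Turn a whitespace-separated port list into the comma form multiport wants.
join_ports() {
    printf '%s' "$1" | tr -s ' ' ','
}

# Print the ruleset on stdout. Lines starting with '#' are ignored by
# iptables-restore, so the comments can stay in the generated file.
gen_ruleset() {
    ports=$(join_ports "$1")
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Recipe 2.14: local connections arrive on the loopback interface.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened itself (DNS answers, the return
# half of an outbound SMTP delivery). The cookbook's rule set omits this,
# and its final REJECT would otherwise kill the server's own traffic.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Recipe 2.15: ignore pings, but keep the ICMP error types TCP relies on
# (path MTU discovery, unreachable notices) instead of dropping all ICMP.
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
# Only the published services may open new connections from outside.
-A INPUT -p tcp -m multiport --dports $ports -m state --state NEW -j ACCEPT
# Log a rate-limited sample of everything else, then reject it.
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "FW-REJECT: "
-A INPUT -j REJECT
# Recipe 2.13: no outgoing Telnet except to ourselves over loopback.
-A OUTPUT -o lo -p tcp --dport 23 -j ACCEPT
-A OUTPUT -p tcp --dport 23 -j REJECT
COMMIT
EOF
}

# Validate with --test (no kernel changes), then load the whole table at once.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must run as root" >&2
        return 1
    fi
    gen_ruleset "$1" | iptables-restore --test || return 1
    gen_ruleset "$1" | iptables-restore
}
```

Generate the file first and read it; the order of the INPUT rules is the whole point, since the loopback and ESTABLISHED,RELATED accepts must sit above the service rule, and the LOG and REJECT pair must come last. Only then run apply_ruleset as root.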

2.15.4 See Also

iptables(8), ipchains(8). The history of ping , by its author, is at http://ftp.arl.mil/~mike/ping.html.

Recipe 2.16 Listing Your Firewall Rules

2.16.1 Problem

You want to see your firewall rules.

2.16.2 Solution

For iptables :

# iptables -L [chain]

For ipchains :

# ipchains -L [chain]

For more detailed output, append the -v option.

If iptables takes a long time to print the rule list, try appending the -n option to disable reverse DNS lookups. Such lookups of local addresses, such as 192.168.0.2, may cause delays due to timeouts.

2.16.3 Discussion

An iptables rule like:

# iptables -A mychain -p tcp -s 1.2.3.4 -d 5.6.7.8 --dport smtp -j chain2

has a listing like:

Chain mychain (3 references)
target     prot opt source               destination
chain2     tcp  --  1.2.3.4              5.6.7.8            tcp dpt:smtp

which is basically a repeat of what you specified: any SMTP packets from IP address 1.2.3.4 to 5.6.7.8 should be handed to the user-defined chain chain2 for further matching. Here's a similar ipchains rule that adds logging:

# ipchains -A mychain -p tcp -s 1.2.3.4 -d 5.6.7.8 --dport smtp -l -j chain2

Its listing looks like:

Chain mychain (3 references):
target   prot opt     source      destination    ports
chain2   tcp  ----l-  1.2.3.4     5.6.7.8        any -> smtp

A detailed listing ( -L -v ) adds packet and byte counts and more:

Chain mychain (3 references): 
pkts bytes  target  prot opt     tosa tosx ifname source   destination  ports
15   2640   chain2  tcp  ----l-  0xFF 0x00 any    1.2.3.4  5.6.7.8      any -> smtp

Another way to view your rules is in the output of iptables-save or ipchains-save [Recipe 2.19], but this more concise format is not as readable. It's meant only to be processed by iptables-restore or ipchains-restore , respectively:

# ipchains-save
 ... Saving 'mychain'.
-A mychain -s 1.2.3.4/255.255.255.255 -d 5.6.7.8/255.255.255.255 25:25 -p 6 -j chain2 -l
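
The packet and byte counters in a detailed listing are the quickest way to find rules that are dead, or shadowed by an earlier rule that already matches the same packets. The following script is an added example, not from the cookbook: it reads an iptables -L -v -n -x listing (the -x prints exact counters instead of abbreviations like 6.1M, which the arithmetic relies on) and reports every rule that has never matched, plus the packet total per target. The listing embedded in sample_listing is constructed for this example so the functions can be tried without root; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the cookbook): audit an "iptables -L -v -n -x"
# listing for rules that have never matched a packet. Zero counters after a
# few days of traffic usually mean a rule is dead, or shadowed by an earlier
# rule. -x prints exact counters instead of "6.1M", which awk needs here.
#
# Usage:  iptables -L -v -n -x | unused_rules
#         iptables -L -v -n -x | hits_by_target

# Constructed sample listing, in the format of iptables -L -v -n -x, so the
# functions can be exercised without root or a kernel firewall.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     340      25000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    9210    6120000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0          0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
      57       3420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,22,25 state NEW
       4        240 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "FW-REJECT: "
       4        240 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 10231 packets, 812000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     tcp  --  *      lo      0.0.0.0/0            0.0.0.0/0            tcp dpt:23
       2        120 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23 reject-with icmp-port-unreachable
EOF
}

# One line per rule with a zero packet counter: "CHAIN rule N (TARGET)".
# N is the position within the chain, the same number that
# "iptables -L --line-numbers" shows and "iptables -D CHAIN N" takes.
unused_rules() {
    awk '
        /^Chain /            { chain = $2; n = 0; next }
        /^ *pkts +bytes/     { next }
        NF >= 3              { n++; if ($1 == 0) printf "%s rule %d (%s)\n", chain, n, $3 }
    '
}

# Total packets per target across all chains, one "TARGET COUNT" line each.
hits_by_target() {
    awk '
        /^Chain /            { next }
        /^ *pkts +bytes/     { next }
        NF >= 3              { hits[$3] += $1 }
        END                  { for (t in hits) print t, hits[t] }
    ' | sort
}
```

On the sample, the INPUT ping rule and the loopback Telnet accept show up as never matched; on a live host, zero the counters with iptables -Z, wait a representative period, and re-run the audit before removing anything.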

2.16.4 See Also

iptables(8), ipchains(8).