Ok. I put these suggestions in place. Now I'll see if I can get in from somewhere else.
Thanks

Brad Davidson ([EMAIL PROTECTED]) wrote:
>
> I used to hang out on the LARTC list, so here's my analysis. Quite
> possibly flawed. You may want to ask the LARTC guys, they eat stuff like
> this for breakfast.
>
> Bob Crandell wrote:
>> Here is rc.iptables:
>> #===================================
>> #!/bin/sh
>>
>> LOOPNET="127.0.0.0/8"
>> LOCALNET="216.239.175.0/24"
>>
>> echo " Clearing existing configuration."
>> /usr/sbin/iptables -P INPUT ACCEPT
>> /usr/sbin/iptables -F INPUT
>> /usr/sbin/iptables -P OUTPUT ACCEPT
>> /usr/sbin/iptables -F OUTPUT
>> /usr/sbin/iptables -P FORWARD ACCEPT
>> /usr/sbin/iptables -F FORWARD
>> /usr/sbin/iptables -F -t nat
>> /usr/sbin/iptables -F logdrop
>> /usr/sbin/iptables -X logdrop
>>
>> echo "Create Drop Chain."
>> /usr/sbin/iptables -N logdrop
>> /usr/sbin/iptables -A logdrop -j LOG --log-level info
>> /usr/sbin/iptables -A logdrop -j DROP
>>
>> echo "INPUT Rule sets."
>> /usr/sbin/iptables -A INPUT -i lo -j ACCEPT
> Accept everything from your loopback addy
>> /usr/sbin/iptables -A INPUT -i eth0 -j ACCEPT
> Accept everything from the adapter
>> /usr/sbin/iptables -A INPUT -i eth0 -s $LOOPNET -j logdrop
> Drop things from loopback network. Except you already jumped to ACCEPT
> for everything via 'lo', so this is never matched
>> /usr/sbin/iptables -A INPUT -i eth0 -d $LOOPNET -j logdrop
> Drop things to loopback network. Except you already jumped to ACCEPT
> for everything via 'lo', so this is never matched
>> /usr/sbin/iptables -A INPUT -i eth0 -s $LOCALNET -j ACCEPT
> Accept everything from the localnet network. Except you already accepted
> things from eth0, so this is never matched
>>
>> echo "Redirect Web traffic through Dan's Guardian"
>> /usr/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 \
>>     -j REDIRECT --to-port 8080
>> #===================================
>>
>> This works, but it lets the whole world in. Not good.
> Indeed it does.
>
> Here's what I would do:
>
> OK_NET1="216.239.175.0/24"
> OK_NET2="64.28.48.0/24"
> OK_HOST1="64.112.226.198"
>
> #flush rules before setting policy
> #also, set a default deny rule. Safer that way...
> iptables -F INPUT
> iptables -P INPUT DROP
> iptables -F FORWARD
> iptables -P FORWARD DROP
> iptables -F OUTPUT
> iptables -P OUTPUT ACCEPT
> iptables -F -t nat
> iptables -F sort
> iptables -X sort
>
> iptables -N sort
> #accept from the OK hosts and nets
> iptables -A sort -s $OK_NET1 -j ACCEPT
> iptables -A sort -s $OK_NET2 -j ACCEPT
> iptables -A sort -s $OK_HOST1 -j ACCEPT
> #everything else is logged and then dropped
> iptables -A sort -j LOG --log-level info
> iptables -A sort -j DROP
>
> #jump to the sorting rule from input and forward.
> #output isn't really worth worrying about IMHO - the
> #unwanted hosts don't get in, so why would there
> #be anything going back to them
> iptables -A INPUT -j sort
> iptables -A FORWARD -j sort
>
> #Finally, we add the shim rule:
> #Sends all inbound port 81 traffic over to 8080
> iptables -t nat -A PREROUTING -i eth0 -p tcp \
>     --dport 81 -j REDIRECT --to-port 8080
>
>
> See how that works. Or maybe I missed the mark entirely. Lemme know.
>
> -Brad
>
> (PS - please forgive me if a dupe of this message is ever posted to the
> list. I accidentally sent the original message from the wrong alias...)
>
> _______________________________________________
> EuG-LUG mailing list
> [EMAIL PROTECTED]
> http://mailman.efn.org/cgi-bin/listinfo/eug-lug
>

--
Bob Crandell
Assured Computing
When you need to be sure.
[EMAIL PROTECTED]
www.assuredcomp.com
Voice - 541-689-9159
FAX - 541-463-1627
Eugene, Oregon
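A worked version of the ruleset discussed in this thread, added here as an example; it is not Bob's rc.iptables or Brad's reply script. Two things follow from the exchange above that neither posted script handles. First, once the INPUT policy is DROP and the only ACCEPTs are for the OK nets, packets on lo are dropped too (local DNS, the filter talking to itself on 8080, anything bound to 127.0.0.1), so lo needs its own ACCEPT before the jump to the sort chain. Second, with OUTPUT open but INPUT limited to the OK nets, replies to the box's own outbound connections (a resolver, a package mirror) from any other address are dropped; a conntrack ESTABLISHED,RELATED rule ahead of the jump fixes that without opening anything to unsolicited traffic. The script also loads the whole policy with iptables-restore, which replaces both tables in one atomic step, so there is no window where the INPUT policy is ACCEPT between the flush and the first rule, as there is in rc.iptables. Assumptions: eth0 is the wire-facing interface, the permitted nets and host are the OK_* values from Brad's post, the web filter listens locally on TCP 8080, and the kernel has the conntrack match available.

```shell
#!/bin/sh
# Added example for the EuG-LUG iptables thread; not either poster's script.
# gen_rules emits a complete ruleset in iptables-restore(8) format so the whole
# policy is loaded atomically.  Assumptions: eth0 faces the wire, OK_* are the
# permitted sources from Brad's post, the web filter listens on local TCP 8080.

OK_NET1="216.239.175.0/24"
OK_NET2="64.28.48.0/24"
OK_HOST1="64.112.226.198"
WAN_IF="eth0"
FILTER_PORT="8080"

gen_rules() {
    # Unquoted heredoc delimiter so the variables above expand into the output.
    # Rule order matters: iptables is first-match, so lo and conntrack ACCEPTs
    # must precede the jump to the sort chain or they are never reached.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:logdrop - [0:0]
:sort - [0:0]
-A logdrop -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-drop: " --log-level info
-A logdrop -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j logdrop
-A INPUT ! -i lo -d 127.0.0.0/8 -j logdrop
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j logdrop
-A INPUT -j sort
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j sort
-A sort -s $OK_NET1 -j ACCEPT
-A sort -s $OK_NET2 -j ACCEPT
-A sort -s $OK_HOST1 -j ACCEPT
-A sort -j logdrop
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 81 -j REDIRECT --to-ports $FILTER_PORT
COMMIT
EOF
}

# Load the ruleset; needs root.  iptables-restore replaces the filter and nat
# tables in a single commit, so the old rules stay in force until the new ones
# are completely in place.
apply_rules() {
    gen_rules | iptables-restore
}

# Print the ruleset when run directly, so it can be reviewed or diffed against
# the live state from iptables-save before applying it.
gen_rules
```

Port 81 connections are rewritten by REDIRECT in PREROUTING to a local destination, so they traverse INPUT, not FORWARD, and are accepted only when the source is one of the OK nets; the filter is therefore not reachable from the rest of the Internet even though it listens on 8080. The LOG rule is rate-limited so a scan cannot fill the log, and the 127/8 rules on non-lo interfaces keep the anti-spoof check from the original rc.iptables, this time placed where it can actually match.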
