
Securing system (was gibraltar, apache and samba at the same machine)



 --> Install the "ipmasq" package. <--

 I already installed that one... I'll put the firewall below

 #!/bin/bash
 echo -n "IPTables Firewall."
 IPTABLES="/sbin/iptables"

 #FLUSH
 echo -n " Flush all tables."
 $IPTABLES --flush                  # Flush all the rules in filter and nat tables
 echo -n "."
 $IPTABLES --table nat --flush
 echo -n "."
 $IPTABLES --delete-chain           # Delete all chains that are not in default filter and nat table
 echo -n "."
 $IPTABLES --table nat --delete-chain
 echo ". done"

 echo -n " Setting up masquerading rules."
 # Set up IP FORWARDing and Masquerading
 $IPTABLES --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
 echo -n "."
 $IPTABLES --append FORWARD --in-interface eth1 -j ACCEPT   # Assuming one NIC to local LAN
 echo ". done"

 echo -n " Setting rules for loopback device."
 # Allow loopback access. This rule must come before the rules denying port access!!
 # This rule is essential if you want your own computer to be able to access
 # itself through the loopback interface
 $IPTABLES -A INPUT -i lo -p all -j ACCEPT
 echo -n "."
 $IPTABLES -A OUTPUT -o lo -p all -j ACCEPT
 echo ". done"

 echo -n " Setting rules for eth0 device."
 # Accept established connections
 $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 echo -n "."
 #$IPTABLES -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset
 #echo -n "."
 # Open ftp port
 $IPTABLES -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
 echo -n "."
 $IPTABLES -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
 echo -n "."
 # Open secure shell port
 $IPTABLES -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
 echo -n "."
 $IPTABLES -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
 echo -n "."
 # Open HTTP port
 $IPTABLES -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
 echo -n "."
 $IPTABLES -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
 echo -n "."
 $IPTABLES -A INPUT -p icmp -i eth0 -j ACCEPT
 echo -n "."

 echo ". done"

 echo -n " Setting rules for eth1 device."
 # Accept all incoming connections from the LAN side
 $IPTABLES -A INPUT -i eth1 -p all -j ACCEPT
 echo ". done"

 echo -n " Drop all other connection attempts."
 # Drop all other connection attempts. Only connections defined above are allowed.
 $IPTABLES -P INPUT DROP
 echo ". done"

 This is the only thing I did to secure my system. I went mad from M$ IIS, so I
 wanted to install apache without knowing anything about Linux. This went fine,
 but my system isn't very secure. It's getting better (I run KDE 3.1), but I
 still don't know very much. So if there are any suggestions, I appreciate
 them very much.

 HTH,
 Willem-Jan Meijer
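Since the mail asks for suggestions: the following is an added example, not part of Willem-Jan's post or of the ipmasq package, for the same two-interface layout (eth0 to the Internet, eth1 to the LAN). It differs from the script above in three ways a reviewer would point out: the default policies are set to DROP before any ACCEPT rule is loaded, so there is no window during startup where everything is open; only TCP is opened for ftp, ssh and http (those services do not use UDP, so the UDP rules above match nothing useful); and FORWARD is restricted to LAN-to-Internet with a basic anti-spoofing check and rate-limited logging of what gets dropped. The LAN range 192.168.1.0/24, the function names and the print-then-apply split are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): stateful host firewall for
# eth0 = Internet, eth1 = LAN. Default-deny first, then explicit ACCEPTs.
# Interface names come from the post; the LAN range is a constructed value.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"      # assumed LAN range
TCP_SERVICES="${TCP_SERVICES:-21 22 80}"  # ftp ssh http: TCP only

# build_rules prints one iptables argument list per line instead of running
# it, so the whole set can be reviewed (or tested) before it is applied.
build_rules() {
    # Default-deny first: nothing not matched below gets in or through.
    echo "-P INPUT DROP"
    echo "-P FORWARD DROP"
    echo "-P OUTPUT ACCEPT"

    # Start from a clean slate (flushing does not reset the policies above).
    echo "-F"
    echo "-t nat -F"
    echo "-X"
    echo "-t nat -X"

    # Loopback must be allowed before anything else is filtered.
    echo "-A INPUT -i lo -j ACCEPT"

    # Stateful: replies and related traffic (e.g. ftp-data) on every interface.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Anti-spoofing: LAN source addresses never legitimately arrive on the WAN side.
    echo "-A INPUT -i $WAN_IF -s $LAN_NET -j DROP"
    echo "-A FORWARD -i $WAN_IF -s $LAN_NET -j DROP"

    # Only NEW SYN packets open a listed TCP service; no UDP for these ports.
    for port in $TCP_SERVICES; do
        echo "-A INPUT -i $WAN_IF -p tcp --syn --dport $port -m state --state NEW -j ACCEPT"
    done

    # Trust the LAN side, let it reach the Internet, masquerade on the way out.
    echo "-A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT"
    echo "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    echo "-t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"

    # Keep ping for diagnostics, but rate-limit it instead of accepting all ICMP.
    echo "-A INPUT -i $WAN_IF -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT"

    # Log (rate-limited) what the DROP policy is about to discard, so probes show up in syslog.
    echo "-A INPUT -i $WAN_IF -m limit --limit 3/min -j LOG --log-prefix FW-DROP:"
}

# apply_rules feeds every line to iptables; needs root. Stops at the first failure.
apply_rules() {
    build_rules | while IFS= read -r rule; do
        # shellcheck disable=SC2086  (word splitting of $rule is intended)
        /sbin/iptables $rule || { echo "failed: iptables $rule" >&2; return 1; }
    done
}

# has_rule: exact-line check used when reviewing the generated set.
has_rule() {
    build_rules | grep -Fxq -- "$1"
}

# Usage: sh firewall.sh        -> print the rule set for review
#        sh firewall.sh apply  -> load it (as root)
case "${1:-print}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Running the script without arguments prints the rule set so it can be read line by line before anything touches the kernel; the order matters, which is why the policies come first and the loopback and ESTABLISHED,RELATED rules come before any port is opened. Because `-F` does not reset chain policies, reloading the script never passes through an all-open state.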


