
Re: hardening checkpoints



Hi,

> > */3 *	* * *	root	iptables -A INPUT -i eth0 -p tcp -s
> > MY_WORKSTATION_IP --dport 22 -j ACCEPT && echo "issued iptables cmd"
> > | mail -a "From: root@${HOSTNAME}" -s "[iptables-keepalive]"
> > my@email_address.com
> >
> > That does 2 things:
> >
> > 1. guarantees my access to the machine no matter how stupid I am
> > configuring shorewall :)
>
> Actually, iptables -A INPUT will _append_ a rule to your INPUT chain
> (iptables(8)), and this won't help you if your connection is matched by
> an earlier blocking rule. To really make sure that you can reach the
> machine after a failed firewall-reconfiguration, replace -A with -I,
> which makes the rule inserted at the head of the chain, and hence, the
> first rule to be matched.

This also won't help you if you lock yourself out with a rule in the mangle or
nat table.

I think
iptables -t mangle -I PREROUTING 1 -i eth0 -p tcp -s $MY_WORKSTATION_IP 
--dport 22 -j ACCEPT

should be the better way to do it your way.


Bernd
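As an added example (not code from anyone in this thread): a cron-safe version of the keepalive rule that inserts at the head of the chain with -I instead of appending, checks with -C first so a run every three minutes does not pile up duplicate rules, and, because an ACCEPT only ends traversal of the table it sits in, installs a copy in the filter, mangle and nat tables rather than in one of them. The interface, the workstation address (a TEST-NET-1 placeholder) and the iptables binary are assumptions set through environment variables.

```shell
#!/bin/sh
# Added example: idempotent ssh keepalive rule for a cron job (not from the thread).
# Assumed placeholders: IFACE, WORKSTATION_IP (TEST-NET-1 address) and IPTABLES.
set -u

IPTABLES="${IPTABLES:-iptables}"
IFACE="${IFACE:-eth0}"
WORKSTATION_IP="${WORKSTATION_IP:-192.0.2.10}"   # constructed placeholder

# Match expression shared by every rule: ssh from the workstation on the admin interface.
rule_match() {
    printf '%s' "-i $IFACE -p tcp -s $WORKSTATION_IP --dport 22 -j ACCEPT"
}

# Table/chain pairs the rule goes into. An ACCEPT only ends traversal of the
# chain it sits in, so a rule in mangle does not protect against a DROP in
# filter (and vice versa); each table gets its own copy at position 1.
KEEPALIVE_CHAINS="filter:INPUT mangle:PREROUTING mangle:INPUT nat:PREROUTING"

# ensure_rule TABLE CHAIN: insert the rule as rule 1 unless it is already
# present (-C exits 0 when a matching rule exists), so repeated cron runs do
# not accumulate duplicates the way plain -A does. Prints what it did.
ensure_rule() {
    table=$1
    chain=$2
    # word-splitting of the match string into separate arguments is intended
    if "$IPTABLES" -t "$table" -C "$chain" $(rule_match) 2>/dev/null; then
        echo "present $table/$chain"
    else
        "$IPTABLES" -t "$table" -I "$chain" 1 $(rule_match) \
            && echo "inserted $table/$chain"
    fi
}

# Walk every table/chain pair; the first run inserts, later runs report "present".
ensure_keepalive() {
    for pair in $KEEPALIVE_CHAINS; do
        ensure_rule "${pair%%:*}" "${pair#*:}"
    done
}

# Only touch the firewall when explicitly asked, e.g. from cron: script apply
if [ "${1:-}" = "apply" ]; then
    ensure_keepalive
fi
```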


