
Re: Securing a Debian 3.0 r0 system, and a few other quick questions . . .



On Saturday 03 August 2002 02:02 pm, Doug MacFarlane wrote:

> 2b.  What is the current thinking on securing port-level access to a host?
>  Wietse Venema's tcpwrapper was king in my day, is it still de rigueur?
> Or do people use iptables or ipchains or ipmasquerading to secure a host
> (NOT a LAN - it's not a firewall (yet) )?

Kernel 2.4.x has iptables built in. I run iptables on all my deb30 servers. 
The servers have very specific functions (file serving to a LAN or web 
serving on the net), so they are easy to lock down. If you are using a 2.2.x 
kernel, you can use ipchains, the firewall logic that came just before iptables. 
Ipchains works just as well for most situations, but has a slightly different 
syntax.

Here's a sample from one of my iptables firewall scripts:

#################################
# FLUSH FIREWALL RULES AND SET DEFAULT POLICIES
#################################

# Start from empty chains. Default policy: drop anything inbound or
# forwarded that no rule below accepts; let the host send freely.
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#################################
# ACCEPT WEB SERVER CONNECTIONS FROM ANYWHERE
#################################

iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 128.173.201.236 --dport 80 -j ACCEPT

#################################
# ACCEPT SECURE WEB SERVER CONNECTIONS FROM ANYWHERE
#################################

iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 128.173.201.236 --dport 443 -j ACCEPT

#################################
# ACCEPT UDP PACKETS FROM VT DNS SERVERS
#################################

# Any UDP from these three resolvers is accepted (there is no --sport 53
# restriction, so this trusts the whole host, not just its DNS service).
iptables -A INPUT -p udp -s 198.82.247.98 -d 128.173.201.236 -j ACCEPT
iptables -A INPUT -p udp -s 198.82.247.66 -d 128.173.201.236 -j ACCEPT
iptables -A INPUT -p udp -s 198.82.247.34 -d 128.173.201.236 -j ACCEPT

#################################
# ACCEPT UDP PACKETS FROM VT NTP SERVERS
#################################

# Hostnames are resolved once, when the rule is loaded, so DNS must be
# reachable at that moment; numeric addresses avoid the dependency.
iptables -A INPUT -p udp -s ntp-1.vt.edu -d 128.173.201.236 -j ACCEPT
iptables -A INPUT -p udp -s ntp-2.vt.edu -d 128.173.201.236 -j ACCEPT

#################################
# ACCEPT LOCALHOST TO LOCALHOST
#################################

iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

By the way, tcpwrappers still work for the inetd daemon.

-- 

Richard B. Tilley (Brad), System Administrator & Web Developer
University of Virginia Tech, Office of the University Bursar
Phone: 540.231.6277
Fax: 540.231.3238
Web: http://bursar.vt.edu
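A hardened version of the script in the message above, added here as an example; it is not Brad's script and did not appear in the thread. It keeps his default-deny INPUT policy and his service rules, but adds a connection-tracking rule so the host's own outbound connections (apt-get, its DNS lookups) get their replies back through INPUT DROP, narrows the DNS and NTP accepts to the service source ports instead of "any UDP from that host", matches loopback by interface rather than by 127.0.0.1, and logs what the default policy drops. The address, resolvers and time servers are carried over from his message as placeholders and are assumptions to replace; the `-m state` and `-m limit` matches assume the ip_conntrack and ipt_limit modules of a 2.4 kernel. Setting `IPT="echo iptables"` prints the rule set instead of loading it, which is how to review it without root.

```shell
#!/bin/sh
# Hardened host firewall. Added example, not the original poster's script.
# Addresses and server lists are placeholders taken from the message above.
#
#   IPT="echo iptables" sh host-fw.sh apply   # print the rules, load nothing
#   sh host-fw.sh apply                        # load them (as root)
#   sh host-fw.sh show                         # list INPUT with packet counters
set -eu

IPT="${IPT:-iptables}"
HOST_IP="${HOST_IP:-128.173.201.236}"
DNS_SERVERS="${DNS_SERVERS:-198.82.247.98 198.82.247.66 198.82.247.34}"
# Hostnames are resolved once, when the rule is loaded; use numeric
# addresses in production so the firewall does not depend on DNS at boot.
NTP_SERVERS="${NTP_SERVERS:-ntp-1.vt.edu ntp-2.vt.edu}"

load_rules() {
    # Flush and default-deny: nothing inbound or forwarded unless a rule
    # below accepts it; outbound is unrestricted, as in the original.
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -F FORWARD
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback by interface: covers all of 127.0.0.0/8, not only 127.0.0.1.
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened (apt-get, outbound DNS, NTP).
    # Without this, INPUT DROP silently breaks every outbound TCP session.
    # Needs the ip_conntrack module on a 2.4 kernel.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Public web service: new TCP connections to 80 and 443 only.
    for port in 80 443; do
        $IPT -A INPUT -p tcp -d "$HOST_IP" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # Explicit accepts for the resolvers and time servers. Redundant once
    # conntrack is tracking our own queries, but they make the trust
    # relationship visible in the listing, and --sport limits it to the
    # service port instead of any UDP those hosts might send.
    for srv in $DNS_SERVERS; do
        $IPT -A INPUT -p udp -s "$srv" --sport 53 -d "$HOST_IP" -j ACCEPT
    done
    for srv in $NTP_SERVERS; do
        $IPT -A INPUT -p udp -s "$srv" --sport 123 -d "$HOST_IP" -j ACCEPT
    done

    # Log what the default policy is about to drop, rate-limited so a
    # port scan cannot fill /var/log.
    $IPT -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "fw-input-drop: "
}

show_rules() {
    # Packet and byte counters per rule show which accepts are actually
    # being hit and how much the default policy is discarding.
    $IPT -L INPUT -n -v --line-numbers
}

case "${1:-}" in
    apply) load_rules ;;
    show)  show_rules ;;
esac
```

After loading, `sh host-fw.sh show` from a second session is the check worth doing before logging out of the first one: a ruleset that has just locked you out of SSH (this example, like the original, accepts no port 22) is easiest to recover from while the original session is still open.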


