Re: Securing a Debian 3.0 r0 system, and a few other quick questions . . .
On Saturday 03 August 2002 02:02 pm, Doug MacFarlane wrote:
> 2b. What is the current thinking on securing port-level access to a host?
> Wietse Venema's tcpwrapper was king in my day, is it still de rigueur?
> Or do people use iptables or ipchains or ipmasquerading to secure a host
> (NOT a LAN - it's not a firewall (yet) )?
Kernel 2.4.x has iptables built in. I run iptables on all my deb30 servers.
The servers have very specific functions (file serving to a LAN or web
serving on the net), so they are easy to lock down. If you are using a 2.2.x
kernel, you can use ipchains, the firewall logic that preceded iptables.
Ipchains works just as well for most situations, but has a slightly different
syntax.
Here's a sample from one of my iptables firewall scripts:
#################################
# FLUSH FIREWALL RULES AND SET DEFAULT POLICIES
#################################
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#################################
# ACCEPT WEB SERVER CONNECTIONS FROM ANYWHERE
#################################
iptables -A INPUT -j ACCEPT -p tcp -d 128.173.201.236 -s 0.0.0.0/0 --dport 80
#################################
# ACCEPT SECURE WEB SERVER CONNECTIONS FROM ANYWHERE
#################################
iptables -A INPUT -j ACCEPT -p tcp -d 128.173.201.236 -s 0.0.0.0/0 --dport 443
#################################
# ACCEPT UDP PACKETS FROM VT DNS SERVERS
#################################
iptables -A INPUT -j ACCEPT -p udp -d 128.173.201.236 -s 198.82.247.98
iptables -A INPUT -j ACCEPT -p udp -d 128.173.201.236 -s 198.82.247.66
iptables -A INPUT -j ACCEPT -p udp -d 128.173.201.236 -s 198.82.247.34
#################################
# ACCEPT UDP PACKETS FROM VT NTP SERVERS
#################################
iptables -A INPUT -j ACCEPT -p udp -d 128.173.201.236 -s ntp-1.vt.edu
iptables -A INPUT -j ACCEPT -p udp -d 128.173.201.236 -s ntp-2.vt.edu
#################################
# ACCEPT LOCALHOST TO LOCALHOST
#################################
iptables -A INPUT -j ACCEPT -d 127.0.0.1 -s 127.0.0.1
By the way, tcpwrappers still work for the inetd daemon.
--
Richard B. Tilley (Brad), System Administrator & Web Developer
University of Virginia Tech, Office of the University Bursar
Phone: 540.231.6277
Fax: 540.231.3238
Web: http://bursar.vt.edu
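An added example, not part of the original post: a small POSIX sh audit of an iptables rule list like the one above. It flags ACCEPT rules that name tcp or udp but pin neither --dport nor --sport (the DNS and NTP rules in the script accept any UDP datagram from those hosts), checks whether any rule uses connection tracking, and prints a tightened form. SAMPLE_RULES is a constructed excerpt modelled on the post; the hostnames and addresses are the ones it shows.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a list of iptables
# commands: reports tcp/udp ACCEPT rules with no port match and checks for
# a connection-tracking rule. SAMPLE_RULES is a constructed excerpt.

SAMPLE_RULES='iptables -A INPUT -j ACCEPT -p tcp -d 128.173.201.236 -s 0.0.0.0/0 --dport 80
iptables -A INPUT -j ACCEPT -p tcp -d 128.173.201.236 -s 0.0.0.0/0 --dport 443
iptables -A INPUT -j ACCEPT -p udp -d 128.173.201.236 -s 198.82.247.98
iptables -A INPUT -j ACCEPT -p udp -d 128.173.201.236 -s ntp-1.vt.edu
iptables -A INPUT -j ACCEPT -d 127.0.0.1 -s 127.0.0.1'

# Print the ACCEPT rules that specify tcp or udp but neither --dport nor --sport.
broad_accepts() {
    printf '%s\n' "$1" | grep -- '-j ACCEPT' | grep -E -- '-p (tcp|udp)' \
        | grep -v -E -- '--[ds]port' || true
}

# Number of such rules; 0 means nothing to flag.
count_broad_accepts() {
    broad_accepts "$1" | awk 'END { print NR }'
}

# Exit 0 if any rule uses the state match (connection tracking), else 1.
has_state_rule() {
    printf '%s\n' "$1" | grep -q -- '-m state'
}

# Tighter form of a source-only UDP rule: the remote port is pinned and only
# replies to queries this host itself sent are accepted. $1 = server, $2 = port.
# (Newer iptables spells the match -m conntrack --ctstate; -m state still works.)
tightened_udp_rule() {
    printf 'iptables -A INPUT -j ACCEPT -p udp -s %s --sport %s -m state --state ESTABLISHED\n' "$1" "$2"
}

# Report for the constructed sample.
echo "Broad tcp/udp ACCEPT rules: $(count_broad_accepts "$SAMPLE_RULES")"
broad_accepts "$SAMPLE_RULES"
if ! has_state_rule "$SAMPLE_RULES"; then
    echo "No connection-tracking rule found; a stateful return-traffic rule would be:"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
fi
echo "Tightened replacements for the source-only UDP rules:"
tightened_udp_rule 198.82.247.98 53
tightened_udp_rule ntp-1.vt.edu 123
```

Feed it the real script with `broad_accepts "$(cat firewall.sh)"` to audit the whole rule set rather than the sample.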