Re: easiest way to shut down all network services besides ssh?
Mart van de Wege wrote:
> Reco <recoverym4n@gmail.com> writes:
>
>> The simplest *working* solution is to use iptables this way:
>>
>> iptables -F INPUT
>> iptables -A INPUT -i lo -j ACCEPT
>> iptables -A INPUT -p icmp -j ACCEPT
Too permissive. Allow only safe error types (i.e.
destination-unreachable, time-exceeded and parameter-problem but NOT
redirect or source-quench) in the RELATED state.
>> iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Too restrictive. If you allow any protocol outbound, you must allow any
protocol reply inbound.
>> iptables -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
>> iptables -P INPUT DROP
>> iptables -F OUTPUT
>> iptables -P OUTPUT ACCEPT
>>
>>
>> Your rules will block anything on the interface lo and outbound traffic,
>> which is just asking for all kinds of trouble. And blocking icmp is just
>> rude ;)
No. Blocking /valid/ ICMP /error/ packets is rude and may cause trouble.
You may happily and safely drop any other ICMP packets.
> Outbound traffic is not necessary, surely?
Of course it is. At least reply packets to incoming SSH packets.
> The
> RELATED,ESTABLISHED rule is only for stupid protocols like FTP, that
> like to open new outbound connections in response to inbound requests.
Wrong. ESTABLISHED is for all connection-oriented protocols like TCP and
SCTP, but also some UDP-based protocols such as DNS, and ICMP echo
(ping). RELATED is also for ICMP error messages. Useful to get the
replies from an outgoing traceroute.
> Then again, chain OUTPUT defaults to ACCEPT anyway.
>
> Mart
>
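The ruleset the reply argues for, written out as an added example (not from any poster in this thread): loopback open, ESTABLISHED accepted for every protocol rather than TCP only, RELATED limited to the three ICMP error types named above, new SSH allowed, and the DROP policy applied last. It assumes iptables with the conntrack and icmp matches; the IPT variable and the dry-run mode are this example's own conventions, so `IPT=echo` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes iptables with the
# conntrack and icmp match extensions. IPT is an assumption of this
# script: set IPT=echo to print the rules instead of applying them.

ssh_only_firewall() {
    ipt="${IPT:-iptables}"

    # Start from an empty INPUT chain; OUTPUT stays wide open, as in the thread.
    "$ipt" -F INPUT
    "$ipt" -P OUTPUT ACCEPT

    # Loopback must always be allowed.
    "$ipt" -A INPUT -i lo -j ACCEPT

    # Replies to anything we sent, for every protocol (TCP, UDP/DNS, ICMP echo, SCTP).
    # Restricting this to "-p tcp" would break the replies of all non-TCP traffic.
    "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # ICMP errors tied to our own connections: only the safe error types.
    # redirect and source-quench are deliberately absent.
    for t in destination-unreachable time-exceeded parameter-problem; do
        "$ipt" -A INPUT -p icmp --icmp-type "$t" -m conntrack --ctstate RELATED -j ACCEPT
    done

    # New inbound SSH connections.
    "$ipt" -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # Set the default policy last, so an existing SSH session is already
    # covered by the ESTABLISHED rule when everything else starts being dropped.
    "$ipt" -P INPUT DROP
}

# Usage: sh fw.sh apply      (runs iptables)
#        sh fw.sh dry-run    (prints the rules)
case "${1:-}" in
    apply)   ssh_only_firewall ;;
    dry-run) IPT=echo; ssh_only_firewall ;;
esac
```

The order matters on a remote box: the flush and the ESTABLISHED rule come before the policy change, and every other ICMP type (echo-request included) falls through to the DROP policy, which is what the reply calls safe to drop.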