<0> trappist~ :)
<0> huh
<1> you don't want all those ports open
<0> if you portscan me they are stealth.
<0> trappist~ do you want to ?
<1> what makes you think that?
<0> the grc.com . also i scan myself
<1> ACCEPT doesn't make them stealth
<0> policy DROP
<1> but the policy only gets used if there's no matching rule, and you have rules to accept almost all ports!
<0> trappist~ can you make a portscan to me ?
<1> doing it now
<0> ok
<1> but if grc says you're stealth, and those are your rules, you must have a router between you and the internet
<0> trappist~ i use nmap -v -sT -P0 -p- localhost
<1> scanning localhost doesn't count
<1> you have to scan from the outside
<0> trappist~ no i haven't.. i am behind a 56K modem
<0> :(
<1> most of your rules are for ppp0 and localhost doesn't go through ppp0
<0> trappist~ also instead of localhost use the real ip of ppp0
<1> it really isn't a valid scan unless you do it from the outside
<0> ok.. you do it for me :)
<1> it's scanning now
<0> and i am glad about that :)
<1> brb, smoke
<0> glad
<0> also do you know what i dont understand on the iptables-save that i pasted to you ?
<0> the last rule of the input: "-A INPUT -i ppp0 -j REJECT --reject-with icmp-port-unreachable"
<0> is there any reason for that ??
<0> trappist~ ?
<2> somebody said trappist~ was it correct ?
<0> trappist~ ?
<2> well, trappist~ is it correct ?
<0> huh.. bot
<1> yeah she's a bot
<0> trappist~ do you give a look at that rule ?
<1> ah I didn't see that. that one rule means ALL the other rules for ppp0 are ignored
<1> so, all your ports are listed as closed on my scan
<1> closed is not stealth :)
<1> wait...
<0> trappist~ what command did you use ?
<0> for the scan
<1> ok I misread that rule...
<1> I just said nmap yourip
<1> nothing special
<0> ok
<0> does that rule do anything ? cause i already have policy DROP
<1> again, your policy only works on packets that don't match any rules. since that's a catch-all rule, your policy is never used.
<3> http://nothingmuch.woobling.org/bandwidth.html
<0> ok i got it
<0> something last..!
<0> from where are the rules read? from top to bottom or in reverse?
<0> bottom
<1> every time you say -A INPUT a rule is added to the end. if you use -I INPUT instead, the rule goes at the beginning. then the rules are read from top to bottom.
<0> cause when i add a rule with -A: ex: iptables -A INPUT -j MyNewChain
<0> the next rules to the MyNewChain dont work. if i do the same command with -I .. it works.
<1> right.
<0> why is this happening ?
<1> what you want to do is put your rules into a script. the first thing the script should do is flush your rules, then it will rebuild them from scratch.
<1> because when you say -A, the rule goes at the end - so if a packet matches a rule BEFORE the new rule, which it will, it will use that rule and stop going through the rules.
<0> cool :)
<0> also.. if i dont want my computer to be able to send any packet to my brother's computer with 192.168.1.5 i can use that command ?
<0> iptables -I OUTPUT -d 192.168.1.5 -j REJECT
<1> yes
<0> and if i dont want to receive a packet from him . iptables -I INPUT -s 192.168.1.5 -j REJECT
<1> yes
<0> ok.
<0> now what ports i must have open ?
<0> ex: web browsing? 1024:5999
<0> ?
<1> any ports you want to run servers on and be available from the internet
<1> no ports if you aren't running servers
<1> just do this:
<1> iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
<0> what will it do exactly? i know but not exactly
<0> :(
<0> allow established connections and related
<1> it will allow packets that belong to established or related connections, which means...
<1> when you make a connection to, say, a website, the packets that come back from that website will be allowed, because you started the connection. but if you don't open any ports, people can't start connections to you.
<0> i dont have that rule
<0> i have that one only for the eth0
<0> i must add that one ?
<1> 09:37
<0> -A FORWARD -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
<1> you have it on your FORWARD chain, but you want it on the INPUT chain (with no -o option)
<0> i got it..
<0> oops trappist must go.. i'll be back in 15'
<0> you will be here?
<0> trappist~ thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks thanks for the help :) :) :)
<1> probably
<0> ill be back
<0> :)
<0> lo
<0> trappist~ ?
<2> trappist~ is, like, it correct
<1> hi
<1> brb
<0> continue the lesson ?
<1> what else do you need to know?
<0> do you have time ?
<1> I'm working, but I can peek at irc now and then
<0> ok: if i allow accept to ex: port 22 and dont have any server running there.. is this a security issue?
<1> not if you're *sure* you don't have a server running there, but basically it is. here's why...
<1> maybe your distro (like a lot of distros) automatically starts servers if you install them. maybe you install some package that depends on ssh so it gets installed automatically, so all of a sudden it's running and you don't even know it, and there's a hole in your firewall.
<1> so if you're not running ssh, don't open the port.
<0> so is that suggested: iptables -I INPUT -j REJECT ; iptables -I INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
<0> if you dont run any server..!!
<1> use DROP for INPUT, REJECT for OUTPUT
<1> or don't filter OUTPUT at all - I don't
<1> otherwise, yes.
<0> ok.. what about the "-A INPUT -i ppp0 -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT"
<1> don't do that
<1> that will allow any valid packet
<0> reason ?
<0> so why not add it ?
<1> you could say -I INPUT -i ppp0 -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP, and that would drop all invalid packets
<1> you don't want to allow all valid packets - only valid packets that should get through.
<0> when you say invalid packets ?
<0> or valid.. all the packets i think that is valid or invalid :)
<1> when I say invalid, I mean packets with invalid combinations of tcp flags. for example, no valid packet has both the SYN and ACK flags, or SYN and RST, or ACK and RST, etc.
<0> i get it :)
<1> but really, you don't need to worry about that
<1> because the only packets that will get through are ones associated with connections that you started.
<1> if you're not running any servers and you're not acting as a router (like, for your brother's computer), you only need those first two rules
<0> and when will i need the tcp flags.. ?
<1> you don't have to worry about them
<0> add the rule or not ?
<1> you'll only get invalid packets like that if somebody is scanning you, and all those packets will be dropped anyway
<1> nope
<0> also add policy DROP
<1> yes
<1> actually you could get away with just one rule - the ESTABLISHED,RELATED one. then anything that doesn't get allowed by that will get DROPed by your policy.
<0> trappist~ also i have a script for firewall.. have you time to send it to you to give it a look ? i found it very complex cause it has a lot of chains
<0> :)
<1> make it simpler! you only need one, maybe two rules
<1> start it off like this: http://linuxkungfu.org/files/scripts/flush
<1> that way your rules will get flushed first
<0> trappist~ it says that it has support for DOS and things like that.. i don't know them. :) dont want to DOS anyone! :)
<1> what does? your script?
<0> not mine..
<1> it probably means that it will help protect you against a DOS, but that's not really true
<0> wait to send it to you
<1> there's not much you can do about it
<0> can i dcc it to you ?
<1> my dcc doesn't work so well
<1> gr***hopper@linuxkungfu.org
<0> mail it ?
<1> sure
<0> ok done
<0> i am leaving.. trappist thanks for your help and the time you spent helping me :)