Chris is still confused
Mike Kallies
mgjk-cpI+UMyWUv9BDgjK7y7TUQ at public.gmane.org
Mon Dec 1 21:17:39 UTC 2003
Kevin Cozens wrote:
> At 02:07 PM 12/01/2003 -0500, Teddy Mills wrote:
>
>> All I want to is stop everything coming in, and allow ports 22,25,53,80.
>>
>> Can someone post a generic one? Amazingly, this is not easy to find.
>> My script is 95% there, but that last 5% will be difficult.
>> Might be easier to work with a new script.
>
> [snip]
>
>> I want to start by not allowing anything, and then allowing only
>> 22,25,53,80.
>
>
> You might want to check out the MonMotha script at:
> http://monmotha.mplug.org/firewall/index.php
>
> It is the script I am using on a couple of machines. It denies
> everything except for what you tell it to allow. It is easily configured
> by setting the contents of a few variables near the start of the script.
On the subject of allowing 53, something which has always bothered me
about a lot of these scripts (from monmotha):
for server in ${DNS} ; do
${IPTABLES} -t filter -A INETIN -p udp -s ${server} --sport 53 -j UDPACCEPT
echo -n "${server} "
done
Is it still possible these days to look up your victim's ISP's DNS
servers, and send a source-port, source-ip spoofed UDP packet to any
port on the machine? Provided that the malicious person is using an ISP
which would let out any source-spoofed traffic which obviously could not
have legitimately originated from within their network?
Then you use that to attack a vulnerable service, to do something like
an overflow attack to kill whatever was on a permitted port and open a
shell on it.
They specify that this is "only for zone transfers"; I guess regular DNS
queries are covered by:
echo -n "Allowing established outbound connections back in..."
${IPTABLES} -t filter -A INETIN -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "done"
I haven't hacked around with this stuff in a long time though :-(
Just be super careful with 'deny all' inbound source-port 53 firewall
configurations.
-Mike
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
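A constructed illustration of the distinction raised above, added here and not from the original thread or the MonMotha script: the stateless `--sport 53` accept is modelled as a predicate on a datagram, the `--state ESTABLISHED` match as a minimal connection tracker. Addresses, ports and the tracker class are assumptions; real conntrack handles UDP timeouts and NEW state that this toy omits.

```python
"""Constructed example: stateless source-port-53 accept vs. an
ESTABLISHED-style match. Not code from the post or from MonMotha."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


DNS_SERVERS = {"192.0.2.53"}   # constructed: the resolver listed in ${DNS}
HOST = "198.51.100.10"         # constructed: the firewalled host


def stateless_accept(pkt: Packet) -> bool:
    """Mirrors '-p udp -s ${server} --sport 53 -j UDPACCEPT': any UDP
    datagram claiming the resolver's address and port 53 is admitted,
    whatever local port it targets. Nothing checks that we ever asked."""
    return pkt.proto == "udp" and pkt.src in DNS_SERVERS and pkt.sport == 53


class ConnTracker:
    """Toy stand-in for '-m state --state ESTABLISHED': remember outbound
    datagrams and only admit a reply whose 5-tuple is the mirror image."""

    def __init__(self) -> None:
        self._open: set = set()

    def outbound(self, pkt: Packet) -> None:
        self._open.add((pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def established_accept(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self._open


def evaluate(pkt: Packet, tracker: ConnTracker) -> dict:
    return {"stateless": stateless_accept(pkt),
            "stateful": tracker.established_accept(pkt)}


def demo() -> dict:
    tracker = ConnTracker()
    # A real query from an ephemeral port, then the genuine reply to it.
    tracker.outbound(Packet(HOST, 40001, "192.0.2.53", 53))
    reply = Packet("192.0.2.53", 53, HOST, 40001)
    # An unsolicited datagram forging the resolver's address and port 53,
    # aimed at some other local UDP port: the case the post worries about.
    unsolicited = Packet("192.0.2.53", 53, HOST, 111)
    return {"reply": evaluate(reply, tracker),
            "unsolicited": evaluate(unsolicited, tracker)}
```

Both rules pass the genuine reply; only the stateless one also passes the unsolicited datagram, which is why the `ESTABLISHED,RELATED` rule alone is the safer way to let resolver answers back in.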