cheated with RH LOKKIT -

Ilya Palagin ilyapalagin-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org
Wed Mar 24 22:14:14 UTC 2004


David Kreuter wrote:
> I am running RH 9 with 2 networks, 24.x.x.x and private 192.168.1.0/24.
> Want to protect the computer from bad guys.
> Studied Madison's paper, played around, some good results. Thanks!
> Used Lokkit and augmented with a few commands.
> Will the following table protect my linux computer from internet bad guys?
> I have opened SSH, FTP, and HTTP port. Would like to keep SSH and FTP open
> from the internet but for time being close HTTP from the internet but still
> allow it from the 192.
> Any comments or suggestions on the following iptable?
> hope my goals are clear.
> David
> 
> 
> # Generated by iptables-save v1.2.7a on Wed Mar 24 21:05:04 2004
> *filter
> :INPUT ACCEPT [28:30356]
> :FORWARD ACCEPT [97:19923]
> :OUTPUT ACCEPT [13615:860396]
Change default policy to DENY. Currently no packets are filtered.

> :RH-Lokkit-0-50-INPUT - [0:0]
> -A INPUT -j RH-Lokkit-0-50-INPUT
> -A FORWARD -j RH-Lokkit-0-50-INPUT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i eth0 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i eth1 -p udp -m udp --sport 67:68 --dport 67:68 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -s 24.153.22.195 -p udp -m udp --sport 53 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -s 24.153.22.67 -p udp -m udp --sport 53 -j ACCEPT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
> -A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
> COMMIT
> 
> # Completed on Wed Mar 24 21:05:04 2004
> # Generated by iptables-save v1.2.7a on Wed Mar 24 21:05:04 2004
> *nat
> :PREROUTING ACCEPT [95:6907]
> :POSTROUTING ACCEPT [242:14512]
> :OUTPUT ACCEPT [241:14460]
> -A POSTROUTING -o eth1 -j MASQUERADE
> COMMIT
> # Completed on Wed Mar 24 21:05:04 2004
> 
> -- 
> The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
> 
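The quoted ruleset, audited for the points raised in this thread (ACCEPT default policies, and tcp/80 reachable from any source although the goal was LAN-only). This is an added Python example, not code from either poster; parse_filter, opt and audit are names chosen here, and the embedded sample is the post's *filter table with the line wraps joined and the FTP, DHCP and DNS rules left out.

```python
import shlex

# Constructed sample: the post's *filter table, line wraps joined, FTP/DHCP/DNS rules omitted.
SAMPLE = """\
*filter
:INPUT ACCEPT [28:30356]
:FORWARD ACCEPT [97:19923]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

def parse_filter(dump):
    # Returns ({chain: policy}, [rule token lists]) for the *filter table only.
    policies, rules, table = {}, [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy  # "-" marks a user-defined chain
        elif table == "filter" and line.startswith("-A "):
            rules.append(shlex.split(line)[1:])
    return policies, rules

def opt(tokens, flag):  # value following a flag in a rule, or None if absent
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def audit(dump):
    policies, rules = parse_filter(dump)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) == "ACCEPT":
            # Traffic the Lokkit chain neither ACCEPTs nor REJECTs (ICMP, non-SYN TCP, ...) falls through.
            findings.append(f"{chain} default policy is ACCEPT; set it to DROP")
    for r in (r for r in rules if opt(r, "-j") == "ACCEPT"):
        if opt(r, "--dport") == "80" and opt(r, "-s") is None:
            findings.append("tcp/80 accepted from any source; add -s 192.168.1.0/24")
        iface = opt(r, "-i")
        if iface not in (None, "lo") and "-p" not in r and "-s" not in r:
            findings.append(f"all traffic arriving on {iface} is accepted unconditionally")
    return findings
```

Run audit() on the output of iptables-save to list the findings; it should return an empty list once the policies are DROP and the tcp/80 and eth0 rules carry a -s restriction.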
