08-23-2012, 07:38 AM
"asronchetti@libero.it"

Bug#683807: #684807, iptables config, sysctl.conf, rc.local

Hi,
just to be more precise, I include here my iptables config, sysctl.conf, and I
list the rc.local stuff.
Is it possible that I made some mess in some of these files and that caused the
crashes that follow me on many systems (wheezy, stable)?


Iptables firewall config:

#!/bin/sh

sysctl net.netfilter.nf_conntrack_acct=1

# Variables

IPTABLES=/sbin/iptables

WAN_IFACE="ath0 eth0"

if [ "$1" = "start" ]; then
echo "Starting Firewall"

# Flush Current Rules
$IPTABLES -F
$IPTABLES -X # delete all user-defined chains

echo 1 > /proc/sys/net/ipv4/tcp_syncookies # DoS Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Disable responding to ping broadcasts
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter # disable spoofing on all interfaces


# Set Default Rules for Chains

$IPTABLES -P INPUT DROP # Drop every packet from the outside
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow requested INPUTS

# Accept local requests
$IPTABLES -P OUTPUT ACCEPT

# Drop since NAT protocol is not required
$IPTABLES -P FORWARD DROP

#allow src==dst==lo
$IPTABLES -A INPUT -i lo -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -s 127.0.0.1 -j ACCEPT

$IPTABLES -A INPUT -p tcp -m tcp --dport 6000 -j DROP
$IPTABLES -A OUTPUT -p tcp -m tcp --sport 6000 -j DROP



cat /root/stop6 |ip6tables-restore

# Section to open desired ports

# Open Ports for SSH and HTTP
#$IPTABLES -A INPUT -i $WAN_IFACE -p TCP --destination-port 22 -j ACCEPT

#$IPTABLES -A INPUT -i $WAN_IFACE -p TCP --destination-port 80 -j ACCEPT

elif [ "$1" = "stop" ]; then
echo "Firewall Halted"
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -A INPUT -p tcp -m tcp --dport 6000 -j DROP
$IPTABLES -A OUTPUT -p tcp -m tcp --sport 6000 -j DROP

elif [ "$1" = "status" ]; then
$IPTABLES -L -v -n

else
echo "usage: $0 start|stop|status"
fi
#iptables -A INPUT -p tcp -m tcp --dport 6000 -j DROP;iptables -A OUTPUT -p tcp -m tcp --sport 6000 -j DROP

-----------------------------





/etc/sysctl.conf:

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

###################################################################
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
net.ipv4.conf.all.log_martians = 1
#




net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv4.ip_default_ttl = 128
net.ipv4.conf.eth0.accept_source_route = 0
net.ipv4.conf.wlan0.accept_source_route = 0
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.eth0.disable_ipv6 = 1
net.ipv6.conf.wlan0.disable_ipv6 = 1

--------------------------



/etc/rc.local calls some scripts to set the firewall and bring eth0 up; it
removes two modules (the cam and the joystick modules), removes the dhcp-fail
network (169.254.0.0/16), mounts the ramdisk (1 GB) and then calls ethtool to fix
the "UDP checksum fail" issue of my net card:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.


/root/./btfirewall.sh start
/root/./btfirewall.sh start

/root/./upnet

modprobe -r uvcvideo;modprobe -r joydev


route del -net 169.254.0.0/16

/root/./IL-RDISK-1G

ethtool -K eth0 rx off


exit 0
------------------


These files are the only customisation I did on this machine. I use these files
both in squeeze and wheezy.

I hope this can help to further investigate on this issue.


bye
Asdrubale


--
To UNSUBSCRIBE, email to debian-kernel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/21033708.7973131345707495723.JavaMail.defaultUser@defaultHost
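The sysctl.conf quoted above leaves the rp_filter and SYN-cookie lines commented out while the firewall script sets the same knobs by writing to /proc/sys, so the file on disk and the running kernel can disagree. The POSIX sh script below is an added example, not code from the bug report, from Debian or from the poster: it parses a sysctl.conf-style file the way sysctl -p reads it (lines starting with '#' or ';' are comments, 'net/ipv4/...' is an alias for 'net.ipv4....', last assignment wins), checks it against the hardening keys that the stock Debian comments describe, and prints the running value from /proc/sys where that is readable. The sample file it audits is constructed for the demo, trimmed from the one in the post; the function names are assumptions of this example.

```shell
#!/bin/sh
# Audit a sysctl.conf-style file against a small hardening baseline.
# Added example for this page; not part of the original bug report.
# Assumed: POSIX sh, awk, tr, mktemp; the sample file below is constructed.

# Print the value of KEY ($2) from FILE ($1), using only uncommented
# "key = value" lines.  Slashes in the key are normalised to dots, and the
# last assignment wins, as with sysctl -p.  Prints nothing if KEY is unset.
active_value() {
  awk -v key="$2" '
    /^[ \t]*[#;]/ { next }                 # comment line
    /^[ \t]*$/    { next }                 # blank line
    {
      eq = index($0, "=")
      if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      gsub("/", ".", k)
      if (k == key) val = v
    }
    END { if (val != "") print val }
  ' "$1"
}

# Value the running kernel has for KEY, if /proc/sys is readable.  An rc
# script doing "echo 1 > /proc/sys/..." or a later sysctl.d snippet can
# leave the kernel in a different state than the file, so compare both.
effective_value() {
  path="/proc/sys/$(printf '%s' "$1" | tr . /)"
  if [ -r "$path" ]; then cat "$path" 2>/dev/null || :; fi
}

# One line per baseline key: OK / MISMATCH / MISSING, plus the running
# value in brackets when it can be read.  The baseline is the set of
# settings that the comments in Debian's stock sysctl.conf recommend.
audit_sysctl_conf() {
  file=$1
  while read -r key want; do
    [ -n "$key" ] || continue
    got=$(active_value "$file" "$key")
    eff=$(effective_value "$key")
    [ -n "$eff" ] && eff=" [running: $eff]"
    if [ -z "$got" ]; then
      printf 'MISSING  %s (want %s)%s\n' "$key" "$want" "$eff"
    elif [ "$got" != "$want" ]; then
      printf 'MISMATCH %s = %s (want %s)%s\n' "$key" "$got" "$want" "$eff"
    else
      printf 'OK       %s = %s%s\n' "$key" "$got" "$eff"
    fi
  done <<'EOF'
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.tcp_syncookies 1
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.log_martians 1
EOF
}

# Constructed sample, trimmed from the sysctl.conf quoted in the post.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
#net.ipv4.tcp_syncookies=1
; send_redirects left at the kernel default here
#net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1
net/ipv4/conf/default/accept_source_route = 0
net.ipv4.ip_default_ttl = 128
net.ipv6.conf.default.disable_ipv6 = 1
EOF

audit_sysctl_conf "$SAMPLE"
```

On the sample this reports two OK lines (accept_redirects, log_martians) and five MISSING ones, including both rp_filter keys and tcp_syncookies, which the firewall script above turns on through /proc/sys rather than through this file; the bracketed running value makes that difference visible on a live host. To audit a real machine, point audit_sysctl_conf at /etc/sysctl.conf and each /etc/sysctl.d/*.conf file in turn, remembering that the last file sysctl loads wins for any key set more than once.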