Old 12-11-2007, 02:39 PM
 
Hardening a laptop for travel

Harry wrote:

>> Wait... I'm pretty sure there are a few lines of IPTABLES code that
>> will do what you want.
>>
>> I remember using something with IPTABLES that made any connections
>> from internet only happen in response to requests from your localhost.
>> I don't remember the lines now but someone might post it.

Mick replied:

> The lines already posted will do just that. If you want to additionally stop
> any intruder spoofing a localhost address on your NIC and getting in you
> could add:
>
> iptables -A INPUT -i !eth0* -j ACCEPT

OOPs... I took your earlier comment (below) to be applied to what was posted
but I see now you were only referencing a single line:
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

Andry F. wrote:

>>> iptables -P INPUT DROP
>>> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Mick replied:

>>> iptables -P INPUT DROP
>>> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
>>> iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

>> This line is only needed if you want to forward packets to another
>> iface/device (i.e. when your laptop is acting as a router and the input
>> interface is eth0).

[...]

Thanks for the <snipped> other pointers

--
gentoo-user@gentoo.org mailing list
 
Old 12-13-2007, 01:25 PM
Grant
 
Hardening a laptop for travel

> > I don't know, now that I've set up shorewall on my router it seems
> > like a simple matter to set it up on another machine. I should only
> > need to edit a few config files with very light additions.
> >
> > - Grant
>
> Understand - to be honest I have moved to shorewall on almost all my
> machines for uniformity, even though its rather more complex than
> needed.
>
>
> BillK

How does this /etc/shorewall/rules look for my router?

DNS/ACCEPT $FW net
Ping/REJECT net $FW
DNAT net loc:192.168.0.3 tcp 50000
DNAT net loc:192.168.0.3 udp 50000
ACCEPT $FW loc icmp
ACCEPT $FW net icmp

Does this reject ssh requests from the net zone or do I need to
specify that? It looks like maybe there is another set of basic
ACCEPT/REJECT configs that this is modifying. Does anyone know which
file that might reside in? If this looks good I'll set up something
similar on the laptop.

- Grant
--
gentoo-user@gentoo.org mailing list
 
Old 12-13-2007, 02:53 PM
Grant
 
Hardening a laptop for travel

> > > I don't know, now that I've set up shorewall on my router it seems
> > > like a simple matter to set it up on another machine. I should only
> > > need to edit a few config files with very light additions.
> > >
> > > - Grant
> >
> > Understand - to be honest I have moved to shorewall on almost all my
> > machines for uniformity, even though its rather more complex than
> > needed.
> >
> >
> > BillK
>
> How does this /etc/shorewall/rules look for my router?
>
> DNS/ACCEPT $FW net
> Ping/REJECT net $FW
> DNAT net loc:192.168.0.3 tcp 50000
> DNAT net loc:192.168.0.3 udp 50000
> ACCEPT $FW loc icmp
> ACCEPT $FW net icmp
>
> Does this reject ssh requests from the net zone or do I need to
> specify that? It looks like maybe there is another set of basic
> ACCEPT/REJECT configs that this is modifying. Does anyone know which
> file that might reside in? If this looks good I'll set up something
> similar on the laptop.
>
> - Grant

I was looking for the /etc/shorewall/policy file. Something weird
though. I have this in my policy file:

net $FW DROP
net loc DROP
net all DROP

And yet I'm able to ssh from a machine on the local network to the
router via the external IP address. Does the router still know I'm
coming from the inside and thus allow it or is something wrong here?

- Grant
--
gentoo-user@gentoo.org mailing list
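To make concrete how Shorewall arrives at a verdict for the rules and policy files quoted above (the rules file is consulted first and the first match wins; only when no rule matches does the policy file decide; and a packet's source zone is the zone of the interface it arrived on, not something derived from the destination address), here is an added example in Python. It is not code from the thread or from the Shorewall project. It assumes a constructed interface-to-zone mapping (eth0 = net, eth1 = loc), a reduced expansion of the DNS and Ping macros, and two policy lines (loc $FW ACCEPT, all all REJECT) that Grant's post does not show; DNAT rules are matched on source zone, protocol and port only, and everything else is simplified.

```python
"""Constructed model of Shorewall's verdict order for the files quoted in
the thread: /etc/shorewall/rules is consulted first and the first matching
rule wins; only if no rule matches does /etc/shorewall/policy decide.
This is a simplified illustration, not Shorewall's own code."""

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Reduced expansion of the two macros used in the rules file (assumption:
# the real macro files under /usr/share/shorewall/ carry more entries).
MACROS = {
    "DNS": [("tcp", "53"), ("udp", "53")],
    "Ping": [("icmp", "8")],          # ICMP echo-request
}

# Constructed interface -> zone assignment (what /etc/shorewall/interfaces
# supplies on a real install).  A packet's source zone comes from the
# interface it arrived on; the firewall's own traffic is zone $FW.
ZONE_OF_IFACE = {"eth0": "net", "eth1": "loc"}

# Grant's rules file, verbatim.
RULES_TEXT = """
DNS/ACCEPT $FW net
Ping/REJECT net $FW
DNAT net loc:192.168.0.3 tcp 50000
DNAT net loc:192.168.0.3 udp 50000
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
"""

# Grant's three policy lines plus two constructed ones (assumption: his
# post does not show what he has for loc -> $FW or as a catch-all).
POLICY_TEXT = """
net $FW DROP
net loc DROP
net all DROP
loc $FW ACCEPT
all all REJECT
"""


@dataclass(frozen=True)
class Rule:
    action: str
    src: str
    dst: str
    proto: Optional[str]
    dport: Optional[str]


def parse_rules(text: str) -> List[Rule]:
    """Parse ACTION SOURCE DEST [PROTO [DPORT]] lines, expanding MACRO/ACTION."""
    rules: List[Rule] = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        action, src, dst = f[0], f[1], f[2]
        proto = f[3] if len(f) > 3 else None
        dport = f[4] if len(f) > 4 else None
        if "/" in action:                      # e.g. DNS/ACCEPT
            macro, action = action.split("/", 1)
            for mproto, mport in MACROS[macro]:
                rules.append(Rule(action, src, dst, mproto, mport))
        else:
            rules.append(Rule(action, src, dst, proto, dport))
    return rules


def parse_policy(text: str) -> List[Tuple[str, str, str]]:
    """Parse SOURCE DEST POLICY lines; order matters, first match wins."""
    return [tuple(l.split()[:3]) for l in text.splitlines() if l.split()]


def zone_of(spec: str) -> str:
    return spec.split(":", 1)[0]      # "loc:192.168.0.3" -> "loc"


def rule_matches(r: Rule, src_zone: str, dst_zone: str,
                 proto: str, dport: Optional[str]) -> bool:
    if zone_of(r.src) != src_zone:
        return False
    # DNAT's DEST column is the post-translation target; before translation
    # the packet is addressed to the firewall itself (simplification).
    expected_dst = "$FW" if r.action == "DNAT" else zone_of(r.dst)
    if expected_dst != dst_zone:
        return False
    if r.proto is not None and r.proto != proto:
        return False
    if r.dport is not None and r.dport != dport:
        return False
    return True


def verdict(rules, policies, src_zone, dst_zone, proto, dport=None):
    """Return (action, 'rule' | 'policy') in the order Shorewall looks things up."""
    for r in rules:
        if rule_matches(r, src_zone, dst_zone, proto, dport):
            return r.action, "rule"
    for psrc, pdst, action in policies:
        if psrc in (src_zone, "all") and pdst in (dst_zone, "all"):
            return action, "policy"
    raise ValueError("no policy covers %s -> %s" % (src_zone, dst_zone))


RULES = parse_rules(RULES_TEXT)
POLICIES = parse_policy(POLICY_TEXT)

if __name__ == "__main__":
    # ssh from the Internet: no rule matches, so the 'net $FW DROP' policy decides.
    print(verdict(RULES, POLICIES, "net", "$FW", "tcp", "22"))
    # The same ssh attempt from a LAN host to the external address arrives on
    # eth1, so its source zone is loc and the net policies never see it.
    print(verdict(RULES, POLICIES, ZONE_OF_IFACE["eth1"], "$FW", "tcp", "22"))
```

Running it answers both of Grant's questions under these assumptions: ssh from the net zone hits no rule and falls to `net $FW DROP`, while an ssh connection from a LAN host to the router's external address enters on the LAN interface, so it is loc-to-$FW traffic and whatever policy covers that pair decides, never the net policies.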
 
Old 12-13-2007, 06:09 PM
Dan Farrell
 
Hardening a laptop for travel

On Sat, 8 Dec 2007 13:41:06 -0500
"Andrey Falko" <ma3oxuct@gmail.com> wrote:

> On Dec 8, 2007 8:35 AM, Grant <emailgrant@gmail.com> wrote:
>
> > I have shorewall set up on my router but I haven't set up anything
> > security-wise for my laptop which normally sits behind the router.
> > What should I be setting up on the laptop in preparation for
> > traveling and connecting via a foreign network or even directly to
> > the Internet? I don't run sshd on the laptop. I would think
> > shorewall, but am I forgetting anything?
> >
>
> At the very least I'd do the following with iptables:
>
> iptables -P INPUT DROP
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>
> This will make sure that there are no incoming connections except those
> that you initiated.
>
>
> >
> > # rc-update -s
> > alsasound | boot
> > bootmisc | boot
> > checkfs | boot
> > checkroot | boot
> > clock | boot
> > consolefont | boot
> > hald | default
> > hostname | boot
> > keymaps | boot
> > local | default nonetwork
> > localmount | boot
> > metalog | default
> > modules | boot
> > net.eth0 | default
> > net.lo | boot
> > netmount | default
> > ntp-client | default
> > ntpd | default
> > rmnologin | boot
> > urandom | boot
> > vixie-cron | default
> > xdm | default
> > xfs | default
> >
> > - Grant
> > --
> > gentoo-user@gentoo.org mailing list
> >
> >

I don't run iptables on my laptops. Instead, I choose to run only a
few secure services and then proceed to not worry about it.

I see a lot of people asking this question around, mostly geeky friends
that I am trying my hardest to steer towards linux, if not gentoo. My
philosophy is that the box only accepts connections on open ports --
you don't open any ports, and there's no programs listening for any
external connections.

Of course, a stateful firewall like this is a spiffy way to protect
yourself from spoofing and such. I think such a thing would be a great
way to make sure your laptop is as locked down as possible, but I
really wouldn't worry about it. As I said earlier, if you don't have
any exploitable software listening on a default port, you aren't going
to look like a very attractive target for Hackers.
--
gentoo-user@gentoo.org mailing list
 
Old 12-13-2007, 06:12 PM
Dan Farrell
 
Hardening a laptop for travel

On Tue, 11 Dec 2007 08:22:45 +0000
Mick <michaelkintzios@gmail.com> wrote:

> Given that systems like e.g. Ubuntu server do not even have a
> firewall running would make you think so. The fact that while on the
> road you only stay connected for short periods of time would improve
> your chances too. However, every time you start an internet
> connection to a server you have open ports at random which could be
> discovered and exploited. It only takes a few seconds over broadband
> with a well crafted script.

This is true; however, the actual "exploitability" of something like
this seems pretty low to me. The biggest problem that I see here is
MITM/Spoofing probably, and it's a problem that firewalls only help
treat, but certainly don't cure completely.
--
gentoo-user@gentoo.org mailing list
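Andrey's rules (quoted in the first post and again in Dan's reply) and Mick's concern, quoted just above, that an outgoing connection leaves "open ports at random" can be checked against sample packets. What follows is an added example written in Python for this page; it is not code from the thread and not netfilter's code. It reduces connection tracking to a set of 5-tuples for flows the laptop started itself, applies the INPUT DROP policy and the RELATED,ESTABLISHED rule to constructed packets using RFC 5737 documentation addresses, and leaves RELATED unmodelled. The `accept_loopback` switch is an assumption standing in for a rule the thread does not post, `iptables -A INPUT -i lo -j ACCEPT`.

```python
"""Constructed model of the stateful ruleset posted in the thread:

    iptables -P INPUT DROP
    iptables -A INPUT  -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

(the FORWARD rule is left out: a laptop that is not routing never uses it).
This is not netfilter code; connection tracking is reduced to a set of
5-tuples for flows the laptop started, and RELATED is not modelled."""

from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str     # interface it arrives on (INPUT) or leaves by (OUTPUT)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class LaptopFirewall:
    def __init__(self, accept_loopback: bool = False):
        # Assumption: accept_loopback stands for a rule the thread does not
        # post, `iptables -A INPUT -i lo -j ACCEPT`, included to show why it matters.
        self.accept_loopback = accept_loopback
        self.flows: Set[Tuple[str, str, int, str, int]] = set()

    def output(self, pkt: Packet) -> str:
        # OUTPUT accepts NEW and records the flow so that replies count as ESTABLISHED.
        self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "ACCEPT"

    def input(self, pkt: Packet) -> str:
        if self.accept_loopback and pkt.iface == "lo":
            return "ACCEPT"
        # ESTABLISHED means the packet travels in the reply direction of a
        # tracked flow: swap its endpoints and look the flow up.  Anything
        # else is NEW on INPUT and falls through to the DROP policy.
        reply_of = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reply_of in self.flows else "DROP"


def demo() -> Dict[str, str]:
    """Run constructed packets (RFC 5737 documentation addresses) through the model."""
    laptop, web, scanner = "192.0.2.10", "198.51.100.20", "203.0.113.5"
    fw = LaptopFirewall()
    out: Dict[str, str] = {}
    # The laptop opens HTTPS from an ephemeral port ...
    fw.output(Packet("eth0", "tcp", laptop, 40000, web, 443))
    # ... the server's reply to that exact 5-tuple is ESTABLISHED ...
    out["server_reply"] = fw.input(Packet("eth0", "tcp", web, 443, laptop, 40000))
    # ... but another host aiming at that same "random open port" is not part of the flow.
    out["probe_of_ephemeral_port"] = fw.input(Packet("eth0", "tcp", scanner, 443, laptop, 40000))
    # An unsolicited SYN to a service port meets the policy.
    out["unsolicited_ssh"] = fw.input(Packet("eth0", "tcp", scanner, 51234, laptop, 22))
    # Loopback: the first packet of a local connection passes OUTPUT and then
    # INPUT, where it is still NEW, so the posted ruleset drops it ...
    lo = Packet("lo", "tcp", "127.0.0.1", 40001, "127.0.0.1", 53)
    fw.output(lo)
    out["loopback_without_lo_rule"] = fw.input(lo)
    # ... which an explicit lo rule fixes.
    fw_lo = LaptopFirewall(accept_loopback=True)
    fw_lo.output(lo)
    out["loopback_with_lo_rule"] = fw_lo.input(lo)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} {result}")
```

Running it shows the reply to the laptop's own connection accepted, a probe from any other source to the same ephemeral port dropped (the tracked entry is keyed on the full 5-tuple, so the port is only "open" to the one peer the laptop contacted), an unsolicited SYN dropped by the policy, and the first packet of a loopback connection dropped unless lo traffic is accepted explicitly, which is the one addition worth making before relying on the posted rules.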
 
Old 12-13-2007, 06:17 PM
Dan Farrell
 
Hardening a laptop for travel

On Mon, 10 Dec 2007 15:58:02 -0800
Grant <emailgrant@gmail.com> wrote:

> I don't know, now that I've set up shorewall on my router it seems
> like a simple matter to set it up on another machine. I should only
> need to edit a few config files with very light additions.
>
> - Grant

Either way you go, I wouldn't think it would take very long for you to
get a firewall up and running. I personally use iptables manually
because I think it's easier than using shorewall to automatically
configure it. But more abstraction _should_ make it easier, although
things don't always work out like that.
--
gentoo-user@gentoo.org mailing list
 
Old 12-13-2007, 09:36 PM
William Kenworthy
 
Hardening a laptop for travel

On Thu, 2007-12-13 at 13:09 -0600, Dan Farrell wrote:
> On Sat, 8 Dec 2007 13:41:06 -0500

>
> I don't run iptables on my laptops. Instead, I choose to run only a
> few secure services and then proceed to not worry about it.
>
hmmm - another target.

Firewalls can be viewed as a waste of time on a perfect system - but
what system is ever perfect?

Can you guarantee that no services that are untrustworthy will EVER run
on the machine - think accidental installs? A couple of years back we
(local lug) had an incident of a windows virus listening on a network
port of a linux machine - apparently something to do with running an
infected application under wine. It's what you don't know that will bite
you.

Can you guarantee that there is never a bug in your software that might
leave you exposed?

Can you guarantee that you have NEVER mis-configured a service or
application?

Thought not ...

Think layered defences
BillK


--
gentoo-user@gentoo.org mailing list