Fedora Security :: Iptables To Deny All Except Localhost?
May 15, 2011
i was hoping that someone in here could possibly help me out with my iptables rule set. First here is what i would like iptables to do, i want iptables to deny all packets or traffic from the outside coming in and for output allow the things i need like web and irc etc... Also, i would like iptables to deny access to all services like sendmail and ssh except i would like localhost to have access to everything. What i mean by localhost is that when i run my iptables script it loads fine except when i try ssh from localhost i get this output:ssh -l user localhostssh_exchange_identification: Connection closed by remote hostI know what most of you are thinking, why do i need to ssh into localhost from localhost just open another terminal, well i am getting myself familiar with iptables i want all services logged and blocked but not from localhost. I cant seem to figure out this problem and i have tried several different things. Here is my iptables script, I am hoping that someone out there can tell me what i am doing wrong...
#!/bin/bash
iptables -v -F;
iptables -v -A INPUT -i lo -j ACCEPT;
[code]....
View 5 Replies
ADVERTISEMENT
Mar 8, 2011
I am a newbie in Linux. I have Fedora 13 OS 32 bits. I am working with PowerDNs and Poweradmin. How can I configure this with PowerDNS?
1. Allow localhost recursion but deny recursion to external clients. Is there a tutorial for that?
2. Set up cache nameserver for localhost (like caching-nameserver in Bind).
Is there a tutorial for that?
3. My Master Server with PowerDNS is working well from localhost but external clients cannot access it.
I have iptables with these rules:
[Code]....
View 1 Replies
View Related
May 9, 2011
I just want to allow only some udp ports and deny all tcp access as my script below:
Code:
# Generated by iptables-save v1.3.5 on Sun May 8 17:33:16 2011
*filter
[code]....
View 3 Replies
View Related
Dec 7, 2010
I would like to know if it is possible to deny the access to a file for root? Would ACL's be a possibility? I have "googled" around but haven't found anything interesting (except SELinux). I should secure a password file to an important database.
View 6 Replies
View Related
Sep 7, 2010
I just downloaded the DenyHosts2.6python2.5.rpm for deny.hosts from sourceforge and would like to set it up. I normally use fish://, smb:// and ftp:// on the boxes on my lan. I already have files called hosts.allow and hosts.deny in the /etc folder. Will the rpm configure hosts.deny when first run?
View 1 Replies
View Related
Oct 30, 2010
I have an Asterisk on an externally hosted vServer with Lenny. In order to further protect the SSH access I intended to change the Port number 22 to something like 55555. For this I changed the /etc/ssh/sshd_config file and restarted ssh. This caused unfortunately the following problems:
(1) The first login works but DenyHost writes now the IP in its list so that the second login with the same IP is blocked.
(2) With RESET_ON_SUCCESS = yes several logins were possible with the same IP, but later it also was blocked for some still unknown reasons.
(3) Files can be uploaded for being edited, but they can't always be saved. When they can't be saved the next login with this IP is blocked. It thus looks like the blocking can occur while being connected. When the files can't be saved it is however still possible to copy files from the computer to the vServer.
I add below the entries in the auth.log from a logout and a login. It shows further how suddenly the attempts to save files were blocked. After this session the IP used for it was blocked. I don't know where the message "Unable to open env file: /etc/default/locale" comes from. If I remember right I had these messages already before. I don't know how much that is really important.
[Code]....
View 4 Replies
View Related
Jan 18, 2010
I'm having troubles trying to understand this problem:my homeserver until yesterday had a public IP, staying on network, with sshd running and all was fine;this evening I changed the IP, giving it a local lan address, and what happened if I tried to connect to it by ssh?I got an error about "Connection closed by remote host". Google helped me finding that was regarded to hosts.deny file, that was actually containing a lineALL:ALLthat I commented, and all was fine.My question is: why the hosts.deny (that has never changed) was observed only with the local IP?I tried to switch back to the public IP and leaving ALL:ALL, and it did connect without any problem
View 1 Replies
View Related
Feb 23, 2010
If I allow, my server's IP is:
11.11.11.11
If I allow 11.11.11.11, and block 22.22.22.22
22.22.22.22 can't access the server
But if I allow 11.11.11.0/24, and block 22.22.22.22
22.22.22.22 can still access the server!!
Does anyone know why that is?
View 4 Replies
View Related
Nov 15, 2010
How to deny download some file types on squid ?
I tried below in my squid.conf
acl blockfiles urlpath_regex -i "/etc/squid/src/blockfiles"
http_access allow localnet freesites !blockfiles
and in my /etc/squid/src/blockfiles
.[Ee][Xx][Ee]$
.[Aa][Vv][Ii]$
.[Mm][Pp][Gg]$
.[Mm][Pp][Ee][Gg]$
.[Mm][Pp]3$
.[Rr][Aa][Rr]$
I still able to download
View 2 Replies
View Related
Oct 21, 2010
I could not find any where the documentation the only best which I got was [URL]
My question is the following blog says to remove an IP from /etc/hosts.deny which denyhost has blocked
[URL] you need to have a directory /usr/share/denyhosts/data I do not find any such directory
Also when I tried to check tcp wrapper configuration as given here
[URL]
tcpdchk -v Cannot find your inetd.conf or tlid.conf file. Please specify its location.
what does the above output mean? How do I make sure denyhosts is doing its job?
View 2 Replies
View Related
Feb 1, 2009
I have been struggling with this for a very long time now. I have installed Fedora Core 9 on my computer. I have set it up as a caching-nameserver and this is working.
Then I wanted to secure my server with iptables, and I have so far made this script:
# Load the connection tracker kernel module
modprobe ip_conntrack
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
[Code]....
I can reach the dns server with ping. When trying Nslookup it says that it got SERVFAIL from 127.0.0.1 trying next server, and then it times out.
My resolv.conf file lists:
nameserver 127.0.0.1
nameserver DNS-server
View 13 Replies
View Related
Dec 14, 2009
Im pulling my hair out trying to get ftp to work through iptables.Im using vsftpd
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
[code].....
View 3 Replies
View Related
Mar 22, 2010
I am trying to do something outlandish with iptables (or so I think!).I have a source sending udp packets to a destination (say dst11). Using port mirroring I am able to get all these packets to a different machine (say dst22). I am able to see these packets on dst22 interface using tcpdump.I want to analyze the packets on dst22. So what I do is put dst22 interface in promiscuous mode (using ifconfig eth0 promisc). This in theory should get the packet through the MAC layer. Now using iptables I am trying to DNAT the packets in nat prerouting to change the packets destination IP to dst22's interface and change the destination port.
View 2 Replies
View Related
Mar 17, 2009
What i wanted to do was block everything from getting in my pc but still be able to surf the web and still use instant messenger.
View 2 Replies
View Related
Dec 19, 2010
I made a Desktop User account. When I went on that account, it allowed me to execute sudo as if I was an administrator. I don't know what might be causing this. I do have ufw set up and blocking incoming connections. Do you guys know what might be at the root of this?Also, when I used sudo from the user account (which I shouldn't have been able to do), I provided the password for my admin account.
View 9 Replies
View Related
May 16, 2011
I just set up denyhosts and it worked properly the first time adding lots of ips to the hosts.deny.I then set it to run every 12 hours noon and midnight.I wanted to see if ran properly and I got all this.Does it look like its working?
Code:
May 15 12:00:01 hyrule CRON[14286]: (root) CMD (python /usr/share/denyhosts/denyhosts_ctl.py -c /usr/share/denyhosts/denyhosts.cfg )
[code]...
View 4 Replies
View Related
May 5, 2010
I have a question, on my firewall at work I am seeing a constant flow of denies from many different source IP addresses, of tcp/udp destination port 53372 & 53375.What in the world is that, and why these two ports over and over
View 1 Replies
View Related
May 3, 2009
When I use system-config-firewall, it asks what interfaces to trust. Where does it store that information for iptables (or whatever uses that info)? How iptables knows at what interfaces to use the rules?There is not that kind of information in /etc/sysconf/iptables and iptables-config.
View 2 Replies
View Related
Dec 8, 2009
i've got a few questions about iptables. i know how to set up ip tables to only allow from an ip address or a subnetting ip addresses. question is how do i allow from 2 different networks? would i need to create 2 lines of entry in iptables to the same port? e: allow 10.168.1.1 and 196.168.1.1 on port 22 is there a way to put all that in 1 line or would i need to create to rules for the port? i know i can use the ssh allow or deny but i'd like to stop access even before it gets to the ssh. stop it at the source kinda thing.
View 4 Replies
View Related
Dec 19, 2009
Wondering if anyone knows what the range specification is meant to do for the colonHAIN at the top of the iptables file? e.g. what is the 1:76 range mean for :OUTPUT ACCEPT [1:76] ?
# Generated by iptables-save v1.4.1.1 on Sat Dec 19 12:28:00 2009
*filter
:INPUT ACCEPT [0:0]
[code]...
View 2 Replies
View Related
Jan 28, 2010
I found a behavior of iptables on FC12 to be different and suspect it's broken somehow. Here is what I did
# iptables -F
# iptables -A INPUT -s 127.0.0.1 -p tcp --dport 22 -j ACCEPT
I don't have a shell on FC12 with me to show the output of iptables -L -n but it looks good after above 2 commands. However, after issuing the following third command iptables -L -n gives "wrong" result
# iptables -R INPUT 1 -s 127.0.0.1 -p tcp --dport 22 -j ACCEPT
Namely iptables -L -n gives extra "/0" after 127.0.0.1 in the output I have checked on Ubuntu 9.10 and centos 5.4 and they don't give extra "/0"; iptables is not supposed to do that. Of course, I didn't invent these examples but they are abstracted from actual real life scenerio of trying to build rules on our servers.
View 3 Replies
View Related
Oct 28, 2010
I am using denyhosts on a server so in a config file/etc/denyhosts.confthe following value is setQuote:DENY_THRESHOLD_INVALID = 3which as per their configuration file saysQuote:
DENY_THRESHOLD_INVALID: block each host after the number of failed login
# attempts has exceeded this value. This value applies to invalid
# user login attempts (eg. non-existent user accounts)
[code]...
View 1 Replies
View Related
Feb 10, 2010
i am learning security and firewalling. i want to know . where a linux firewall is sufficeint and where it is not sufficeint? if you can explain why or give a reference i will be glad. is that security or traffic handling problem? when i should select a cisco product? in tarms of traffic and sceutiry. do you have any good alternative recomendation to Cisco
View 1 Replies
View Related
Mar 4, 2011
I am using squid on my fedora box as a proxy server.By default the iptables (Firewall) service is on.To allow web pages to my client machines i stop the iptable service.
#service iptables stop
By doing it client computers start browsing.kindly how can I add a rule so that without stoping firewall client compter work fine.my perver IP address is 10.1.80.10
View 3 Replies
View Related
Dec 13, 2009
I've got two routers, 10.0.0.0/23 and 192.168.2.0/24, which are joined by a Linux box with interfaces eth0 (10.0.0.2) and ra0 (192.168.2.2). I've got masquerading for ra0, and a route to 192.168.2.0/24 on 10.0.0.0's router. I CAN ping hosts on 192.168.2.0 from 10.0.0.0 just fine, but I CANNOT access web pages.Strangely, If I enable masquerading on eth0, and add a route to 192.168.2.0s router to 10.0.0.0, I can ping AND access web pages from 192.168.2.0Here is my current iptables
Code:
*filter
:INPUT ACCEPT [0:0]
[code]...
View 14 Replies
View Related
Nov 25, 2010
I use iptables firewall (v1.4.1) installed on FC8. I'm trying to limit the inflow traffic for the port 1723 to certain MAC addresses. To experiment with the mac option, I've written the following iptables rule:
Quote:
iptables -A INPUT -m -mac --mac-source 10:08:08:08:08:10 -j ACCEPT
It didn't work. It gave me this error message:
Quote:
iptables v1.4.1: Couldn't load match `-mac':/usr/local/libexec/xtables/libipt_-mac.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information. Does that mean the mac module wasn't installed/enabled?
View 4 Replies
View Related
Jul 16, 2009
How come FC11 is set by default to reset the IPTables firewall to ACCEPT across the board each restart?
View 4 Replies
View Related
May 15, 2010
I am getting a warning from /etc/hosts.deny
Code:
ALL: 192.168.1.3
ALL: 172.68.11.204
[code]...
View 14 Replies
View Related
Feb 16, 2011
Let's say you have a host with some kind of locally installed root kit detector/scanner.
If someone managed to get root access to that box. Wouldn't the first thing to do, before installing a root kit, be to remove any kind root kit detector?
View 3 Replies
View Related
Jun 29, 2011
While investigating my localhost access logs during an investigation to resolve locking myself out of my own server(!) I noticed this recent access attempt from a proxy referrer. I wouldn't expect this on a local server - currently set to listen on 127.0.01. The request was 403 forbidden, but surely the request should not have even reached this far? Is this an example of an unauthorised access attempt? I don't think it is me because all of my usual access requests are in moz 5 and im logged in to linux currently.
Note please do not click this link as I do not know where it leads ^^^^! (and i dont know how to disable it on this forum)
View 8 Replies
View Related
