Security :: Creating Custom SSH Iptable Rules For Use With UFW?

Feb 22, 2011

I'm trying to set up a firewall at the moment that allows access to my custom SSH port only from my friend's URL (they have a static URL but a dynamic IP). I find iptables a bit of a nightmare and was hoping to use UFW for most of my day-to-day firewall maintenance and just make a few extra iptables rules to cover exceptional circumstances like this. Fortunately it seems UFW allows this with /etc/ufw/before.rules and /etc/ufw/after.rules. So at the moment I'm just trying to get the basic iptables rules right. As I say, I'm not very good with iptables; does this look right?


## Drop default SSH port access with logging
iptables -N SSH_DEFAULT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_DEFAULT
## Rules inside the custom chain: log (rate-limited so the log cannot be flooded), then drop
iptables -A SSH_DEFAULT -m limit --limit 5/min -j LOG --log-prefix "SSH_DEFAULT: "
iptables -A SSH_DEFAULT -j DROP




Security :: Iptable Rules For Dns And Snmp

Jan 27, 2011

I have a caching DNS and SNMP (MRTG) both on the same server. How can I permit DNS and SNMP traffic in the INPUT chain? I have tried the following:

# DNS: queries from clients to our resolver (port 53) and replies from upstream servers
iptables -A INPUT -p udp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
# SNMP: requests to the agent (161) and traps (162), plus replies from polled hosts
iptables -A INPUT -p udp --sport 1024:65535 --dport 161:162 -j ACCEPT
iptables -A INPUT -p udp --sport 161:162 --dport 1024:65535 -j ACCEPT


Fedora Security :: FC15 And Iptable Rules ?

Jul 16, 2011

I don't know if FC15 has the iptables rules like the ones shown below by default or not, but I wanted a second opinion about the safety they provide. Why is ICMP accepted (INPUT rule 1) from/to all IPs? And is it better to remove this rule? When the protocol is "all" (INPUT rule 2), does it mean from the IP layer and above? And is it required/safe to have this rule? The 3rd rule is to allow TCP port 22 connections (SSH) to/from all IPs. I think this is correctly set and required. The 4th rule in the INPUT table rejects pings with the icmp-host-prohibited message, which I don't think is the best solution. Instead it can be set to silently drop ICMP packets. Then, the FORWARD table uses reject instead of silent drop for forwarding ICMP ping packets.


What do you think about the new rules and their order?


Ubuntu Security :: Insecure Iptable Rules?

Sep 12, 2010

I've configured iptables to act as a stateful firewall, but instead of simply rejecting packets I'd like to waste a potential hacker's time by dropping any packet that would otherwise be returned. Are my rules sufficient, or have I somehow opened myself up to an attacker by trying to write these rules myself?


Ubuntu Security :: Setting IPTable Rules For FTP Server?

Jun 22, 2011

I recently set up an FTP server in my house running a DynDNS service so I can get to it from the outside. I called my ISP to get some help in setting up the router to forward port 21 from the outside to that box, and in short we had some problems. Long story short, they ended up bypassing the router itself, and now the line running to the box is its own fixed external IP. Naturally I want a pretty darn good iptables setup for this. The box runs proftpd and so far my iptables only accepts local loopback and port 21. (I left port 80 closed as its only purpose is to be a standalone FTP server.) But I know there must be a safer rule for port 21, as right now it's just wide open. Anyone have any ideas on how to make this a bit safer? Also, would that command be fine for any of the Linux machines I'm connecting to it from the outside too?


General :: Iptable Rules - SYN ?

Feb 9, 2011

Can you explain the following iptables rules for me?

I understand 1 and 2: 1 creates the new syn_flood chain and 2 redirects all SYN requests to the new syn_flood chain.

I'm having trouble understanding 3 and 4. Can someone explain to me in layman's terms the --limit 1/s and --limit-burst 3?


Ubuntu :: Remove All Iptable Rules And Chains?

Aug 6, 2010

How would you remove all iptables rules and chains?


Server :: Iptable Rules Some To Save And Some Not To Upon Reboot?

Apr 17, 2010

I have a Xen server; the xend daemon takes care of giving interface names like vif1.0 or vif0.2 to the connected guest operating systems on it. I cannot save the current IPTABLE rules, since upon reboot the xend daemon gives different names to the virtual ethernet interfaces, i.e. vif1.0 or vif3.0 or vif9.0, like that. I have some rules that I want to be active upon subsequent reboots, and not all. Say for example an SSH to the external server at port 8000 should forward the request to a machine on the LAN, which I have done by port forwarding from IPTABLES. So I need to save some rules. I was thinking of making a script which on reboot activates those rules.

I am not clear on where to do that. I came across the internet and found /etc/network/if-up.d/. I am not clear with this directory; my question is, if I make a script which has the IPTABLE rules as I want and save it in the above folder, will it work? I am not clear with what /etc/network/if-up.d is for. Suppose my logic is wrong, then how should I go for it? Also I want to know, does a protocol use two ports to make a connection? I have forgotten that thing, i.e. if I run SMTP or SSH, then do they use port 22 and 23 both in case of SSH, or 25 and 26 both for SMTP, like that, or will just specifying the rules for one port be enough? I tested these rules in a secure environment where I had disabled the firewall, and SSH forwarding on the router worked well.


Networking :: Check Older Iptable Rules That Were Loaded?

Oct 14, 2010

Is there a way to check older iptables rules that were loaded? I accidentally overwrote my iptables and that has killed internet access for all computers on the intranet. I must have accidentally deleted some line in the iptables rules and cannot figure out how to get it back to how it was. I am using Debian 5.05, by the way.


Ubuntu Networking :: Set Iptable Rules And Access Superuser Permission From Web-based?

Mar 30, 2010

I wrote a network emulator program in C. It runs from the Ubuntu terminal with good performance, but I have to make it available for web-based user configuration. So I set up an Apache web server, wrote this program as a CGI script and tried to execute it from a web page. This program must be run with root privilege ($sudo -s) and add iptables rules such as (#iptables -A OUTPUT -j QUEUE). So my question is: how do I add iptables rules in my CGI scripts? How do I set the superuser (root privilege) permission to access my program through the web server?


Debian :: Custom Udev Rules Not Taking Place?

Mar 20, 2011

I'm trying to write udev rules to make it easier to recognize the network cards in my server. After a reboot it doesn't seem to take effect; what am I doing wrong? I'm running Debian Squeeze stable.

$ uname -a
Linux debian 2.6.32-5-amd64 #1 SMP Wed Jan 12 03:40:32 UTC 2011 x86_64 GNU/Linux
# ls -l /etc/udev/rules.d/
total 4



Red Hat :: Creating Raw Device Via Udev Rules

Apr 12, 2010

I have a Linux server that runs the Sybase DB. Sybase suggests using character devices to access raw devices rather than O_DIRECT to block devices, or cooked FS's. So, I went ahead and configured /etc/sysconfig/rawdevices as such:

/dev/raw/raw1 /dev/vg01/tempdb
/dev/raw/raw2 /dev/vg01/testdb
/dev/raw/raw3 /dev/vg01/fakedb ...

This works fine. I set 'chkconfig rawdevices on' and all is well. I read that this method is deprecated and went about trying to accomplish the same via Udev rules. I already use udev rules in /etc/udev/rules.d/60-raw.rules to set permissions on these devices, i.e.
# Matches use "==", assignments use "=": OWNER/GROUP/MODE are assignments here
ACTION=="add", KERNEL=="raw*", OWNER="sybase", GROUP="sybase", MODE="0660"

That works fine. I even set symbolic links:
KERNEL=="raw1", SYMLINK+="vg01/rtempdb"
KERNEL=="raw2", SYMLINK+="vg01/rtestdb1"
KERNEL=="raw3", SYMLINK+="vg01/rfakedb2"

But I cannot seem to get the actual device creation piece to work within udev (it only works using rawdevices). I've tried:
ACTION=="add", KERNEL=="vg01/tempdb", RUN+="/bin/raw /dev/raw/raw1 %N"

No errors, but nothing happens. The device just doesn't get created. I've also tried doing it by passing major and minor numbers. Is it possible to get all of this into udev rules, or am I stuck with rawdevices? I'm also utterly confused as to the future of rawdevices... the raw man page said it was deprecated, and now at v5.5 it has that piece taken out. Also RHEL 5.3 dropped support for rawdevices in initscripts only to add it back in 5.4. I'm an admin, not a DBA, so I cannot say if this is a bad or good way, only that it is the way the vendor supports and recommends, so it is the way that I must go... just trying to make it work as "un-deprecated" and cleanly as possible.


Security :: Iptable To Block A Sub-domain

Feb 23, 2011

Is it possible to block a subdomain or a one-level-lower directory URL from being accessed by other hosts or networks? I have a site running on my server and I want to block a particular directory under the domain, with the exception of loopback access. I mean the directory must be accessible only from loopback/localhost.

[url] on port 10016 (except loopback)
[url] on port 10016 (except loopback)



Ubuntu Security :: Snort Not Starting - ERROR: "/etc/snort/rules/exploit.rules(264) => 'fast_pattern' Does Not Take An Argument"

May 12, 2011

I need assistance with my Snort installation. I used Bodhi Zazen's Network Intrusion Detection System post and found it easier than the previous time I had done it. I am currently running Ubuntu 10.04 server and Snort with BASE 1.4.5. I followed Bodhi Zazen's instructions and when I tested snort it ended with a fatal error:

ERROR: /etc/snort/rules/exploit.rules(264) => 'fast_pattern' does not take an argument
Fatal Error, Quitting..

Here is the entire output once I ran the test command:

snort -c /etc/snort/snort.con -T
Running in Test mode



Ubuntu Security :: How To Create An Iptable Rule

Sep 1, 2011

I need help creating an iptables rule. The iptables are installed on my router. My router also connects to a "hide my a**" VPN account at The goal is to somehow force the traffic to go through the VPN, because what sometimes happens is that the VPN connection drops (for whatever reason) and my real IP becomes exposed. Basically, I want to block "myself" from accessing the Internet when not connected to the VPN because of privacy concerns.

Below is my iptables. It has the 3 default chains and it also has many custom user chains. I need to know what kind of rule to add, what interface to apply it to (lo, tun0, br-lan, eth1) and the correct chain to insert into. For example, you could tell me something like:


FORWARD chain, change rule 1 to
iptables -R FORWARD 1 -j zone_wan_MSSFIX -p tcp --destination-port 443 -i eth1

Obviously, that was just a guess; I need someone who knows iptables to help me.


Chain INPUT (Policy: ACCEPT)
Rule #   Traffic    Target   Prot   In   Out   Source   Destination   Options
Rule 1   72.95 KB   DROP     all    *    *                            state INVALID
Rule 2   1.11 GB    ACCEPT   all    *    *                            state RELATED,ESTABLISHED



Ubuntu Security :: Iptable REDIRECT From Local Machine?

Nov 8, 2010

I have a server that listens on a high port number, and people want it on port 80. Because of root exploit issues people say the server cannot run as root. So to solve things I want to redirect port 80 to a high port number, say 12345, on the machine. This has been discussed all over the web, so I find I need to do this:

/sbin/iptables -t nat -A PREROUTING -p tcp -d --dport 80 -j REDIRECT --to-ports 12345
/sbin/iptables-save > /etc/sysconfig/iptables

And I do this, and voila, things work for the whole world. All machines in the world can see the server on port 80 on the machine. Except on the machine itself. On the machine, when I try to get to the server on, I get a "can't connect" error. On the machine, if I try I can connect. What am I doing wrong here? I don't really want the localhost network; I want the IP address and port, but I want the forwarding to work on the local machine. But it doesn't...


Security :: Limit To Use For IPTABLE Rate Limiting For A Webserver?

Feb 4, 2011

I see on my webserver some logs as follows:

- :25:02 "GET //phpmyadmin/ HTTP/1.1" 404 393 "-" "Made by ZmEu @ WhiteHat Team -"
- :25:03 "GET //phpMyAdmin/ HTTP/1.1" 404 394 "-" "Made by ZmEu @



Security :: Accept Different Source Network Address In Iptable Input Chain?

May 27, 2010


-A RH-Firewall-1-INPUT -s -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT


How can we add multiple source network addresses in the above INPUT chain?


Ubuntu :: Creating Custom Live Cd?

Mar 6, 2010

I am in the tasks section of the following tutorial [URL]. I did the list package thing to see what packages there are. However, now I cannot leave the list in order to run the purge command. How can I get back to the previous section so I can remove packages from the custom live CD? I want to make sure I am editing the live CD and not the current install. I am going to make two images. One CD that will still have a GUI but I plan to build as a recovery tool. The other one is a DVD and will be for installing everything I want on any machine. I am doing the tutorial with Karmic. Also I have cursors, themes and icons I installed from gnome-look. I then went to customize and created my own personal mix I like. I would like to make this a standalone theme and have it come as the default theme on the live CD and DVD. I have no clue what I am doing, however I wish to learn to build my own custom live CD. Also I would like to know how to add repositories to the live CD and how to add pre-installed programs that are not usually included.


Debian Configuration :: Creating A Custom Live CD

Feb 24, 2016

I'd like to create my own custom Debian live CD — the idea being to have my own rescue CD with my favorite Debian tools installed. I read about bootcd and was going to give that a try, after creating the ideal system in a qemu virtual machine.

How much exactly can you install on a system so that bootcd can still fit it on a CD? I'm presuming there is some kind of compression involved. When I tried to create my VM, I couldn't get Jessie + LXDE to install onto a 2GB virtual drive (net install), so naturally I'm wondering what I'm going to be able to put on a 700MB CD.


Fedora :: Creating Images Of Custom Installs?

Jun 7, 2011

I have a workstation running Fedora 15 with custom software and settings. I want to make an image of this machine for fast and easy deployment around the office (preferably a DVD, but I could also use an external USB drive for install). How would you go about doing this from an existing install?


Ubuntu :: Creating A Custom Keyboard Layout

Jan 22, 2010

There have been some posts on this forum about custom keyboard layouts, but the latest one was more than three years ago, and is outdated. I found the following code for a custom dvorak international keyboard layout here, but it directs me to copy this code into the folder /etc/X11/xkb/symbols/pc, a folder which does not seem to exist in 9.10 or 9.04.


As this is the only thing I felt Windows did better than Ubuntu (custom keyboard layouts), I would love to be able to change the layout and finally seal the deal with Ubuntu.


Ubuntu :: Creating A Custom Grub2 Menu?

Jul 14, 2010

I've been following this guide [URL] on creating a custom boot menu for Grub2 and I've run up against a wall. I made it all the way to the section on testing the custom menu, but when I do, the new menu refuses to load. When I get to the boot screen I see the standard menu plus an extra entry at the bottom that will show what my custom menu will look like. When I select it, though, it won't load. The screen blinks and remains on the main menu. I don't have the correct 'set' and 'search' lines in the 40_custom entry and I don't know how to correct them.


Ubuntu :: Creating The Custom Keyboard Shortcut?

Feb 27, 2011

I'd like to open a directory with the F12 key. I haven't any problem getting Keyboard Shortcuts to run programs, but cannot figure out how to have it open a directory. I tried making a link to the directory and using that, but still no go. Can't find anything on the net for this. Most just mention that we can create custom keyboard shortcuts. I tried using /home/directory/directorydesired, but no go.

Edit: The directory I want opens when I use the link


Red Hat / Fedora :: Creating A Bootable Custom Image?

Apr 1, 2010

I have installed CentOS 5.4 and then on top of that I have been installing much software over time (like a PBX system, web console, billing etc.) and now it has come to a quite stable stage. The problem is I have to move this installation to another machine with a different config etc., and even have to install it on multiple systems. The idea is to create a bootable Linux ISO of the current machine with all the software so I can simply put it in a different machine and make it install and run without much fuss. Is creating a Linux appliance the only solution? Or is there any way to back up the current machine in an ISO format and then install it on another machine? Also I would like to make this completely hardware independent.


Red Hat / Fedora :: Creating Custom Live CD - Any GUI Tools

Apr 25, 2011

I am using Fedora 14. I want to create a custom live CD in Fedora 14. I saw this Fedora site: [URL]. But it only uses a command-line tool. Are any GUI tools available to create a custom live CD in Fedora?


Fedora :: Creating Custom Gnome Notification Icon?

Nov 7, 2010

How do you go about creating your own notification icon for Gnome? Like the Power, Network, and Sound ones. I found something called Zenity, but it doesn't seem to be able to create a drop-down menu and I can't see how I'd update the information in the icon once it is created. I have a script set up to check something and want to report the results back via a persistent notification icon, with the ability to change the icon and its properties (mouseover/tooltip text) and drop-down menu text as appropriate.


Ubuntu Installation :: Creating Custom LiveCD/USB Iso File?

Apr 30, 2011

Having spent weeks perfecting my Ubuntu the way I like it, I was wondering if there is a way of preserving it as either a live CD or a USB flash drive, with a view to using it on other PCs, activated upon start-up?

Possibly (under the USB option) with the option of launching from the flash drive itself, or installing onto a PC's hard drive. So, in essence, it would be a live CD but custom made to reflect the way my Ubuntu looks and feels now. Is there any easy-to-use software available to perform such a task?


Ubuntu :: Creating And Installing A Custom Keyboard Layout?

Jul 1, 2011

How to create and install a custom keyboard layout?


Ubuntu :: Creating Custom Command/menu Launcher?

Sep 20, 2010

I had a problem with viewing webcams on Skype, and after searching I found out that running Skype through the terminal with this command, "export XLIB_SKIP_ARGB_VISUALS=1 && skype", makes the webcams work perfectly. What I wanted to do was to integrate this command into the main menu so that I won't have to type it into the terminal (and thus keep the terminal open for the whole session) every time I want to use Skype. So I edited the command of the Skype button in the Applications menu and put that line instead of "skype", but it gives me "Failed to execute child process "export" (No such file or directory)". I tried editing .bashrc and added the following line:

alias skp='export XLIB_SKIP_ARGB_VISUALS=1 && skype'

Now the command 'skp' works through the terminal, but it gives me the same error message when I put it into the command line of the applications menu.

