* PPTP Question
From: Rommy Taslim @ 2002-10-22 5:20 UTC
To: netfilter

Hi Everyone,

Just a question: is it possible to have two Linux boxes (both connected to the internet with different IP addresses) do VPN/PPTP masquerading to one PPTP server (a Windows 2000 box) inside the LAN? I only manage to get it to work with one of them (the one that the Windows 2000 box has as its default gateway).

Thanks in advance!

Rommy
* nmap
From: antonio @ 2002-10-22 15:42 UTC
To: netfilter

Hi Everyone,

Just a question: I want to set up a firewall box with iptables in which I can use nmap. Which ports/protocols can I set to ACCEPT and which to DROP?

Thanks in advance!

Antonio
* Re: nmap
From: Gaël Le Mignot @ 2002-10-22 18:25 UTC
To: antonio; +Cc: netfilter

Tue, 22 Oct 2002 17:42:45 +0200, you said:

> Hi Everyone,
> Just a question:
> I want to set up a firewall box with iptables in which I can use nmap.
> Which ports/protocols can I set to ACCEPT and which to DROP?

I advise you to set the policy to DROP, and to accept:

* RELATED, ESTABLISHED packets
* NEW packets on the ports you _need_ to open (80 if you host a web server, 22 if you want to allow remote login using ssh, and so on).
* ICMP echo-request packets

This is a basic and simple firewall and should be a good start.

-- 
Gael Le Mignot "Kilobug" - kilobug@freesurf.fr - http://kilobug.free.fr
GSM : 06.71.47.18.22 (in France)   ICQ UIN : 7299959
Fingerprint : 1F2C 9804 7505 79DF 95E6 7323 B66B F67B 7103 C5DA

Member of HurdFr: http://hurdfr.org - The GNU Hurd: http://hurd.gnu.org
* Re: nmap
From: antonio @ 2002-10-22 19:12 UTC
To: netfilter

OK, but in order to set the policy to DROP, which ports/protocols do I have to set to ACCEPT to allow nmap from the firewall box to anywhere and from the LAN to anywhere?

On Tue, 22 Oct 2002 20:25:11 +0200 kilobug@freesurf.fr (Gaël Le Mignot) wrote:

> Tue, 22 Oct 2002 17:42:45 +0200, you said:
>
> > Hi Everyone,
> > Just a question:
> > I want to set up a firewall box with iptables in which I can use nmap.
> > Which ports/protocols can I set to ACCEPT and which to DROP?
>
> I advise you to set the policy at DROP, and to accept:
> * RELATED, ESTABLISHED packets
> * NEW packets on the ports you _need_ to open (80 if you host a web server,
> 22 if you want to allow remote login using ssh and so on).
> * ICMP echo-request packets
>
> This is a basic and a simple firewall and should be a good start.
* Re: nmap
From: Gaël Le Mignot @ 2002-10-22 21:05 UTC
To: antonio; +Cc: netfilter

Tue, 22 Oct 2002 21:12:21 +0200, you said:

> Ok, but in order to set the policy at DROP, which port/protocols I have to set at ACCEPT to allow nmap from firewall box to anywhere and from LAN to anywhere?

If you don't block OUTPUT and allow ESTABLISHED and RELATED packets in INPUT, you don't need to open extra ports. Maybe some extra icmp for "weird" scans, that's all.
* Re: nmap
From: antonio @ 2002-10-22 22:35 UTC
To: netfilter; +Cc: kilobug

OK, but if I set the OUTPUT policy to DROP, which ports/protocols do I have to set to ACCEPT? This is my problem.

On Tue, 22 Oct 2002 23:05:39 +0200 kilobug@freesurf.fr (Gaël Le Mignot) wrote:

> Tue, 22 Oct 2002 21:12:21 +0200, you said:
>
> > Ok, but in order to set the policy at DROP, which port/protocols I have to set at ACCEPT to allow nmap from firewall box to anywhere and from LAN to anywhere?
>
> If you don't block OUTPUT and allow ESTABLISHED and RELATED packets in INPUT,
> you don't need to open extra ports. Maybe some extra icmp for "weird" scans,
> that's all.
* Re: nmap
From: Gaël Le Mignot @ 2002-10-23 7:35 UTC
To: antonio; +Cc: netfilter

Wed, 23 Oct 2002 00:35:27 +0200, you said:

> OK but if I set the policy OUTPUT at DROP which ports/prot I have to set
> at ACCEPT?
> This is my problem.

Every dport/protocol you want to allow to be scanned... You cannot filter much OUTPUT if you want to allow nmap. You can use the -m owner match with --cmd-owner, if it's available on your computer, to allow nmap-initiated connections.

But... what do you want to do by filtering OUTPUT? Sure, you can drop INVALID packets, filter floods, stop packets coming from root and so on, but if you want to allow normal internet activity from the box, you have to allow NEW connections on OUTPUT to any host/port...
* Re: nmap
From: Gavin @ 2002-10-23 9:06 UTC
To: netfilter

> But... what do you want to do by filtering OUTPUT ? Sure, you can drop INVALID
> packets, filter floods, stop packets coming from root and so on, but if you
> want to allow normal internet activity from the box, you have to allow NEW
> connections on OUTPUT to any host/port...

There's always a (good) chance that someone will compromise the machine and use it to DDOS, scan, spam etc - filtering output to allow only what you need for normal usage (dns, web, ping etc) makes it less useful as a hacked box.

Gavin
* Re: nmap
From: Gaël Le Mignot @ 2002-10-23 12:02 UTC
To: Gavin; +Cc: netfilter

Wed, 23 Oct 2002 12:06:49 +0300, you said:

>> But... what do you want to do by filtering OUTPUT ? Sure, you can drop INVALID
>> packets, filter floods, stop packets coming from root and so on, but if you
>> want to allow normal internet activity from the box, you have to allow NEW
>> connections on OUTPUT to any host/port...

> There's always a (good) chance that someone will compromise the machine and
> use it to DDOS, scan, spam etc - filtering output to allow only what you
> need for normal usage (dns, web, ping etc) makes it less useful as a hacked
> box.

If you allow users to mail, you allow them to spam. If you allow users to send requests on tcp 80, you allow them to participate in a DDOS, and so on. There is no real way to sort out "clean" and "bad" actions at the firewall level... The only thing you can do is use the 'limit' match to prevent some kinds of DoS. And allowing only some ports can be very limiting for users, since some web servers listen on other ports, they may want to use cvs pserver (and you didn't think to allow 3128) and so on...
* Re: nmap
From: Gavin @ 2002-10-23 12:15 UTC
To: Gaël Le Mignot; +Cc: netfilter

> If you allow users to mail, you allow them to spam. If you allow users to send
> requests on tcp 80, you allow them to participate in a DDOS, and so on.
> There is no real way to sort out "clean" and "bad" actions at the firewall
> level... The only thing you can do is using the 'limit' match to prevent
> some kinds of DoS. And allowing only some ports can be very limiting
> for users, since some web servers listen on other ports, they may want to use
> cvs pserver (and you didn't think to allow 3128) and so on...

Would I be right in thinking that the OUTPUT chain only filters traffic originating from the firewall box itself, and that any traffic coming from your clients would fall into the FORWARD chain? If that is the case, then filtering OUTPUT would have no effect on your users' ability to surf, mail etc, but only on the firewall box's ability to generate traffic.

Gavin
* Re: nmap
From: Antony Stone @ 2002-10-23 15:25 UTC
To: netfilter

On Wednesday 23 October 2002 1:15 pm, Gavin wrote:

> Would I be right in thinking that the OUTPUT chain only filters traffic
> originating from the firewall box itself, and that any traffic coming from
> your clients would fall into the FORWARD chain? If that is the case, then
> filtering OUTPUT would have no effect on your users' ability to surf, mail
> etc, but only on the firewall box's ability to generate traffic.

Yes, you are correct in this understanding of what the OUTPUT and FORWARD chains are for; however, I believe this thread started by asking about setting up rules in the OUTPUT chain to enable nmap to be used *from the box which the netfilter rules are on*. Therefore the packets being discussed are all locally generated anyway.

Antony.

-- 
All matter in the Universe can be placed into one of two categories:
1. things which need to be fixed
2. things which will need to be fixed once you've had a few minutes to play with them
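Pulling the OUTPUT discussion above together (Gavin's point that egress filtering makes a compromised firewall host less useful, Gaël's owner and 'limit' matches, and Antony's reminder that OUTPUT only sees the box's own packets), here is an added example that is not from the thread: the host may start only the connections it needs for itself, processes running under a dedicated group (assumed name "scanners") may open anything, and everything else is logged at a limited rate and dropped. Note that --cmd-owner no longer exists in current kernels; --uid-owner and --gid-owner remain. The IPT dry-run wrapper and the port lists are my assumptions.

```shell
#!/bin/sh
# Dry run by default: every rule is echoed. Run as root with IPT=iptables
# to apply for real (assumed convention, not from the thread).
IPT="${IPT:-echo iptables}"

# Egress policy for the firewall host's own traffic. OUTPUT sees only
# locally generated packets; LAN clients are handled by FORWARD and are
# unaffected by anything here.
# $1: TCP ports the box needs for itself (assumed default: web)
# $2: UDP ports it needs (assumed default: DNS, NTP)
# $3: local group whose processes may open any outbound connection
#     (assumed name "scanners"; run nmap under that group, e.g. via sg)
egress_ruleset() {
    tcp_ports="${1:-80 443}"
    udp_ports="${2:-53 123}"
    scan_group="${3:-scanners}"

    $IPT -P OUTPUT DROP
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Packets belonging to flows already allowed, in either direction.
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate INVALID -j DROP

    # Only the services the box needs for normal operation may be started.
    for p in $tcp_ports; do
        $IPT -A OUTPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    for p in $udp_ports; do
        $IPT -A OUTPUT -p udp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Exception for the scanning group: the owner match checks the group of
    # the local socket, so only processes run under that group get through.
    $IPT -A OUTPUT -m owner --gid-owner "$scan_group" -j ACCEPT

    # Everything else is logged (rate-limited, so a compromised box cannot
    # flood the log) and then dropped by the policy. Unexpected OUT-DROP
    # lines are the signal that something on the box is trying to reach out.
    $IPT -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "OUT-DROP:"
}

egress_ruleset
```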
* Re: nmap
From: Antony Stone @ 2002-10-22 18:31 UTC
To: netfilter

On Tuesday 22 October 2002 4:42 pm, antonio wrote:

> Hi Everyone,
>
> Just a question:
> I want to set up a firewall box with iptables in which I can use nmap.
> Which ports/protocols can I set to ACCEPT and which to DROP?

Do you mean you want to run nmap on a box also running netfilter, to scan other machines?

If so, set your OUTPUT policy to ACCEPT, set your INPUT policy to DROP with a single rule:

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

and you'll be able to scan other machines and get the replies back, but anything new coming in to your machine will be blocked.

If I didn't understand correctly what you wanted to do please give more details.

Antony.

-- 
Which part of 'apt-get dist-upgrade' do you not understand ???
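The stateful baseline Antony and Gaël describe (INPUT policy DROP, OUTPUT policy ACCEPT, ESTABLISHED/RELATED replies back in, NEW only on the ports the box itself serves, echo-request allowed), as an added example that is not from the thread. It uses the current -m conntrack --ctstate spelling of the -m state --state match quoted above; the port list, the logging rule and the IPT dry-run wrapper are my assumptions.

```shell
#!/bin/sh
# Dry run by default: every rule is echoed. Run as root with IPT=iptables
# to apply for real (assumed convention, not from the thread).
IPT="${IPT:-echo iptables}"

# Stateful baseline for a host that runs nmap itself: probes leave via
# OUTPUT (ACCEPT), only replies to them re-enter via ESTABLISHED,RELATED,
# and NEW connections are accepted solely on the ports this box serves.
# $1: space-separated TCP ports the box itself offers (assumed default: ssh).
baseline_ruleset() {
    allow_tcp="${1:-22}"

    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback traffic is always local.
    $IPT -A INPUT -i lo -j ACCEPT
    # Packets conntrack cannot place in any flow (e.g. stray RST/ACK) go first.
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Replies to connections this host started, including scan probes.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Services this host actually exposes, one NEW rule per port.
    for p in $allow_tcp; do
        $IPT -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Answer pings, but rate-limited so a ping flood does not consume the CPU.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # Log what the policy is about to drop, a few lines per minute at most,
    # so inbound probes against the scanner box remain visible.
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "IN-DROP:"
}

baseline_ruleset "${ALLOW_TCP:-22}"
```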
* Re: nmap
From: hellbreak @ 2002-10-22 22:38 UTC
To: netfilter; +Cc: Antony Stone

Thank you Antony for your idea. But... if I set my OUTPUT to DROP, which ports and protocols can I set to ACCEPT to run nmap and allow scans of other machines?

Thx

On Tue, 22 Oct 2002 19:31:42 +0100 Antony Stone <Antony@Soft-Solutions.co.uk> wrote:

> On Tuesday 22 October 2002 4:42 pm, antonio wrote:
>
> > Hi Everyone,
> >
> > Just a question:
> > I want to set up a firewall box with iptables in which I can use nmap.
> > Which ports/protocols can I set to ACCEPT and which to DROP?
>
> Do you mean you want to run nmap on a box also running netfilter, to scan
> other machines ?
>
> If so, set your OUTPUT policy to ACCEPT, set your INPUT policy to DROP with a
> single rule:
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> and you'll be able to scan other machines and get the replies back, but
> anything new coming in to your machine will be blocked.
>
> If I didn't understand correctly what you wanted to do please give more
> details.
>
> Antony.
* Re: nmap
From: Nick Drage @ 2002-10-22 23:25 UTC
To: netfilter

On Tue, Oct 22, 2002 at 05:42:45PM +0200, antonio wrote:

> Hi Everyone,
>
> Just a question:
> I want to set up a firewall box with iptables in which I can use nmap.

I would suggest that you don't run nmap from your firewall; that host should just be a firewall and nothing else.

-- 
FunkyJesus System Administration Team