* What modules to load and what order ?
From: Rakotomandimby Mihamina @ 2004-06-25 7:35 UTC (permalink / raw)
To: netfilter
Hi all,
I have a dedicated server running Debian (initially woody, dist-upgraded
to testing).
It runs iptables 1.2.9.
I basically know how to manage it when all the netfilter stuff is
included in the kernel, but I don't know what to do when they're
modules.
I would be grateful if you would help me to see which of these modules I
should load, if my rules are what I show at the bottom of this letter.
I really thank you for any help; I'll be very scared till you answer me because
my server is running without any firewall for the moment....
==========================================================================
[root@localhost]# find /lib/modules/2.4.26-grsec -name '*.o' | grep netfilter
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/arpt_mangle.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/arp_tables.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/arptable_filter.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ip_tables.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_DSCP.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_ECN.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_LOG.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_MARK.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_REJECT.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_TCPMSS.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_TOS.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_ULOG.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_ah.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_dscp.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_ecn.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_esp.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_length.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_limit.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_mac.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_mark.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_multiport.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_pkttype.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_recent.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_stealth.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_tcpmss.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_tos.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_ttl.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/iptable_filter.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/iptable_mangle.o
/lib/modules/2.4.26-grsec/kernel/net/ipv6/netfilter/ip6_tables.o
=====================================================================
These are my rules:
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i ppp0 -m unclean -j LOG --log-level debug --log-prefix 'unclean_: '
iptables -A INPUT -i ppp0 -m unclean -j DROP
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -p tcp --syn -j LOG --log-level debug --log-prefix 'syn-flood_: '
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j LOG --log-level debug --log-prefix 'p_scan_: '
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j LOG --log-level debug --log-prefix 'p_o_d: '
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 31 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 2401 -j ACCEPT
iptables -A OUTPUT -p udp --dport 2401 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --syn --dport 113 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --syn --dport 113 -j ACCEPT
iptables -A INPUT -j LOG --log-level debug --log-prefix "droped_input_: "
iptables -A OUTPUT -j LOG --log-level debug --log-prefix "droped_output_: "
====================================================================
--
Rakotomandimby Mihamina Andrianifaharana
Tel : +33 2 38 76 43 65
http://www.rktmb.org/site_principal/Members/mihamina
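An added check, not part of the thread: a small script that derives which kernel modules a 2.4-era rule set like the one above needs, in load order, and flags the names that do not appear among the .o files the find command listed. The naming conventions (-m NAME -> ipt_NAME, non-builtin -j TARGET -> ipt_TARGET, -t TABLE -> iptable_TABLE, tcp/udp/icmp matches built into ip_tables, -m state pulling in ip_conntrack first) and the rule and find-output excerpts are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not the poster's script: map an iptables rule set to the
# 2.4 netfilter modules it needs (load order) and report which of those
# have no .o file in a given module list.

# Constructed excerpt of the posted rules (wrapped lines joined).
RULES='iptables -P INPUT DROP
iptables -A INPUT -i ppp0 -m unclean -j LOG --log-level debug --log-prefix "unclean_: "
iptables -A INPUT -p tcp --syn -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --syn --dport 113 -j ACCEPT
iptables -A INPUT -j LOG --log-level debug --log-prefix "droped_input_: "'

# Constructed excerpt of the posted find output.
AVAILABLE='/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ip_tables.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_LOG.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/ipt_limit.o
/lib/modules/2.4.26-grsec/kernel/net/ipv4/netfilter/iptable_filter.o'

modules_for() {   # stdin: rules; stdout: module names in load order
  awk '
    function add(m) { if (!(m in seen)) { seen[m] = 1; order[++n] = m } }
    BEGIN { add("ip_tables") }            # the core module always comes first
    {
      tbl = "filter"                      # -t absent means the filter table
      for (i = 1; i <= NF; i++) if ($i == "-t") tbl = $(i + 1)
      add("iptable_" tbl)
      for (i = 1; i <= NF; i++) {
        # tcp/udp/icmp matches are compiled into ip_tables, not separate .o files
        if ($i == "-m" && $(i + 1) !~ /^(tcp|udp|icmp)$/) {
          if ($(i + 1) == "state") add("ip_conntrack")   # ipt_state depends on it
          add("ipt_" $(i + 1))
        }
        # ACCEPT/DROP/RETURN/QUEUE are built in; other targets are ipt_<NAME>
        if ($i == "-j" && $(i + 1) !~ /^(ACCEPT|DROP|RETURN|QUEUE)$/)
          add("ipt_" $(i + 1))
      }
    }
    END { for (i = 1; i <= n; i++) print order[i] }'
}

missing_modules() {   # $1: module names; stdout: names with no .o in AVAILABLE
  printf '%s\n' "$1" | while read -r m; do
    case "$AVAILABLE" in *"/$m.o"*) ;; *) echo "$m" ;; esac
  done
}

NEEDED=$(printf '%s\n' "$RULES" | modules_for)
echo "load order:"; echo "$NEEDED"
echo "not present in the module list:"; missing_modules "$NEEDED"
```

A name reported as missing may be compiled into the kernel rather than absent; the kernel .config settles which.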
* Re: What modules to load and what order ?
From: B. McAninch @ 2004-06-25 14:31 UTC (permalink / raw)
To: netfilter
On Fri, 2004-06-25 at 02:35, Rakotomandimby Mihamina wrote:
> Hi all,
> I have a dedicated server running Debian (initially woody, dist-upgraded
> to testing).
>
> It runs iptables 1.2.9.
>
> I basically know how to manage it when all the netfilter stuff is
> included in the kernel, but I don't know what to do when they're
> modules.
>
> I would be grateful if you would help me to see which of these modules I
> should load, if my rules are what I show at the bottom of this letter.
>
> I really thank you for any help; I'll be very scared till you answer me because
> my server is running without any firewall for the moment....
<--- snip --->
> These are my rules:
>
> iptables -F
> iptables -X
> iptables -t nat -F
> iptables -t nat -X
> iptables -P INPUT DROP
> iptables -P OUTPUT DROP
> iptables -A INPUT -i ppp0 -m unclean -j LOG --log-level debug --log-prefix 'unclean_: '
> iptables -A INPUT -i ppp0 -m unclean -j DROP
> iptables -A INPUT -p tcp --syn -m limit --limit 5/s -j ACCEPT
> iptables -A INPUT -p tcp --syn -j LOG --log-level debug --log-prefix 'syn-flood_: '
> iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 5/s -j ACCEPT
> iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j LOG --log-level debug --log-prefix 'p_scan_: '
> iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type echo-request -j LOG --log-level debug --log-prefix 'p_o_d: '
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A INPUT -p tcp --dport 21 -j ACCEPT
> iptables -A INPUT -p tcp --dport 31 -j ACCEPT
> iptables -A INPUT -p tcp --dport 25 -j ACCEPT
> iptables -A OUTPUT -p tcp --sport 25 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -p icmp -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
> iptables -A OUTPUT -p tcp --dport 2401 -j ACCEPT
> iptables -A OUTPUT -p udp --dport 2401 -j ACCEPT
> iptables -A INPUT -p tcp -m tcp --syn --dport 113 -j ACCEPT
> iptables -A OUTPUT -p tcp -m tcp --syn --dport 113 -j ACCEPT
> iptables -A INPUT -j LOG --log-level debug --log-prefix "droped_input_: "
> iptables -A OUTPUT -j LOG --log-level debug --log-prefix "droped_output_: "
> ====================================================================
If this is a dedicated /firewall/, I would highly recommend disabling
loadable module support for enhanced security.
Additionally, 'iptables -t nat -X' is a useless rule as user-defined
chains are defined in the filter table.
Cheers
--
Bryan McAninch
Network Security Engineer
Penson Financial Services, Inc.
214.765.1366