Too scared....

Too scared....

[Kjetil Kjernsmo]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there! 

I hope someone can take my paw and help me through the iptables setup, 
because I'm a bit scared of the possibility of locking myself out of my 
box... 

I'm configuring my first box (Debian Woody with a 2.4.17 kernel), and 
I've read the "Networking Concepts HOWTO" (Hey, Rusty, that's very well 
written for beginners!), and the "Packet Filtering HOWTO", and I think 
I've understood the concepts, and at this point I would usually just go 
about trying to see what works, but this time, it feels so much more 
risky, because I'm admining my box remotely, and I really don't want to 
lock myself out of the box. OTOH, not configuring a firewall is a lot 
more scary. 

I've got iptables compiled in, and the iptables tool installed, so I 
should have taken care of that part. I've seen a few scripts, but they 
are all so different.... What I'm trying to do is really simple, I 
think: I have only one interface (in addition to the loopback), eth0, 
and I've got my services running on ports 22, 25, 80 and 110, so they 
have to be open, but other than, I can drop all INPUTs. I *guess* I can 
drop all OUTPUTs on other ports too, except for 21, perhaps, since I'm 
installing stuff using FTP. I think I'm confused when it comes to 
source vs. destination ports in this context. Also, I'm a bit scared 
given the general advice "lock up everything, then open", but what 
happens if I lock up and can't get in to open....? 

Well, I'm a bear of little brains, and I'm boldly trying to get a box 
online and get some nice stuff on it, and help is very much 
appreciated. 

Friendly Tiddely-pom,

Kjetil
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9BQb8lE/Gp2pqC7wRAlaHAJ9X3Vo5AeibTVyLMJRPkSFqLSrATQCeLa9/
1oQ9SLDnon3X/Yi6rZpPyF0=
=FaLO
-----END PGP SIGNATURE-----

Re: Too scared....

[Tom Marshall]

Try this ...

Make a script which pings some known address.  If the ping replies stop
coming back, restore the firewall to a known state from a backup copy of
your firewall script.

When you are changing your firewall rules, open up another terminal window
to the machine and run this script.

On Mon, Jun 10, 2002 at 10:07:08PM +0200, Kjetil Kjernsmo wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi there! 
> 
> I hope someone can take my paw and help me through the iptables setup, 
> because I'm a bit scared of the possibility of locking myself out of my 
> box... 
> 
> I'm configuring my first box (Debian Woody with a 2.4.17 kernel), and 
> I've read the "Networking Concepts HOWTO" (Hey, Rusty, that's very well 
> written for beginners!), and the "Packet Filtering HOWTO", and I think 
> I've understood the concepts, and at this point I would usually just go 
> about trying to see what works, but this time, it feels so much more 
> risky, because I'm admining my box remotely, and I really don't want to 
> lock myself out of the box. OTOH, not configuring a firewall is a lot 
> more scary. 
> 
> I've got iptables compiled in, and the iptables tool installed, so I 
> should have taken care of that part. I've seen a few scripts, but they 
> are all so different.... What I'm trying to do is really simple, I 
> think: I have only one interface (in addition to the loopback), eth0, 
> and I've got my services running on ports 22, 25, 80 and 110, so they 
> have to be open, but other than, I can drop all INPUTs. I *guess* I can 
> drop all OUTPUTs on other ports too, except for 21, perhaps, since I'm 
> installing stuff using FTP. I think I'm confused when it comes to 
> source vs. destination ports in this context. Also, I'm a bit scared 
> given the general advice "lock up everything, then open", but what 
> happens if I lock up and can't get in to open....? 
> 
> Well, I'm a bear of little brains, and I'm boldly trying to get a box 
> online and get some nice stuff on it, and help is very much 
> appreciated. 
> 
> Friendly Tiddely-pom,
> 
> Kjetil
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
> 
> iD8DBQE9BQb8lE/Gp2pqC7wRAlaHAJ9X3Vo5AeibTVyLMJRPkSFqLSrATQCeLa9/
> 1oQ9SLDnon3X/Yi6rZpPyF0=
> =FaLO
> -----END PGP SIGNATURE-----
> 

Re: Too scared....

[Ralf Hemmann]

Hy

> I hope someone can take my paw and help me through the iptables setup,
> because I'm a bit scared of the possibility of locking myself out of my
> box...

I know what you mean and be shure - if you do not use a "roll back system"
you WILL lock you out of your server ;-))


Try to make your Firewall script like this:


!/bin/bash


#  Deadmans Switch
# like in german railways.
# The driver has to press a
# button when its buzzing.
# If the driver dont push the button the
# Train stops


case "$1" in

start)


   # your rules her
   # iptables -t nat bla


# At the verry end of start put something like this:

echo "Are you dead ?

answer with Ctrl C

"

sleep 4
echo "2 more"
sleep 4
echo "1 to go"
sleep 4

echo "OK open firewall"

iptables -P INPUT ACCPET 
iptables -P OUTPUT ACCPET
iptables -P FORWARD ACCPET

iptables -F
iptables -F -t nat

;;

stop )

# bla bla

;;


*)

echo "usage $0 Start | Stop "

esac

Re: Too scared....

[Tony Earnshaw]

[-- Attachment #1: Type: text/plain, Size: 1673 bytes --]

man, 2002-06-10 kl. 22:07 skrev Kjetil Kjernsmo:

> I hope someone can take my paw and help me through the iptables setup, 
> because I'm a bit scared of the possibility of locking myself out of my 
> box... 

Den som intet våger, intet vinner :c)

Do it. 

1: Make sure that you have a cron/at job running that kills and restarts
your firewall scripts at intervals known to you. If you only have a
minimum of services, they are patched up to the last version and all is
more or less safe, then a ten-minute gap now and then can't hurt until
your routine is established;

2: If you're using ssh (which you are) to get to the machine, and since
no-one can see what you're doing, cut out ftp and use scp - which also
goes to port 22 and is *much* safer and better;

3: In your firewall script, build in a rule that only lets in your IP
number - or, even better, if your admin machine uses Ethernet for the
connection, your MAC number.

I've done all this out of Utrecht in Holland to a slave DNS name server
in Dortmund, Germany, including weekly scp backups and goodness knows
what else. I had no possibility of getting to that machine, once it was
placed, and everything worked perfectly for months - never ever went
wrong.

Just leave yourself a back door, if you need it, until you've gained the
confidence you need.

Best,

Tonni

Sogning

-- 

Tony Earnshaw

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981



[-- Attachment #2: Dette er en digitalt signert meldingsdel --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

RES: Too scared....

[Roberto Campos]

Hi,

What i do is to place, at the bottom of my firewall script, few more
lines like this:

----------- (start of script)
...
... (various commands)

echo "Finished"

sleep 120

shutdown -r now

------------ (end of script)

Once I see the finished echoed I kill (ctrl-C) the ongoing program.

---> For the gurus out there:

Is there a problem on doing that? 

It has never let me down so far.

Hope it helps.

Rgds,

Roberto Campos
_______________________________________________________________
Meu  Provedor Tecnologias e Informatica ltda.
Rua Camerino, 128 Gr. 302 - Centro
Rio de Janeiro - RJ - CEP 20080-010
Tel.: 21 - 25181011     Fax: 21 - 25181911

-----Mensagem original-----
De: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org] Em nome de Tony Earnshaw
Enviada em: terça-feira, 11 de junho de 2002 06:40
Para: Kjetil Kjernsmo
Cc: netfilter@lists.samba.org
Assunto: Re: Too scared....

man, 2002-06-10 kl. 22:07 skrev Kjetil Kjernsmo:

> I hope someone can take my paw and help me through the iptables setup,

> because I'm a bit scared of the possibility of locking myself out of
my 
> box... 

Den som intet våger, intet vinner :c)

Do it. 

1: Make sure that you have a cron/at job running that kills and restarts
your firewall scripts at intervals known to you. If you only have a
minimum of services, they are patched up to the last version and all is
more or less safe, then a ten-minute gap now and then can't hurt until
your routine is established;

2: If you're using ssh (which you are) to get to the machine, and since
no-one can see what you're doing, cut out ftp and use scp - which also
goes to port 22 and is *much* safer and better;

3: In your firewall script, build in a rule that only lets in your IP
number - or, even better, if your admin machine uses Ethernet for the
connection, your MAC number.

I've done all this out of Utrecht in Holland to a slave DNS name server
in Dortmund, Germany, including weekly scp backups and goodness knows
what else. I had no possibility of getting to that machine, once it was
placed, and everything worked perfectly for months - never ever went
wrong.

Just leave yourself a back door, if you need it, until you've gained the
confidence you need.

Best,

Tonni

Sogning

-- 

Tony Earnshaw

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981

Re: RES: Too scared....

[Frank Nijenhuis]

we cat the date upon starting the firewall script to a file .buttsave :)
A cronjob runs every minute which checks for the .buttsave file, if it's 
present, it will flush the firewall.
So, directly after running the firewall script we have to rm the .buttsave 
file.
The cron is called savemybutt.sh ofcourse :)

Frank

At 08:25 AM 6/11/2002 -0300, you wrote:
>Hi,
>
>What i do is to place, at the bottom of my firewall script, few more
>lines like this:
>
>----------- (start of script)
>...
>... (various commands)
>
>echo "Finished"
>
>sleep 120
>
>shutdown -r now
>
>------------ (end of script)
>
>Once I see the finished echoed I kill (ctrl-C) the ongoing program.
>
>---> For the gurus out there:
>
>Is there a problem on doing that?
>
>It has never let me down so far.
>
>Hope it helps.
>
>Rgds,
>
>Roberto Campos
>_______________________________________________________________
>Meu  Provedor Tecnologias e Informatica ltda.
>Rua Camerino, 128 Gr. 302 - Centro
>Rio de Janeiro - RJ - CEP 20080-010
>Tel.: 21 - 25181011     Fax: 21 - 25181911
>
>-----Mensagem original-----
>De: netfilter-admin@lists.samba.org
>[mailto:netfilter-admin@lists.samba.org] Em nome de Tony Earnshaw
>Enviada em: terça-feira, 11 de junho de 2002 06:40
>Para: Kjetil Kjernsmo
>Cc: netfilter@lists.samba.org
>Assunto: Re: Too scared....
>
>man, 2002-06-10 kl. 22:07 skrev Kjetil Kjernsmo:
>
> > I hope someone can take my paw and help me through the iptables setup,
>
> > because I'm a bit scared of the possibility of locking myself out of
>my
> > box...
>
>Den som intet våger, intet vinner :c)
>
>Do it.
>
>1: Make sure that you have a cron/at job running that kills and restarts
>your firewall scripts at intervals known to you. If you only have a
>minimum of services, they are patched up to the last version and all is
>more or less safe, then a ten-minute gap now and then can't hurt until
>your routine is established;
>
>2: If you're using ssh (which you are) to get to the machine, and since
>no-one can see what you're doing, cut out ftp and use scp - which also
>goes to port 22 and is *much* safer and better;
>
>3: In your firewall script, build in a rule that only lets in your IP
>number - or, even better, if your admin machine uses Ethernet for the
>connection, your MAC number.
>
>I've done all this out of Utrecht in Holland to a slave DNS name server
>in Dortmund, Germany, including weekly scp backups and goodness knows
>what else. I had no possibility of getting to that machine, once it was
>placed, and everything worked perfectly for months - never ever went
>wrong.
>
>Just leave yourself a back door, if you need it, until you've gained the
>confidence you need.
>
>Best,
>
>Tonni
>
>Sogning
>
>--
>
>Tony Earnshaw
>
>e-post:         tonni@billy.demon.nl
>www:            http://www.billy.demon.nl
>gpg public key: http://www.billy.demon.nl/tonni.armor
>
>Telefoon:       (+31) (0)172 530428
>Mobiel:         (+31) (0)6 51153356
>
>GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
>3BE7B981

IP address to MAC address

[Sundaram Ramasamy]

Hi,

I have IP address of the machine, I want to get the MAC address of that
machine thru. my program.

Is there  sample program with accepts the IP address and return's the MAC
address of the  machine.


Thanks
Sundaram

Re: IP address to MAC address

[Antony Stone]

On Tuesday 11 June 2002 1:39 pm, Sundaram Ramasamy wrote:

> Hi,
>
> I have IP address of the machine, I want to get the MAC address of that
> machine thru. my program.
>
> Is there  sample program with accepts the IP address and return's the MAC
> address of the  machine.

You could try this:

ping $IP -c1 >/dev/null 2>&1
grep $IP /proc/net/arp | tr -s ' ' | cut -d' ' -f4

(There's a single space in between each of those pairs of ' ', in case it's 
not obvious.)
 

Antony.

Re: IP address to MAC address

[Tony Earnshaw]

[-- Attachment #1: Type: text/plain, Size: 560 bytes --]

tir, 2002-06-11 kl. 14:53 skrev Antony Stone:

> ping $IP -c1 >/dev/null 2>&1
> grep $IP /proc/net/arp | tr -s ' ' | cut -d' ' -f4

> (There's a single space in between each of those pairs of ' ', in case it's 
> not obvious.)

Did you say 'arp -a'?

Tony

-- 

Tony Earnshaw

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
gpg public key:	http://www.billy.demon.nl/tonni.armor

Telefoon:	(+31) (0)172 530428
Mobiel:		(+31) (0)6 51153356

GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
3BE7B981



[-- Attachment #2: Dette er en digitalt signert meldingsdel --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: IP address to MAC address

[Antony Stone]

On Tuesday 11 June 2002 9:38 pm, Tony Earnshaw wrote:

> tir, 2002-06-11 kl. 14:53 skrev Antony Stone:

> > ping $IP -c1 >/dev/null 2>&1
> > grep $IP /proc/net/arp | tr -s ' ' | cut -d' ' -f4
> >
> > (There's a single space in between each of those pairs of ' ', in case
> > it's not obvious.)
>
> Did you say 'arp -a'?

I would have done, if I knew I was root, but the commands I suggested work 
for an unprivileged user too :-)

 

Antony

Re: IP address to MAC address

[Ramin Alidousti]

On Tue, Jun 11, 2002 at 09:40:53PM +0100, Antony Stone wrote:

> On Tuesday 11 June 2002 9:38 pm, Tony Earnshaw wrote:
> 
> > tir, 2002-06-11 kl. 14:53 skrev Antony Stone:
> 
> > > ping $IP -c1 >/dev/null 2>&1
> > > grep $IP /proc/net/arp | tr -s ' ' | cut -d' ' -f4
> > >
> > > (There's a single space in between each of those pairs of ' ', in case
> > > it's not obvious.)
> >
> > Did you say 'arp -a'?
> 
> I would have done, if I knew I was root, but the commands I suggested work 
> for an unprivileged user too :-)

If that information can be read by anybody then the wrapper program like arp
can be run by anybody as well ;-)

Ramin

> Antony

Re: IP address to MAC address

[Antony Stone]

On Tuesday 11 June 2002 9:55 pm, Ramin Alidousti wrote:

> On Tue, Jun 11, 2002 at 09:40:53PM +0100, Antony Stone wrote:
> > On Tuesday 11 June 2002 9:38 pm, Tony Earnshaw wrote:
> > > tir, 2002-06-11 kl. 14:53 skrev Antony Stone:
> > > > ping $IP -c1 >/dev/null 2>&1
> > > > grep $IP /proc/net/arp | tr -s ' ' | cut -d' ' -f4
> > > >
> > > > (There's a single space in between each of those pairs of ' ', in
> > > > case it's not obvious.)
> > >
> > > Did you say 'arp -a'?
> >
> > I would have done, if I knew I was root, but the commands I suggested
> > work for an unprivileged user too :-)
>
> If that information can be read by anybody then the wrapper program like
> arp can be run by anybody as well ;-)

Well, on my system at least (Slackware 8.0), /proc/net/arp has permissions 
-r--r--r-- so anyone can read it.   The arp program is in /sbin, so it can 
only be run by root.

 

Antony.

Re: IP address to MAC address

[Tom Eastep]

On Tue, 11 Jun 2002, Antony Stone wrote:

> 
> Well, on my system at least (Slackware 8.0), /proc/net/arp has permissions 
> -r--r--r-- so anyone can read it.   The arp program is in /sbin, so it can 
> only be run by root.
> 

Are you saying that Slack secures /sbin against access by non-root users 
or the files there from being executed by non-root users? Not so on 
RedHat:


[teastep@wookie Shorewall]$ /sbin/arp -na
? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth0
? (192.168.1.254) at 02:00:08:E3:4C:48 [ether] on eth0
[teastep@wookie Shorewall]$

Note that /sbin isn't in non-root's PATH so by default an absolute path
name must be used. But:

[teastep@wookie Shorewall]$ PATH=$PATH:/sbin
[teastep@wookie Shorewall]$ arp -na
? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth0
? (192.168.1.254) at 02:00:08:E3:4C:48 [ether] on eth0
[teastep@wookie Shorewall]$


-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Re: IP address to MAC address

[Antony Stone]

On Tuesday 11 June 2002 10:27 pm, Tom Eastep wrote:

> On Tue, 11 Jun 2002, Antony Stone wrote:

> > Well, on my system at least (Slackware 8.0), /proc/net/arp has
> > permissions -r--r--r-- so anyone can read it.   The arp program is in
> > /sbin, so it can only be run by root.
>
> Are you saying that Slack secures /sbin against access by non-root users
> or the files there from being executed by non-root users? Not so on
> RedHat:
>
> Note that /sbin isn't in non-root's PATH so by default an absolute path
> name must be used. But:

Okay - turns out I'm telling you Slackware's the same - I just naively 
assumed that when someone decided not to include /sbin on non-root user PATH, 
then they would have given it permissions dr-xr-x--- to stop non-root users 
getting at the juicy commands inside.

Just shows you something you think is security is just obscurity :-)

 

Antony.

Re: IP address to MAC address

[Adam D. Barratt]

Antony Stone wrote:

> On Tuesday 11 June 2002 9:55 pm, Ramin Alidousti wrote:
>
> > On Tue, Jun 11, 2002 at 09:40:53PM +0100, Antony Stone wrote:
> > > On Tuesday 11 June 2002 9:38 pm, Tony Earnshaw wrote:
[chomp]
> > > > Did you say 'arp -a'?
> > >
> > > I would have done, if I knew I was root, but the commands I
suggested
> > > work for an unprivileged user too :-)
> >
> > If that information can be read by anybody then the wrapper
program like
> > arp can be run by anybody as well ;-)
>
> Well, on my system at least (Slackware 8.0), /proc/net/arp has
permissions
> -r--r--r-- so anyone can read it.   The arp program is in /sbin, so
it can
> only be run by root.

Non sequiter. /sbin contains, by convention, binaries connected with
system administration. That is *not* the same as "binaries that may
only be executed by root".

/sbin is not on non-root users' paths, by default, but that doesn't
necessarily mean they can't execute stuff that lives there. Certainly,
on my Debian Woody and Sid boxes here, the contents of /sbin
are -rwxr-xr-x ;- the main thing stopping non-root users using some of
them is a lack of privileges, not a lack of execute rights to the
files.

Specifically, arp lives in /usr/sbin on my boxen, and whilst that's
not on my normal user's path, and the files are owned by root.root, I
can quite happily:

  /usr/sbin/arp -a

as any user. Similarly, a non-privileged user has no problems running
/sbin/route.

hth

Adam

Re: IP address to MAC address

[rpjday]

On Tue, 11 Jun 2002, Adam D. Barratt wrote:

> Non sequiter. /sbin contains, by convention, binaries connected with
> system administration. That is *not* the same as "binaries that may
> only be executed by root".
> 
> /sbin is not on non-root users' paths, by default, but that doesn't
> necessarily mean they can't execute stuff that lives there. Certainly,
> on my Debian Woody and Sid boxes here, the contents of /sbin
> are -rwxr-xr-x ;- the main thing stopping non-root users using some of
> them is a lack of privileges, not a lack of execute rights to the
> files.
> 
> Specifically, arp lives in /usr/sbin on my boxen, and whilst that's
> not on my normal user's path, and the files are owned by root.root, I
> can quite happily:
> 
>   /usr/sbin/arp -a
> 
> as any user. Similarly, a non-privileged user has no problems running
> /sbin/route.

i would go one step further and suggest that regular users might
consider adding /sbin and /usr/sbin to their search paths.  there's
nothing wrong with that, and it allows users to run the same commands
they would be allowed to run if they typed out the names in full:
"route" instead of "/sbin/route", for instance.

rday

Re: IP address to MAC address

[Ramin Alidousti]

On Tue, Jun 11, 2002 at 05:45:56PM -0400, rpjday wrote:

> On Tue, 11 Jun 2002, Adam D. Barratt wrote:
> 
> > Non sequiter. /sbin contains, by convention, binaries connected with
> > system administration. That is *not* the same as "binaries that may
> > only be executed by root".
> > 
> > /sbin is not on non-root users' paths, by default, but that doesn't
> > necessarily mean they can't execute stuff that lives there. Certainly,
> > on my Debian Woody and Sid boxes here, the contents of /sbin
> > are -rwxr-xr-x ;- the main thing stopping non-root users using some of
> > them is a lack of privileges, not a lack of execute rights to the
> > files.
> > 
> > Specifically, arp lives in /usr/sbin on my boxen, and whilst that's
> > not on my normal user's path, and the files are owned by root.root, I
> > can quite happily:
> > 
> >   /usr/sbin/arp -a
> > 
> > as any user. Similarly, a non-privileged user has no problems running
> > /sbin/route.
> 
> i would go one step further and suggest that regular users might
> consider adding /sbin and /usr/sbin to their search paths.  there's
> nothing wrong with that, and it allows users to run the same commands
> they would be allowed to run if they typed out the names in full:
> "route" instead of "/sbin/route", for instance.

The users who know what they're doing have done that already ;-) And
there is no reason to include this path for the users that don't have
a clue ;-)

Ramin

> rday

Re: IP address to MAC address

[Antony Stone]

On Tuesday 11 June 2002 9:55 pm, Ramin Alidousti wrote:

> If that information can be read by anybody then the wrapper program like
> arp can be run by anybody as well ;-)

What is going on with this list these days ?

This message from Tuesday (which I received as a cc: on Tuesday) has just 
popped up in my mailbox....

Headers show it got stuck on a machine calling itself 21cn.com, with 
addresses 10.2.1.6, 10.2.0.2 and 61.140.60.248

It's not as though the poster was using a non-subscribed address, either.

 

Antony.

Re: Too scared....

[Jason Pappas]

There's really nothing wrong with this, however....  You could end up
locking yourself out of your firewall with this too.  Instead of doing a
shutdown on the system... Why don't you flush your ruleset...  You don't
take down the entire system because one rule got messed up.  Just from my
personal preference, I don't like to reboot systems unless I have to.  It
seems too microsoftish.

Example

#!/bin/sh
# Start of script

# Various commands

# End of firewall commands

sleep 60
iptables -F <your chains here>
----- Original Message -----
From: "Roberto Campos" <roberto@meuprovedor.com.br>
To: "'Tony Earnshaw'" <tonni@billy.demon.nl>
Cc: <netfilter@lists.samba.org>
Sent: Tuesday, June 11, 2002 7:25 AM
Subject: RES: Too scared....


> Hi,
>
> What i do is to place, at the bottom of my firewall script, few more
> lines like this:
>
> ----------- (start of script)
> ...
> ... (various commands)
>
> echo "Finished"
>
> sleep 120
>
> shutdown -r now
>
> ------------ (end of script)
>
> Once I see the finished echoed I kill (ctrl-C) the ongoing program.
>
> ---> For the gurus out there:
>
> Is there a problem on doing that?
>
> It has never let me down so far.
>
> Hope it helps.
>
> Rgds,
>
> Roberto Campos
> _______________________________________________________________
> Meu  Provedor Tecnologias e Informatica ltda.
> Rua Camerino, 128 Gr. 302 - Centro
> Rio de Janeiro - RJ - CEP 20080-010
> Tel.: 21 - 25181011     Fax: 21 - 25181911
>
> -----Mensagem original-----
> De: netfilter-admin@lists.samba.org
> [mailto:netfilter-admin@lists.samba.org] Em nome de Tony Earnshaw
> Enviada em: terça-feira, 11 de junho de 2002 06:40
> Para: Kjetil Kjernsmo
> Cc: netfilter@lists.samba.org
> Assunto: Re: Too scared....
>
> man, 2002-06-10 kl. 22:07 skrev Kjetil Kjernsmo:
>
> > I hope someone can take my paw and help me through the iptables setup,
>
> > because I'm a bit scared of the possibility of locking myself out of
> my
> > box...
>
> Den som intet våger, intet vinner :c)
>
> Do it.
>
> 1: Make sure that you have a cron/at job running that kills and restarts
> your firewall scripts at intervals known to you. If you only have a
> minimum of services, they are patched up to the last version and all is
> more or less safe, then a ten-minute gap now and then can't hurt until
> your routine is established;
>
> 2: If you're using ssh (which you are) to get to the machine, and since
> no-one can see what you're doing, cut out ftp and use scp - which also
> goes to port 22 and is *much* safer and better;
>
> 3: In your firewall script, build in a rule that only lets in your IP
> number - or, even better, if your admin machine uses Ethernet for the
> connection, your MAC number.
>
> I've done all this out of Utrecht in Holland to a slave DNS name server
> in Dortmund, Germany, including weekly scp backups and goodness knows
> what else. I had no possibility of getting to that machine, once it was
> placed, and everything worked perfectly for months - never ever went
> wrong.
>
> Just leave yourself a back door, if you need it, until you've gained the
> confidence you need.
>
> Best,
>
> Tonni
>
> Sogning
>
> --
>
> Tony Earnshaw
>
> e-post: tonni@billy.demon.nl
> www: http://www.billy.demon.nl
> gpg public key: http://www.billy.demon.nl/tonni.armor
>
> Telefoon: (+31) (0)172 530428
> Mobiel: (+31) (0)6 51153356
>
> GPG Fingerprint = 3924 6BF8 A755 DE1A 4AD6 FA2B F7D7 6051 3BE7 B981
> 3BE7B981
>
>
>
>
>
>

Re: Too scared....

[Kjetil Kjernsmo]

On Tuesday 11 June 2002 11:39, you wrote:
> man, 2002-06-10 kl. 22:07 skrev Kjetil Kjernsmo:
> > I hope someone can take my paw and help me through the iptables
> > setup, because I'm a bit scared of the possibility of locking
> > myself out of my box...
>
> Den som intet våger, intet vinner :c)

Helt sant!

Thanks to everybody!

I've been trying to get it to work, and thanks to Mike Benson, who gave 
me a snippet of code that flushes the rules after a delay, I'm not that 
anxious anymore. Though my first test failed miserably, I was locked 
out and those two minutes _was_ scary... :-)

I've done some cut'n'pasting from various sources, trying things I 
think I understand. But apparently, it doesn't do quite what I thought 
it would, so...

I start my script with 
 #! /bin/sh 
IPTABLES="/sbin/iptables"
$IPTABLES -F         
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
This should flush and then drop everything. For simplicity, I then have:
$IPTABLES -P OUTPUT ACCEPT
I guess drop output makes life harder for someone who may have gained 
access to a user account, but... Then, I grabbed most of my stuff from
 http://www.linuxhelp.net/guides/davion/iptables-script
To start with:
$IPTABLES -A INPUT -i lo -j ACCEPT
They also list this as working for ssh:
$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j ACCEPT 
Apparently it does. So, I just copied it for the rest of my ports...:
$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 21 -j ACCEPT 
$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 80 -j ACCEPT 
$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 110 -j ACCEPT 
$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --dport 25 -j ACCEPT 
$IPTABLES -A INPUT -i eth0 -d 0/0 -p tcp --sport 25 -j ACCEPT 
It seems to work too.... 

Then, there's DNS. I've inserted
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT -s 217.77.32.0/24
I guess I could restrict the IP range more. The point is, however, that 
my workstation is outside of this range, so I thought it would mean 
that it would be closed for my workstation...? However, if I do
owl:~# nmap -g 53 -p 53 -sU pooh

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on pooh.kjernsmo.net (217.77.32.186):
Port       State       Service
53/udp     open        domain

So, it looks like I didn't understand this stuff.... 

Finally, I have
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j 
ACCEPT
It responds to ping... :-)

I've tried quite a few other things than this too. So, the question is: 
Have I done something silly? How do I close off DNS for everything 
except the subnet my box is in?

Thanks again for your help!

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/

Re: Too scared....

[Ralf Hemmann]

Hy

> I hope someone can take my paw and help me through the iptables setup,
> because I'm a bit scared of the possibility of locking myself out of my
> box...

I know what you mean and be shure - if you do not use a "roll back system"
you WILL lock you out of your server ;-))


Try to make your Firewall script like this:


!/bin/bash


#  Deadmans Switch
# like in german railways.
# The driver has to press a
# button when its buzzing.
# If the driver dont push the button the
# Train stops


case "$1" in

start)


   # your rules her
   # iptables -t nat bla


# At the verry end of start put something like this:

echo "Are you dead ?

answer with Ctrl C

"

sleep 4
echo "2 more"
sleep 4
echo "1 to go"
sleep 4

echo "OK open firewall"

iptables -P INPUT ACCPET 
iptables -P OUTPUT ACCPET
iptables -P FORWARD ACCPET

iptables -F
iptables -F -t nat

;;

stop )

# bla bla

;;


*)

echo "usage $0 Start | Stop "

esac

Update: Too scared.... Script

[Ralf Hemmann]

Hy a litttle update:

I forgot to mention the DEBUG parameter, otherwise the script would not
work unattended:
If your 100% shure your firewall rules are well done, change DEBUG to 0

!/bin/bash

DEBUG="1"  # 0 for normal use

[the scipt as posted]

if [ $DEBUG="1" ]; then

echo "Are you dead ?

answer with Ctrl C

[..as posted ]

fi


Ralf

Update: Too scared.... Script

[Ralf Hemmann]

Hy a litttle update:

I forgot to mention the DEBUG parameter, otherwise the script would not
work unattended:
If your 100% shure your firewall rules are well done, change DEBUG to 0

!/bin/bash

DEBUG="1"  # 0 for normal use

[the scipt as posted]

if [ $DEBUG="1" ]; then

echo "Are you dead ?

answer with Ctrl C

[..as posted ]

fi


Ralf