[Klug-general] iptables (firewall), usermode linux, digital camera
Athon Solo
athon at athon.me.uk
Fri Aug 19 00:19:36 BST 2005
Hi all,
Just thought I'd post what I've been doing recently with Gentoo.
Primarily I've been securing my PC and laptop ready for uni. This mostly
involves learning iptables, which is pretty easy once you've learnt the
commands.
My current rules-save file with comments (I edit this by hand so I can
add comments - the syntax is basically the same as the commandline commands):
# Generated by iptables-save v1.2.11 on Wed Aug 10 19:27:09 2005
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Aug 10 19:27:09 2005
# Generated by iptables-save v1.2.11 on Wed Aug 10 19:27:09 2005
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 2005-08-17 Masquerading for UML
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Aug 10 19:27:09 2005
# Generated by iptables-save v1.2.11 on Wed Aug 10 19:27:09 2005
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Aug 10 19:27:09 2005
# Generated by iptables-save v1.2.11 on Wed Aug 10 19:27:09 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 2005-08-10 Disable explicit allowing of anything from local machines
# I want to be able to tell whether the other rules are working or not
# [0:0] -A INPUT -s 192.168.1.7 -j ACCEPT
# [0:0] -A INPUT -s 192.168.1.3 -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
# 2005-08-10 Allow incoming SSH connections
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -s 192.168.0.0/16 -j ACCEPT
[0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 22 -s 192.168.0.0/16 -j ACCEPT
# 2005-08-10 Allow incoming NFS connections
# Ref: http://gentoo-wiki.com/HOWTO_Share_Directories_via_NFS
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -s 192.168.0.0/16 -j ACCEPT
[0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 111 -s 192.168.0.0/16 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 2049 -s 192.168.0.0/16 -j ACCEPT
[0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 2049 -s 192.168.0.0/16 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 4001 -s 192.168.0.0/16 -j ACCEPT
[0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 4001 -s 192.168.0.0/16 -j ACCEPT
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 32764:32767 -s 192.168.0.0/16 -j ACCEPT
[0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 32764:32767 -s 192.168.0.0/16 -j ACCEPT
# 2005-08-10 Allow bittorrent to work correctly
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 6881:6889 -j ACCEPT
[0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 6881:6889 -j ACCEPT
# 2005-08-11 Allow incoming VNC connections
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 5900:5901 -s 192.168.0.0/16 -j ACCEPT
[0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 5900:5901 -s 192.168.0.0/16 -j ACCEPT
# 2005-08-11 Allow incoming connections to our CUPS printer
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp --dport 631 -s 192.168.0.0/16 -j ACCEPT
[0:0] -A INPUT -p udp -m state --state NEW -m udp --dport 631 -s 192.168.0.0/16 -j ACCEPT
# 2005-08-17 Allow incoming UDP connection to 137 (used by Windows file & print servers)
[0:0] -A INPUT -p udp -m state --state NEW -m udp --sport 137 -s 192.168.0.0/16 -j ACCEPT
# 2005-08-17 Allow TUNTAP connections (used by UML)
[0:0] -A INPUT -p tcp -m state --state NEW -m tcp -i tap0 -j ACCEPT
[0:0] -A INPUT -p udp -m state --state NEW -m udp -i tap0 -j ACCEPT
[0:0] -A INPUT -p icmp -m state --state NEW -m icmp -i tap0 -j ACCEPT
# 2005-08-17 LOG packets
#[0:0] -A INPUT -j LOG
## Forwarding Rules
# 2005-08-17 Forwarding for UML - basically let it handle itself
[0:0] -A FORWARD -i tap0 -j ACCEPT
[0:0] -A FORWARD -o tap0 -j ACCEPT
#[0:0] -A FORWARD -j LOG
COMMIT
# Completed on Wed Aug 10 19:27:09 2005
It's a bit messy as when I started I added both udp and tcp entries for
everything. I'll go through and clean these up sometime.
When you want to see what port something is trying to use, uncomment the
2 "-j LOG" lines and restart iptables, then use "tail -f
/var/log/everything/current" (file may be /var/log/messages for others -
I use metalog)
I've also been looking at running Usermode Linux. For the uninitiated,
this is simply where you can run linux on top of linux. This can be used
for a wide range of things, from learning about security (set up a UML
then you can attempt to hack it like any other box), testing
installations (one of the things I intend to test is upgrading my Qmail
Rocks installation), etc.
Because the 'partitions' that a UML instance uses can be files, you can
easily back it up before you start, and if you mess up, start over from
scratch as quickly as it takes you to bring down the UML, copy your
backup and restart the UML with the backed-up copy.
You can see my notes on Usermode linux at:
http://gentoo-wiki.com/Talk:HOWTO_User_Mode_Linux
Basically I have had a fully working (as far as I can tell) UML running,
but the AMD64 memory bug I've mentioned in the notes means that it
doesn't run for long.
I've tried compiling on an x86 (32-bit) machine I have, but so far
haven't been able to create a running UML guest kernel on it (despite
using the same .config as I used to create the successful guest kernel
on my amd64 box).
On other tidbits, I got myself a Canon Powershot A400, which worked
immediately using Digikam (which uses gphoto2) using the "USB PTP Class
Camera" model. Unfortunately it doesn't pretend to be a USB Mass Storage
device, so I haven't found a way to access its filesystem directly
without using gphoto2 / digikam. I also haven't tried downloading videos
recorded using the camera yet.
I have also got a new mp3 player (my old Creative DAP was having battery
life problems, and is a bit bulky by today's standards) -
http://www.aria.co.uk/ProductInfoComm.asp?ID=17250 - which supports the
same SD cards that my camera uses. This does pretend to be a USB Mass
Storage device, so I can always access my videos using that if I can't
via my camera.
My HP nx9105 laptop has a built-in multi-format (SD/MMC/SM/MS/Pro) card
reader. I briefly tried to get this running by enabling things which
looked related in the kernel, and following a tip that I found that it
might, like a USB mass storage device, pretend to be a SCSI drive
(/dev/sd*), but I didn't have any success (the LED next to the card
reader never switched on - which may indicate the need for a driver of
some type. I've also just had a thought to check that it isn't switched
off in my BIOS).
In case someone wants to know what the cardreader might be, here's my
lspci output:
0000:00:00.0 Host bridge: nVidia Corporation nForce3 Host Bridge (rev a4)
0000:00:01.0 ISA bridge: nVidia Corporation nForce3 LPC Bridge (rev a6)
0000:00:01.1 SMBus: nVidia Corporation nForce3 SMBus (rev a4)
0000:00:02.0 USB Controller: nVidia Corporation nForce3 USB 1.1 (rev a5)
0000:00:02.1 USB Controller: nVidia Corporation nForce3 USB 1.1 (rev a5)
0000:00:02.2 USB Controller: nVidia Corporation nForce3 USB 2.0 (rev a2)
0000:00:06.0 Multimedia audio controller: nVidia Corporation nForce3 Audio (rev a2)
0000:00:06.1 Modem: nVidia Corporation: Unknown device 00d9 (rev a2)
0000:00:08.0 IDE interface: nVidia Corporation nForce3 IDE (rev a5)
0000:00:0a.0 PCI bridge: nVidia Corporation nForce3 PCI Bridge (rev a2)
0000:00:0b.0 PCI bridge: nVidia Corporation nForce3 AGP Bridge (rev a4)
0000:00:18.0 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] HyperTransport Technology Configuration
0000:00:18.1 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Address Map
0000:00:18.2 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] DRAM Controller
0000:00:18.3 Host bridge: Advanced Micro Devices [AMD] K8 [Athlon64/Opteron] Miscellaneous Control
0000:01:00.0 VGA compatible controller: nVidia Corporation NV17 [GeForce4 440 Go 64M] (rev a3)
0000:02:00.0 FireWire (IEEE 1394): Texas Instruments TSB43AB21 IEEE-1394a-2000 Controller (PHY/Link)
0000:02:01.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+ (rev 10)
0000:02:02.0 Network controller: Broadcom Corporation BCM4306 802.11b/g Wireless LAN Controller (rev 03)
0000:02:04.0 CardBus bridge: Texas Instruments PCI1620 PC Card Controller (rev 01)
0000:02:04.1 CardBus bridge: Texas Instruments PCI1620 PC Card Controller (rev 01)
0000:02:04.2 System peripheral: Texas Instruments PCI1620 Firmware Loading Function (rev 01)
I believe the card reader is either going to be the CardBus Bridge (the
PCMCIA slot is directly below) or the SMBus (since I have no clue what
else the SMBus might be).
That's another item I need to check - whether I've enabled and installed
PCMCIA related items (I have a PCMCIA network card I should be able to
test this with).
On my TODO list this coming week is getting SSMTP up and running on my
webserver, since University of Kent at Canterbury, where I'll
(hopefully) be for the majority of 3 of the next 4 years (studying
Computer Science with a year in industry), doesn't allow standard SMTP through.
Which reminds me, if anyone's looking for a method of securing SSH or a
similar service so that an IP is automatically banned after a given
number of login attempts, I've been pointed to http://fail2ban.sf.net/
(please note that I haven't tried it myself yet), which basically
monitors log files for failed login attempts and can automatically add
entries to iptables after a configurable number of failures.
I also want to get my wireless LAN configured on my laptop at some
point, but without any wireless at home to test it, and no networks
being picked up in Windows (darn those neighbours for not running a
wireless network so I can test mine), I guess it'll have to wait until
I'm actually at uni.
Regards
Allen
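As an added example (not part of Allen's post), here is a small Python script that does the triage the post describes by hand: it parses the kind of lines the two commented-out "-j LOG" rules write to the log, counts which ports and sources are being hit, and prints an INPUT rule in the same iptables-save shape as the ruleset above, restricted to the post's 192.168.0.0/16 range. The log lines are constructed samples in the netfilter LOG target's key=value format, with a few fields trimmed.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample lines in the netfilter LOG target's key=value format
# (MAC and a few other fields trimmed); not from the original post.
SAMPLE_LOG = """\
Aug 17 21:03:12 laptop kernel: IN=eth0 OUT= SRC=192.168.1.3 DST=192.168.1.7 LEN=60 TTL=64 PROTO=TCP SPT=45112 DPT=8000 SYN URGP=0
Aug 17 21:03:13 laptop kernel: IN=eth0 OUT= SRC=192.168.1.3 DST=192.168.1.7 LEN=60 TTL=64 PROTO=TCP SPT=45113 DPT=8000 SYN URGP=0
Aug 17 21:03:20 laptop kernel: IN=eth0 OUT= SRC=192.168.1.3 DST=192.168.1.7 LEN=78 TTL=64 PROTO=UDP SPT=631 DPT=631 LEN=58
Aug 17 21:04:01 laptop kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.7 LEN=60 TTL=48 PROTO=TCP SPT=3344 DPT=22 SYN URGP=0
"""

LAN = ipaddress.ip_network("192.168.0.0/16")  # the source range the post's rules trust
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")       # KEY=value tokens; bare flags like SYN are skipped

def parse_log_lines(text):
    """Return one dict per LOG line that carries a protocol and destination port."""
    records = []
    for line in text.splitlines():
        fields = dict(FIELD.findall(line))
        if "PROTO" in fields and "DPT" in fields:
            records.append({"src": fields["SRC"], "proto": fields["PROTO"].lower(),
                            "dport": int(fields["DPT"]), "iface": fields.get("IN", "")})
    return records

def summarize(records):
    """Count hits per (proto, dport, src) so the port a program is trying stands out."""
    return Counter((r["proto"], r["dport"], r["src"]) for r in records)

def suggest_rule(proto, dport, lan=LAN):
    """Build an INPUT rule in the same shape as the post's, limited to LAN sources."""
    return (f"-A INPUT -p {proto} -m state --state NEW -m {proto} "
            f"--dport {dport} -s {lan} -j ACCEPT")

def report(text):
    """What you would want to see after 'tail -f' on the log: hit counts, and a
    candidate rule only when the source is inside the trusted LAN range."""
    out = []
    for (proto, dport, src), n in sorted(summarize(parse_log_lines(text)).items()):
        if ipaddress.ip_address(src) in LAN:
            out.append(f"{n}x {proto}/{dport} from {src}: {suggest_rule(proto, dport)}")
        else:
            out.append(f"{n}x {proto}/{dport} from {src}: outside LAN, keep dropping")
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

A suggested rule is a starting point to paste into the rules-save file, not something to add blindly; the non-LAN hit on port 22 is exactly the traffic the default DROP policy is there to stop.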