[LAD] [ot] - NEED some security advise PLEASE! + new question

Luis Garrido luisgarrido at users.sourceforge.net
Sun Feb 15 13:03:26 UTC 2009

Previous message: [LAD] [ot] - NEED some security advise PLEASE! + new question
Next message: [LAD] [LAU] [ANN] Das_Watchdog V0.9.0
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> /sbin/rmmod ipchains
> /sbin/modprobe iptable_nat
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
> /sbin/iptables -F -t filter
> /sbin/iptables -Z -t filter
> /sbin/iptables -X -t filter
> /sbin/iptables -F -t nat
> /sbin/iptables -Z -t nat
> /sbin/iptables -X -t nat
> /sbin/iptables -P INPUT ACCEPT

^ Here you give permission to anyone to connect to any listening port
in your router box. Not the safest thing in the world.

> /sbin/iptables -P FORWARD ACCEPT
> /sbin/iptables -P OUTPUT ACCEPT
> /sbin/iptables -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP

^ So you trust your internal network completely, nice place!

> /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> # enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
> # drop spoof packets
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
>

ACCEPT default policies are too permissive and it is easy to miss a
gap. If you are really concerned about security a better start is to
slam shut everything with a DROP policy in every chain and then open
up a few select holes.

L

Previous message: [LAD] [ot] - NEED some security advise PLEASE! + new question
Next message: [LAD] [LAU] [ANN] Das_Watchdog V0.9.0
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Linux-audio-dev mailing list