Install Firewall deployment wizard "Arno-iptables-firewall" Don Mendoza
Tuesday, November 9, 2010
Source: adapted for CentOS from the installation guide for Debian.
1. We install the package:
# yum install arno-iptables-firewall
Reading task descriptions ... Done
Building tag database ... Done
The following NEW packages will be installed:
  arno-iptables-firewall gawk
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to download 792kB of archives. After unpacking 2511kB will be used.
Do you want to continue? [Y/n/?]
Y
Writing extended state information ... Done
Des: 1 http://ftp.rediris.es etch/main gawk 1:3.1.5.dfsg-4 [694kB]
Des: 2 http://ftp.rediris.es etch/main arno-iptables-firewall 1.8.8.c-1 [97.7kB]
Downloaded 792kB in 44s (17.8kB/s)
2. Once installed, a window appears asking whether we want to configure the package with debconf.
ANSWER: yes [ENTER]
3. In the next window we specify the network interface through which we access the Internet. As I connect through a modem/router and have only one network card, the interface is "eth0".
ANSWER: eth0 [ENTER]
4. Now we specify which TCP ports we need open on our firewall.
EXAMPLE:
- aMule: open ports TCP 4661, UDP 4664
- SSH server: open port 22
NOTE: our router's firewall must also open these ports.
ANSWER: 4661 22 [ENTER]
5. We are asked which UDP ports we want to open:
ANSWER: 4664 [ENTER]
6. The following window should only be filled in if we have several network cards (eth0, eth1, ...) and one of them is connected to our local network, from which we allow any connection to our machine.
ANSWER: (leave blank) [ENTER]
7. Finally we start our firewall.
ANSWER: yes [ENTER]
Writing extended state information ... Done
Configuring packages ...
Selecting previously deselected package arno-iptables-firewall.
(Reading database ... 88957 files and directories currently installed.)
Unpacking arno-iptables-firewall (from .../arno-iptables-firewall_1.8.8.c-1_all.deb) ...
Configuring arno-iptables-firewall (1.8.8.c-1) ...
Arno's Iptables Firewall Script v1.8.8c
-------------------------------------------------------------------------------
Passed Sanity checks ... OK
Detected IPTABLES module... Loading additional IPTABLES modules:
All IPTABLES modules loaded!
Configuring /proc/.... settings:
Enabling anti-spoof with rp_filter
Enabling SYN-flood protection via SYN-cookies
Disabling the logging of martians
Disabling the acception of ICMP-redirect messages
Setting the max. amount of simultaneous connections to 16384
Enabling protection against source routed packets
Setting default conntrack timeouts
Enabling reduction of the DoS'ing ability
Setting Default TTL=64
Disabling ECN (Explicit Congestion Notification)
Enabling support for dynamic IP's
Flushing route table
/proc/ setup done...
Flushing rules in the filter table
Setting default (secure) policies
Using loglevel "info" for syslogd
Setting up firewall rules:
-------------------------------------------------------------------------------
Accepting packets from the local loopback device
Enabling setting the maximum packet size via MSS
Enabling mangling TOS
Logging of stealth scans (nmap probes etc.) enabled
Logging of packets with bad TCP-flags enabled
Logging of INVALID packets disabled
Logging of fragmented packets enabled
Logging of access from reserved addresses enabled
Setting up anti-spoof rules
Reading custom IPTABLES rules from /etc/arno-iptables-firewall/custom-rules
Loading (user) plugins
Setting up INPUT policy for the external net (INET):
Enabling support for a DHCP assigned IP on external interface(s): eth0
Logging of explicitly blocked hosts enabled
Logging of denied local output connections enabled
Packets will NOT be checked for private source addresses
Allowing the whole world to connect to TCP port(s): 4661 22
Allowing the whole world to connect to UDP port(s): 4664
Denying the whole world to send ICMP-requests(ping)
Logging of dropped ICMP-request(ping) packets enabled
Logging of dropped other ICMP packets enabled
Logging of possible stealth scans enabled
Logging of (other) connection attempts to PRIVILEGED TCP ports enabled
Logging of (other) connection attempts to PRIVILEGED UDP ports enabled
Logging of (other) connection attempts to UNPRIVILEGED TCP ports enabled
Logging of (other) connection attempts to UNPRIVILEGED UDP ports enabled
Logging of other IP protocols (non TCP/UDP/ICMP) connection attempts enabled
Logging of ICMP flooding enabled
Applying INET policy to external (INET) interface: eth0 (without an external subnet Specified)
Security is ENFORCED for external interface (s) in the FORWARD chain
Apr 19 23:36:20 All firewall rules applied.
Our firewall is now configured.
To re-run the firewall configuration, use the following command:
# dpkg-reconfigure arno-iptables-firewall
If we want to temporarily disable the firewall:
# /etc/init.d/arno-iptables-firewall stop
To enable it again:
# /etc/init.d/arno-iptables-firewall start
With the tarball package:
# tar -zxvf arno-iptables-firewall_1.9.2m.tar.gz
# cd arno-iptables-firewall_1.9.2m
# iptables -L -n
# /etc/init.d/arno-iptables-firewall start
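A check to run after the wizard, added here and not part of the original post: it parses the `iptables -L -n` listing and confirms that the only ports reachable from the whole world are the ones answered in steps 4 and 5 (TCP 4661 22, UDP 4664). The listing below is a constructed sample; the function names are my own, not from the arno-iptables-firewall package.

```shell
#!/bin/sh
# Added example, not from the original post. After the wizard, confirm that the
# INPUT chain exposes to the whole world exactly the ports answered in steps 4
# and 5 (TCP 4661 22, UDP 4664) and nothing else. On a live host:
#   iptables -L INPUT -n | check_open_ports "4661 22" "4664"
# Below, a constructed `iptables -L -n` listing stands in for a live host.

# Print "proto:port" for every ACCEPT rule whose source is anywhere
# (0.0.0.0/0) and that matches a destination port (dpt:).
open_ports() {
  awk '$1 == "ACCEPT" && $4 == "0.0.0.0/0" {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^dpt:/) { sub("dpt:", "", $i); print $2 ":" $i }
       }' | sort -u
}

# check_open_ports "TCP PORTS" "UDP PORTS": reads a listing on stdin and
# returns 0 when the world-reachable ports equal the expected set, else 1.
check_open_ports() {
  expected=$( { for p in $1; do echo "tcp:$p"; done
                for p in $2; do echo "udp:$p"; done; } | sort -u )
  actual=$(open_ports)
  if [ "$expected" = "$actual" ]; then
    echo "OK: exposed ports match the wizard answers"
    return 0
  fi
  printf 'MISMATCH\nexpected:\n%s\nactual:\n%s\n' "$expected" "$actual"
  return 1
}

# Constructed sample of what `iptables -L INPUT -n` shows after the wizard.
SAMPLE='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:4661
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4664
DROP       icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8'

printf '%s\n' "$SAMPLE" | check_open_ports "4661 22" "4664"
```

Because `-L -n` without `-v` hides the interface column, rules with no `dpt:` match (such as the loopback accept) are deliberately ignored; add `-v` and extend the awk filter if you also want to verify the interface binding.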