On 13/03/11 15:15, Michael Friendly wrote:
On 3/12/2011 5:55 AM, Tom H wrote:
On Sat, Mar 12, 2011 at 5:06 AM, Andrei Popescu
<andreimpope...@gmail.com> wrote:
On Vi, 11 mar 11, 14:56:42, Michael Friendly wrote:
- Do I have to install/enable the rules from iptables for ssh,
samba, etc within ufw?
First you need to find out exactly how the iptables rules are loaded.
Could be via /etc/rc.local a dedicated script in /etc/init.d/ or
something else (is package iptables-persistent also in Ubuntu?). Do not
try to use ufw until you know exactly how the current iptables rules are
loaded and you know for sure you can disable them!
Check "/etc/network/if-pre-up.d/" and "/etc/network/if-up.d/" too.
And, if you're using Network Manager, there *may* be other directories
to look into.
Please forgive me if you know this, but to me it appears that you may
not. Iptables effectively works by adding individual rules to the kernel
filtering tables using the 'iptables' command. This can be done at any
time, and there is no infrastructure to add a set of rules routinely at
start-up in Linux, so a number of ad-hoc methods exist to achieve that.
A list of 'iptables ...' commands contained in a shell script is a
common method, which seems to be how you are set up at the moment. The
commands 'iptables-save' and 'iptables-restore' can also be used to save
the existing kernel rule set to a file and restore it to active use.
Many firewall applications use this method. I use a pseudo-daemon, with
the usual start/stop/reload commands plus 'clear' to open the firewall,
and there are no doubt several other techniques in common use.
OK, I found /etc/network/interfaces contains the line
pre-up /etc/iptables
So if you comment this out, you have removed the current method of
adding iptables rules, and it should now be safe to use any other
technique. At any time, you can issue the command iptables -L which will
list the current state of the firewall. The listing is not in the same
format as the iptables rule commands, but it will show clearly when
rules have been added and when they haven't.
and /etc/iptables contains the rules. But I'm not sure what to do now,
either with iptables or ufw. If ufw works via iptables, can I just
enable ufw now without danger? How can I enable me to use use ssh from
home?
For example, there is currently one rule allowing me to ssh from a PC in
my office
iptables -A INPUT -s 130.xxx.xxx.xx/32 -p tcp --destination-port 22 -j
ACCEPT
I can mimic this for another PC (e.g., in my lab), but I'd like to be
able to use ssh from home, where I don't think I have a fixed IP address
from my service provider.
Only you can judge your security needs, but I would not have thought
that restricting ssh to individual IP addresses was necessary. You
should be using keys to access ssh rather than passwords (look up how to
do this if you aren't). If as recommended you are using different keys
from different client machines, then each private key should never leave
its client machine (where it is stored encrypted with restrictive
permissions), with at least the same resulting security as restricting
the IP address. The private key is never sent across the Net, even
encrypted, it is only used in the client machine.
If you must use IP addresses, you can do as Andrei suggests or you might
consider using tcpwrappers (/etc/hosts.allow, /etc/hosts.deny) to
control access rather than iptables (you would still need an iptables
acceptance rule, but without an IP address). While the man pages show
hostnames, IP addresses and blocks may be used. If you have no choice
but to list a dynamic address, you can check the ISP's CIDR block and
allow that. It's not as secure as a single address, but it's better than
letting the whole world in. You can of course also use IP address blocks
in iptables rules.
--
Joe
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4d7d3ff6.8010...@jretrading.com
