iptables problem

Postby AmunRa » Tue Feb 12, 2008 10:22 pm

Hey guys-- I hope Shmoocon went well. I have been hard at work here on a few projects of mine, and was wondering if anyone could give me some insight as to why this configuration file was not working correctly.

#!/bin/bash
# iptables configuration file for projectobvious.com

# Stateful filtering: allow replies to connections the host initiated.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# Prevent brute-forcing of SSH connections. These rules must come before the
# SSH ACCEPT rule: iptables stops at the first match, so an ACCEPT placed
# earlier would pass every connection before the rate limit is consulted.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

# Allow incoming SSH on port 22
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# Allow everything from the local host
iptables -A INPUT -s 127.0.0.1 -j ACCEPT

# Block outgoing SSH connections to prevent connection bouncing
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j DROP

# Block everything else
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP

Any insight would be appreciated.
-AR
Please be offended by my post.
"Well, someone scraped the bottom of the gene pool when they made her."
"Don't you usually vacuum that kinda stuff up?"

Postby streaker69 » Wed Feb 13, 2008 4:06 am

Shmoocon is this weekend, I thought you were going to make it.
Treat your gun like your genitals, only whip it out when it's absolutely necessary.

Postby AmunRa » Wed Feb 13, 2008 8:58 am

Hey Streaker--

I meant to say "goes well." I actually cannot make it, as the Navy has me doing a few other things this coming weekend.

I also figured out my iptables problem, but thanks anyway.

# Block Outgoing SSH connections to prevent connection bouncing
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j DROP

should have read

# Block Outgoing SSH connections to prevent connection bouncing
iptables -A FORWARD -p tcp -m tcp --dport 22 -j DROP
-AR
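Both the posted INPUT chain and the OUTPUT rule discussed in this reply hinge on iptables' first-match order: the chain is walked top to bottom and the first terminal rule that matches decides the packet. The following POSIX shell script is an added example, not code from the thread; it simulates one chain rule by rule (the tag names, the single-source hit counter standing in for "-m recent", and the sample chains are constructed stand-ins) and shows that the posted INPUT chain accepts SSH before the hitcount limit is ever consulted, and that the posted OUTPUT chain's stateful ACCEPT catches the host's own outgoing SSH connection before the DROP rule is reached.

```shell
#!/bin/sh
# Added example, not from the thread: a tiny first-match simulator for one
# iptables chain, to show why rule order decides what the posted script does.
# A rule is "tag,tag=ACTION"; a packet is a comma-separated tag list. Only the
# tags needed here are modelled, and "-m recent" is reduced to a hit counter
# for a single source with --hitcount 8 (constructed stand-ins).
hits=0   # hits recorded by "-m recent --set" for the one simulated source

# walk_chain "RULES" "PACKET": sets VERDICT from the first matching terminal
# rule, or DROP when nothing matches (like the trailing "-A INPUT -j DROP").
walk_chain() {
    rules=$1; pkt=$2; VERDICT=DROP
    for rule in $rules; do
        want=${rule%%=*}; action=${rule#*=}; ok=1
        for tag in $(printf '%s' "$want" | tr ',' ' '); do
            case ",$pkt," in *",$tag,"*) ;; *) ok=0 ;; esac
        done
        [ "$ok" -eq 1 ] || continue
        case $action in
            SET)   hits=$((hits + 1)) ;;   # --set: record the hit, keep walking
            LIMIT) if [ "$hits" -ge 8 ]; then VERDICT=DROP; return; fi ;;
            *)     VERDICT=$action; return ;;
        esac
    done
}

# INPUT chain as posted: the unconditional SSH ACCEPT precedes the recent rules.
POSTED_INPUT='ESTABLISHED=ACCEPT tcp,dport22=ACCEPT tcp,dport22,NEW=SET tcp,dport22,NEW=LIMIT'
# The same rules with the rate limiter moved ahead of the ACCEPT.
FIXED_INPUT='ESTABLISHED=ACCEPT tcp,dport22,NEW=SET tcp,dport22,NEW=LIMIT tcp,dport22=ACCEPT'
# OUTPUT chain as posted: the stateful ACCEPT precedes the "block SSH" DROP.
POSTED_OUTPUT='NEW=ACCEPT tcp,dport22=DROP'

# nth_ssh_verdict "RULES" N: verdict for the Nth new SSH connection from one
# source inside the 60 s window.
nth_ssh_verdict() {
    hits=0; n=0
    while [ "$n" -lt "$2" ]; do
        n=$((n + 1)); walk_chain "$1" "tcp,dport22,NEW"
    done
    echo "$VERDICT"
}

# outgoing_ssh_verdict: fate of a new SSH connection started by the host itself.
outgoing_ssh_verdict() { walk_chain "$POSTED_OUTPUT" "tcp,dport22,NEW"; echo "$VERDICT"; }

echo "posted INPUT, 9th SSH connection: $(nth_ssh_verdict "$POSTED_INPUT" 9)"  # ACCEPT
echo "fixed INPUT, 8th SSH connection:  $(nth_ssh_verdict "$FIXED_INPUT" 8)"   # DROP
echo "posted OUTPUT, host's own SSH:    $(outgoing_ssh_verdict)"               # ACCEPT
```

Moving the posted DROP to FORWARD only affects routed packets, which the script's final "-A FORWARD -j DROP" already discards; on a live box, `iptables -L INPUT -v --line-numbers` shows the per-rule packet counters and makes this kind of dead or shadowed rule visible.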

Postby streaker69 » Wed Feb 13, 2008 9:50 am

I think you need to get your priorities straight. What's more important? Your career with the Navy or coming out and having some beer with a bunch of nutcases you only know from the inturweb?

Postby ccie4526 » Wed Feb 13, 2008 11:19 am

streaker69 wrote: I think you need to get your priorities straight. What's more important? Your career with the Navy or coming out and having some beer with a bunch of nutcases you only know from the inturweb?

Heh, he's not the only one. I obviously have my priorities incorrectly arranged as well. :(

Just found out that when I get finished in Denver, I'm going to Johnson City, TN. Bleh.
---
<#include std.disclaimer.h>
AltarThug of Wired and Unwired, The Church of WiFi
http://www.churchofwifi.org
http://www.linuxisforbitches.com
http://www.wigle.net
http://www.kismetwireless.net

Postby DaKahuna » Wed Feb 13, 2008 6:19 pm

streaker69 wrote: I think you need to get your priorities straight. What's more important? Your career with the Navy or coming out and having some beer with a bunch of nutcases you only know from the inturweb?

Well, you need to check the age of Naval Academy attendees. He's not 21, so drinking is not something he can legally do, quite yet.

In any case, he's going to be doing a RED TEAM this weekend so he may end up having more fun than us.

Postby brwrdrvr » Thu Feb 14, 2008 1:46 pm

DaKahuna wrote: Well, you need to check the age of Naval Academy attendees. He's not 21, so drinking is not something he can legally do, quite yet.

In any case, he's going to be doing a RED TEAM this weekend so he may end up having more fun than us.

If RED TEAM in the Navy is anything like OP-FOR in the Army, I would have to say he will have more fun. I loved it when I got to be on an OP-FOR team pitted against the troops that had to do things by the rules, and we could wreak havoc on everyone and everything. :D
Real Linux users write the zeros and ones directly to the hard drive using a refrigerator magnet. ~ bobfunland

Postby AmunRa » Fri Feb 15, 2008 4:01 pm

DaKahuna wrote: Well, you need to check the age of Naval Academy attendees. He's not 21, so drinking is not something he can legally do, quite yet.

In any case, he's going to be doing a RED TEAM this weekend so he may end up having more fun than us.


Never know. I've been doing some work with iptables in an effort to keep people off my machines, as well as getting my hands on a lot of source code for some exploits.

I'll definitely be at next year's though!
-AR