maemo.org - Talk

tip: easy mini firewall (https://talk.maemo.org/showthread.php?t=6052)

Ricky-Lee 2008-12-11 00:34

Re: tip: easy mini firewall
 
Quote:

Originally Posted by brendan (Post 248467)
why not just
Code:

vi /etc/sysconfig/iptables
?

[1|root@minidemon|~]ls /etc/sysconfig/iptables
ls: /etc/sysconfig/iptables: No such file or directory

allnameswereout 2008-12-11 12:17

Re: tip: easy mini firewall
 
Quote:

Originally Posted by Ricky-Lee (Post 248606)
[1|root@minidemon|~]ls /etc/sysconfig/iptables
ls: /etc/sysconfig/iptables: No such file or directory

Forget about that. /etc/sysconfig is RedHat-specific. Might also be used on RedHat-based or RedHat-related OSes.

brendan 2008-12-11 12:50

Re: tip: easy mini firewall
 
right, i keep forgetting that debian doesn't follow the (same) standards that red-hat/fedora do.

what does this return:
Code:

ls -l `which iptables`

allnameswereout 2008-12-11 14:05

Re: tip: easy mini firewall
 
They're not standards ;)

/sbin/iptables on Maemo/Debian/Ubuntu.

grog 2008-12-11 16:11

Re: tip: easy mini firewall
 
Quote:

Originally Posted by gsagers (Post 46263)
Thanks, great tip! I'd offer the following change for those who want remote SSH access to their Nokia from anywhere - and if I typed something wrong, please correct me - I'm no iptables guru, but it seems to work here!

Code:

#!/bin/sh
iptables -F
iptables -A INPUT -p all -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP


Quote:

Originally Posted by allnameswereout (Post 248478)
NOTE you should accept traffic to/from local loopback device instead of 127.0.0.1. You should deny traffic from 127.0.0.1 on network because this can only be spoofed traffic. However, I'm no IPT wizard; I prefer OpenBSD PF.

Just want to put it all together & try to figure out a problem. First off, is this modification correct based on the above?

Code:

#!/bin/sh
iptables -F
iptables -A INPUT -p all -s loopback -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

Secondly, why would either of the above forms kill this port forwarding I use to give the remote site access to my IT from behind a NAT router?
Code:

ssh -R 9999:localhost:22 -l remuser -p remport -N remote.site.com
As I understand, port 9999 is just the remote site's access port directed to port 22 on the IT. Unless the port 22 ACCEPT line in the rules is incorrect, but I have no other way to test right now. TX

brendan 2008-12-11 16:44

Re: tip: easy mini firewall
 
no, it should be
Code:

iptables -A INPUT -p all -s lo -j ACCEPT
since ifconfig uses the lo convention, not loopback for the name of that interface.

as far as the reverse port forwarding you do with ssh, i don't think that would be killed via iptables, because the traffic would be tunneled through ssh, not be a separate connection. you would have to be listening for ssh on all interfaces too, not just the wlan0 interface.

your sshd_config should have the following directive:
Code:

ListenAddress 0.0.0.0

grog 2008-12-12 15:11

Re: tip: easy mini firewall
 
Quote:

Originally Posted by brendan (Post 248780)
no, it should be
Code:

iptables -A INPUT -p all -s lo -j ACCEPT
since ifconfig uses the lo convention, not loopback for the name of that interface.

Strange, 'cause even though ifconfig shows lo active (as it should be), iptables gives 'host/network `lo' not found'.

Quote:

as far as the reverse port forwarding you do with ssh, i don't think that would be killed via iptables, because the traffic would be tunneled through ssh, not be a separate connection. you would have to be listening for ssh on all interfaces too, not just the wlan0 interface.

your sshd_config should have the following directive:
Code:

ListenAddress 0.0.0.0

The line is there but commented out. Funny thing is that it seems to be working now. Must've been something else that killed my connection before.

TX

brendan 2008-12-12 16:39

Re: tip: easy mini firewall
 
sorry, change the

-s lo

to

-i lo

because lo is an interface, not really a source.
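
As an added example (not code from this thread or from any of its posters), here is the mini firewall script with brendan's `-i lo` correction and allnameswereout's point about 127.0.0.1 arriving from the network folded in. The `SSH_PORT` variable, the `APPLY` switch and the preview mode are my assumptions, not something the thread describes:

```shell
#!/bin/sh
# Added example, not code from this thread: the thread's mini firewall with the
# two corrections discussed above folded in. Assumptions are mine: the SSH port
# comes from $SSH_PORT (default 22), and the rules are only applied when
# APPLY=yes is set and the script runs as root; otherwise they are printed.

# Build the INPUT chain. $1 is the command run for each rule: "iptables" to
# apply it, "echo iptables" to print it for review. $2 is the TCP port sshd uses.
firewall_rules() {
    ipt="$1"
    port="$2"
    # Start from an empty INPUT chain (the thread's scripts flush everything).
    $ipt -F INPUT
    # Loopback is an interface, so match it with -i lo, not -s lo / -s loopback.
    $ipt -A INPUT -i lo -j ACCEPT
    # A 127.0.0.0/8 source on any other interface can only be spoofed: drop it.
    $ipt -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    # Keep sshd reachable for the reverse tunnel and remote logins.
    $ipt -A INPUT -p tcp --dport "$port" -j ACCEPT
    # Refuse every other new inbound TCP connection. Note: --syn only matches
    # TCP connection attempts, so UDP and already open TCP sessions still pass.
    $ipt -A INPUT -p tcp --syn -j DROP
}

# Count the rules the set would install, handy for a quick self-check.
rule_count() {
    firewall_rules "echo iptables" "$1" | grep -c -- '-A INPUT'
}

SSH_PORT="${SSH_PORT:-22}"
if [ "${APPLY:-no}" = yes ] && [ "$(id -u)" -eq 0 ]; then
    firewall_rules iptables "$SSH_PORT"
    iptables -L INPUT -n -v        # verify: four rules, loopback first
else
    echo "# preview (set APPLY=yes and run as root to install):"
    firewall_rules "echo iptables" "$SSH_PORT"
fi
```

Run it as-is to see the five iptables commands it would issue; as root with `APPLY=yes` it installs them. The `--syn` drop is the thread's own choice: it only blocks new inbound TCP connections, so UDP and replies to connections the tablet opened itself are not filtered by this rule set.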

brendan 2008-12-12 16:41

Re: tip: easy mini firewall
 
since the ListenAddress is commented out with 0.0.0.0 as a value, that means it's the default, and therefore the daemon listens on all interfaces.

Code:

netstat -na |grep 22
should confirm

grog 2008-12-12 17:19

Re: tip: easy mini firewall
 
Quote:

Originally Posted by brendan (Post 249025)
since the ListenAddress is commented out with 0.0.0.0 as a value, that means it's the default, and therefore the daemon listens on all interfaces.

Code:

netstat -na |grep 22
should confirm

That it does. Thanks

Code:

~/bin$ netstat -an | grep :22
tcp        0      0 0.0.0.0:22              0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:61466        127.0.0.1:22            ESTABLISHED
tcp        0      0 127.0.0.1:22            127.0.0.1:61466        ESTABLISHED


