Gone Paranoid: private IP to public IP!!

Iain Stevenson yellowdog-general@lists.terrasoftsolutions.com
Sun Jun 30 13:12:01 2002


--On Sunday, June 30, 2002 1:24 am -0400 Juan Manuel Palacios 
<jmpalacios@mac.com> wrote:

>>
>> - go through /etc/xinetd.conf and disable anything you don't need
>
> 	That sounds easy enough, I'll get right to it. Disabling the services I
> don't need ensures that the IP ports they bind to will be properly closed?
>

Generally, yes.  For any daemon that runs exclusively via xinetd this will 
close the port.  Some daemons (eg cyrus imap, postfix, ssh) run outside of 
xinetd - you need to use tcpwrappers or a firewall script to deal with them.

>> - make sure tcpwrappers is correctly installed and that
>> /etc/hosts.allow and /etc/hosts.deny are configured correctly
>
> 	My knowledge about tcpwrappers is completely null. I don't know what it
> is (service, binary, protocol... ?), where in the filesystem it is or
> even what it is for. Any words that might enlighten me on this one
> please... ?

tcpwrappers is a venerable piece of code that sits between many daemons and 
the external network.  Most daemons are built with tcpwrappers support so 
that they can take advantage of the protection that it gives.

I once had a problem with an old copy of tcpwrappers so grab the latest YDL 
rpm and install it.

Make sure /etc/hosts.deny contains this:

  ALL: ALL

This basically denies all TCP/IP accesses that aren't explicitly enabled by 
/etc/hosts.allow

Check if /etc/hosts.allow contains this:

  ALL: LOCAL

That allows access to all the TCP/IP services running on the Linux system 
from local machines only.  Read man hosts.allow for some more examples.

>> - install gShield or some other iptables based firewall script - this
>> can block high port access amongst other things
>
> 	gShield works over iptables, with its commands and syntax? I really want
> to give iptables a good shot.
>

Yes - gShield is just a clever script for setting up iptables rules - you 
don't really want to get into working iptables out for yourself.  Just grab 
the script from here:

  ftp://muse.linuxmafia.org/pub/gShield/v2/gShield-2.8.tgz

Assuming you downloaded the script to /home/somewhere, install the script 
(as root):

  cd /etc
  tar xvfz /home/somewhere/gShield-2.8.tgz
  mv gShield-2.8 firewall
  cd firewall

Then edit gShield.conf to suit your needs.  I start the script from 
/etc/rc.local by including this line:

  /etc/firewall/gShield.rc

That's it.

  Iain
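An added example, not part of Iain's reply or of the gShield project: a small POSIX shell audit of the /etc/hosts.allow and /etc/hosts.deny layout described above (ALL: ALL in hosts.deny, ALL: LOCAL in hosts.allow). It runs against constructed fixture files written to a temporary directory rather than the real /etc files; the function names, verdict codes and fixture contents are my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit a tcpwrappers
# hosts.allow / hosts.deny pair for the default-deny layout recommended
# in the reply. Function names and fixture contents are constructed.

# Emit the rules of one file with comments, blank lines and extra
# whitespace removed, so the checks below can match on a fixed shape.
wrappers_rules() {
    sed -e 's/#.*//' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' "$1" | grep -v '^$'
}

# 0 if hosts.deny closes everything not explicitly allowed ("ALL: ALL").
has_default_deny() {
    wrappers_rules "$1" | grep -q '^ALL *: *ALL$'
}

# 0 if hosts.allow carries an "ALL: ALL" rule, which would cancel the deny.
allow_is_wide_open() {
    wrappers_rules "$1" | grep -q -e '^ALL *: *ALL$' -e '^ALL *: *ALL *:'
}

# 0 if hosts.allow grants every service to LOCAL hosts, as suggested.
allows_local() {
    wrappers_rules "$1" | grep -q -e '^ALL *: *LOCAL$' -e '^ALL *: *LOCAL *:'
}

# Verdict for the pair: 0 = as recommended, 1 = no default deny,
# 2 = hosts.allow is wide open, 3 = deny in place but LOCAL not granted.
audit_wrappers() {
    allow_file="$1"; deny_file="$2"
    if ! has_default_deny "$deny_file"; then
        echo "MISSING: hosts.deny has no 'ALL: ALL'; unlisted services stay reachable"
        return 1
    fi
    if allow_is_wide_open "$allow_file"; then
        echo "OPEN: hosts.allow has 'ALL: ALL', which cancels the default deny"
        return 2
    fi
    if ! allows_local "$allow_file"; then
        echo "WARN: default deny in place but no 'ALL: LOCAL' in hosts.allow"
        return 3
    fi
    echo "OK: default deny in place; hosts.allow grants:"
    wrappers_rules "$allow_file" | sed 's/^/  /'
    return 0
}

# Write constructed fixture files to a fresh temporary directory and print
# its path, so the audit can be exercised without touching /etc.
make_fixtures() {
    dir=$(mktemp -d)
    printf 'ALL: ALL\n' > "$dir/hosts.deny"
    printf '# comments only\n\n' > "$dir/hosts.deny.empty"
    printf '# workstation: local hosts only, plus ssh from one subnet\n' > "$dir/hosts.allow.good"
    printf 'ALL:   LOCAL\nsshd: 192.168.1.\n' >> "$dir/hosts.allow.good"
    printf 'ALL: ALL   # left over from testing\n' > "$dir/hosts.allow.bad"
    echo "$dir"
}

# Run the audit over three fixture combinations and print each verdict.
demo() {
    d=$(make_fixtures)
    for pair in "good hosts.deny" "bad hosts.deny" "good hosts.deny.empty"; do
        set -- $pair
        printf '%s + %s -> ' "hosts.allow.$1" "$2"
        audit_wrappers "$d/hosts.allow.$1" "$d/$2" || echo "  (status $?)"
    done
    rm -rf "$d"
}

demo
```

To check a real system, source the script and run `audit_wrappers /etc/hosts.allow /etc/hosts.deny`. As the reply notes, only daemons built with tcpwrappers support (or started through it) honour these two files; a listening port belonging to any other daemon is unaffected by this audit and still needs the firewall script.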