I'm feeling paranoid - with good reason.

Basil Fowler bjfowler at chanzy.eclipse.co.uk
Thu Feb 2 15:28:58 GMT 2006


If this can help.

I use a Speedtouch 510 router, and previously a 530 (this blew up after a 
thunderstorm!)

I am highly suspicious of any commercial firewalls - one never knows if they 
are leaky by intent or design.  So I set up a simple secondary firewall using 
iptables.  Put this file in /etc/sysconfig/iptables. The rules stop anything 
coming in: 

*nat
[0:0] -A POSTROUTING -o ppp0 -j MASQUERADE
[0:0] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT

*mangle
COMMIT

*filter
:OUTPUT ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]

[0:0] -A INPUT -j DROP -m state --state NEW,INVALID -i ppp0
[0:0] -A INPUT -j LOG -m state --state NEW,INVALID -i eth0
[0:0] -A INPUT -j DROP -m state --state NEW,INVALID -i eth0
# *[0:0] -A INPUT -p icmp -j DROP

[0:0] -A FORWARD -j DROP -m state --state NEW,INVALID -i ppp0
[0:0] -A FORWARD -j LOG -m state --state NEW,INVALID -i eth0
[0:0] -A FORWARD -j DROP -m state --state NEW,INVALID -i eth0
# *[0:0] -A FORWARD -p icmp -j DROP

COMMIT
 
Note: You will notice that all connection attempts that have got through the 
firewall are logged. You do not have to separate out legitimate traffic.

The section "Masquerade" is used because the computer is also the gateway to 
the home network. 

ppp0 is a dial-up link for use while my ADSL line is down for any reason.

To identify the sources of connection attempts, I use this script - it is too 
much like hard work to program a graphical interface - and much too much like 
Windows - inflexible.

#!/bin/bash

# lists domain names of hosts trying to make contact with bluebottle

# allow other files than default /var/log/messages
if [ "x$1" = "x" ]
then
        MESSAGES="messages"
        COMMAND="cat"
else
        MESSAGES="$1"
        # rotated logs are gzip-compressed, so read those with zcat
        if echo "${MESSAGES}" | grep -q 'gz'
        then
                COMMAND="zcat"
        else
                COMMAND="cat"
        fi
fi

# define functions

# Collect ip nos of attackers from log file
# (SRC= is the 9th whitespace-separated field of a kernel LOG line in this
# syslog format when the MAC= field is present; adjust if your format differs)
ip_nos(){ ${COMMAND} "/var/log/${MESSAGES}" | grep ' SRC=' | awk '{print $9}' \
          | sed 's/SRC=//' | sort | uniq ; }

# Tidy up output from nslookup: drop blank lines and the lines that name
# the local SpeedTouch router (10.0.0.138) as the resolver
tidy_up(){ sed -e '/^$/d' -e '/SpeedTouch/d' -e '/10.0.0.138/d' ; }

# do the work
for ip_no in $(ip_nos)
do
        nslookup -silent "$ip_no" | tidy_up
        echo
done

Using this I have discovered that the BBC's RealPlay servers try to create a 
back channel - naughty.

Perhaps other users of the list would like to suggest improvements.

I hope that you do not connect to the internet as root!

Basil Fowler


On Wednesday 01 Feb 2006 22:48, John wrote:
> Hi
> That zoom adsl router I mentioned a while ago seems to have been
> reprogrammed by someone over the net. It behaved oddly even after a
> firmware update so I've just fitted another type. Seems that lots of these
> units have a simple route into port 254 and maybe 255 too.
> I need to see if there is anything resident on my machine. Anyway is there
> anything available that will show and maybe log traffic through my eth0
> connection. A graphical interface would be much preferred ideally
> identifying the transmission source, ascii data translations etc.
>
> Regards
> John
___________________________________________________
This message is from the kde mailing list.
Account management:  https://mail.kde.org/mailman/listinfo/kde.
Archives: http://lists.kde.org/.
More info: http://www.kde.org/faq.html.
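The log-listing script in the post above picks the source address out of each kernel LOG line with awk's `$9`, which is the right field only while the syslog prefix and the `MAC=` field line up as they do on that machine. The script below is an added example, not code from the post: it extracts the `SRC=` token by pattern instead of by position, so lines with or without `MAC=` (eth0 versus ppp0) and lines with a kernel uptime stamp all parse, and it then counts attempts per source and lists which destination ports were probed. The log lines are constructed for the example; the hostname `bluebottle` is taken from the post's comment, while the addresses (documentation ranges and `10.0.0.10`/`10.0.0.5`) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): parse iptables LOG lines by
# pattern rather than by field position.  Sample lines are constructed;
# hostname from the post, addresses are assumed documentation values.

SAMPLE_LOG='Feb  2 15:28:58 bluebottle kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.0.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  2 15:29:01 bluebottle kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=6000 DPT=1433 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  2 15:29:07 bluebottle kernel: [ 1234.567890] IN=ppp0 OUT= SRC=203.0.113.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  2 15:29:10 bluebottle sshd[1234]: Accepted publickey for basil from 10.0.0.5 port 4000 ssh2'

# Emit the constructed sample, one record per line.
sample_log() { printf '%s\n' "$SAMPLE_LOG"; }

# Print the SRC= address of every firewall LOG line on stdin, one per line.
# Lines without a SRC= token (the sshd line above) are skipped.
extract_srcs() {
    sed -n 's/.* SRC=\([0-9.][0-9.]*\) .*/\1/p'
}

# Print "source destination-port" pairs: which services were probed, by whom.
extract_src_dpt() {
    sed -n 's/.* SRC=\([0-9.][0-9.]*\) .* DPT=\([0-9][0-9]*\) .*/\1 \2/p'
}

# Count attempts per source, most active first, as "address count".
count_by_src() {
    extract_srcs | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Optional reverse lookup through the system resolver (needs a network,
# so it is not exercised on the sample); falls back to the bare address.
resolve_src() {
    name=$(getent hosts "$1" 2>/dev/null | awk '{ print $2; exit }')
    printf '%s\n' "${name:-$1}"
}

# Summaries over the constructed sample.
sample_log | count_by_src
sample_log | extract_src_dpt | sort | uniq -c
```

To run it against a real log, replace `sample_log` with `cat /var/log/messages` (or `zcat` for a rotated file) in the two pipelines at the bottom, and pipe the addresses from `count_by_src` through `resolve_src` if names are wanted.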