I'm feeling paranoid - with good reason.

John john_82 at tiscali.co.uk
Thu Feb 2 17:58:07 GMT 2006


Thanks but I will need to find out where this should go on my machine - there 
isn't an iptables other than an executable. Looking through that it seems to 
have a help section so I'll take a look and also find out where it is called.
I only ever run specific programs or the console as root. I'm running an open 
source adsl router so it hopefully won't have any leaks.
Looking around the machine there is a lot of suse stuff associated with the 
firewall - it's a paid for distro. Things like suse2 firewall. Does this mean 
I'm not running the linux firewall?
I've also installed guarddog and used it to block all but ftp,email and web. 
As far as I can tell it is doing that even though it warns that it might not. 
I think that it's protocol block interface is an excellent idea - nice, 
direct and simple. It's a shame that the project seems to have stalled. Maybe 
the kde boys would like to take on the 3 associated programs. There must be 
lot's of people about that find this area of linux to be something of a black 
art. The whole area must be a time/knowledge issue for many. I'm going to try 
the other 2 progs on the off chance that they work.

My main worry now is that the internet activity light blinks   every few 
seconds and there seems to be some machine side and net activity after boot. 
Maybe the internet side is just scans but I would like to log the activity 
after boot.
Regards
John
PS Any improvements on Basil's scripts would still be appreciated.

On Thursday 02 February 2006 15:28, Basil Fowler wrote:
> If this can help.
>
> I use a Speedtouch 510  router, and previously a 530 (this blew up after a
> thunderstorm!)
>
> I am highly suspicious of any commercial firewalls - one never knows if
> they are leaky by intent or design.  So I set up a simple secondary
> firewall using iptables.  Put this file in /etc/sysconfig/iptables. The
> rules stop anything coming in:
>
>   *nat
> [0:0] -A POSTROUTING -o ppp0 -j MASQUERADE
> [0:0] -A POSTROUTING -o eth0 -j MASQUERADE
> COMMIT
>
> *mangle
> COMMIT
>
> *filter
>
> :OUTPUT ACCEPT [0:0]
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
>
> [0:0] -A INPUT -j DROP -m state --state NEW,INVALID -i ppp0
> [0:0] -A INPUT -j LOG -m state --state NEW,INVALID -i eth0
> [0:0] -A INPUT -j DROP -m state --state NEW,INVALID -i eth0
> # *[0:0] -A INPUT -p icmp -j DROP
>
> [0:0] -A FORWARD -j DROP -m state --state NEW,INVALID -i ppp0
> [0:0] -A FORWARD -j LOG -m state --state NEW,INVALID -i eth0
> [0:0] -A FORWARD -j DROP -m state --state NEW,INVALID -i eth0
> # *[0:0] -A FORWARD -p icmp -j DROP
>
> COMMIT
>
> Note: You will notice that all connection attempts that have got through
> the firewall are logged. You do not have to separate out legitimate
> traffic.
>
> The section "Masquerade" is used because the computer is also the gateway
> to the home network.
>
> ppp0 is a dial-up link for use why my ADSL line is down for any reason.
>
> To identify the sources of connection attempts, I use this script - it is
> too much like hard work to program a graphical interface - and much too
> much like Windows - inflexible.
>
> #!/bin/bash
>
> # lists domain names of hosts trying to make contact with bluebottle
>
> # allow other files than default /var/log/messages
> if [ "x$1" = "x" ]
> then
>         MESSAGES="messages"
>         COMMAND="cat"
> else
>         MESSAGES="$1"
>         echo "${MESSAGES}" | grep 'gz' > /dev/null
>         if [ $? -eq 0 ]
>         then
>                 COMMAND="zcat"
>         else
>                 COMMAND="cat"
>         fi
> fi
>
> # define functions
>
> # Collect ip nos of attackers from log file
> ip_nos(){ ${COMMAND} /var/log/${MESSAGES} | grep ' SRC=' | awk '{print $9}'
> \
>
>           | sed 's/SRC=//' | sort | uniq ; }
>
> # Tidy up output from nslookup
> tidy_up(){ sed '-e /^$/d' -e '/SpeedTouch/d' -e '/10.0.0.138/d' ; }
>
> # do the work
> for ip_no in $(ip_nos)
> do
>         nslookup -silent $ip_no | tidy_up
>         echo
> done
>
> Using this I have discovered that the BBC's RealPlay servers try to create
> a back channel - naughty.
>
> Perhaps other users of the list would like to suggest improvements.
>
> I hope that you do not connect to the internet as root!
>
> Basil Fowler
>
> On Wednesday 01 Feb 2006 22:48, John wrote:
> > Hi
> > That zoom adsl router I mentioned a while ago seems to have been
> > reprogrammed by some one over the net. It behaved oddly even after a
> > firmware update so I've just fitted another type. Seems that lot's of
> > these units have a simple route into port 254 and maybe 255 too.
> > I need to see if there is anything resident on my machine. Anyway is
> > there anything available that will show and maybe log traffic through my
> > eth0 connection. A graphical interface would be much preferred ideally
> > identifying the transmission source, ascii data translations etc.
> >
> > Regards
> > John
>
> ___________________________________________________
> This message is from the kde mailing list.
> Account management:  https://mail.kde.org/mailman/listinfo/kde.
> Archives: http://lists.kde.org/.
> More info: http://www.kde.org/faq.html.

-- 
Suse 10.0
KDE 3.4.2 B
___________________________________________________
This message is from the kde mailing list.
Account management:  https://mail.kde.org/mailman/listinfo/kde.
Archives: http://lists.kde.org/.
More info: http://www.kde.org/faq.html.




More information about the kde mailing list