[Xen-users] are these iptables modification secure
Hi
I have slightly modified the iptables boot script for Xen; however, I'm totally unsure if it's secure.
The "#NEW" lines are the modifications to LFS' recommended boot script.
Do they mean that every single packet which is forwarded through peth0 to eth0 is accepted? I liked the configuration where only answers to established connections are let through.
Thanks for your help
Olivier
#!/bin/sh
# Begin $rc_base/rc.iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG
#NEW
modprobe ipt_physdev

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

#NEW (following 2 lines)
iptables -A FORWARD -m physdev --physdev-in peth0 --physdev-out '!' peth0 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out peth0 --physdev-in '!' peth0 -j ACCEPT

# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
#NEW
iptables -A INPUT -i eth0 -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else.
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End $rc_base/rc.iptables
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
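As an added example (not Olivier's rc.iptables), the two posted "#NEW" FORWARD rules are shown next to a stateful replacement that only forwards replies, domU-originated connections and explicitly listed ports through peth0. The IPTABLES dry-run variable and the bridge-nf sysctl path are assumptions; setting IPTABLES=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's rc.iptables: the two "#NEW" FORWARD rules
# from the post next to a stateful replacement. PHYS (peth0) comes from the
# post; IPTABLES is an assumed dry-run hook: IPTABLES=echo prints the rules
# instead of applying them, so no root is needed to inspect them.
IPTABLES="${IPTABLES:-iptables}"
PHYS="${PHYS:-peth0}"   # physical uplink attached to the Xen bridge

# Posted version: every bridged packet between peth0 and the vifs is ACCEPTed
# in both directions, so the FORWARD DROP policy never sees unsolicited
# inbound connections to the domUs.
permissive_forward_rules() {
    $IPTABLES -A FORWARD -m physdev --physdev-in "$PHYS" --physdev-out '!' "$PHYS" -j ACCEPT
    $IPTABLES -A FORWARD -m physdev --physdev-out "$PHYS" --physdev-in '!' "$PHYS" -j ACCEPT
}

# Stateful version: mirrors the INPUT chain's ESTABLISHED,RELATED rule on
# FORWARD, lets domUs open new connections outward, exposes only the TCP
# ports given as arguments, and logs what falls through to the DROP policy.
# Uses the same old-style "option ! value" negation as the post.
stateful_forward_rules() {
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m physdev --physdev-in '!' "$PHYS" --physdev-out "$PHYS" \
        -m state --state NEW -j ACCEPT
    for port in "$@"; do
        $IPTABLES -A FORWARD -m physdev --physdev-in "$PHYS" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    $IPTABLES -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
}

# Bridged frames only traverse the FORWARD chain while bridge-nf is enabled;
# returns 0 when the kernel reports it on (assumed sysctl path).
bridge_nf_enabled() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Usage from rc.iptables (as root): stateful_forward_rules 22 80
# Dry run from a shell: sh this_script.sh show 22 80
if [ "${1:-}" = "show" ]; then
    shift
    IPTABLES=echo
    stateful_forward_rules "$@"
fi
```

The INPUT rule `iptables -A INPUT -i eth0 -j ACCEPT` is unaffected by these FORWARD rules; it governs traffic addressed to dom0 itself.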
Current thread: [Xen-users] are these iptables modification secure, Olivier Seubert