[TriLUG] iptables & FUD

Robert Dale robdale at gmail.com
Mon Apr 29 07:21:27 EDT 2013


netstat is legacy. ss is the successor - part of the iproute2 suite
[1]. There is a blog [2] that has a nice table of replacement commands
with options.

ss -plnu

1. http://en.wikipedia.org/wiki/Iproute2
2. http://dougvitale.wordpress.com/2011/12/21/deprecated-linux-networking-commands-and-their-replacements/
On Sun, Apr 28, 2013 at 6:07 PM, Alan Porter <porter at trilug.org> wrote:
>
>>> Don't do that!
>>>
>>> How long were you on the net without protection? It's possible your
>>> machine is now compromised.
>
>
> This is an over-reaction.
>
> It's important to know what iptables protects you from, and what it does
> not.
>
> If you have only two services listening, then those are the only two
> services that will accept network connections.  Whether you have iptables or
> not, incoming connections to other ports will not be answered.  If you are
> in doubt, do "netstat -plnt" to list the TCP ports and "netstat -plnu" to
> list the UDP ports that you're listening to.
>
> If you have two services running (sshd on 22 and dhcpd on 67), then you will
> NORMALLY have iptables configured to allow traffic in on those two ports and
> to disallow everything else.  In that case, it would not matter whether you
> had iptables on or off... a 0-day vulnerability on either of those two
> services would leave you exposed.  Iptables would not help you.  (Keeping
> your server updated WILL help you there -- so don't brag about your 365-day
> uptime, brag about keeping your system updated).
>
> SOMETIMES, a very paranoid admin will set up iptables so that it accepts SSH
> or DHCP traffic from a specific IP address only.  This is rare, but this IS
> a case where iptables rules will protect you. If you like this idea, check
> out a package called "knock", which uses iptables to support "port
> knocking".  It's very cool, and it goes well with your tinfoil hat.
>
> Where iptables REALLY SHINES is by building a belt-and-suspenders approach
> to guard against accidentally leaving a port open that you did not mean to.
>
> For example, I have a web server where I want to collect traffic graphs
> using MRTG.  MRTG uses SNMP to get network interface statistics so it can
> count the bytes coming in and out, then it generates nice graphs of the data
> that you can see from the web.  So I want SNMP turned on, but I don't want
> everyone on the internet to go poking around my SNMP interface.  I am not an
> SNMP expert, and so I am not 100% sure how to configure it to answer only to
> localhost requests.  So I do my best to configure SNMP, and then I make sure
> that my iptables rules disallow any SNMP (UDP 161) packets from the
> outside... only allow connections via the loopback interface on 127.0.0.1.
> So the belt (SNMP config) and the suspenders (iptables) work together to
> keep me safe.
>
> I have seen similar uses where you might enable VNC on a machine, but then
> disallow the VNC ports through iptables.  Then the only way you can connect
> to the VNC is by tunneling through SSH first ("vncviewer -via me@server.com
> localhost:0").  It's slick.
>
> Let's not spread fear about firewalls.  They do one job, and they do it
> well.  They tell which traffic to allow and which to block.  In MOST cases,
> the rules are as simple as a list of ports to allow. Occasionally the rules
> can be more complex.  But iptables is not a panacea.
>
> And... if you know that you only have a known set of services listening on a
> server, there is nothing wrong with running without iptables at all.
>
> Alan
-- 
Robert Dale
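Alan's belt-and-suspenders setup together with the ss check, as an added example that is not part of this thread: the iptables rules for the two-service host, and a small check that compares `ss -Hlntu` output against the ports those rules deliberately let in. The `ss -H` (no header) flag, the conntrack match and the sample socket listing are assumptions of this example, not anything from the posts.

```shell
#!/bin/sh
# Added example, not from the thread: Alan's belt-and-suspenders policy as
# iptables rules, plus a check that compares what is really listening against
# the ports those rules let in. Assumes iptables with the conntrack match and
# the `ss -Hlntu` column layout (Netid State Recv-Q Send-Q Local:Port Peer ...).

# Print (rather than run) the rules so they can be reviewed first:
# loopback open, replies to our own traffic, sshd 22/tcp and dhcpd 67/udp
# from anywhere; SNMP 161/udp explicitly dropped from outside (it stays
# reachable on 127.0.0.1 through the loopback rule); default policy set last
# so a live apply never locks you out between lines.
firewall_rules() {
  cat <<'EOF'
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 67 -j ACCEPT
iptables -A INPUT -p udp --dport 161 -j DROP
iptables -P INPUT DROP
EOF
}

# $1 = ss -Hlntu output, $2 = space-separated allow list such as "tcp/22 udp/67".
# Prints proto/port for every non-loopback listener not on the allow list:
# the sockets the firewall is silently covering for (or, without iptables,
# the ones the whole internet can reach).
unexpected_listeners() {
  printf '%s\n' "$1" | while read -r netid _ _ _ laddr _; do
    [ -n "$netid" ] || continue
    port=${laddr##*:}
    addr=${laddr%:*}
    case $addr in 127.*|'[::1]') continue ;; esac       # loopback only: fine
    case " $2 " in *" $netid/$port "*) continue ;; esac  # deliberately open
    echo "$netid/$port"
  done
}

# Constructed ss output standing in for a real host: snmpd got bound to
# 0.0.0.0 as well as 127.0.0.1 (the "belt" slipped), and a VNC server is up.
SAMPLE_SS='tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=532,fd=3))
tcp   LISTEN 0 128 [::]:22        [::]:*    users:(("sshd",pid=532,fd=4))
tcp   LISTEN 0 5   0.0.0.0:5900   0.0.0.0:* users:(("Xvnc",pid=900,fd=9))
udp   UNCONN 0 0   127.0.0.1:161  0.0.0.0:* users:(("snmpd",pid=712,fd=7))
udp   UNCONN 0 0   0.0.0.0:161    0.0.0.0:* users:(("snmpd",pid=712,fd=8))
udp   UNCONN 0 0   0.0.0.0:67     0.0.0.0:* users:(("dhcpd",pid=640,fd=6))'

# On a live host: unexpected_listeners "$(ss -Hlntu)" "tcp/22 udp/67"
unexpected_listeners "$SAMPLE_SS" "tcp/22 udp/67"   # prints tcp/5900 and udp/161
```

Anything the check prints is a port that only the iptables rules are keeping off the internet, which is exactly the case Alan describes for SNMP and VNC.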