Hi

I have slightly modified the iptables boot script for XEN.
However, I'm totally unsure if it's secure.

The "#NEW" lines are the modifications of LFS' recommended boot script.

Do they mean that every single packet which is forwarded through peth0
to eth0 is accepted?
I liked the configuration that only answers to established connections
are let through.

Thanks for your help

Olivier

#!/bin/sh

# Begin $rc_base/rc.iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG
#NEW
modprobe ipt_physdev

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

#NEW (following 2 lines)
iptables -A FORWARD -m physdev --physdev-in peth0 --physdev-out '!' peth0 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out peth0 --physdev-in '!' peth0 -j ACCEPT

# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
#NEW
iptables -A INPUT -i eth0 -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End $rc_base/rc.iptables

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
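The question in the post is whether the "#NEW" rules accept bridged traffic regardless of connection state. The following is an added example, not part of the post or of the LFS script: a small audit that parses the posted iptables lines (embedded verbatim as constructed input) and flags every ACCEPT rule in INPUT or FORWARD that carries no `-m state --state` match. It also runs the same audit over an assumed stateful alternative (my suggestion, not the poster's), in which FORWARD first accepts ESTABLISHED,RELATED and then lets only the bridge ports other than peth0 (the domU side) open NEW connections towards peth0. The rule parser understands the old-style negation `--physdev-out '!' peth0` used in the post.

```python
"""Audit iptables rules for ACCEPT rules that bypass connection tracking.

Added example; the rule text below is constructed from the posted script.
"""
import shlex

# Constructed input: the -P/-A lines from the posted rc.iptables, verbatim.
POSTED_RULES = """
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A FORWARD -m physdev --physdev-in peth0 --physdev-out '!' peth0 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out peth0 --physdev-in '!' peth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
"""

# Assumed stateful alternative (not from the post): replies are accepted by
# conntrack state, and only bridge ports other than peth0 (the domU side)
# may open NEW connections towards the physical NIC.
STATEFUL_RULES = """
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out peth0 --physdev-in '!' peth0 -m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
"""

# Options that take a value; every other token is treated as a bare flag.
VALUE_OPTS = {"-A", "-P", "-j", "-m", "-i", "-o", "-p", "-s", "-d", "-t",
              "--physdev-in", "--physdev-out", "--state", "--log-prefix"}


def parse_rules(text):
    """Return one dict {chain, target, opts} per 'iptables -A ...' line."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)          # handles the quoted '!' and the log prefix
        if len(tokens) < 2 or tokens[0] != "iptables" or "-A" not in tokens:
            continue                        # -P / -F / -X / -Z lines carry no match
        opts = {}
        i = 1
        while i < len(tokens):
            tok = tokens[i]
            if tok in VALUE_OPTS and i + 1 < len(tokens):
                i += 1
                value = tokens[i]
                if value == "!" and i + 1 < len(tokens):   # old syntax: --physdev-out '!' peth0
                    i += 1
                    value = "!" + tokens[i]
                opts.setdefault(tok, []).append(value)
            i += 1
        rules.append({"chain": opts["-A"][0], "target": opts.get("-j", [""])[0], "opts": opts})
    return rules


def describe(rule):
    """Short human-readable summary of the match part of a rule."""
    o = rule["opts"]
    parts = []
    if "-i" in o:
        parts.append("in=" + o["-i"][0])
    if "--physdev-in" in o:
        parts.append("bridge-in=" + o["--physdev-in"][0])
    if "--physdev-out" in o:
        parts.append("bridge-out=" + o["--physdev-out"][0])
    return "%s %s -> %s" % (rule["chain"], " ".join(parts) or "any", rule["target"])


def audit(rules):
    """Flag ACCEPT rules in INPUT/FORWARD that carry no conntrack state match.

    Returns (chain, summary, note) tuples in rule order; empty means clean.
    """
    findings = []
    for chain in ("INPUT", "FORWARD"):
        chain_rules = [r for r in rules if r["chain"] == chain]
        state_idx = [i for i, r in enumerate(chain_rules) if "--state" in r["opts"]]
        for idx, r in enumerate(chain_rules):
            if r["target"] != "ACCEPT" or "--state" in r["opts"]:
                continue
            if chain == "INPUT" and r["opts"].get("-i") == ["lo"]:
                continue                    # loopback-only accept is harmless
            if not state_idx:
                note = "chain has no conntrack state rule at all"
            elif idx < state_idx[0]:
                note = "accepts NEW traffic; the later ESTABLISHED,RELATED rule never sees it"
            else:
                note = "accepts NEW traffic the state rule did not match"
            findings.append((chain, describe(r), note))
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULES), ("stateful", STATEFUL_RULES)):
        findings = audit(parse_rules(text))
        print("%s: %d stateless ACCEPT rule(s)" % (name, len(findings)))
        for chain, summary, note in findings:
            print("  %s: %s" % (summary, note))
```

Run against the posted rules, the audit reports three stateless accepts: `INPUT in=eth0`, which sits before the ESTABLISHED,RELATED rule and so admits any new connection arriving on eth0, and the two physdev FORWARD rules, which accept bridged frames in both directions with no state check at all. The assumed stateful set produces no findings. One caveat that applies to both rule sets: iptables only sees bridged frames in FORWARD when the bridge netfilter hook is enabled (`/proc/sys/net/bridge/bridge-nf-call-iptables`), and conntrack on that path is what the `--state` matches depend on.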