
Securing-Optimizing-RH-Linux-1_2_132
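# Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
# © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® — page 132
#
# ipchains (Linux 2.2) firewall fragment for a FreeS/WAN VPN gateway.
# This page holds the site-specific address variables, the reserved/special
# network ranges, the port ranges, the default policies and the kernel
# anti-spoofing settings.  Must run as root.  No ACCEPT rule is installed
# here: until the rules on the following pages are added, the host passes
# nothing except what the policies below allow (i.e. nothing).

# ---- site-specific addresses (edit for your network) -----------------------
IPADDR="208.164.186.1"
LOCALNET_1="192.168.1.0/24"             # whatever private range you use
IPSECSG="208.164.186.2"                 # space separated list of remote VPN gateways
FREESWANVI="ipsec0"                     # space separated list of virtual interfaces
ANYWHERE="any/0"
NAMESERVER_1="208.164.186.1"
NAMESERVER_2="208.164.186.2"
POP_SERVER="pop.videotron.ca"           # your POP external server
NEWS_SERVER="news.videotron.ca"         # your news external server
SYSLOG_SERVER="mail.openarch.com"       # your syslog internal server

# ---- reserved and special-purpose ranges (used later for anti-spoofing) ----
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"                    # RFC 1918 private
CLASS_B="172.16.0.0/12"                 # RFC 1918 private
CLASS_C="192.168.0.0/16"                # RFC 1918 private
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"

# ----------------------------------------------------------------------------
# SSH starts at 1023 and works down to 513 for each additional simultaneous
# incoming connection; the range below deliberately admits only two.
SSH_PORTS="1022:1023"                   # range for SSH privileged ports

# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"

# ----------------------------------------------------------------------------
# Default policy: DENY (silent drop) on input; REJECT on output and forward,
# which returns an ICMP error so local processes fail fast instead of hanging.
# Desired INCOMING & OUTGOING connections are accepted explicitly afterwards.

# Set the policies BEFORE flushing.  Flushing first would leave a window in
# which the chains are empty under whatever policy was active before this
# script ran (ACCEPT on a freshly booted kernel).
ipchains -P input   DENY
ipchains -P output  REJECT
ipchains -P forward REJECT

# Remove all existing rules belonging to this filter.
ipchains -F

# Masquerade timeout of 10 hours (36000 s) for established TCP connections;
# the two zeros leave the TCP-FIN and UDP timeouts at their current values.
ipchains -M -S 36000 0 0

# Don't forward fragments: assemble before forwarding.
# LOCAL_INTERFACE_1 is defined earlier in the script (not on this page).  An
# unset value would make ipchains read "-j" as the interface name, so abort
# rather than silently install a rule on the wrong interface.
: "${LOCAL_INTERFACE_1:?LOCAL_INTERFACE_1 must be set before the fragment rule}"
ipchains -A output -f -i "$LOCAL_INTERFACE_1" -j DENY

# ----------------------------------------------------------------------------
# Enable TCP SYN cookie protection (mitigates SYN-flood backlog exhaustion).
echo 1 >/proc/sys/net/ipv4/tcp_syncookies

# Enable IP spoofing protection: turn on source address verification
# (reverse-path filtering) for every interface present in /proc at this
# point.  The glob also matches the "all" and "default" entries, so
# interfaces created later should inherit the setting.
# NOTE(review): strict reverse-path filtering drops legitimately
# asymmetric-routed traffic on a multi-homed gateway — confirm routes are
# symmetric on every interface, including the ipsec virtual ones.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done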