
Securing-Optimizing-RH-Linux-1_2_133
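# Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 133

    # Disable ICMP Redirect Acceptance
    # A forged ICMP redirect can rewrite this host's routing table, so every
    # interface directory under conf/ (including "all" and "default") gets
    # redirects switched off. The -f guard skips the literal glob pattern that
    # is left behind when nothing matches (e.g. /proc not mounted) instead of
    # failing on the redirection.
    for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        [ -f "$f" ] || continue
        echo 0 > "$f"
    done

    # Disable Source Routed Packets
    # Source-routed packets let the sender dictate the path (and so bypass
    # routing-based filtering); refuse them on every interface.
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        [ -f "$f" ] || continue
        echo 0 > "$f"
    done

    # These modules are necessary to masquerade their respective services.
    # The ports= argument is passed through to the raudio helper as-is.
    /sbin/modprobe ip_masq_ftp.o
    /sbin/modprobe ip_masq_raudio.o ports=554,7070,7071,6970,6971
    /sbin/modprobe ip_masq_irc.o
    # Optional helpers, left disabled. (The original lines read
    # "/sbin/modprobe/ip_masq_*.o" -- a path typo that would fail with
    # "No such file or directory" if they were ever uncommented.)
    #/sbin/modprobe ip_masq_vdolive.o
    #/sbin/modprobe ip_masq_cuseeme.o
    #/sbin/modprobe ip_masq_quake.o

    # The interface and address variables below are presumably assigned
    # earlier in this script. If any of them is empty, the ipchains rules
    # that use it are silently malformed and never installed, so abort
    # loudly here rather than continue with holes in the rule set.
    : "${LOOPBACK_INTERFACE:?LOOPBACK_INTERFACE must be set}"
    : "${EXTERNAL_INTERFACE:?EXTERNAL_INTERFACE must be set}"
    : "${IPADDR:?IPADDR must be set}"
    : "${CLASS_A:?CLASS_A must be set}"
    : "${CLASS_B:?CLASS_B must be set}"
    : "${CLASS_C:?CLASS_C must be set}"

# ----------------------------------------------------------------------------
# LOOPBACK

    # Unlimited traffic on the loopback interface.
    ipchains -A input  -i "$LOOPBACK_INTERFACE" -j ACCEPT
    ipchains -A output -i "$LOOPBACK_INTERFACE" -j ACCEPT

# ----------------------------------------------------------------------------
# Network Ghouls

# Deny access to jerks

    # /etc/rc.d/rc.firewall.blocked contains a list of
    # ipchains -A input  -i $EXTERNAL_INTERFACE -s address -j DENY
    # rules to block from any access.
    # Refuse any connection from problem sites
    #
    # NOTE: sourcing that file executes whatever shell it contains, so it
    # must be owned by root and not writable by anyone else.

    #if [ -f /etc/rc.d/rc.firewall.blocked ]; then
    #    . /etc/rc.d/rc.firewall.blocked
    #fi

# ----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
#
# Every rule below carries -l, so each match is written to the kernel log.
# That is what you want for spotting spoofing attempts, but on a busy link it
# can generate a lot of log traffic; keep an eye on syslog volume.

    # Refuse spoofed packets pretending to be from the external address.
    ipchains -A input  -i "$EXTERNAL_INTERFACE" -s "$IPADDR" -j DENY -l

    # Refuse packets claiming to be to or from a Class A private network
    ipchains -A input  -i "$EXTERNAL_INTERFACE" -s "$CLASS_A" -j DENY -l
    ipchains -A input  -i "$EXTERNAL_INTERFACE" -d "$CLASS_A" -j DENY -l
    ipchains -A output -i "$EXTERNAL_INTERFACE" -s "$CLASS_A" -j REJECT -l
    ipchains -A output -i "$EXTERNAL_INTERFACE" -d "$CLASS_A" -j REJECT -l

    # Refuse packets claiming to be to or from a Class B private network
    ipchains -A input  -i "$EXTERNAL_INTERFACE" -s "$CLASS_B" -j DENY -l
    ipchains -A input  -i "$EXTERNAL_INTERFACE" -d "$CLASS_B" -j DENY -l
    ipchains -A output -i "$EXTERNAL_INTERFACE" -s "$CLASS_B" -j REJECT -l
    ipchains -A output -i "$EXTERNAL_INTERFACE" -d "$CLASS_B" -j REJECT -l

    # Refuse packets claiming to be to or from a Class C private network
    ipchains -A input  -i "$EXTERNAL_INTERFACE" -s "$CLASS_C" -j DENY -l
    ipchains -A input  -i "$EXTERNAL_INTERFACE" -d "$CLASS_C" -j DENY -l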