Secure and Manage Voyage Linux - Page 2

By Carla Schroder | Posted Sep 17, 2007
Page 2 of 2

If you're running any services, or just want more control, you'll need to write your own iptables script. This example does not open any ports for public services, but it allows SSH sessions from inside the LAN to the firewall box, sets up NAT and IP masquerading, turns on IP forwarding, drops unsolicited inbound connection attempts from the WAN, allows your LAN hosts to initiate outgoing connections for Web surfing, email, and so forth, and permits the ICMP messages that networking depends on. Some admins think that blocking all ICMP is good security, but it is bad networking practice. At a minimum you must accept destination-unreachable (type 3, which carries the fragmentation-needed message that path MTU discovery relies on) and time-exceeded (type 11), and allowing echo-request and echo-reply keeps ping available for troubleshooting. You need at least those for networking to work correctly; block them and you get large transfers that hang and a box that cannot be traced.

Run this script the same way as nat.sh: store it in /usr/local/sbin/, and bring it up or down with the WAN interface. Remember to make it executable, owned by root, and writable by nobody else (chmod 700 is the usual choice) for extra insurance, since anything that can edit the script can rewrite your firewall policy. After you have written it, of course:
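The article's own script is not reproduced on this page. What follows is an added example, not Carla Schroder's script, that implements the policy described above as a POSIX shell script: default-deny INPUT and FORWARD, stateful replies, anti-spoofing, LAN-only SSH to the box (plus an optional single trusted WAN source, which is the rule discussed in the next section), the ICMP types that networking needs, outbound-only connections for LAN hosts, masquerading, and IP forwarding. The interface names (eth0 for the WAN, eth1 for the LAN), the LAN subnet 192.168.1.0/24 and the SSH_ADMIN_SRC variable are assumptions; change them for your box. DRY_RUN=1 prints the iptables commands instead of running them, so the rule set can be reviewed on any machine before it is loaded on the router.

```shell
#!/bin/sh
# Stateful NAT firewall for a two-interface router (added example, not the
# article's own script). Interface names, the LAN subnet and the optional
# remote-admin address below are assumptions; change them for your box.
WAN_IFACE="${WAN_IFACE:-eth0}"
LAN_IFACE="${LAN_IFACE:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
# Address (or network) allowed to SSH in from the WAN; empty means none.
SSH_ADMIN_SRC="${SSH_ADMIN_SRC:-}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
# DRY_RUN=1 prints the commands instead of running them, so the rule set can
# be reviewed on a machine without root or netfilter.
DRY_RUN="${DRY_RUN:-0}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else "$IPTABLES" "$@"; fi
}

set_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "sysctl net.ipv4.ip_forward=$1"
    else
        echo "$1" > /proc/sys/net/ipv4/ip_forward
    fi
}

fw_flush() {
    for t in filter nat; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
}

fw_start() {
    fw_flush
    # Default deny for traffic to and through the box; the box itself may talk out.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, and replies to connections the box or the LAN initiated.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Packets arriving on the WAN with a LAN source address are spoofed.
    ipt -A INPUT -i "$WAN_IFACE" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN_IFACE" -s "$LAN_NET" -j DROP

    # SSH to the firewall from the LAN, plus optionally from one trusted WAN source.
    ipt -A INPUT -p tcp -i "$LAN_IFACE" -s "$LAN_NET" --dport 22 -m state --state NEW -j ACCEPT
    if [ -n "$SSH_ADMIN_SRC" ]; then
        ipt -A INPUT -p tcp -i "$WAN_IFACE" -s "$SSH_ADMIN_SRC" --dport 22 -m state --state NEW -j ACCEPT
    fi

    # ICMP the network needs: destination-unreachable carries fragmentation-needed
    # (path MTU discovery), time-exceeded serves traceroute and TTL expiry, and
    # echo keeps ping working. Inbound echo-request is rate limited.
    for icmp_type in destination-unreachable time-exceeded echo-reply; do
        ipt -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
        ipt -A FORWARD -p icmp --icmp-type "$icmp_type" -j ACCEPT
    done
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT

    # LAN hosts may open new connections outward; nothing else is forwarded.
    ipt -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Masquerade LAN traffic leaving on the WAN, then turn routing on.
    ipt -t nat -A POSTROUTING -o "$WAN_IFACE" -s "$LAN_NET" -j MASQUERADE
    set_forwarding 1
}

fw_stop() {
    set_forwarding 0
    fw_flush
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
}

# "firewall.sh start" when the WAN comes up, "firewall.sh stop" when it goes down.
case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
esac
```

Run DRY_RUN=1 ./firewall.sh start first and read the output; once it looks right, load it from the console or a LAN-side session, never from the WAN, because the flush at the top of fw_start momentarily drops every rule and a mistake in the policy lines locks you out for good.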

SSH Through the Firewall

Suppose you want to enable remote administration so you can log in from home, or other remote locations. SSH is the tool for the job, and there are a couple of ways you can get through your firewall. The simplest method is to write an iptables rule that allows remote SSH connections. You'll log into the firewall, and from there open a second SSH session to whatever internal host you want to get to.

You should create an unprivileged user on your Voyage router for this, and never accept root logins over untrusted networks (PermitRootLogin no in sshd_config). Then add an iptables rule like this:

$ipt -A INPUT -p tcp -i $WAN_IFACE --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT

Be sure to configure your SSH access controls in /etc/ssh/sshd_config (see Resources). Note that the --sport match adds little protection on its own: an attacker chooses their own source port, so it only screens out unusual clients. A source-address restriction is worth far more, and you can use iptables to be even more restrictive by specifying the address you will be connecting from. Use this rule instead of the one above, not in addition to it; iptables matches rules in order, so the unrestricted rule would still accept everyone:

$ipt -A INPUT -p tcp -i $WAN_IFACE -s 34.56.78.90 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT

There are many ways to set up SSH for easy, secure remote logins. A nice option is to disable password logins entirely (PasswordAuthentication no) and authenticate with SSH keys only, which takes password guessing off the table. (See Resources to learn more.)
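As an added example (not from the original article), here is a small POSIX shell helper that applies the sshd_config settings this section recommends: no root logins, no password or challenge-response logins, public-key authentication on, and an AllowUsers list naming the unprivileged admin account. The directive names are standard OpenSSH ones; the config path and the user name passed in are assumptions. Because sshd uses the first value it finds for each keyword, the helper removes any existing line for the keyword, commented or not, before appending its own, rather than just appending at the end of the file.

```shell
#!/bin/sh
# Apply key-only, non-root sshd settings (added example, not the article's
# code). The config path and user list are supplied by the caller.

# harden_sshd CONFIG_FILE ALLOWED_USERS
# For each directive, drop every existing line that sets it (including
# commented-out ones) and append ours, so ours is the first and only match.
harden_sshd() {
    hs_cfg="$1"
    hs_users="$2"
    hs_tmp="$hs_cfg.tmp.$$"
    hs_settings="PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers $hs_users"
    cp "$hs_cfg" "$hs_tmp"
    printf '%s\n' "$hs_settings" | while read -r key value; do
        # grep -v exits 1 when it removes every line; that is not an error here.
        grep -v -i -E "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$hs_tmp" > "$hs_tmp.new" || true
        printf '%s %s\n' "$key" "$value" >> "$hs_tmp.new"
        mv "$hs_tmp.new" "$hs_tmp"
    done
    mv "$hs_tmp" "$hs_cfg"
    # Syntax-check where sshd is installed; a typo in this file locks you out.
    if command -v sshd >/dev/null 2>&1 && ! sshd -t -f "$hs_cfg" 2>/dev/null; then
        echo "warning: sshd -t rejected $hs_cfg; fix it before restarting sshd" >&2
    fi
}

# sshd_setting CONFIG_FILE KEY
# Print the value sshd will use for KEY: the first uncommented match.
sshd_setting() {
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ /, ""); print; exit }' "$1"
}
```

Typical use is harden_sshd /etc/ssh/sshd_config admin followed by a restart of sshd. Before you restart, make sure the admin account already has a public key in ~/.ssh/authorized_keys and keep your current session open while you open a new one to confirm the key login works; once PasswordAuthentication is off, a missing key means no way in.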

Warning!

Never ever perform any kind of sensitive logins from public computers, or untrusted PCs of any kind. The most secure protocols on Earth cannot foil keystroke loggers.

Resources
