Re: [PLUG] iptables and NAT

LeRoy Cressy on Fri, 7 Feb 2003 10:02:08 -0500

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] iptables and NAT

From: LeRoy Cressy <leroy@lrcressy.com>

To: plug@lists.phillylinux.org

Subject: Re: [PLUG] iptables and NAT

Date: Fri, 07 Feb 2003 09:59:33 -0500

Reply-to: plug@lists.phillylinux.org

Sender: plug-admin@lists.phillylinux.org

User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020623 Debian/1.0.0-0.woody.1

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Hi Mike,

What you are saying is very true, but for some viruses that never go away and keep hitting your box like the Nimda virus which consistantly hits my system from all over the place. Thus I drop those packets before they get to the mail server.

I also drop all unauthorized ssh attempts. It seems that someone in Japan keeps trying to login and port scan my system. Also all telnet attempts are dropped no matter where they come from.

Also the original question was concerning port forwarding and masquerading. I went a little over board in my response to Scott's question.

Michael Leone wrote:
LeRoy Cressy said:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Ziegler, Scott wrote:

I am trying to setup a Linux workstation (Slackware 8 with 2.4.18 kernel) to tie a local network (192.168.x.x) of XP machines to our corporate network. The Linux machine has a hard coded IP address and it works on the network as far as telnet, ssh, browsing, etc. We need to have network connectivity from the XP (for all of those M$ updates) machines through the Linux machine.

How much do you want to protect your M$ boxes since they are the most vulnerable to attack. If you really are concerned about security then you might want to patch the kernel source with the IP tables source. For instance the string match can prevent email that has known viruses from getting to your windows boxes.

Definitely not the best way to protect email. Especially for new viruses, and things that don't match strings easily, or have many possible matches.

Run a virus scanner - there are many for Linux, some free - from your email server (investigate amavisd-new; great program for calling out virus and spam scanners from an email server). While you're at it, tag the SPAM, too, so your users can easily make rules to route it to a holding mailbox (never just dump tagged SPAM; it could be a mis-tag, and then you've lost real email. Let the users decide for themselves)

- -- Rev. LeRoy D. Cressy mailto:leroy@lrcressy.com /\_/\ http://lrcressy.com ( o.o ) Phone: 215-535-4037 > ^ <

gpg fingerprint: 62DE 6CAB CEE1 B1B3 359A 81D8 3FEF E6DA 8501 AFEA

Jesus saith unto him, I am the way, the truth, and the life: no man cometh unto the Father, but by me. (John 14:6) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQE+Q8niP+/m2oUBr+oRAgAVAJ9ccaVwxYPso+q6KcQ57097epuijgCfW8eF Su4Je2oFZyNjfIqWzgiEeCw= =lnkp -----END PGP SIGNATURE-----

_________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce General Discussion -- http://lists.netisland.net/mailman/listinfo/plug

Follow-Ups:

Re: [PLUG] iptables and NAT
From: Mike Leone <turgon@mike-leone.com>

References:

[PLUG] iptables and NAT
From: "Ziegler, Scott" <scott_ziegler@merck.com>

Re: [PLUG] iptables and NAT
From: LeRoy Cressy <leroy@lrcressy.com>

Re: [PLUG] iptables and NAT
From: "Michael Leone" <turgon@mike-leone.com>

Prev by Date: Re: [PLUG] iptables and NAT

Next by Date: Re: [PLUG] Without OS X

Previous by thread: Re: [PLUG] iptables and NAT

Next by thread: Re: [PLUG] iptables and NAT

Index(es):

Date

Thread