
ViciBox White List

PostPosted: Sun Nov 18, 2012 7:51 am
by kamirie
Good day,

How can I integrate this whitelist into ViciBox?
Code:
# Generated by iptables-save v1.3.8 on Thu Mar 17 11:54:04 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3:120]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -s xxx.xxx.xxx.xxx/32 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j input_int
-A INPUT -i eth1 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -m recent --rcheck --name GOOD --rsource -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
COMMIT
# Completed on Thu Mar 17 11:54:04 2011
# Generated by iptables-save v1.3.8 on Thu Mar 17 11:54:04 2011
*raw
:PREROUTING ACCEPT [25890911:4913156736]
:OUTPUT ACCEPT [25089250:4484603070]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Thu Mar 17 11:54:04 2011


I was able to install ViciBox in VMware and am now trying to add this whitelist. I turned off the firewall in "yast firewall",
but there is no /etc/sysconfig/iptables like in GoAutoDial. I read somewhere else that I can edit /etc/sysconfig/SuSEfirewall2, but I want to implement the whitelist for more security and also make the rules permanent.

Re: ViciBox White List

PostPosted: Sun Nov 18, 2012 1:29 pm
by williamconley
With ViciBox, you do not turn off the firewall. This whitelist system was extracted from a running ViciBox system.

If you Google this topic, you will find instructions for a lockdown of ViciBox.

Instead of modifying a single file that has been inserted, you will use "yast firewall" for most of the changes and modify a couple of configuration files to turn off things like ping. The YaST firewall system checks many locations to "construct" the iptables file during start of the firewall. More complex, but quite robust once you get used to it.
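As an added example (not code from this thread, from ViciBox or from SuSEfirewall2), the script below does what the reply above describes: it expresses a whitelist as settings in /etc/sysconfig/SuSEfirewall2, the file YaST reads when it builds the iptables rules, instead of as a raw iptables-save file that the next firewall start would regenerate over. Two points before using it. It assumes a single NIC, eth0, placed in the external zone; in the dump posted above, eth0 is sent to input_int, which accepts everything, so on a one-NIC VM that dump's whitelist would protect nothing. And every entry is validated before the file is touched, because a mistyped whitelist on a remote dialler is a lockout. The addresses (RFC 5737 test ranges) are constructed sample data and the chosen variable values are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from this thread or from ViciBox/SuSEfirewall2:
# express a per-address whitelist as SuSEfirewall2 settings (the layer the
# ViciBox firewall is generated from) rather than a hand-edited
# iptables-save file, which the next firewall restart would regenerate over.
# Assumptions: one NIC, eth0, in the external zone; sample addresses below
# are constructed (RFC 5737 ranges).

# Accept "a.b.c.d" or "a.b.c.d/nn" only: four octets 0-255, prefix 0-32.
valid_ipv4_cidr() {
    ip=$1; prefix=32
    case "$ip" in */*) prefix=${ip#*/}; ip=${ip%%/*} ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# FW_TRUSTED_NETS syntax: space separated net[,proto[,port]]; a bare net is
# trusted for every protocol and port. Refuses the whole list on the first
# malformed entry so a typo cannot lock you out of a remote box.
sfw2_trusted_nets() {
    out=""
    for net in $1; do
        valid_ipv4_cidr "$net" || { echo "bad whitelist entry: $net" >&2; return 1; }
        case "$net" in */*) out="$out $net" ;; *) out="$out $net/32" ;; esac
    done
    printf '%s\n' "${out# }"
}

# Set VAR="value" in a sysconfig file in place, appending when absent, so
# every other setting YaST wrote survives (values here contain no sed
# metacharacters).
sfw2_set_var() {
    file=$1; var=$2; value=$3
    if grep -q "^$var=" "$file"; then
        sed "s|^$var=.*|$var=\"$value\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$var" "$value" >> "$file"
    fi
}

# Whitelist-only policy: no services opened on the external zone, no ping
# to the firewall host, only FW_TRUSTED_NETS get through; everything else is
# dropped by SuSEfirewall2's default policy. Target is normally
# /etc/sysconfig/SuSEfirewall2.
sfw2_apply_whitelist() {
    cfg=$1
    nets=$(sfw2_trusted_nets "$2") || return 1
    sfw2_set_var "$cfg" FW_DEV_EXT "eth0"
    sfw2_set_var "$cfg" FW_DEV_INT ""
    sfw2_set_var "$cfg" FW_SERVICES_EXT_TCP ""
    sfw2_set_var "$cfg" FW_SERVICES_EXT_UDP ""
    sfw2_set_var "$cfg" FW_ALLOW_PING_FW "no"
    sfw2_set_var "$cfg" FW_TRUSTED_NETS "$nets"
    sfw2_set_var "$cfg" FW_LOG_DROP_CRIT "yes"
}

# Demo against a scratch copy: "sh thisfile --demo"
WHITELIST="192.0.2.10 192.0.2.11 198.51.100.0/24"   # constructed sample
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp)
    printf 'FW_DEV_EXT="eth1"\nFW_ALLOW_PING_FW="yes"\n' > "$scratch"
    sfw2_apply_whitelist "$scratch" "$WHITELIST" && cat "$scratch"
    rm -f "$scratch"
fi
```

Run it with --demo to see the result on a scratch file. On the real box, point it at /etc/sysconfig/SuSEfirewall2 as root, restart the firewall (rcSuSEfirewall2 restart, or through YaST) and confirm with iptables -L -n -v that the trusted addresses are accepted ahead of the final drop. FW_TRUSTED_NETS also takes net,proto,port entries (for instance 192.0.2.10,tcp,22) when a host should reach only one service rather than everything.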

Re: ViciBox White List

PostPosted: Sun Nov 18, 2012 7:50 pm
by kamirie
williamconley wrote: With ViciBox, you do not turn off the firewall. This whitelist system was extracted from a running ViciBox system.

If you Google this topic, you will find instructions for a lockdown of ViciBox.

Instead of modifying a single file that has been inserted, you will use "yast firewall" for most of the changes and modify a couple of configuration files to turn off things like ping. The YaST firewall system checks many locations to "construct" the iptables file during start of the firewall. More complex, but quite robust once you get used to it.


OK William, will do. Thanks.