[Coco] Re: Help - There that got your attention.
Gene Heskett
gene.heskett at verizon.net
Sun Aug 14 00:26:02 EDT 2005
On Saturday 13 August 2005 22:54, Dave Kelly wrote:
>Gene Heskett wrote:
>> I think those suggestions refer to useing dyndns.com, which is a
>> service that essentially sets up your name so it only can be
>> resolved by their dns servers(points the rest of the worlds
>> servers at theirs for authoritative answers), all made to work in
>> pretty close to realtime by having you 'put me online' script grab
>> the ip address your are given and forwarding it to dyndns, at
>> which point your name will resolve, albeit a second or so slower
>> due to the indirection involved.
>
>SilverNail:/tmp# dnsdomainname -v
>gethostname()=`dave'
>Resolving `dave' ...
>Result: h_name=`dave'
>Result: h_aliases=`dave'
>Result: h_aliases=`dave.Belkin'
>Result: h_addr_list=`127.0.0.1'
>Result: h_addr_list=`192.168.2.2'
>
>
>
>http://danasoft.com/ and https://www.grc.com/x/ne.dll?bh0bkyd2
>both tell me that my IP address is 69.68.113.224
>
>
>I'm going to show some of the setting. Maybe you can spot something
> to get me back on the right tract.
>
>Using the command line 'dsndomainname -i' tells me this computer is
>'192.168.2.2'.
>The sign for 'Danasoft' that you put in your signature and
>http://www.grc.com/default.htm tell me that I am 69.68.113.224.
>
>Here are some of the settings to my Belkin router firewall
>Code:
>
>Version Info
> Firmware Version 4.05.03
> Boot Version 2.01.09
> Hardware F5D7230-4
> Serial No. BEL1HWZG
>
>LAN Settings
> LAN/WLAN MAC 00:11:50:34:F7:78 / 00:11:50:34:F7:79
> IP address 192.168.2.1
> Subnet mask 255.255.255.0
> DHCP Server Enabled
>Internet Settings
> WAN MAC address 00:11:50:34:F7:78
> Connection Type Dynamic
> Subnet mask 255.255.255.252
> Wan IP 192.168.1.2
> Default gateway 192.168.1.1
> DNS Address 192.168.1.1
>
>Features
> NAT Enabled
> Firewall Settings Enabled
> SSID belkin54g
> Security Disabled
>
The NAT Enabled is where the outside address gets translated to the
inside address, where the inside address in this case is in the
192.168.1.x block.. No router worth its electricity to run allows
direct access to these "inside" private addresses.
>
> DMZ
>The DMZ feature allows you to specify one computer on your network
> to be placed outside of the NAT firewall. This may be necessary if
> the NAT feature is causing problems with an application such as a
> game or video conferencing application. Use this feature on a
> temporary basis. The computer in the DMZ is not protected from
> hacker attacks. To put a computer in the DMZ, enter the last digits
> of its IP address in the field below and select "Enable". Click
> "Submit" for the change to take effect. More Info
>
> IP Address of Virtual DMZ Host >
> Static IP Private IP Enable
>1. 192.168.1.2 192.168.2.3 Enabled
>
>
>This one I did not completly understand or even if it would apply.
Setting up a DMZ is a minefield. I have that ability too, but its
never been turned on, and I would turn it on only under condition of
haveing a third nic in the box set up so that anything it did was in
a chroot jail, or a seperate, sacrificial box, with the rest of the
home network in a different subnet entirely to enforce the lack of
visibility of the rest of the network to that box in the DMZ and hence
wide open to the internet.
I don't have the expertise in my own head to set either of those
conditions up.
And one of the internet watchdogs has raised the security alert to
yellow just today as a new crop of zero-day exploits for the latest
M$ announced security patches has risen to the level of a full blown
pandemic. Its estimated that any unpatched M$ box, connected to the
net, is now to be considered infected 30 seconds after the net cable
is plugged in.
Also, there are stories being circulated since tuesday that a
favorite windows web search tool called CoolWebSearch is in fact a
key logger, sending everything you do to a site with an .ru address.
When Jim passed that announcement on to me, he had made the comment
that he'd had to remove it from virtually every machine in the
building, and from quite a large percentage of the machines coming in
for service at his part time computer repair shop. Then the other
partner in that chimed in and said he'd had to clean it off of every
machine with a net connection, and some that didn't have anything but
dialup at the coal company he also is the head accountant of. So its
pretty wide spread.
Again, the name of the utility is CoolWebSearch. If any of you have
it on your personal machines, either re-image the drive & apply all
patches from M$ up to late today before hooking up the net cable, or
get the newest virii killer and have it removed.
>
> Firewall > Virtual servers
>
>
> This function will allow you to route external (Internet)
> calls for services such as a web server (port 80), FTP server (Port
> 21), or other applications through your Router to your internal
> network. More Info
>
>
>
>Add ( This looked like a list of online games )
>Clear entry
> Enable Description Inbound port Type Private IP
>address Private port
>1. TCP
> - 192.168.2. -
>2. TCP -
> 192.168.2. -
>
>
>Here is the one change I made to the 'los_fw' file.
>
>start /sbin/iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
> # HTTP
>
If you are going to do that, let me give you the rest of an iptables
ruleset thats worked pretty well here. Yeah, I know, its an older
iptables release. I don't fix what ain't broke.
------------
# Generated by iptables-save v1.2.7a on Sat Aug 13 23:33:50 2005
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
COMMIT
# Completed on Sat Aug 13 23:33:50 2005
# Generated by iptables-save v1.2.7a on Sat Aug 13 23:33:50 2005
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A POSTROUTING -s 192.168.71.3 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Aug 13 23:33:50 2005
# Generated by iptables-save v1.2.7a on Sat Aug 13 23:33:50 2005
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 6881:6999 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "New not syn: "
-A INPUT -p tcp -m state --state NEW -m tcp ! --tcp-flags SYN,RST,ACK SYN -j DROP
-A FORWARD -i eth1 -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
-------------
Now, the numbers stuff within the [ ] above is some sort of a hit counter for
logging purposes, and is irrevelant to a new install, and I believe
that they can be nuked. Which I've done above. All you should
have to do is edit the 192.168.x.x addresses in the above to suit your install.
And for only one machine, remove the lines that reference eth1.
This iptables sits between eth0, which is tied to the router, and
the rest of my network which is all on eth1.
Now, my firewall box also is setup to run tcpwrappers, which uses the
/etc/hosts.allow and /etc/hosts.deny files to allow or disallow a service
response. That can be made largely automatic by a utility called
portsentry, last version 1.2 I think. It can be set to write rules for iptables
and apply them on the fly, and to add blackhat addresses to the hosts.deny
automaticly. Between these guard dogs, I have actually logged 3 attempts
to access this network in about 29 months of 24/7 dsl connection. This machine
is not visible as anything but a closed identd port at my outside address.
The identd port must be present, even if closed or many of the internet services
don't work at all.
And those aren't windows statistics. It shows how real security works.
Oh, 2 of those attempted breakins came from my assigned by vz dns server,
which being an IIS server, often catches a virii. I send vz a nastygram &
they go re-image the box, all without an ack that I sent them a message.
Wouldn't wanna lose face or admit the liability you see. Did I mention
vz is an organic conduit pipe for waste products? Yeah... port 80 is
blocked and the TOS says no home servers allowed.
For 30 bucks a month I get to call them Jerks.
>
>
>This was in the script file. Does it have any revelance?
>
>
> # Grant access to everyone
>
> start /sbin/iptables -A INPUT -p all -j ACCEPT
> start /sbin/iptables -A OUTPUT -p all -j ACCEPT
> ;;
>
>
>Anyone got any idea what I need to do to get around this dynamic
>connection I have to the internet?
The best way I know is to write a script to get your reall address from the
router, either as a cron job, or anytime the networking is restarted,
and send it to dyndns after setting up an account, and some home
accounts are free. Even commercial is a quite nominal fee per month.
Less than a tenner I believe.
--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.35% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.
More information about the Coco
mailing list