FB Twitter YouTube LinkedIn GitHub G+
Nick Howitt

Profile Details

Toggle Sidebar
Recent updates
  • Can you remember if you installed any particular drivers in the past? This is a long shot, but what is the result of:

  • You're going to end up in all sorts of trouble if you're not careful and there are easier ways of achieving what you want.

    Firstly you need to understand the difference between INPUT, OUTPUT and FORWARD. INPUT ruled are for any traffic from outside ClearOS (LAN or WAN) destined for ClearOS and not through ClearOS. OUTPUT rules are the other way round - for any traffic originating from ClearOS and destined for outside ClearOS (including the proxy). The FORWARD chain is for any traffic passing through ClearOS in either direction. There are a couple of references here and here. Also understand that your rules only touch the filter table and not the nat or mangle tables.

    Don't fight the firewall, so don't clear it. Also understand what services you need to happen in the background (DHCP, DNS lookup come to mind, both on the LAN and WAN). Then in the Webconfig in the Egress Firewall click on the configure button and change the default policy to block by default if you need to. This operates on the FORWARD chain only. The INPUT chain is closed by default to any traffic originating from the internet, but not returning traffic (so ClearOS can request stuff from the internet) and is open to everything from the LAN in gateway mode. You can tighten down on this if you want by adding more rules. Do you need to close down the OUTPUT chain? If so make sure you leave open things like ClearOS updates and any rule updates (antivirus, snort etc) you want.

    OpenVPN needs more rules in the nat table.

    Webconfig is on port 81, not 80. Do you really want to open it to the internet, and what about "RELATED" traffic?

    Please don't open SSH to the internet? There are too many bots trying to hack it. If you need it open use something like OpenVPN to connect to the server then connect to SSH by the server LAN IP.

    The basic rules are fine to start with. Change the Egress firewall by all means. Close SSH and the Webconfig to the internet. You can tighten up if you know which IP's on your LAN you wish to access what in ClearOS, but work out first how your workstations are going to get their IP addresses and do their DNS lookups. Are you going to use ClearOS DHCP and/or DNS and so on.

  • Nick Howitt
    Nick Howitt replied to a discussion, NFS client

    Do you need to install nfs-utils first?

  • This one is going to be beyond my knowledge. You not only have MultiWAN but you also appear to have a fixed IP block. With app-mulitwan installed I'd have expected you to have a bigger routing table with extra tables for each interface, but I can't find the document which shows it......... many minutes later found it!. See if it makes sense and all the tables are present.

    As a thought, can you wither watch the pings in and out through the interface with tcpdump and/or try changing your interface IP to (your lowest usable address)? I am curious to know if ClearOS is using the correct IP address when sending the ping and is receiving it correctly.

    Out of curiosity is there any reason you are using a virtual interface on em1? There is the 1-to-1 NAT module if you're trying to forward the IP to your LAN. Otherwise I am not sure it is needed.

    Similarly what is the purpose of ppp0:200 with the same IP as ppp0?

    Are you using IPv6 on your LAN (em2?)? If so, that is also beyond my experience.

  • What are you using for your DNS servers?
    What do you see in /var/log/syswatch?
    What is the output of:Please put the results between code tags.

  • Link. Note the health warning. I guess the v6 instructions work on v7.

  • I've heard nothing more. The only thing we've been pointed to so far is to export and re-import users. There is a recent HowTo for migrating POP/IMAP, but not much else. For me there will be a huge amount of manual stuff to do so I'll have to put it off to the summer after my studies!

  • I don't know enough about it, but how did they get execute permissions to do things like create users if they did not have root access? This suggests to me than another account was compromised which was able to get elevated privileges through su/sudo.

    Could the intruder be getting access through ftp to dump files on your system and be using the same account to relay mail?

  • I can't advise too much as I have very little experience of this, but I would have thought a complete re-installation would be advisable. As port 22 access was obtained, I assume it was with the root user and they could have done anything. There must be something launching that script at reboot. Cron or different start up methods such as ntsysv/chkconfig or editing one of the rc files could have been used or other ways I've no idea about.

    At least if you completely reinstall then copy back in your data you won't have s rogue startup program which may reinfect you.