top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

reset default configuration sysctl.conf

+1 vote
389 views

I have a problem with sysctl.conf, A week ago I have modified the file sysctl.conf for implementing security. Now, the machine is not reachable via ping

In IPtables configuration I have:

 -A INPUT -p icmp -s 111.111.111.111 -j ACCEPT (my home)
 -A INPUT -p icmp -s 222.222.222.222 -j ACCEPT (my office)

also commenting on all lines (#), the result does not change

at right time, I have commented all lines (#) in sysctl but result does not change in console, after the change, I gave:

 # sudo sysctl -p
posted Oct 6, 2013 by Mandeep Sehgal

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

+1 vote

Set the following parameters in /etc/sysctl.conf (if this is related to sysctl.conf)

net.ipv4.icmp_echo_ignore_broadcasts = 0  
net.ipv4.icmp_echo_ignore_all = 0
answer Oct 6, 2013 by Anderson
Similar Questions
+1 vote

Is there a way to redirect ports 80 and 443 to 8443. I have a non root user but I cannot use CentOS firewalld nor iptables. I have tried these things. But it still fails.

+1 vote

Is there a way to find out if there any iptables rules set on a machine ?

There are some indirect ways which will not always work; for example, I know that on most hosts, iptables -S will return the following output (when no iptable rules are set)
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

So you can check whether or not the number of output lines is greater than 3 (as an indication of whether or not iptables rules are set). But there are hosts on which there are more chains then these 3; these chains are set by application/services, even without any iptable rules which are set. And after running iptables -F on these machines, iptables -S will still show more than 3 chains, even that there are no iptables rules set in these chains.

So the question is - is there a way to know whether or not netfilter rules are set on a host, regardless of the number of chains ?

+1 vote

I am trying to use byte counters to know how much total data is transferred from an IP. However, simple test with ping shows that it counts 14 bytes less, probably ignoring later 2 header.

Is my understanding correct or am I missing something in this?

+1 vote

After testing and looking at the kernel source, I realize that this mapping:

iptables -t nat -I PREROUTING -p tcp -m tcp --dport 30000:40000 -j DNAT --to [local_ip]:10000-2000

Doesn't do a one-to-one port mapping
e.g.:

100.0.0.1:30000 > 192.168.0.5:10000
100.0.0.1.30001 > 192.168.0.5:10001
100.0.0.1.30002 > 192.168.0.5:10002

I was wondering if it was possible to do the 1:1 port range forwarding to different port ranges or if you have to use individual rules.

0 votes

I have been using denyhosts for almost a year. To date I have only prevented one person logging in and that is ME ( I used the wrong login name).
Also, I know of no successful break-ins.

My iptables is as follows:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N block
-A INPUT -j block
-A FORWARD -j block
-A block -i wifi_card -p tcp -m tcp --dport 12123 -j ACCEPT
-A block -i Nic_external -p tcp -m tcp --dport 12123 -j ACCEPT
-A block -i Nic_enternal -j ACCEPT
-A block -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A block -i lo -m conntrack --ctstate NEW -j ACCEPT
-A block -j DROP

First, I think that the above will keep the bad guys out, Is that a true statement?

Sencondly, I have added a LOG rule just above the DROP rule and I have been monitoring it for about 1 1/2 weeks. As each entry is logged I have been adding it to /etc/hosts.deny. Currently there are 4318 ip adresses in the file and the number of packets that have been logged is 51592.

Denyhosts is for stopping ssh attempts and nothing else as I understand it.

Having over 4300 lines in /etc/hosts.deny causes almost no delay in logging in remotely.

Am I being to paranoid about keeping the bad guys out or is the iptable above completely adequate?

I would very much like to here your opinion on this,

...