This is a discussion on Re: iptables help please within the Linux Security forums, part of the System Security and Security Related category.
jhardy <rockyrocky81@yahoo.com.au> wrote:
> Jarkko K <moggie@iki.fi> wrote in message news:
>> jhardy <rockyrocky81@yahoo.com.au> wrote:
>>> Hi
>>> Also, how do I stop people from using my bandwidth. I am using red
>>> hat 8 server with an adsl connection hosting web and mail server.
>>> Apache 2 and sendmail.
>> Google for QoS or Quality of service or Bandwidth throttling.
>> JKK
> Sorry what I mean is - how do I stop people that can hack into my
> system from using my bandwidth?
> thanks

If you want to prevent a hacked system from abusing your bandwidth,
it seems obvious the policy will have to be enforced on some other
(uncompromised) system.

Thus if you have a Linux box behind a router (perhaps an OpenBSD or
FreeBSD system --- perhaps another small Linux appliance like those
sold by US Robotics "Model 8200 Secure Storage Router":
http://www.linuxdevices.com/articles/AT4486854045.html
or this OpenBlock:
http://www.linuxdevices.com/articles/AT9236114679.html
or even this toy:
http://www.snapgear.com/pci630.html
(a single board computer you plug into a PCI slot --- but which
functions as an independent system and looks like it's connected via
ethernet) or
http://www.snapgear.com/lite.html)

All of those are small systems with embedded Linux. You can put packet
filters and traffic shaping on (probably any of) them to enforce your
system's bandwidth limitation policies.

Of course it can be a bit silly to start with the assumption that your
box has been hacked completely. It's good risk assessment, good for
building a defensive perimeter *around* the box. However, there are
alternatives (like grsecurity patches, LIDS, and others) to make your
system less brittle. So the compromise of one daemon or service doesn't
lead to full root and kernel compromise.

--
Jim Dennis, Starshine: Signed, Sealed, Delivered
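One way to express the policy the reply describes, packet filters plus traffic shaping enforced on the separate router rather than on the server itself; this is an added example, not part of the original post. The interface name, server address, uplink rate, class split, and the assumption that the server is the only host behind the router are all illustrative.

```shell
#!/bin/sh
# Added example: runs on the separate (uncompromised) router,
# not on the web/mail server. All values are assumptions.
WAN=${WAN:-eth0}              # router interface facing the ADSL line
SERVER=${SERVER:-192.0.2.10}  # server address (documentation range)
UPLINK=${UPLINK:-512}         # ADSL upstream in kbit/s

emit_policy() {
cat <<EOF
# packet filter: connections the server may originate (SMTP out, DNS);
# replies to inbound web/mail clients pass as ESTABLISHED
iptables -A FORWARD -s $SERVER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $SERVER -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -s $SERVER -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -s $SERVER -p tcp --dport 53 -j ACCEPT
# anything else leaving the server is unexpected: log it, then drop it
iptables -A FORWARD -s $SERVER -j LOG --log-prefix "srv-egress-drop: "
iptables -A FORWARD -s $SERVER -j DROP
# marks used by the shaper: 10 = web replies, 20 = mail in either direction
iptables -t mangle -A FORWARD -s $SERVER -p tcp --sport 80 -j MARK --set-mark 10
iptables -t mangle -A FORWARD -s $SERVER -p tcp --sport 25 -j MARK --set-mark 20
iptables -t mangle -A FORWARD -s $SERVER -p tcp --dport 25 -j MARK --set-mark 20
# shaping on the uplink: unmarked traffic falls into the capped class 1:30
tc qdisc add dev $WAN root handle 1: htb default 30
tc class add dev $WAN parent 1: classid 1:1 htb rate ${UPLINK}kbit
tc class add dev $WAN parent 1:1 classid 1:10 htb rate $((UPLINK / 2))kbit ceil ${UPLINK}kbit
tc class add dev $WAN parent 1:1 classid 1:20 htb rate $((UPLINK * 3 / 8))kbit ceil ${UPLINK}kbit
tc class add dev $WAN parent 1:1 classid 1:30 htb rate $((UPLINK / 8))kbit ceil $((UPLINK / 8))kbit
tc filter add dev $WAN parent 1: protocol ip handle 10 fw flowid 1:10
tc filter add dev $WAN parent 1: protocol ip handle 20 fw flowid 1:20
EOF
}

# Dry run by default: print the commands. APPLY=1 (as root) executes them.
if [ "${APPLY:-0}" = 1 ]; then emit_policy | sh -e; else emit_policy; fi
```

Hits on the `srv-egress-drop:` log prefix are worth alerting on, since a web and mail server has little reason to open other outbound connections.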