source: postlfs/security/firewalling.xml@ f7415c4d

Last change on this file since f7415c4d was f7415c4d, checked in by Bruce Dubbs <bdubbs@…>, 3 years ago

Comment out the nftables and firewalld sections until
we can make them a bit more usable.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22759 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;
]>

<sect1 id="fw-firewall" xreflabel="Firewalling">
  <?dbhtml filename="firewall.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>Setting Up a Network Firewall</title>

  <para>Before you read this part of the chapter, you should have
  already installed iptables as described in the previous section.</para>

  <sect2 id="fw-intro" xreflabel="Firewalling Introduction">
    <title>Introduction to Firewall Creation</title>

    <para>The general purpose of a firewall is to protect a computer or
    a network against malicious access.</para>

    <para>In a perfect world, every daemon or service on every machine
    is perfectly configured and immune to flaws such as buffer overflows
    or other security problems. Furthermore, you trust
    every user accessing your services. In this world, you do not need
    a firewall.</para>

    <para>In the real world, however, daemons may be misconfigured and
    exploits against essential services are freely available. You may
    wish to choose which services are accessible by certain machines, or
    you may wish to limit which machines or applications are allowed
    external access. Alternatively, you may simply not trust some of
    your applications or users. You are probably connected to the
    Internet. In this world, a firewall is essential.</para>

    <para>Don't assume, however, that having a firewall makes careful
    configuration redundant, or that it makes any negligent
    misconfiguration harmless. It doesn't prevent anyone from exploiting
    a service you intentionally offer but haven't updated or
    patched after an exploit went public. Despite having a firewall, you
    need to keep applications and daemons on your system properly
    configured and up to date. A firewall is not a cure-all, but it should
    be an essential part of your overall security strategy.</para>

  </sect2>

  <sect2>
    <title>Meaning of the Word "Firewall"</title>

    <para>The word firewall can have several different meanings.</para>

    <sect3>
      <title><xref linkend="fw-persFw"/></title>

      <para>This is a hardware device or software program commercially sold (or
      offered via freeware) by companies such as Symantec which claims that
      it secures a home or desktop computer connected to the Internet. This
      type of firewall is highly relevant for users who do not know how their
      computers might be accessed via the Internet or how to disable
      that access, especially if they are always online and connected
      via broadband links.</para>

    </sect3>

    <sect3>
      <title><xref linkend="fw-masqRouter"/></title>

      <para>This is a system placed between the Internet and an intranet.
      To minimize the risk of compromising the firewall itself, it should
      generally have only one role&mdash;that of protecting the intranet.
      Although not completely risk free, the tasks of doing the routing and
      IP masquerading (rewriting the IP headers of the packets it routes from
      clients with private IP addresses onto the Internet so that they seem
      to come from the firewall itself) are commonly considered relatively
      secure.</para>

    </sect3>

    <sect3>
      <title><xref linkend="fw-busybox"/></title>

      <para>This is often an old computer you may have retired and nearly
      forgotten, performing masquerading or routing functions, but offering
      non-firewall services such as a web cache or mail. This may be used
      for home networks, but is not to be considered as secure as a
      firewall-only machine, because the combination of server and
      router/firewall on one machine raises the complexity of the setup.</para>

    </sect3>

    <sect3>
      <title>Firewall with a Demilitarized Zone [Not Further
      Described Here]</title>

      <para>This box performs masquerading or routing, but grants public
      access to some branch of your network which, because of public IPs
      and a physically separated structure, is essentially a separate
      network with direct Internet access. The servers on this network are
      those which must be easily accessible from both the Internet and
      the intranet. The firewall protects both networks. This type of firewall
      has a minimum of three network interfaces.</para>

    </sect3>

    <sect3>
      <title>Packetfilter</title>

      <para>This type of firewall does routing or masquerading, but does
      not maintain a state table of ongoing communication streams. It is
      fast, but quite limited in its ability to block undesired packets
      without blocking desired packets.</para>

    </sect3>

  </sect2>

  <sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
    <title>Now You Can Start to Build Your Firewall</title>

    <caution>
      <para>This introduction on how to set up a firewall is not a
      complete guide to securing systems. Firewalling is a complex
      issue that requires careful configuration. The scripts quoted
      here are simply intended to give examples of how a firewall
      works. They are not intended to fit into any particular
      configuration and may not provide complete protection from
      an attack.</para>

      <para>Customization of these scripts for your specific situation
      will be necessary for an optimal configuration, but you should
      make a serious study of the iptables documentation and of creating
      firewalls in general before hacking away. Have a look at the
      list of <xref linkend="fw-library"/> at the end of this section for
      more details. There you will find a list of URLs that contain quite
      comprehensive information about building your own firewall.</para>
    </caution>

    <para revision="sysv">The firewall configuration script installed in the
    iptables section differs from the standard configuration script. It only
    has two of the standard targets: start and status. The other targets are
    clear and lock. For instance, if you issue:</para>

<screen role="root" revision="sysv"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>

    <para revision="sysv">the firewall will be restarted just as it is upon
    system startup. The status target will present a list of all currently
    implemented rules. The clear target turns off all firewall rules and the
    lock target will block all packets in and out of the computer with the
    exception of the loopback interface.</para>

    <para revision="sysv">The main startup firewall is located in the file
    <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide
    three different approaches that can be used for a system.</para>

    <para revision="systemd">The main startup firewall is located in the file
    <filename>/etc/systemd/scripts/iptables</filename>. The sections below
    provide three different approaches that can be used for a system.</para>

    <note>
      <para>You should always run your firewall rules from a script.
      This ensures consistency and a record of what was done. It also
      allows retention of comments that are essential for understanding
      the rules long after they were written.</para>
    </note>

    <sect3 id="fw-persFw" xreflabel="Personal Firewall">
      <title>Personal Firewall</title>

      <para>A Personal Firewall is designed to let you access all the
      services offered on the Internet, but keep your box secure and
      your data private.</para>

      <para>Below is a slightly modified version of Rusty Russell's
      recommendation from the <ulink
      url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
      Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
      to current kernels.</para>

<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<literal>#!/bin/sh

# Begin rc.iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
# ("all" covers the interfaces that already exist, "default" only
# those created later, so both are needed)
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects

# Do not send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Log everything else; the INPUT policy set above then drops it.
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End rc.iptables</literal>
EOF
chmod 700 /etc/rc.d/rc.iptables</userinput></screen>


<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts

cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
<literal>#!/bin/sh

# Begin /etc/systemd/scripts/iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
# ("all" covers the interfaces that already exist, "default" only
# those created later, so both are needed)
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects

# Do not send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Log everything else; the INPUT policy set above then drops it.
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End /etc/systemd/scripts/iptables</literal>
EOF
chmod 700 /etc/systemd/scripts/iptables</userinput></screen>

      <para>This script is quite simple: it logs and then drops all traffic
      coming into your computer that is not part of a connection your
      computer initiated. As long as you are simply surfing the Internet
      you are unlikely to exceed its limits. Note that the final LOG rule
      has no rate limit, so a port scan produces one log line per probe;
      on a machine that sees such scans you may want to add the iptables
      limit match to that rule so the log cannot be filled up.</para>

      <para>If you frequently encounter delays when accessing
      FTP servers, take a look at <xref linkend="fw-BB-4"/>.</para>

      <para>Even if you have daemons or services running on your system,
      these will be inaccessible from anywhere but your computer itself.
      If you want to allow access to services on your machine, such as
      <command>ssh</command> or <command>ping</command>, take a look at
      <xref linkend="fw-busybox"/>.</para>

    </sect3>

    <sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
      <title>Masquerading Router</title>

      <para>A true Firewall has two interfaces, one connected to an
      intranet, in this example <emphasis role="strong">eth0</emphasis>,
      and one connected to the Internet, here <emphasis
      role="strong">ppp0</emphasis>. To provide the maximum security
      for the firewall itself, make sure that there are no unnecessary
      servers running on it, such as <application>X11</application> et
      al. As a general principle, the firewall itself should not access
      any untrusted service (think of a remote server giving answers that
      make a daemon on your system crash, or even worse, that implement
      a worm via a buffer overflow).</para>

<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<literal>#!/bin/sh

# Begin rc.iptables

echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.&lfs-domainname;/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
# ("all" covers the interfaces that already exist, "default" those
# created later, such as ppp0 when the link comes up)
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects

# Don't send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians

# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow forwarding only for connections initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward

# End rc.iptables</literal>
EOF
chmod 700 /etc/rc.d/rc.iptables</userinput></screen>

<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts

cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
<literal>#!/bin/sh

# Begin /etc/systemd/scripts/iptables

echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.&lfs-domainname;/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
# ("all" covers the interfaces that already exist, "default" those
# created later, such as ppp0 when the link comes up)
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects

# Don't send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians

# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow forwarding only for connections initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward

# End /etc/systemd/scripts/iptables</literal>
EOF
chmod 700 /etc/systemd/scripts/iptables</userinput></screen>

      <para>With this script your intranet should be reasonably secure
      against external attacks. No one should be able to set up a new
      connection to any internal service and, if it's masqueraded, your
      intranet is invisible to the Internet. Furthermore, the firewall
      itself should be relatively safe because there are no services
      running on it that a cracker could attack.</para>

      <note>
        <para>If the interface you're connecting to the Internet
        doesn't connect via PPP, you will need to change
        <replaceable>&lt;ppp+&gt;</replaceable> to the name of the interface
        (e.g., <emphasis role="strong">eth1</emphasis>) which you are
        using.</para>
      </note>

    </sect3>

    <sect3 id="fw-busybox" xreflabel="BusyBox">
      <title>BusyBox</title>

      <para>This scenario isn't too different from the <xref
      linkend="fw-masqRouter"/>, but additionally offers some
      services to your intranet. Examples of this are when
      you want to administer your firewall from another host on
      your intranet or use it as a proxy or a name server.</para>

      <note>
        <para>Outlining a true concept of how to protect a server that
        offers services on the Internet goes far beyond the scope of
        this document. See the references at the end of this section
        for more information.</para>
      </note>

      <para>Be cautious. Every service you have enabled makes your
      setup more complex and your firewall less secure. You are
      exposed to the risks of misconfigured services or running
      a service with an exploitable bug. A firewall should generally
      not run any extra services. See the introduction to the
      <xref linkend="fw-masqRouter"/> for some more details.</para>

      <para>If you want to add services such as internal Samba or
      name servers that do not need to access the Internet themselves,
      the additional statements are quite simple and should still be
      acceptable from a security standpoint. Just add the following lines
      into the script <emphasis>before</emphasis> the logging rules
      (the negation goes in front of the option, as in the forwarding
      rule of the script above):</para>

<screen><literal>iptables -A INPUT ! -i ppp+ -j ACCEPT
iptables -A OUTPUT ! -o ppp+ -j ACCEPT</literal></screen>

      <para>If daemons, such as squid, have to access the Internet
      themselves, you could open OUTPUT generally and restrict
      INPUT.</para>

<screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</literal></screen>

      <para>However, it is generally not advisable to leave OUTPUT
      unrestricted. You lose any control over trojans that would like
      to "call home", and you lose a bit of redundancy in case you've
      (mis-)configured a service so that it broadcasts its existence
      to the world.</para>

      <para>To accomplish this, you should restrict INPUT and OUTPUT
      on all ports except those that it's absolutely necessary to have
      open. Which ports you have to open depends on your needs: mostly
      you will find them by looking for failed accesses in your log
      files.</para>

      <itemizedlist spacing="compact" role='iptables'>
        <title>Have a Look at the Following Examples:</title>
        <listitem>
          <para>Squid is caching the web:</para>

<screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
  -j ACCEPT</literal></screen>

        </listitem>
        <listitem>
          <para>Your caching name server (e.g., named) does its
          lookups via UDP. Answers that do not fit into a UDP datagram
          are retried over TCP port 53, so add a matching TCP rule if
          you see such lookups fail:</para>

<screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>

        </listitem>
        <listitem>
          <para>You want to be able to ping your computer to
          ensure it's still alive:</para>

<screen><literal>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</literal></screen>

        </listitem>
        <listitem>
          <para id='fw-BB-4' xreflabel="BusyBox example number 4">If
          you are frequently accessing FTP servers or enjoy chatting, you might
          notice certain delays because some implementations of these daemons
          have the feature of querying an identd on your system to obtain
          usernames. Although there's really little harm in this, having an
          identd running is not recommended because many security experts feel
          the service gives out too much additional information.</para>

          <para>To avoid these delays you could reject the requests
          with a 'tcp-reset':</para>

<screen><literal>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>

        </listitem>
        <listitem>
          <para>To log and drop invalid packets (packets
          that came in after netfilter's timeout or some types of
          network scans) insert these rules at the top of the chain.
          Rule positions are counted from 1, so the LOG rule is inserted
          at position 1 and the DROP rule directly below it at
          position 2:</para>

<screen><literal>iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID \
  -j LOG --log-prefix "FIREWALL:INVALID "
iptables -I INPUT 2 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen>

        </listitem>
        <listitem>
          <para>Anything coming from the outside should not carry a
          private source address; a packet that does is spoofed
          (IP spoofing), so drop it:</para>

<screen><literal>iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp+ -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</literal></screen>

          <para>There are other addresses that you may also want to
          drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and
          experimental), 169.254.0.0/16 (Link Local Networks), and
          192.0.2.0/24 (IANA defined test network). With rp_filter
          enabled, as in the scripts above, the kernel already discards
          many such packets before iptables sees them; the explicit rules
          make the policy visible in your script and let you log it.</para>
        </listitem>
        <listitem>
          <para>If your firewall is a DHCP client, you need to allow the
          server's replies. They come from the server's own address, UDP
          port 67, to port 68 on your side, so the source must not be
          restricted to 0.0.0.0 (that is the address a client uses before
          it has a lease, not the address a server answers from). DHCP is
          not used over PPP, so the rule names an Ethernet interface;
          replace <emphasis role="strong">eth1</emphasis> with your
          external interface. DHCP clients commonly use packet sockets for
          the initial lease, which netfilter does not filter, so a missing
          rule here typically shows up only when unicast renewals
          fail:</para>

<screen><literal>iptables -A INPUT -i eth1 -p udp --sport 67 --dport 68 -j ACCEPT</literal></screen>

        </listitem>
        <listitem>
          <para>To simplify debugging and be fair to anyone who'd like
          to access a service you have disabled, purposely or by mistake,
          you could REJECT those packets that would otherwise be dropped.</para>

          <para>Obviously this must be done directly after logging, as the very
          last line before the packets would be dropped by policy:</para>

<screen><literal>iptables -A INPUT -j REJECT</literal></screen>

        </listitem>
      </itemizedlist>

      <para>These are only examples to show you some of the capabilities
      of the firewall code in Linux. Have a look at the man page of iptables;
      there you will find much more information. The port numbers needed for
      this can be found in <filename>/etc/services</filename>, in case you
      didn't find them by trial and error in your log file.</para>
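
      <para>Finding the ports you still have to open by "looking for
      failed accesses in your log files" is quicker with a little tooling.
      The script below is an added example, not part of BLFS: it reads the
      lines that the LOG rules above write to the kernel log (selected by
      their <literal>FIREWALL:</literal> prefix, so it works for any of the
      prefixes used on this page), tallies blocked packets by protocol,
      destination port, source and interface so that a service you forgot
      to open stands out, and flags sources that probed many different
      ports. The log lines embedded in it are constructed for the example
      in the format the LOG target emits; for real use feed it wherever
      your syslog daemon writes kernel messages, or the output of
      <command>journalctl -k</command> on a systemd system.</para>

```sh
#!/bin/sh
# Added example for the BLFS firewalling page (not BLFS code): find the
# ports you forgot to open, and the hosts probing you, from the lines
# the LOG rules write to the kernel log. The sample lines below are
# constructed for this example in the LOG target's format; not real traffic.
set -eu

sample_log() {
    cat <<'EOF'
Mar  3 10:00:01 fw kernel: FIREWALL:INPUT IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4321 DF PROTO=TCP SPT=50123 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:00:02 fw kernel: FIREWALL:INPUT IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4322 DF PROTO=TCP SPT=50124 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:00:02 fw kernel: FIREWALL:INPUT IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4323 DF PROTO=TCP SPT=50125 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:00:05 fw kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:00:06 fw kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:00:07 fw kernel: FIREWALL:INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=5353 DPT=53 LEN=58
Mar  3 10:00:08 fw kernel: FIREWALL:INVALID IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=TCP SPT=80 DPT=51000 WINDOW=0 RES=0x00 ACK RST URGP=0
EOF
}

# Count blocked packets per (protocol, destination port, source, interface)
# for one log prefix. Output: "count proto dport src in_if", busiest first.
# Usage: summarize_blocked FIREWALL:INPUT < kern.log
summarize_blocked() {
    awk -v pfx="$1" '
    index($0, pfx) == 0 { next }
    {
        split("", kv)                      # clear the key=value map
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq > 1) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        count[kv["PROTO"] " " kv["DPT"] " " kv["SRC"] " " kv["IN"]]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Cheap port-scan heuristic: sources that hit more than $2 distinct
# destination ports under one prefix. Output: "src distinct_ports".
flag_scanners() {
    awk -v pfx="$1" -v limit="$2" '
    index($0, pfx) == 0 { next }
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
            if (substr($i, 1, 4) == "DPT=") dpt = substr($i, 5)
        }
        if (src != "" && dpt != "" && !((src, dpt) in seen)) {
            seen[src, dpt] = 1
            ports[src]++
        }
    }
    END { for (s in ports) if (ports[s] > limit) print s, ports[s] }
    '
}

echo "== blocked INPUT, busiest first (the ones you meant to offer need a rule) =="
sample_log | summarize_blocked FIREWALL:INPUT
echo "== sources that probed more than 2 ports =="
sample_log | flag_scanners FIREWALL:INPUT 2
```

      <para>On the sample data the busiest line is the intranet host that
      keeps trying ssh on the firewall (a service rule is missing), while
      the external address that touched three different ports is reported
      as a scanner. The INVALID lines are not counted under the INPUT
      prefix, so the two kinds of noise stay apart.</para>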

    </sect3>

  </sect2>

  <sect2 id="fw-finale" xreflabel="Conclusion">
    <title>Conclusion</title>

    <para>Finally, there is one fact you must not forget: the effort spent
    attacking a system corresponds to the value the cracker expects to gain
    from it. If you are responsible for valuable information, you need to
    spend the time to protect it properly.</para>

  </sect2>

  <sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
    <title>Extra Information</title>

    <sect3 id="fw-library" xreflabel="links for further reading">
      <title>Where to Start with Further Reading on Firewalls</title>

      <blockquote>
        <literallayout>
<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
<ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>
<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
<ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
        </literallayout>
      </blockquote>

      <!-- The following are all dead links from the section above. They are
           moved out of the section so the literallayout won't produce blank
           lines in the rendered text

<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>

      -->

    </sect3>

  </sect2>

</sect1>