<sect3 id="postlfs-security-fw-busybox" xreflabel="BusyBox">
<title>BusyBox</title>

<para>This scenario isn't too different from <xref linkend="postlfs-security-fw-masqRouter"/>,
but in this case you want to offer some services to your intranet.
Examples are when you want to administer your box from another host
on your intranet, or use it as a proxy or a name server. Note: outlining a true
concept of how to protect a server that offers services on the internet
goes far beyond the scope of this document,
see <xref linkend="postlfs-security-fw-disclaimer"/>.</para>

<para>Be cautious. Every service you offer and have enabled makes your
setup more complex and your box less secure: you induce the risks of
misconfigured services or of running a service with an exploitable bug, both risks
that a firewall principally should be immune to. See the introduction to
<xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para>

<para>If the services you'd like to offer do not need to access the internet
themselves, like internal-only Samba or name servers, it's quite
simple and should still be acceptable from a security standpoint.
Just add the following lines <emphasis>before</emphasis> the logging rules
into the script.

<screen>iptables -A INPUT ! -i ppp+ -j ACCEPT
iptables -A OUTPUT ! -o ppp+ -j ACCEPT</screen></para>

<para>If your daemons have to access the web themselves, as squid would need
to, you could open OUTPUT generally and restrict INPUT.

<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</screen></para>

<para>However, it is generally not advisable to leave OUTPUT unrestricted: you lose
any control over trojans that would like to "call home", and a bit of redundancy in case
you've (mis-)configured a service so that it broadcasts its existence to the
world.</para>

<para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
on all ports except those that it's absolutely necessary to have open.
Which ports you have to open depends on your needs: mostly you will find them
by looking for failed accesses in your log files.</para>

<orderedlist numeration="arabic" spacing="compact">
<title>Have a look at the following examples:</title>

<listitem><para>Squid is caching the web:</para>
<para><screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
-j ACCEPT</screen></para></listitem>

<listitem><para>Your caching name server (e.g., dnscache) does its
lookups via UDP:</para>
<para><screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED \
-j ACCEPT</screen></para></listitem>

<listitem><para>Alternatively, if you want to be able to ping your box to ensure
it's still alive:</para>
<para><screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request \
-j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></para></listitem>

<listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are
frequently accessing FTP servers or enjoy chatting, you might notice certain
delays because some implementations of these daemons have the feature of
querying an identd on your box for your username, for logging purposes.
Although there's really no harm in this, having an identd running is not
recommended because some implementations are known to be vulnerable.</para>

<para>To avoid these delays you could reject the requests
with a 'tcp-reset':</para>

<para><screen>iptables -A INPUT -p tcp --dport 113 -j REJECT \
--reject-with tcp-reset
iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED \
-j ACCEPT</screen></para></listitem>

<listitem><para>To log and drop invalid packets, mostly harmless packets
that came in after netfilter's timeout, sometimes scans:</para>

<para><screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG \
--log-prefix "FIREWALL:INVALID "
iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></para></listitem>

<listitem><para>Anything coming from the outside should not have a
private address; sending such packets is a common attack called IP spoofing:</para>

<para><screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP
iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></para></listitem>

<listitem><para>To simplify debugging and be fair to anyone who'd like to
access a service you have disabled, purposely or by mistake, you should REJECT
the packets that would otherwise be dropped.</para>

<para>Obviously this must be done directly after logging, as the very
last lines before the packets are dropped by policy:</para>

<para><screen>iptables -A INPUT -j REJECT
iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></para></listitem>

</orderedlist>

<para>These are only examples to show you some of the capabilities of the new
firewalling code in Linux kernel 2.4. Have a look at the man page of
iptables; there you will find more of them. The port numbers you'll need for this
can be found in /etc/services, in case you didn't find them via "try'n'error"
in your log file.</para>
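<para>Reading the needed ports off the log file is less of a guessing game with a small script. The following is an added example, not part of the original firewall script: it reads lines in the format the kernel's LOG target writes to syslog and counts them per log prefix, protocol and destination port, so the most frequently blocked attempts, and thus the ports a service needs, are listed first. The sample log lines, addresses and the FIREWALL:INPUT and FIREWALL:OUTPUT prefixes are constructed for this example; the last sample line shows what happens when a --log-prefix has no trailing space (the prefix is glued to the IN= field), which the parser tolerates.</para>

```shell
#!/bin/sh
# Summarise netfilter LOG lines by prefix, protocol and destination port,
# so the ports a blocked service needs can be read off the log instead of
# guessed.  Input is the syslog'd kernel LOG format:
#   ... kernel: PREFIX IN=... OUT=... SRC=... PROTO=TCP SPT=... DPT=... ...

# Constructed sample (not a real capture): a squid and a resolver trying to
# get out, an identd query and a ping coming in, and one INVALID packet
# logged with a prefix that lacks the trailing space.
SAMPLE_LOG='Jan 10 12:00:01 gw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:02 gw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51001 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:03 gw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51002 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:04 gw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=192.0.2.53 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=UDP SPT=40001 DPT=53 LEN=52
Jan 10 12:00:05 gw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=192.0.2.53 LEN=72 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=40002 DPT=53 LEN=52
Jan 10 12:00:06 gw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.21 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=6 DF PROTO=TCP SPT=33000 DPT=113 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 10 12:00:07 gw kernel: FIREWALL:INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.77 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jan 10 12:00:08 gw kernel: FIREWALL:INVALIDIN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=8 DF PROTO=TCP SPT=443 DPT=51003 WINDOW=0 RES=0x00 ACK URGP=0'

# fw_log_summary [PREFIX]
# Reads LOG lines on stdin and prints "PREFIX PROTO DPT COUNT", most frequent
# first.  With an argument, only lines carrying that log prefix are counted.
# Lines without a DPT= field (ICMP, fragments) are listed with "-" as port.
fw_log_summary() {
    awk -v want="$1" '
    /IN=/ {
        # the prefix is whatever sits between "kernel: " and "IN="; this also
        # copes with a prefix that was glued to IN= for lack of a trailing space
        k = index($0, "kernel: ")
        rest = (k > 0) ? substr($0, k + 8) : $0
        p = index(rest, "IN=")
        prefix = substr(rest, 1, p - 1)
        sub(/ +$/, "", prefix)
        if (prefix == "") prefix = "-"
        if (want != "") if (prefix != want) next
        proto = "-"; dpt = "-"
        for (i = NF; i > 0; i--) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        count[prefix " " proto " " dpt]++
    }
    END { for (key in count) print key, count[key] }
    ' | sort -k4,4nr -k1,1 -k2,2 -k3,3n
}

# Example run on the constructed sample; on a real box feed it the syslog
# file instead, e.g. fw_log_summary FIREWALL:OUTPUT < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
```

The first two lines of the output are the two services from the examples above (TCP port 80 for squid, UDP port 53 for the resolver); restricting the summary to one prefix separates what your own daemons tried to reach (OUTPUT) from what arrived from outside (INPUT).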

<para>If you add all of your offered or accessed services in the way shown above,
maybe even in FORWARD and for intranet communication, and delete the
general clauses, you get an old fashioned packet filter.</para>
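<para>Putting the pieces together, the following is an added example and not part of the original script: a shell script that prints the complete, ordered rule set for such a packet filter from a short service list, with the accept rules first, the logging rules after them and the REJECT last, so that nothing has to be inserted at the right position by hand. The names IPT, WAN, fw_service_rules and fw_generate are this example's own. It differs from the examples above in two places: the anti-spoofing rules are placed in the filter table's INPUT chain rather than in the nat table, so they see every packet and not only the first of a connection, and the accept for ICMP type 3 is placed before the OUTPUT logging rule so the reject answers themselves are not logged. The service list is constructed for illustration.</para>

```shell
#!/bin/sh
# Build the "old fashioned packet filter" as an ordered iptables script:
# drop everything by policy, open only the listed services, then log and
# reject the rest.  Nothing is applied here; the script is printed so it
# can be reviewed first and then run as root (fw_generate ... | sh).
# Assumed names: IPT (command name) and WAN (uplink interface pattern).

IPT=${IPT:-iptables}   # command written into the generated lines
WAN=${WAN:-ppp+}       # uplink interface pattern used in the text (assumption)

# fw_service_rules PROTO PORT DIR
#   DIR=out: this box accesses PORT on other hosts (squid, a caching resolver)
#   DIR=in : this box offers PORT to the network (e.g. ssh for remote admin)
# Each call emits the pair used in the examples: one rule for the request
# direction and one for the replies, which are accepted only once conntrack
# has seen the request.
fw_service_rules() {
    proto=$1; port=$2; dir=$3
    case $dir in
    out)
        echo "$IPT -A OUTPUT -p $proto --dport $port -j ACCEPT"
        echo "$IPT -A INPUT -p $proto --sport $port -m state --state ESTABLISHED -j ACCEPT"
        ;;
    in)
        echo "$IPT -A INPUT -p $proto --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
        echo "$IPT -A OUTPUT -p $proto --sport $port -m state --state ESTABLISHED -j ACCEPT"
        ;;
    *)
        # emitted as a comment so the broken entry is visible in the output
        echo "# fw_service_rules: direction must be in or out, got '$dir'"
        return 1
        ;;
    esac
}

# fw_generate: read "PROTO PORT DIR" lines on stdin and print the complete
# script.  Order matters: accept rules first, logging next, REJECT last;
# the DROP policy catches whatever the REJECT rule does not cover.
fw_generate() {
    echo "$IPT -F INPUT"
    echo "$IPT -F OUTPUT"
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P OUTPUT DROP"
    echo "$IPT -P FORWARD DROP"
    # local traffic is always fine
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    # spoofed private sources arriving on the uplink
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "$IPT -A INPUT -i $WAN -s $net -j DROP"
    done
    # log and drop INVALID packets before anything else is matched
    echo "$IPT -A INPUT -m state --state INVALID -j LOG --log-prefix \"FIREWALL:INVALID \""
    echo "$IPT -A INPUT -m state --state INVALID -j DROP"
    # identd queries: answer with a reset instead of letting them time out
    echo "$IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset"
    # allow the box to be pinged
    echo "$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"
    echo "$IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT"
    # one rule pair per listed service; blank lines and # comments are skipped
    while read -r proto port dir; do
        case $proto in ''|'#'*) continue ;; esac
        fw_service_rules "$proto" "$port" "$dir" || return 1
    done
    # let the REJECT below answer with ICMP destination-unreachable (type 3)
    # without that answer showing up in the OUTPUT log
    echo "$IPT -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT"
    # everything not accepted so far is logged, then politely rejected
    echo "$IPT -A INPUT -j LOG --log-prefix \"FIREWALL:INPUT \""
    echo "$IPT -A OUTPUT -j LOG --log-prefix \"FIREWALL:OUTPUT \""
    echo "$IPT -A INPUT -j REJECT"
}

# Example run with a constructed service list: squid fetching web pages,
# a caching resolver doing UDP lookups, and ssh offered for remote admin.
printf '%s\n' 'tcp 80 out' 'udp 53 out' 'tcp 22 in' | fw_generate
```

Keep the service list in a file next to the script and regenerate whenever a port turns up in the log summary; because the accept rules are always emitted before the LOG and REJECT lines, a newly added service can never end up behind the final REJECT, which is the classic mistake when rules are appended to a running firewall by hand.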

</sect3>