<sect3 id="postlfs-security-fw-busybox" xreflabel="BusyBox">
<title>BusyBox</title>

<para>This scenario isn't too different from
<xref linkend="postlfs-security-fw-masqRouter"/>, but in this case you want
to offer some services to your intranet. Examples are administering the box
from another host on your intranet, or using it as a proxy or a name server.
Note: outlining a complete concept of how to protect a server that offers
services on the Internet goes far beyond the scope of this document; see
<xref linkend="postlfs-security-fw-disclaimer"/>.</para>

<para>Be cautious. Every service you offer and have enabled makes your
setup more complex and your box less secure: you introduce the risks of a
misconfigured service, or of running a service with an exploitable bug, both
risks that a firewall by its nature should be immune to. See the
introduction to <xref linkend="postlfs-security-fw-masqRouter"/> for some
more details.</para>

<para>If the services you'd like to offer do not need to access the Internet
themselves, like internal-only Samba or name servers, the setup is quite
simple and should still be acceptable from a security standpoint.
Just add the following lines to the script <emphasis>before</emphasis> the
logging rules.</para>

<screen>iptables -A INPUT ! -i ppp+ -j ACCEPT
iptables -A OUTPUT ! -o ppp+ -j ACCEPT</screen>

<para>If your daemons have to access the web themselves, as squid would need
to, you could open OUTPUT generally and restrict INPUT.</para>

<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</screen>

<para>However, it is generally not advisable to leave OUTPUT unrestricted: you
lose any control over trojans that would like to "call home", and a bit of
redundancy in case you have (mis)configured a service so that it broadcasts
its existence to the world.</para>

<para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
on all ports except those that absolutely must be open. Which ports you have
to open depends on your needs; mostly you will find them by looking for
failed accesses in your log files.</para>
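<para>Finding those ports by hand in a busy log is tedious, so here is a small
helper that does the counting. It is an added example, not part of the BLFS
book: it reads netfilter LOG lines (the sample lines below are constructed,
not captured from a real system) and tallies the blocked destination ports.
It assumes your logging rules use <literal>--log-prefix</literal> values that
begin with <literal>FIREWALL:</literal>, as the book's INVALID rule does.</para>

```shell
#!/bin/sh
# Added example, not part of the BLFS book: summarize what the firewall log
# shows as blocked, to find the ports a service needs before opening them.
# Assumption: your logging rules use --log-prefix values beginning with
# "FIREWALL:" (the book's INVALID rule uses "FIREWALL:INVALID").

# Read netfilter LOG lines on stdin and print one line per distinct
# "IN-interface PROTO DPT" triple, prefixed with its count, most frequent
# first. An empty IN= (locally generated, i.e. OUTPUT) is shown as "-".
summarize_blocked() {
    awk '
        /FIREWALL:/ {
            inif = "-"; proto = "?"; dpt = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue          # flags like SYN have no "="
                if (kv[1] == "IN" && kv[2] != "") inif = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dpt   = kv[2]
            }
            if (dpt != "") count[inif " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG='Mar  3 10:00:01 gw kernel: FIREWALL:INPUT IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51515 DPT=113 SYN
Mar  3 10:00:02 gw kernel: FIREWALL:INPUT IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51516 DPT=113 SYN
Mar  3 10:00:05 gw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=192.0.2.53 PROTO=UDP SPT=1025 DPT=53 LEN=40
Mar  3 10:00:09 gw kernel: FIREWALL:INVALID IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.2 PROTO=TCP SPT=80 DPT=33044 ACK FIN
Mar  3 10:00:10 gw kernel: eth0: link up'

# Stand-alone run; on a real box use e.g.
#   grep FIREWALL: /var/log/messages | summarize_blocked
printf '%s\n' "$SAMPLE_LOG" | summarize_blocked
```

<para>On the sample input the first line of output is
<literal>2 ppp0 TCP 113</literal>: two blocked identd lookups from the
Internet, exactly the case the identd example below addresses. The
<literal>- UDP 53</literal> line shows the box's own name server being
stopped on OUTPUT, which tells you a DNS rule is missing.</para>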
<itemizedlist spacing="compact">
<!-- <orderedlist numeration="arabic" spacing="compact"> -->
<title>Have a look at the following examples:</title>

<listitem><para>Squid is caching the web:</para>
<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>

<listitem><para>Your caching name server (e.g., dnscache) does its
lookups via UDP:</para>
<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></listitem>

<listitem><para>If you want to be able to ping your box to ensure
it's still alive:</para>
<screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></listitem>

<listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you
frequently access FTP servers or enjoy chatting, you might notice certain
delays because some implementations of these daemons query an identd on
your box for your username, for logging purposes.
Although there is really no harm in this, running an identd is not
recommended because some implementations are known to be vulnerable.</para>

<para>To avoid these delays you could reject the requests
with a 'tcp-reset':</para>

<screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem>

<listitem><para>To log and drop invalid packets (mostly harmless packets
that came in after netfilter's connection-tracking timeout, sometimes
scans):</para>

<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \
"FIREWALL:INVALID"
iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem>

<listitem><para>Anything coming from the outside should not have a
private source address; faking one is a common attack called IP spoofing:</para>

<screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP
iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></listitem>

<listitem><para>To simplify debugging and be fair to anyone who'd like to
access a service you have disabled, purposely or by mistake, you should REJECT
those packets instead of silently dropping them.</para>

<para>Obviously this must be done directly after logging, as the very
last lines before the packets are dropped by policy:</para>

<screen>iptables -A INPUT -j REJECT
iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem>
</itemizedlist>
<!--</orderedlist>-->
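<para>Because the order of these rules matters (intranet ACCEPTs before the
logging rules, the REJECT as the very last INPUT rule), it helps to see them
assembled into one script. The following is an added example, not code from
the BLFS book. It assumes the Internet link is <literal>ppp+</literal> as in
the book, represents the book's unspecified logging rules by one LOG rule per
chain, assumes the chain policies are set to DROP elsewhere, and accepts an
<envar>IPT</envar> override of <literal>echo iptables</literal> so the rule
set can be printed and checked without root; the file name
<filename>fw-busybox.sh</filename> used in the comments is hypothetical.</para>

```shell
#!/bin/sh
# Added example, not code from the BLFS book: the rules from this section
# assembled into one script in the order the text requires. Assumptions:
# the Internet link is ppp+ (as in the book), the book's unspecified
# "logging rules" are represented by one LOG rule per chain, the chain
# policies are set to DROP elsewhere, and IPT may be set to "echo iptables"
# to print the rule set instead of loading it (handy for reviewing the
# ordering as a non-root user).

IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-ppp+}"

ipt() { $IPT "$@"; }   # $IPT is deliberately unquoted so "echo iptables" works

# 1. Invalid packets go at the head of INPUT (-I, as in the book), and
#    packets with a private source address on the Internet link are dropped.
#    Note: the nat table only sees the first packet of each connection.
early_rules() {
    ipt -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID"
    ipt -I INPUT 2 -p tcp -m state --state INVALID -j DROP
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -t nat -A PREROUTING -i "$EXT_IF" -s "$net" -j DROP
    done
}

# 2. Services that never talk to the Internet themselves (Samba, internal
#    DNS): accept everything not on the Internet link. Must precede logging.
intranet_rules() {
    ipt -A INPUT  ! -i "$EXT_IF" -j ACCEPT
    ipt -A OUTPUT ! -o "$EXT_IF" -j ACCEPT
}

# 3. Per-service holes, each outgoing rule paired with its reply rule.
service_rules() {
    ipt -A OUTPUT -p tcp --dport 80 -j ACCEPT                            # squid
    ipt -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT                            # dnscache
    ipt -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    ipt -A INPUT  -p icmp -m icmp --icmp-type echo-request -j ACCEPT     # ping
    ipt -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT
    ipt -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset   # identd
    ipt -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT
}

# 4. Log, then REJECT as the very last INPUT rule before the DROP policy.
#    The ICMP type 3 ACCEPT is placed before the OUTPUT LOG rule (an
#    assumption of this example) so the firewall's own unreachable replies
#    are not logged as blocked traffic.
logging_and_reject_rules() {
    ipt -A INPUT  -j LOG --log-prefix "FIREWALL:INPUT"
    ipt -A INPUT  -j REJECT
    ipt -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
    ipt -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT"
}

apply_rules() {
    early_rules
    intranet_rules
    service_rules
    logging_and_reject_rules
}

# Print the rule set without touching the kernel.
show_rules() { ( IPT="echo iptables"; apply_rules ); }

# Ordering self-check, runnable as a normal user: the INPUT REJECT must be
# the last INPUT rule and the intranet ACCEPT must precede the INPUT LOG.
check_order() {
    input_rules=$(show_rules | grep -- '-A INPUT ')
    [ "$(printf '%s\n' "$input_rules" | tail -n 1)" = "iptables -A INPUT -j REJECT" ] || return 1
    accept_at=$(printf '%s\n' "$input_rules" | grep -n -- '! -i' | cut -d: -f1)
    log_at=$(printf '%s\n' "$input_rules" | grep -n -- 'FIREWALL:INPUT' | cut -d: -f1)
    [ "$accept_at" -lt "$log_at" ]
}

case "${1:-show}" in
    apply) apply_rules ;;       # as root: sh fw-busybox.sh apply
    *)     show_rules ;;        # default: just print the rules
esac
```

<para>Run without arguments, the script only prints the rules; review that
output (and run <function>check_order</function>) before loading anything,
since a wrong order here either exposes a service or silently blocks your
own intranet.</para>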

<para>These are only examples to show you some of the capabilities of the new
firewall code in Linux kernel 2.4. Have a look at the man page of
iptables; there you will find more of them. The port numbers you'll need
for this can be found in <filename>/etc/services</filename>, in case you
didn't find them by trial and error in your log file.</para>

<para>If you add rules for all of your offered or accessed services in the
manner shown above, maybe even in FORWARD and for intranet communication,
and delete the general clauses, you get an old-fashioned packet filter.</para>

</sect3>