<sect3 id="postlfs-security-fw-busybox" xreflabel="BusyBox">
<title>BusyBox</title>

<para>This scenario isn't too different from
<xref linkend="postlfs-security-fw-masqRouter"/>, but in this case you want
to offer some services to your intranet: for example, you want to administer
the box from another host on your intranet, or use it as a proxy or a name
server. Note that outlining a true concept of how to protect a server that
offers services on the Internet goes far beyond the scope of this document;
see <xref linkend="postlfs-security-fw-disclaimer"/>.</para>

<para>Be cautious. Every service you offer and have enabled makes your setup
more complex and your box less secure: you take on the risk of a misconfigured
service and the risk of running a service with an exploitable bug, two risks
that a pure firewall should be immune to. See the introduction to
<xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para>

<para>If the services you'd like to offer do not need to access the Internet
themselves, like internal-only samba or name servers, it's quite simple and
should still be acceptable from a security standpoint. Just add the following
lines <emphasis>before</emphasis> the logging rules in the script. They accept
everything that does not arrive on or leave through the external (ppp)
interface, which covers the loopback interface and the intranet side. The
negation is written as <literal>! -i</literal>; the older intrapositioned
spelling <literal>-i ! ppp+</literal> is deprecated in current iptables
releases.

<screen>iptables -A INPUT ! -i ppp+ -j ACCEPT
iptables -A OUTPUT ! -o ppp+ -j ACCEPT</screen></para>

<para>If your daemons have to access the web themselves, like squid would need
to, you could open OUTPUT generally and restrict INPUT to replies to
connections the box itself opened:

<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</screen></para>

<para>However, it is generally not advisable to leave OUTPUT unrestricted: you
lose any control over trojans that want to "call home", and you lose a bit of
redundancy in case you have (mis-)configured a service so that it announces
its existence to the world.</para>

<para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
on all ports except those that it's absolutely necessary to have open. Which
ports you have to open depends on your needs: mostly you will find them by
looking for failed accesses in your log files. As before, the accept rules
belong before the logging rules.</para>
<itemizedlist spacing="compact">
<!-- <orderedlist numeration="arabic" spacing="compact"> -->
<title>Have a look at the following examples:</title>

<listitem><para>Squid is caching the web (add the same pair of rules for port
443 if it fetches HTTPS origins):
<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></para></listitem>

<listitem><para>Your caching name server (e.g., dnscache) does its lookups via
udp (answers too large for udp are retried over tcp port 53, which needs the
same pair of rules with <literal>-p tcp</literal>):
<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></para></listitem>

<listitem><para>If you want to be able to ping your box to ensure it's still
alive:
<screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></para></listitem>

<listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are
frequently accessing ftp servers or enjoy chatting, you might notice certain
delays, because some implementations of these daemons query an identd on your
box for your username for logging. Although there's really no harm in this,
running an identd is not recommended, because some implementations are known
to be vulnerable.</para>

<para>To avoid these delays you could reject the requests with a
'tcp-reset'. The RST that REJECT generates is tracked as RELATED to the
rejected connection attempt, which is what the OUTPUT rule matches:

<screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></para></listitem>

<listitem><para>To log and drop invalid packets (mostly harmless packets that
came in after netfilter's connection-tracking timeout, sometimes scans). The
trailing space in the prefix keeps it from running into the
<literal>IN=</literal> field that follows it in the log line:

<screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \
"FIREWALL:INVALID "
iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></para></listitem>

<listitem><para>Anything coming from the outside should not carry a private
(or loopback) source address; packets that do are spoofed. Drop them in the
mangle table's PREROUTING chain, which sees every packet, rather than in the
nat table, which is only consulted for the first packet of each connection:

<screen>iptables -t mangle -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP
iptables -t mangle -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP
iptables -t mangle -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP
iptables -t mangle -A PREROUTING -i ppp+ -s 127.0.0.0/8 -j DROP</screen>

The kernel's reverse path filter
(<filename>/proc/sys/net/ipv4/conf/all/rp_filter</filename>) catches the same
class of packets for any source address the box has no route back to via the
interface the packet arrived on.</para></listitem>

<listitem><para>To simplify debugging and be fair to anyone who'd like to
access a service you have disabled, purposely or by mistake, you should REJECT
those packets instead of silently dropping them.</para>

<para>Obviously this must be done directly after logging, as the very last
lines before the policy drops what is left. REJECT answers with an ICMP
port-unreachable (type 3) by default, so OUTPUT has to let that reply out:

<screen>iptables -A INPUT -j REJECT
iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></para></listitem>
</itemizedlist>
<!--</orderedlist>-->

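<para>The examples above are fragments, and what matters in practice is the
order they end up in. The following script, added here as an illustration and
not part of the BLFS book or its firewall scripts, assembles them into one
deny-by-default filter in the order the text prescribes: anti-spoofing and
INVALID handling first, the intranet accepts before anything else, then the
per-service rules, and logging plus REJECT as the very last lines. The
interface pattern <literal>ppp+</literal> is taken from this section; the
extra port 443 for squid, tcp port 53 for the name server, and the
<literal>FIREWALL:INPUT</literal>/<literal>FIREWALL:OUTPUT</literal> log
prefixes are assumptions. Run it with <literal>show</literal> to print the
commands without touching the kernel, or with <literal>apply</literal> as root
to load them.</para>

```shell
#!/bin/sh
# Ordered packet filter for the "BusyBox" scenario. Added example, not code
# from the BLFS page. EXT and the extra ports (443, tcp 53) are assumptions.
# Usage:  sh busybox-fw.sh show    # print the iptables commands only
#         sh busybox-fw.sh apply   # load them (as root)

EXT=${EXT:-ppp+}            # assumption: the Internet-facing interface(s)
IPT=${IPT:-iptables}        # set IPT="echo iptables" for a dry run

build_firewall() {
    # 1. Clean slate, deny by default in every chain.
    $IPT -F; $IPT -X; $IPT -t nat -F; $IPT -t mangle -F
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP

    # 2. Anti-spoofing: private and loopback sources never arrive on EXT.
    #    mangle/PREROUTING sees every packet; the nat table sees only the
    #    first packet of a connection, so it is the wrong place for this.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        $IPT -t mangle -A PREROUTING -i "$EXT" -s "$net" -j DROP
    done

    # 3. Log, then drop what conntrack cannot classify (late packets, scans).
    #    Trailing space in the prefix keeps it apart from the IN= field.
    $IPT -A INPUT -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID "
    $IPT -A INPUT -m state --state INVALID -j DROP

    # 4. Loopback and the intranet side are trusted: internal-only services
    #    (samba, name server) need nothing beyond these two rules.
    $IPT -A INPUT  ! -i "$EXT" -j ACCEPT
    $IPT -A OUTPUT ! -o "$EXT" -j ACCEPT

    # 5. Outbound services this box uses itself, and only their replies back.
    #    squid fetching pages (80, plus 443 for HTTPS origins):
    $IPT -A OUTPUT -o "$EXT" -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A INPUT  -i "$EXT" -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT
    #    dnscache doing lookups over udp and, for truncated answers, tcp:
    $IPT -A OUTPUT -o "$EXT" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT  -i "$EXT" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$EXT" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT  -i "$EXT" -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT

    # 6. Let the outside ping us, and answer.
    $IPT -A INPUT  -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

    # 7. identd probes: answer with a RST so ftp/irc servers do not stall.
    #    The generated RST is RELATED to the rejected SYN; OUTPUT lets it out.
    $IPT -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    $IPT -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT

    # 8. Last lines. The ICMP port-unreachable produced by the final REJECT
    #    must be accepted before the OUTPUT log rule, or it gets logged too.
    #    OUTPUT itself falls through to the DROP policy, which also stops
    #    anything trying to "call home".
    $IPT -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
    $IPT -A INPUT  -j LOG --log-prefix "FIREWALL:INPUT "
    $IPT -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
    $IPT -A INPUT  -j REJECT
}

case "${1:-}" in
    apply) build_firewall ;;
    show)  IPT="echo iptables"; build_firewall ;;
esac
```

<para>With <literal>show</literal> the script only prints the commands, which
is a cheap way to check the order of the rules before loading them; the same
trick (setting <literal>IPT</literal> to <literal>echo iptables</literal>)
works for any script built this way.</para>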
<para>These are only examples to show you some of the capabilities of the new
firewall code in Linux kernel 2.4. Have a look at the man page of iptables;
there you will find more of them. (Current iptables releases still accept
<literal>-m state --state</literal>, which is now an alias of
<literal>-m conntrack --ctstate</literal>, so the rules above work
unchanged.) The port numbers you'll need for this can be found in
<filename>/etc/services</filename>, in case you didn't find them by trial and
error in your log file.</para>
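<para>Reading the ports off the log file is easier when the LOG lines are
summarised by chain, protocol and destination port. The script below does
that; it is added here as an example and is not part of the BLFS book. The
log lines it carries are constructed to match the kernel's LOG output format
(the prefix, then <literal>IN=</literal>, <literal>OUT=</literal>,
<literal>SRC=</literal>, ..., <literal>PROTO=</literal>,
<literal>DPT=</literal>), and the prefixes
<literal>FIREWALL:INPUT</literal>, <literal>FIREWALL:OUTPUT</literal> and
<literal>FIREWALL:INVALID</literal> are assumptions about what your logging
rules use.</para>

```shell
#!/bin/sh
# Summarise netfilter LOG lines by chain, protocol and destination port, so
# the ports a blocked service needs can be read off the log instead of
# guessed. Added example, not code from the BLFS page. The sample lines are
# constructed in the kernel's LOG format; the FIREWALL:* prefixes are
# assumptions.
# Usage:  sh fw-log-summary.sh /var/log/kern.log   # any file with LOG output
#         sh fw-log-summary.sh --sample            # run on the constructed lines

SAMPLE_LOG='Mar  3 10:01:12 gw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=203.0.113.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21451 DF PROTO=TCP SPT=38912 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:15 gw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=203.0.113.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21452 DF PROTO=TCP SPT=38913 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:21 gw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=203.0.113.81 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21453 DF PROTO=TCP SPT=38914 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:02:02 gw kernel: FIREWALL:INPUT IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40213 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:02:05 gw kernel: FIREWALL:INPUT IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=TCP SPT=40214 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:03:40 gw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=203.0.113.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21460 DF PROTO=TCP SPT=38920 DPT=53 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:04:11 gw kernel: FIREWALL:INVALID IN=ppp0 OUT= SRC=203.0.113.80 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=38912 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar  3 10:05:30 gw kernel: FIREWALL:INPUT IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=50 ID=12 PROTO=ICMP TYPE=8 CODE=0 ID=5120 SEQ=1'

# Read LOG lines on stdin; print "<count> <prefix> <proto> <dport>" lines,
# most frequent first. ICMP has no port, so its type is reported instead.
summarize_firewall_log() {
    awk '
    /FIREWALL:/ {
        chain = ""; proto = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^FIREWALL:/)   chain = $i
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   port  = substr($i, 5)
            else if ($i ~ /^TYPE=/)  port  = "type" substr($i, 6)
        }
        count[chain " " proto " " port]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_LOG" | summarize_firewall_log ;;
    ?*)       summarize_firewall_log < "$1" ;;
esac
```

<para>On the constructed sample the top line is the three refused HTTPS
connections from squid, which tells you which rule is missing; an INPUT entry
for a port you never meant to offer is just as informative, in the other
direction.</para>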

<para>If you add any of your offered or accessed services such as the above,
maybe even in FORWARD and for intranet communication, and delete the general
clauses, you get an old-fashioned packet filter.</para>


</sect3>