<sect3 id="postlfs-security-fw-busybox" xreflabel="BusyBox">
<title>BusyBox</title>

<para>This scenario isn't too different from (<xref linkend="postlfs-security-fw-masqRouter"/>),
but in this case you want to offer some services to your intranet.
Examples of this are when you want to administer your box from another host
on your intranet or use it as a proxy or a nameserver. Note: outlining a true
concept of how to protect a server that offers services on the internet
goes far beyond the scope of this document,
see <xref linkend="postlfs-security-fw-disclaimer"/>.</para>

<para>Be cautious. Every service you offer and have enabled makes your
setup more complex and your box less secure: you introduce the risks of
misconfigured services or of running a service with an exploitable bug, both risks
that a firewall should in principle be immune to. See the introduction to
<xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para>

<para>If the services you'd like to offer do not need to access the internet
themselves, like internal-only samba or name servers, it's quite
simple and should still be acceptable from a security standpoint.
Just add the following lines <emphasis>before</emphasis> the logging rules
into the script.

<screen>iptables -A INPUT -i ! ppp+ -j ACCEPT
iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen></para>

<para>If your daemons have to access the web themselves, like squid would need
to, you could open OUTPUT generally and restrict INPUT.

<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</screen></para>

<para>However, it is generally not advisable to leave OUTPUT unrestricted: you lose
any control over trojans that would like to "call home", and a bit of redundancy in case
you've (mis-)configured a service so that it broadcasts its existence to the
world.</para>

<para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
on all ports except those that it's absolutely necessary to have open.
Which ports you have to open depends on your needs: mostly you will find them
by looking for failed accesses in your log files.</para>

<orderedlist numeration="arabic" spacing="compact">
<title>Have a look at the following examples:</title>

<listitem><para>Squid is caching the web:</para>
<para><screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
-j ACCEPT</screen></para></listitem>

<listitem><para>Your caching nameserver (e.g., dnscache) does its
lookups via UDP:</para>
<para><screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED \
-j ACCEPT</screen></para></listitem>

<listitem><para>If you want to be able to ping your box to ensure
it's still alive:</para>
<para><screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request \
-j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></para></listitem>

<listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are
frequently accessing ftp servers or enjoy chatting you might notice certain
delays, because some implementations of these daemons have the feature of
querying an identd on your box for your username for logging.
Although there's really no harm in this, having an identd running is not
recommended because some implementations are known to be vulnerable.</para>

<para>To avoid these delays you could reject the requests
with a 'tcp-reset':</para>

<para><screen>iptables -A INPUT -p tcp --dport 113 -j REJECT \
--reject-with tcp-reset
iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED \
-j ACCEPT</screen></para></listitem>

<listitem><para>To log and drop invalid packets, mostly harmless packets
that came in after netfilter's timeout, sometimes scans (the trailing space
in the prefix keeps it separate from the "IN=" field that netfilter prints
right after it):</para>

<para><screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG \
--log-prefix "FIREWALL:INVALID "
iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></para></listitem>

<listitem><para>Anything coming from the outside should not have a
private address; packets that do are a common attack called IP spoofing:</para>

<para><screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP
iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></para></listitem>

<listitem><para>To simplify debugging and be fair to anyone who'd like to
access a service you have disabled, purposely or by mistake, you should REJECT
those packets that would otherwise be dropped.</para>

<para>Obviously this must be done directly after logging, as the very
last lines before the packets are dropped by policy:</para>

<para><screen>iptables -A INPUT -j REJECT
iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></para></listitem>

</orderedlist>
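<para>The examples above only work when they sit in the right order relative to the policies, the intranet rules and the logging rules. The following script is an added example, not code from the BLFS book: it assembles those examples in that order and, with DRY_RUN=1 (the default), only prints the resulting rules; EXT, the "FIREWALL:" log prefixes and the placement of the anti-spoofing rules in the filter table's INPUT chain (instead of nat PREROUTING, which only sees the first packet of a connection) are assumptions made here.</para>

```shell
#!/bin/sh
# Added example (not from the BLFS book): the rules from the examples above
# in the order the text requires. DRY_RUN=1 prints the rules instead of
# running them; run as root with DRY_RUN=0 to apply. EXT and the log
# prefixes are assumptions; the anti-spoofing rules are placed in the
# filter table's INPUT chain so every packet is checked, not just the first.
DRY_RUN=${DRY_RUN:-1}
EXT=${EXT:-ppp+}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

busybox_rules() {
    # Start from a clean slate with deny-by-default policies.
    ipt -F; ipt -t nat -F
    ipt -P INPUT DROP; ipt -P OUTPUT DROP; ipt -P FORWARD DROP
    # Example 5: invalid packets are logged and dropped before anything else.
    ipt -A INPUT -p tcp -m state --state INVALID -j LOG --log-prefix "FIREWALL:INVALID "
    ipt -A INPUT -p tcp -m state --state INVALID -j DROP
    # Example 6: private source addresses never arrive legitimately from outside.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        ipt -A INPUT -i "$EXT" -s "$net" -j DROP
    done
    # The intranet side is trusted; replies to our own connections are let in.
    ipt -A INPUT ! -i "$EXT" -j ACCEPT
    ipt -A OUTPUT ! -o "$EXT" -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Examples 1-3: squid, caching nameserver, ping. OUTPUT stays restricted,
    # so a service that "calls home" on any other port is logged and rejected.
    ipt -A OUTPUT -p tcp --dport 80 -j ACCEPT
    ipt -A OUTPUT -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    # Example 4: answer identd queries with a reset instead of a timeout.
    ipt -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    ipt -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT
    # Logging rules: whatever is still unmatched is a failed access worth a log line.
    ipt -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
    ipt -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
    # Example 7: reject rather than silently drop, and let the ICMP error leave.
    ipt -A INPUT -j REJECT
    ipt -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
}

busybox_rules
```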

<para>These are only examples to show you some of the capabilities of the new
firewalling code in Linux kernel 2.4. Have a look at the man page of
iptables; there you will find more of them. The port numbers you'll need for this
can be found in /etc/services, in case you didn't find them via "try'n'error"
in your logfile.</para>
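<para>Reading the ports off the logfile is easier when the LOG lines are summarised. This is an added example, not part of the BLFS book: it assumes the logging rules use prefixes of the form "FIREWALL:INPUT " and "FIREWALL:OUTPUT " (with a trailing space), skips the INVALID entries (stale packets, not missing rules), and works on constructed sample lines.</para>

```shell
#!/bin/sh
# Added example (not from the BLFS book): summarise netfilter LOG lines so
# the ports a service needs can be read off instead of guessed.
# Assumes log prefixes "FIREWALL:INPUT " / "FIREWALL:OUTPUT " / "FIREWALL:INVALID ".
# The log lines below are constructed samples, not a real capture.
SAMPLE_LOG='Mar  3 10:01:02 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 SYN
Mar  3 10:01:05 fw kernel: FIREWALL:INPUT IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=40124 DPT=22 WINDOW=5840 SYN
Mar  3 10:02:11 fw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=198.51.100.53 LEN=57 PROTO=UDP SPT=33000 DPT=53 LEN=37
Mar  3 10:02:11 fw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=198.51.100.53 LEN=57 PROTO=UDP SPT=33001 DPT=53 LEN=37
Mar  3 10:02:12 fw kernel: FIREWALL:OUTPUT IN= OUT=ppp0 SRC=198.51.100.2 DST=198.51.100.53 LEN=57 PROTO=UDP SPT=33002 DPT=53 LEN=37
Mar  3 10:03:40 fw kernel: FIREWALL:INVALID IN=ppp0 OUT= SRC=192.0.2.9 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=80 DPT=41000 ACK RST
Mar  3 10:04:00 fw kernel: FIREWALL:INPUT IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=60 PROTO=TCP SPT=51000 DPT=3128 SYN'

# Print "chain interface proto dport count", most frequent first.
# INVALID entries are skipped: they are stale packets, not a missing rule.
# Packets without a DPT (e.g. ICMP) are skipped as well.
failed_ports() {
    printf '%s\n' "$1" | awk '
        /kernel: FIREWALL:/ && !/FIREWALL:INVALID/ {
            chain = ""; iface = ""; proto = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^FIREWALL:/)   chain = substr($i, 10)
                else if ($i ~ /^IN=./)   iface = substr($i, 4)
                else if ($i ~ /^OUT=./)  iface = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
                else if ($i ~ /^DPT=/)   dport = substr($i, 5)
            }
            if (proto != "" && dport != "")
                count[chain " " iface " " proto " " dport]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k5,5nr -k4,4n
}

failed_ports "$SAMPLE_LOG"
```

Run it against the real file with `failed_ports "$(grep FIREWALL /var/log/messages)"` (path assumed) and the top lines are the ports still missing an ACCEPT rule.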

<para>If you add any of your offered or accessed services such as the above,
maybe even in FORWARD and for intranet communication, and delete the
general clauses, you get an old-fashioned packet filter.</para>

</sect3>