source: postlfs/security/iptables.xml@ 7474050

Last change on this file since 7474050 was 7474050, checked in by Pierre Labastie <pieere@…>, 2 years ago

Update kernel configuration for iptables

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22470 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY iptables-download-http "http://www.netfilter.org/projects/iptables/files/iptables-&iptables-version;.tar.bz2">
  <!ENTITY iptables-download-ftp "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
  <!ENTITY iptables-md5sum "9b201107957fbf62709c3d8226239b0d">
  <!ENTITY iptables-size "688 KB">
  <!ENTITY iptables-buildsize "17 MB">
  <!ENTITY iptables-time "0.2 SBU">
]>

<sect1 id="iptables" xreflabel="iptables-&iptables-version;">
  <?dbhtml filename="iptables.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>iptables-&iptables-version;</title>

  <indexterm zone="iptables">
    <primary sortas="a-iptables">iptables</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to iptables</title>

    <para>
      <application>iptables</application> is a userspace command line program
      used to configure the packet filtering ruleset of Linux 2.4 and later
      kernels.
    </para>

    &lfs90_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&iptables-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&iptables-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &iptables-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &iptables-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &iptables-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &iptables-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">iptables Dependencies</bridgehead>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="nftables"/>,
      <xref linkend="libpcap"/> (required for nfsynproxy support),
      <ulink url="https://github.com/tadamdam/bpf-utils">bpf-utils</ulink>
      (required for Berkeley Packet Filter support),
      <ulink url="https://netfilter.org/projects/libnfnetlink/">libnfnetlink</ulink>
      (required for connlabel support), and
      <ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack</ulink>
      (required for connlabel support)
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/iptables"/>
    </para>
  </sect2>

  <sect2 role="kernel" id="iptables-kernel">
    <title>Kernel Configuration</title>

    <para>
      A firewall in Linux is accomplished through the netfilter interface. To
      use <application>iptables</application> to configure netfilter, the
      following kernel configuration parameters are required:
    </para>

<screen><literal>[*] Networking support ---&gt; [CONFIG_NET]
  Networking Options ---&gt;
    [*] Network packet filtering framework (Netfilter) ---&gt; [CONFIG_NETFILTER]
      [*] Advanced netfilter configuration [CONFIG_NETFILTER_ADVANCED]
      Core Netfilter Configuration ---&gt;
        &lt;*/M&gt; Netfilter connection tracking support [CONFIG_NF_CONNTRACK]
        &lt;*/M&gt; Netfilter Xtables support (required for ip_tables) [CONFIG_NETFILTER_XTABLES]
        &lt;*/M&gt; LOG target support [CONFIG_NETFILTER_XT_TARGET_LOG]
      IP: Netfilter Configuration ---&gt;
        &lt;*/M&gt; IP tables support (required for filtering/masq/NAT) [CONFIG_IP_NF_IPTABLES]</literal></screen>

    <para>
      Include any connection tracking protocols that will be used, as well as
      any protocols that you wish to use for match support under the
      "Core Netfilter Configuration" section. The above options are enough
      for running <xref linkend="fw-persFw-ipt"/> below.
    </para>

    <indexterm zone="iptables iptables-kernel">
      <primary sortas="d-iptables">iptables</primary>
    </indexterm>

  </sect2>

  <sect2 role="installation">
    <title>Installation of iptables</title>

    <note>
      <para>
        The installation below does not include building some specialized
        extension libraries which require the raw headers in the
        <application>Linux</application> source code. If you wish to build the
        additional extensions (if you aren't sure, then you probably don't), you
        can look at the <filename>INSTALL</filename> file to see an example of
        how to change the <parameter>KERNEL_DIR=</parameter> parameter to point
        at the <application>Linux</application> source code. Note that if you
        upgrade the kernel version, you may also need to recompile
        <application>iptables</application>, and that the BLFS team has not
        tested using the raw kernel headers.
      </para>
    </note>

    <para>
      Install <application>iptables</application> by running the following
      commands:
    </para>

<screen><userinput>./configure --prefix=/usr \
            --sbindir=/sbin \
            --disable-nftables \
            --enable-libipq \
            --with-xtlibdir=/lib/xtables &amp;&amp;
make</userinput></screen>

    <para>
      <!-- there is a iptables-test.py script which seems to run a
           lot of tests. Unfortunately, success rate is 50% only. Needs
           to be clarified how to use and which prerequisites are required
           to run to 100%. Contacted Shekhar Sharma for that (Dec'19),
           waiting for answer (thomas). -->
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml &amp;&amp;

for file in ip4tc ip6tc ipq iptc xtables
do
  mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;
  ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
done</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>--disable-nftables</parameter>: This switch disables building
      the nftables compatibility layer. Omit this switch if you have installed
      <xref linkend="nftables"/>.
    </para>

    <para>
      <parameter>--enable-libipq</parameter>: This switch enables building
      of <filename class="libraryfile">libipq.so</filename> which
      can be used by some packages outside of BLFS.
    </para>

    <para>
      <parameter>--with-xtlibdir=/lib/xtables</parameter>: Ensures all
      <application>iptables</application> modules are installed in the
      <filename class="directory">/lib/xtables</filename> directory.
    </para>

    <para>
      <option>--enable-nfsynproxy</option>: This switch enables installation
      of the <application>nfsynproxy</application> SYNPROXY configuration tool.
    </para>

    <para>
      <command>ln -sfv ../../sbin/xtables-legacy-multi /usr/bin/iptables-xml</command>:
      Ensures the symbolic link for <command>iptables-xml</command> is relative.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring iptables</title>

    <note>
      <para>
        If you intend to use <xref linkend="firewalld"/> to configure your
        firewall rules, you should not use the example configurations provided
        here, nor should you enable the
        <phrase revision="sysv">bootscript.</phrase>
        <phrase revision="systemd">systemd unit.</phrase>
      </para>
    </note>

    <note>
      <para>
        In the following example configurations, <emphasis
        role="strong">LAN1</emphasis> is used for the internal LAN interface,
        and <emphasis role="strong">WAN1</emphasis> is used for the external
        interface connected to the Internet. You will need to replace these
        values with appropriate interface names for your system.
      </para>
    </note>

    <sect3 id="fw-persFw-ipt"
           xreflabel="Creating a Personal Firewall With iptables">
      <title>Personal Firewall</title>

      <para>
        A Personal Firewall is designed to let you access all the
        services offered on the Internet, but keep your box secure and
        your data private.
      </para>

      <para>
        Below is a slightly modified version of Rusty Russell's
        recommendation from the <ulink
        url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
        Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
        to the Linux 3.x kernels.
      </para>

<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<literal>#!/bin/sh

# Begin rc.iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects

# Do not send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End rc.iptables</literal>
EOF
chmod 700 /etc/rc.d/rc.iptables</userinput></screen>

<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts

cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
<literal>#!/bin/sh

# Begin /etc/systemd/scripts/iptables

# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe nf_conntrack
modprobe xt_LOG

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects

# Do not send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians

# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

# End /etc/systemd/scripts/iptables</literal>
EOF
chmod 700 /etc/systemd/scripts/iptables</userinput></screen>

      <para>
        This script is quite simple: it drops all traffic coming
        into your computer that wasn't initiated from your computer, but
        as long as you are simply surfing the Internet you are unlikely
        to exceed its limits.
      </para>
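The sysctl hardening that the script above writes to /proc/sys is only in effect until something else rewrites those files (a later tool, a sysctl.conf entry, a kernel default after a reboot where the script did not run). The following drift check is an added example and not part of the BLFS book: the function name fw_sysctl_audit and the snapshot format are assumptions, and the sample snapshot is constructed, with two values reverted and one key missing.

```shell
#!/bin/sh
# Expected hardening state, "key value" per line: the /proc/sys settings
# the firewall script above writes, in sysctl dotted notation.
FW_EXPECTED='net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.default.accept_source_route 0
net.ipv4.tcp_syncookies 1
net.ipv4.conf.default.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.conf.default.send_redirects 0
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.default.rp_filter 1
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.default.log_martians 1'

# Constructed snapshot in "sysctl -a" output format ("key = value"): two
# values have been reverted and default.log_martians is missing entirely.
SAMPLE_SYSCTL='net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.ip_forward = 0'

# fw_sysctl_audit SNAPSHOT: compare a "key = value" snapshot against
# FW_EXPECTED and print "key expected actual" for every deviation
# ("missing" when the key is absent). Exit status is 0 only if all match.
fw_sysctl_audit() {
    mismatches=$(printf '%s\n' "$FW_EXPECTED" | while read -r key want; do
        # third field of the matching "key = value" line, if any
        have=$(printf '%s\n' "$1" | awk -v k="$key" '$1 == k { print $3; exit }')
        [ -n "$have" ] || have=missing
        [ "$have" = "$want" ] || printf '%s %s %s\n' "$key" "$want" "$have"
    done)
    if [ -z "$mismatches" ]; then
        return 0
    fi
    printf '%s\n' "$mismatches"
    return 1
}

# Stand-alone run against the constructed snapshot; on a live system use
#   fw_sysctl_audit "$(sysctl -a 2>/dev/null)"
fw_sysctl_audit "$SAMPLE_SYSCTL" || echo "hardening drift detected"
```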

      <para>
        If you frequently encounter certain delays at accessing
        FTP servers, take a look at <xref linkend="fw-BB-4-ipt"/>.
      </para>

      <para>
        Even if you have daemons or services running on your system,
        these will be inaccessible everywhere but from your computer itself.
        If you want to allow access to services on your machine, such as
        <command>ssh</command> or <command>ping</command>, take a look at
        <xref linkend="fw-busybox-ipt"/>.
      </para>

    </sect3>

    <sect3 id="fw-masqRouter-ipt"
           xreflabel="Creating a Masquerading Router With iptables">
      <title>Masquerading Router</title>

      <para>
        A network Firewall has two interfaces, one connected to an
        intranet, in this example <emphasis role="strong">LAN1</emphasis>,
        and one connected to the Internet, here <emphasis
        role="strong">WAN1</emphasis>. To provide the maximum security
        for the firewall itself, make sure that there are no unnecessary
        servers running on it such as <application>X11</application> et al.
        As a general principle, the firewall itself should not access
        any untrusted service (think of a remote server giving answers that
        make a daemon on your system crash, or even worse, that implement
        a worm via a buffer overflow).
      </para>

<screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<literal>#!/bin/sh

# Begin rc.iptables

echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.&lfs-domainname;/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow forwarding if initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>
EOF
chmod 700 /etc/rc.d/rc.iptables</userinput></screen>

<screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts

cat &gt; /etc/systemd/scripts/iptables &lt;&lt; "EOF"
<literal>#!/bin/sh

# Begin /etc/systemd/scripts/iptables

echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."

echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.&lfs-domainname;/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).

modprobe nf_conntrack
modprobe nf_conntrack_ftp
modprobe xt_conntrack
modprobe xt_LOG
modprobe xt_state

# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter

# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow forwarding if initiated on the intranet
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD "
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "

# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward

# The following sections allow inbound packets for specific examples
# Uncomment the example lines and adjust as necessary

# Allow ping on the external interface
#iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
#iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT

# Reject ident packets with TCP reset to avoid delays with FTP or IRC
#iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# Allow HTTP and HTTPS to 192.168.0.2
#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 80 -j DNAT --to 192.168.0.2
#iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 443 -j DNAT --to 192.168.0.2
#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT
#iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 443 -j ACCEPT

# End /etc/systemd/scripts/iptables</literal>
EOF
chmod 700 /etc/systemd/scripts/iptables</userinput></screen>

      <para>
        With this script your intranet should be reasonably secure
        against external attacks. No one should be able to set up a new
        connection to any internal service and, if it is masqueraded,
        your intranet is invisible to the Internet. Furthermore, your
        firewall should be relatively safe because there are no services
        running that a cracker could attack.
      </para>

    </sect3>

    <sect3 id="fw-busybox-ipt" xreflabel="Creating a BusyBox With iptables">
      <title>BusyBox</title>

      <para>
        This scenario isn't too different from the <xref
        linkend="fw-masqRouter-ipt"/>, but additionally offers some
        services to your intranet. Examples of this are when
        you want to administer your firewall from another host on
        your intranet or use it as a proxy or a name server.
      </para>

      <note>
        <para>
          Outlining specifically how to protect a server that
          offers services on the Internet goes far beyond the scope of
          this document. See the references in <xref linkend="fw-extra-info"/>
          for more information.
        </para>
      </note>

      <para>
        Be cautious. Every service you have enabled makes your
        setup more complex and your firewall less secure. You are
        exposed to the risks of misconfigured services or running
        a service with an exploitable bug. A firewall should generally
        not run any extra services. See the introduction to the
        <xref linkend="fw-masqRouter-ipt"/> for some more details.
      </para>

      <para>
        If you want to add services such as internal Samba or
        name servers that do not need to access the Internet themselves,
        the additional statements are quite simple and should still be
        acceptable from a security standpoint. Just add the following lines
        into the script <emphasis>before</emphasis> the logging rules.
      </para>

<screen><literal>iptables -A INPUT ! -i WAN1 -j ACCEPT
iptables -A OUTPUT ! -o WAN1 -j ACCEPT</literal></screen>

      <para>
        If daemons, such as squid, have to access the Internet
        themselves, you could open OUTPUT generally and restrict
        INPUT.
      </para>

<screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</literal></screen>

      <para>
        However, it is generally not advisable to leave OUTPUT
        unrestricted. You lose any control over trojans that would like
        to "call home", and a bit of redundancy in case you've
        (mis-)configured a service so that it broadcasts its existence
        to the world.
      </para>

      <para>
        To accomplish this, you should restrict INPUT and OUTPUT
        on all ports except those that it's absolutely necessary to have
        open. Which ports you have to open depends on your needs: mostly
        you will find them by looking for failed accesses in your log
        files.
      </para>

      <itemizedlist spacing="compact" role='iptables'>
        <title>Have a Look at the Following Examples:</title>
        <listitem>
          <para>
            Squid is caching the web:
          </para>

<screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \
  -j ACCEPT</literal></screen>

        </listitem>
        <listitem>
          <para>
            Your caching name server (e.g., named) does its lookups via UDP:
          </para>

<screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>

        </listitem>
        <listitem>
          <para>
            You want to be able to ping your computer to ensure it's still
            alive:
          </para>

<screen><literal>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</literal></screen>

        </listitem>
        <listitem>
          <para id='fw-BB-4-ipt' xreflabel="BusyBox with iptables example number 4">
            If you are frequently accessing FTP servers or enjoy chatting, you
            might notice delays because some implementations of these daemons
            query an identd daemon on your system to obtain usernames. Although
            there's really little harm in this, having an identd running is not
            recommended because many security experts feel the service gives
            out too much additional information.
          </para>

          <para>
            To avoid these delays you could reject the requests with a
            'tcp-reset' response:
          </para>

<screen><literal>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>

        </listitem>
        <listitem>
          <para>
            To log and drop invalid packets (packets
            that came in after netfilter's timeout or some types of
            network scans) insert these rules at the top of the chain
            (rule numbers start at 1, so the LOG rule goes first and
            the DROP rule directly after it):
          </para>

<screen><literal>iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID \
  -j LOG --log-prefix "FIREWALL:INVALID "
iptables -I INPUT 2 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen>

        </listitem>
        <listitem>
          <para>
            Anything coming from the outside should not have a
            private address; forged private source addresses are a common
            attack called IP spoofing:
          </para>

<screen><literal>iptables -A INPUT -i WAN1 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i WAN1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i WAN1 -s 192.168.0.0/16 -j DROP</literal></screen>

          <para>
            There are other addresses that you may also want to drop:
            0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and
            experimental), 169.254.0.0/16 (Link Local Networks), and
            192.0.2.0/24 (IANA defined test network).
          </para>
        </listitem>
        <listitem>
          <para>
            If your firewall is a DHCP client, you need to allow those packets:
          </para>

<screen><literal>iptables -A INPUT -i WAN1 -p udp -s 0.0.0.0 --sport 67 \
  -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen>

        </listitem>
        <listitem>
          <para>
            To simplify debugging and be fair to anyone who'd like
            to access a service you have disabled, purposely or by mistake,
            you could REJECT those packets that are dropped.
          </para>

          <para>
            Obviously this must be done directly after logging as the very
            last lines before the packets are dropped by policy:
          </para>

<screen><literal>iptables -A INPUT -j REJECT</literal></screen>

        </listitem>
      </itemizedlist>

      <para>
        These are only examples to show you some of the capabilities
        of the firewall code in Linux. Have a look at the man page of iptables;
        there you will find much more information. The port numbers needed for
        this can be found in <filename>/etc/services</filename>, in case you
        didn't find them by trial and error in your log file.
      </para>
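The "failed accesses in your log files" that the text says to look for are the kernel messages written by the LOG rules with the FIREWALL: prefixes used above. The following is an added example, not part of the BLFS book, of reading those lines the way a defender would: count what the INPUT chain logged per interface, protocol and destination port, and pull out RFC 1918 source addresses that arrived on WAN1 (exactly what the anti-spoofing DROP rules above are for). The function names and the sample log lines are constructed assumptions; the addresses are documentation ranges.

```shell
#!/bin/sh
# Constructed sample of kernel log lines as the LOG rules above write them
# (prefixes "FIREWALL:INPUT " and "FIREWALL:INVALID "). The 192.168.77.9
# source arriving on WAN1 is a deliberately planted spoofed packet.
SAMPLE_LOG='Jan  5 10:00:01 fw kernel: FIREWALL:INPUT IN=WAN1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=43210 DPT=22 SYN URGP=0
Jan  5 10:00:02 fw kernel: FIREWALL:INPUT IN=WAN1 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=43211 DPT=22 SYN URGP=0
Jan  5 10:00:03 fw kernel: FIREWALL:INPUT IN=WAN1 OUT= SRC=192.168.77.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=5555 DPT=445 SYN URGP=0
Jan  5 10:00:04 fw kernel: FIREWALL:INPUT IN=LAN1 OUT= SRC=192.168.0.10 DST=192.168.0.1 LEN=76 PROTO=UDP SPT=51000 DPT=53 LEN=56
Jan  5 10:00:05 fw kernel: FIREWALL:INVALID IN=WAN1 OUT= SRC=203.0.113.77 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=80 DPT=40001 ACK URGP=0
Jan  5 10:00:06 fw kernel: FIREWALL:INPUT IN=WAN1 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# awk helper shared by both functions: split the KEY=VALUE tokens of one
# LOG line into the array kv (a bare "OUT=" yields an empty value).
FW_AWK_PARSE='
function parse(line, kv,    n, i, t, eq) {
    split("", kv)
    n = split(line, t, " ")
    for (i = 1; i <= n; i++) {
        eq = index(t[i], "=")
        if (eq > 0) kv[substr(t[i], 1, eq - 1)] = substr(t[i], eq + 1)
    }
}
BEGIN { split("", kv) }
'

# fw_count_by_service LOGTEXT: count packets logged by the INPUT chain,
# grouped by "IN PROTO DPT" ("-" when there is no port, e.g. ICMP), most
# frequent first. A high count on a port you actually serve is a rule
# you forgot to add; a high count on a port you do not serve is a probe
# and stays dropped.
fw_count_by_service() {
    printf '%s\n' "$1" | awk "$FW_AWK_PARSE"'
    /FIREWALL:INPUT / {
        parse($0, kv)
        key = kv["IN"] " " kv["PROTO"] " " (("DPT" in kv) ? kv["DPT"] : "-")
        count[key]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# fw_spoofed_sources LOGTEXT: distinct RFC 1918 source addresses seen on
# WAN1 in any FIREWALL: line. These never legitimately arrive from the
# Internet; each one is a packet the anti-spoofing DROP rules should catch.
fw_spoofed_sources() {
    printf '%s\n' "$1" | awk "$FW_AWK_PARSE"'
    /FIREWALL:/ {
        parse($0, kv)
        if (kv["IN"] != "WAN1") next
        src = kv["SRC"]
        split(src, o, ".")
        a = o[1] + 0; b = o[2] + 0
        if (a == 10 || (a == 172 && b >= 16 && b <= 31) || (a == 192 && b == 168))
            print src
    }' | LC_ALL=C sort -u
}

# Stand-alone run on the constructed sample; on a live system feed it
# "$(dmesg)" or the kernel log file instead.
fw_count_by_service "$SAMPLE_LOG"
fw_spoofed_sources "$SAMPLE_LOG"
```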

    </sect3>

    <sect3 id="iptables-init">
      <title><phrase revision="sysv">Boot Script</phrase>
             <phrase revision="systemd">Systemd Unit</phrase></title>

      <para revision="sysv">
        To set up the iptables firewall at boot, install the
        <filename>/etc/rc.d/init.d/iptables</filename> init script included
        in the <xref linkend="bootscripts"/> package.
      </para>

      <para revision="systemd">
        To set up the iptables firewall at boot, install the
        <filename>iptables.service</filename> unit included in the
        <xref linkend="systemd-units"/> package.
      </para>

      <indexterm zone="iptables iptables-init">
        <primary sortas="f-iptables">iptables</primary>
      </indexterm>

<screen role="root"><userinput>make install-iptables</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          ip6tables, ip6tables-restore, ip6tables-save, iptables, iptables-restore,
          iptables-save, iptables-xml, nfsynproxy (optional) and xtables-multi
        </seg>
        <seg>
          libip4tc.so, libip6tc.so, libipq.so, libiptc.so, and libxtables.so
        </seg>
        <seg>
          /lib/xtables and /usr/include/libiptc
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="iptables-prog">
        <term><command>iptables</command></term>
        <listitem>
          <para>
            is used to set up, maintain, and inspect the tables of
            IP packet filter rules in the Linux kernel.
          </para>
          <indexterm zone="iptables iptables-prog">
            <primary sortas="b-iptables">iptables</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-restore">
        <term><command>iptables-restore</command></term>
        <listitem>
          <para>
            is used to restore IP Tables from data specified on
            STDIN. Use I/O redirection provided by your
            shell to read from a file.
          </para>
          <indexterm zone="iptables iptables-restore">
            <primary sortas="b-iptables-restore">iptables-restore</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-save">
        <term><command>iptables-save</command></term>
        <listitem>
          <para>
            is used to dump the contents of an IP Table in easily
            parseable format to STDOUT. Use I/O redirection
            provided by your shell to write to a file.
          </para>
          <indexterm zone="iptables iptables-save">
            <primary sortas="b-iptables-save">iptables-save</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="iptables-xml">
        <term><command>iptables-xml</command></term>
        <listitem>
          <para>
            is used to convert the output of
            <command>iptables-save</command> to an XML format. Using the
            <filename>iptables.xslt</filename> stylesheet converts the XML
            back to the format of <command>iptables-restore</command>.
          </para>
          <indexterm zone="iptables iptables-xml">
            <primary sortas="b-iptables-xml">iptables-xml</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="ip6tables">
        <term><command>ip6tables*</command></term>
        <listitem>
          <para>
            are a set of commands for IPv6 that parallel the iptables
            commands above.
          </para>
          <indexterm zone="iptables ip6tables">
            <primary sortas="b-ip6tables">ip6tables</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="nfsynproxy">
        <term><command>nfsynproxy</command></term>
        <listitem>
          <para>
            is an optional configuration tool for the SYNPROXY target, which
            makes handling of large SYN floods possible without the large
            performance penalties imposed by connection tracking in such cases.
          </para>
          <indexterm zone="iptables nfsynproxy">
            <primary sortas="b-nfsynproxy">nfsynproxy</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="xtables-multi">
        <term><command>xtables-multi</command></term>
        <listitem>
          <para>
            is a binary that behaves according to the name it is called by.
          </para>
          <indexterm zone="iptables xtables-multi">
            <primary sortas="b-xtables-multi">xtables-multi</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>