Changeset 018c0cc3
- Timestamp:
- 03/05/2020 08:54:16 PM (4 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- f11d372a
- Parents:
- bbe17e2
- Location:
- postlfs/security
- Files:
- 2 edited
postlfs/security/firewalling.xml
rbbe17e2 r018c0cc3 16 16 <title>Setting Up a Network Firewall</title> 17 17 18 <para>Before you read this part of the chapter, you should have19 already installed iptables as described in the previous section.</para>20 21 18 <sect2 id="fw-intro" xreflabel="Firewalling Introduction"> 22 19 <title>Introduction to Firewall Creation</title> 23 20 24 <para>The general purpose of a firewall is to protect a computer or 25 a network against malicious access.</para> 26 27 <para>In a perfect world, every daemon or service on every machine 28 is perfectly configured and immune to flaws such as buffer overflows 29 or other problems regarding its security. Furthermore, you trust 30 every user accessing your services. In this world, you do not need 31 to have a firewall.</para> 32 33 <para>In the real world however, daemons may be misconfigured and 34 exploits against essential services are freely available. You may 35 wish to choose which services are accessible by certain machines or 36 you may wish to limit which machines or applications are allowed 37 external access. Alternatively, you may simply not trust some of 38 your applications or users. You are probably connected to the 39 Internet. In this world, a firewall is essential.</para> 40 41 <para>Don't assume however, that having a firewall makes careful 42 configuration redundant, or that it makes any negligent 43 misconfiguration harmless. It doesn't prevent anyone from exploiting 44 a service you intentionally offer but haven't recently updated or 45 patched after an exploit went public. Despite having a firewall, you 46 need to keep applications and daemons on your system properly 47 configured and up to date. A firewall is not a cure all, but should 48 be an essential part of your overall security strategy.</para> 21 <para> 22 The purpose of a firewall is to protect a computer or a network against 23 malicious access. 
In a perfect world every daemon or service, on every 24 machine, is perfectly configured and immune to security flaws, and all 25 users are trusted implicitly to use the equipment as intended. However, 26 this is rarely, if ever, the case. Daemons may be misconfigured, or 27 updates may not have been applied for known exploits against essential 28 services. Additionally, you may wish to choose which services are 29 accessible by certain machines or users, or you may wish to limit which 30 machines or applications are allowed external access. Alternatively, you 31 simply may not trust some of your applications or users. For these 32 reasons, a carefully designed firewall should be an essential part of 33 system security. 34 </para> 35 36 <para> 37 While a firewall can greatly limit the scope of the above issues, do not 38 assume that having a firewall makes careful configuration redundant, or 39 that any negligent misconfiguration is harmless. A firewall does not 40 prevent the exploitation of any service you offer outside of it. Despite 41 having a firewall, you need to keep applications and daemons properly 42 configured and up to date. 43 </para> 49 44 50 45 </sect2> … … 53 48 <title>Meaning of the Word "Firewall"</title> 54 49 55 <para>The word firewall can have several different meanings.</para> 56 57 <sect3> 58 <title><xref linkend="fw-persFw"/></title> 59 60 <para>This is a hardware device or software program commercially sold (or 61 offered via freeware) by companies such as Symantec which claims that 62 it secures a home or desktop computer connected to the Internet. This 63 type of firewall is highly relevant for users who do not know how their 64 computers might be accessed via the Internet or how to disable 65 that access, especially if they are always online and connected 66 via broadband links.</para> 67 68 </sect3> 69 70 <sect3> 71 <title><xref linkend="fw-masqRouter"/></title> 72 73 <para>This is a system placed between the Internet and an intranet. 
74 To minimize the risk of compromising the firewall itself, it should 75 generally have only one role—that of protecting the intranet. 76 Although not completely risk free, the tasks of doing the routing and 77 IP masquerading (rewriting IP headers of the packets it routes from 78 clients with private IP addresses onto the Internet so that they seem 79 to come from the firewall itself) are commonly considered relatively 80 secure.</para> 81 82 </sect3> 83 84 <sect3> 85 <title><xref linkend="fw-busybox"/></title> 86 87 <para>This is often an old computer you may have retired and nearly 88 forgotten, performing masquerading or routing functions, but offering 89 non-firewall services such as a web-cache or mail. This may be used 90 for home networks, but is not to be considered as secure as a firewall 91 only machine because the combination of server and router/firewall on 92 one machine raises the complexity of the setup.</para> 93 94 </sect3> 95 96 <sect3> 97 <title>Firewall with a Demilitarized Zone [Not Further 98 Described Here]</title> 99 100 <para>This box performs masquerading or routing, but grants public 101 access to some branch of your network which, because of public IPs 102 and a physically separated structure, is essentially a separate 103 network with direct Internet access. The servers on this network are 104 those which must be easily accessible from both the Internet and 105 intranet. The firewall protects both networks. This type of firewall 106 has a minimum of three network interfaces.</para> 50 <para> 51 The word firewall can have several different meanings. 52 </para> 53 54 <sect3> 55 <title>Personal Firewall</title> 56 57 <para> 58 This is a hardware device or software program, intended to secure a 59 home or desktop computer connected to the Internet. 
This type of 60 firewall is highly relevant for users who do not know how their 61 computers might be accessed via the Internet or how to disable 62 that access, especially if they are always online and connected 63 via broadband links. 64 </para> 65 66 <para> 67 An example configuration for a personal firewall is provided at 68 <xref linkend="fw-persFw-ipt"/>. 69 </para> 70 71 </sect3> 72 73 <sect3> 74 <title>Masquerading Router</title> 75 76 <para> 77 This is a system placed between the Internet and an intranet. 78 To minimize the risk of compromising the firewall itself, it should 79 generally have only one role—that of protecting the intranet. 80 Although not completely risk-free, the tasks of doing the routing and 81 IP masquerading (rewriting IP headers of the packets it routes from 82 clients with private IP addresses onto the Internet so that they seem 83 to come from the firewall itself) are commonly considered relatively 84 secure. 85 </para> 86 87 <para> 88 An example configuration for a masquerading firewall is provided at 89 <xref linkend="fw-masqRouter-ipt"/>. 90 </para> 91 92 </sect3> 93 94 <sect3> 95 <title>BusyBox</title> 96 97 <para> 98 This is often an old computer you may have retired and nearly 99 forgotten, performing masquerading or routing functions, but offering 100 non-firewall services such as a web-cache or mail. This may be used 101 for home networks, but is not to be considered as secure as a firewall 102 only machine because the combination of server and router/firewall on 103 one machine raises the complexity of the setup. 104 </para> 105 106 <para> 107 An example configuration for a BusyBox is provided at 108 <xref linkend="fw-busybox-ipt"/>. 
109 </para> 110 111 </sect3> 112 113 <sect3> 114 <title>Firewall with a Demilitarized Zone</title> 115 116 <para> 117 This type of firewall performs masquerading or routing, but grants 118 public access to some branch of your network that is physically 119 separated from your regular intranet and is essentially a separate 120 network with direct Internet access. The servers on this network are 121 those which must be easily accessible from both the Internet and 122 intranet. The firewall protects both networks. This type of firewall 123 has a minimum of three network interfaces. 124 </para> 107 125 108 126 </sect3> … … 111 129 <title>Packetfilter</title> 112 130 113 <para>This type of firewall does routing or masquerading, but does 114 not maintain a state table of ongoing communication streams. It is 115 fast, but quite limited in its ability to block undesired packets 116 without blocking desired packets.</para> 117 118 </sect3> 119 120 </sect2> 121 122 <sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts"> 123 <title>Now You Can Start to Build your Firewall</title> 131 <para> 132 This type of firewall does routing or masquerading but does 133 not maintain a state table of ongoing communication streams. It is 134 fast but quite limited in its ability to block undesired packets 135 without blocking desired packets. 136 </para> 137 138 </sect3> 139 140 </sect2> 141 142 <sect2> 143 <title>Conclusion</title> 124 144 125 145 <caution> 126 <para>This introduction on how to setup a firewall is not a 127 complete guide to securing systems. Firewalling is a complex 128 issue that requires careful configuration. The scripts quoted 129 here are simply intended to give examples of how a firewall 130 works. 
They are not intended to fit into any particular 131 configuration and may not provide complete protection from 132 an attack.</para> 133 134 <para>Customization of these scripts for your specific situation 135 will be necessary for an optimal configuration, but you should 136 make a serious study of the iptables documentation and creating 137 firewalls in general before hacking away. Have a look at the 138 list of <xref linkend="fw-library"/> at the end of this section for 139 more details. There you will find a list of URLs that contain quite 140 comprehensive information about building your own firewall.</para> 146 <para> 147 The example configurations provided for <xref linkend="iptables"/> 148 <!-- and <xref linkend="nftables"/> --> 149 are not intended to be a complete guide to 150 securing systems. Firewalling is a complex issue that requires careful 151 configuration. The configurations provided by BLFS are intended only to 152 give examples of how a firewall works. They are not intended to fit any 153 particular configuration and may not provide complete protection from 154 an attack. 155 </para> 141 156 </caution> 142 143 <para revision="sysv">The firewall configuration script installed in the 144 iptables section differs from the standard configuration script. It only 145 has two of the standard targets: start and status. The other targets are 146 clear and lock. For instance if you issue:</para> 147 148 <screen role="root" revision="sysv"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen> 149 150 <para revision="sysv">the firewall will be restarted just as it is upon 151 system startup. The status target will present a list of all currently 152 implemented rules. 
The clear target turns off all firewall rules and the 153 lock target will block all packets in and out of the computer with the 154 exception of the loopback interface.</para> 155 156 <para revision="sysv">The main startup firewall is located in the file 157 <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide 158 three different approaches that can be used for a system.</para> 159 160 <para revision="systemd">The main startup firewall is located in the file 161 <filename>/etc/systemd/scripts/iptables</filename>. The sections below 162 provide three different approaches that can be used for a system.</para> 163 164 <note> 165 <para>You should always run your firewall rules from a script. 166 This ensures consistency and a record of what was done. It also 167 allows retention of comments that are essential for understanding 168 the rules long after they were written.</para> 169 </note> 170 171 <sect3 id="fw-persFw" xreflabel="Personal Firewall"> 172 <title>Personal Firewall</title> 173 174 <para>A Personal Firewall is designed to let you access all the 175 services offered on the Internet, but keep your box secure and 176 your data private.</para> 177 178 <para>Below is a slightly modified version of Rusty Russell's 179 recommendation from the <ulink 180 url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html"> 181 Linux 2.4 Packet Filtering HOWTO</ulink>. 
It is still applicable 182 to the Linux 2.6 kernels.</para> 183 184 <screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat > /etc/rc.d/rc.iptables << "EOF" 185 <literal>#!/bin/sh 186 187 # Begin rc.iptables 188 189 # Insert connection-tracking modules 190 # (not needed if built into the kernel) 191 modprobe nf_conntrack 192 modprobe xt_LOG 193 194 # Enable broadcast echo Protection 195 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 196 197 # Disable Source Routed Packets 198 echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 199 echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route 200 201 # Enable TCP SYN Cookie Protection 202 echo 1 > /proc/sys/net/ipv4/tcp_syncookies 203 204 # Disable ICMP Redirect Acceptance 205 echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects 206 207 # Do not send Redirect Messages 208 echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects 209 echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects 210 211 # Drop Spoofed Packets coming in on an interface, where responses 212 # would result in the reply going out a different interface. 213 echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter 214 echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 215 216 # Log packets with impossible addresses. 217 echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 218 echo 1 > /proc/sys/net/ipv4/conf/default/log_martians 219 220 # be verbose on dynamic ip-addresses (not needed in case of static IP) 221 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 222 223 # disable Explicit Congestion Notification 224 # too many routers are still ignorant 225 echo 0 > /proc/sys/net/ipv4/tcp_ecn 226 227 # Set a known state 228 iptables -P INPUT DROP 229 iptables -P FORWARD DROP 230 iptables -P OUTPUT DROP 231 232 # These lines are here in case rules are already in place and the 233 # script is ever rerun on the fly. We want to remove all rules and 234 # pre-existing user defined chains before we implement new rules. 
235 iptables -F 236 iptables -X 237 iptables -Z 238 239 iptables -t nat -F 240 241 # Allow local-only connections 242 iptables -A INPUT -i lo -j ACCEPT 243 244 # Free output on any interface to any ip for any service 245 # (equal to -P ACCEPT) 246 iptables -A OUTPUT -j ACCEPT 247 248 # Permit answers on already established connections 249 # and permit new connections related to established ones 250 # (e.g. port mode ftp) 251 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 252 253 # Log everything else. What's Windows' latest exploitable vulnerability? 254 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 255 256 # End $rc_base/rc.iptables</literal> 257 EOF 258 chmod 700 /etc/rc.d/rc.iptables</userinput></screen> 259 260 261 <screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts 262 263 cat > /etc/systemd/scripts/iptables << "EOF" 264 <literal>#!/bin/sh 265 266 # Begin /etc/systemd/scripts/iptables 267 268 # Insert connection-tracking modules 269 # (not needed if built into the kernel) 270 modprobe nf_conntrack 271 modprobe xt_LOG 272 273 # Enable broadcast echo Protection 274 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 275 276 # Disable Source Routed Packets 277 echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 278 echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route 279 280 # Enable TCP SYN Cookie Protection 281 echo 1 > /proc/sys/net/ipv4/tcp_syncookies 282 283 # Disable ICMP Redirect Acceptance 284 echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects 285 286 # Do not send Redirect Messages 287 echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects 288 echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects 289 290 # Drop Spoofed Packets coming in on an interface, where responses 291 # would result in the reply going out a different interface. 
292 echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter 293 echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 294 295 # Log packets with impossible addresses. 296 echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 297 echo 1 > /proc/sys/net/ipv4/conf/default/log_martians 298 299 # be verbose on dynamic ip-addresses (not needed in case of static IP) 300 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 301 302 # disable Explicit Congestion Notification 303 # too many routers are still ignorant 304 echo 0 > /proc/sys/net/ipv4/tcp_ecn 305 306 # Set a known state 307 iptables -P INPUT DROP 308 iptables -P FORWARD DROP 309 iptables -P OUTPUT DROP 310 311 # These lines are here in case rules are already in place and the 312 # script is ever rerun on the fly. We want to remove all rules and 313 # pre-existing user defined chains before we implement new rules. 314 iptables -F 315 iptables -X 316 iptables -Z 317 318 iptables -t nat -F 319 320 # Allow local-only connections 321 iptables -A INPUT -i lo -j ACCEPT 322 323 # Free output on any interface to any ip for any service 324 # (equal to -P ACCEPT) 325 iptables -A OUTPUT -j ACCEPT 326 327 # Permit answers on already established connections 328 # and permit new connections related to established ones 329 # (e.g. port mode ftp) 330 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 331 332 # Log everything else. What's Windows' latest exploitable vulnerability? 
333 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 334 335 # End /etc/systemd/scripts/iptables</literal> 336 EOF 337 chmod 700 /etc/systemd/scripts/iptables</userinput></screen> 338 339 <para>This script is quite simple, it drops all traffic coming 340 into your computer that wasn't initiated from your computer, but 341 as long as you are simply surfing the Internet you are unlikely 342 to exceed its limits.</para> 343 344 <para>If you frequently encounter certain delays at accessing 345 FTP servers, take a look at <xref linkend="fw-BB-4"/>.</para> 346 347 <para>Even if you have daemons or services running on your system, 348 these will be inaccessible everywhere but from your computer itself. 349 If you want to allow access to services on your machine, such as 350 <command>ssh</command> or <command>ping</command>, take a look at 351 <xref linkend="fw-busybox"/>.</para> 352 353 </sect3> 354 355 <sect3 id="fw-masqRouter" xreflabel="Masquerading Router"> 356 <title>Masquerading Router</title> 357 358 <para>A true Firewall has two interfaces, one connected to an 359 intranet, in this example <emphasis role="strong">eth0</emphasis>, 360 and one connected to the Internet, here <emphasis 361 role="strong">ppp0</emphasis>. To provide the maximum security 362 for the firewall itself, make sure that there are no unnecessary 363 servers running on it such as <application>X11</application> et 364 al. As a general principle, the firewall itself should not access 365 any untrusted service (think of a remote server giving answers that 366 makes a daemon on your system crash, or even worse, that implements 367 a worm via a buffer-overflow).</para> 368 369 <screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat > /etc/rc.d/rc.iptables << "EOF" 370 <literal>#!/bin/sh 371 372 # Begin rc.iptables 373 374 echo 375 echo "You're using the example configuration for a setup of a firewall" 376 echo "from Beyond Linux From Scratch." 
377 echo "This example is far from being complete, it is only meant" 378 echo "to be a reference." 379 echo "Firewall security is a complex issue, that exceeds the scope" 380 echo "of the configuration rules below." 381 echo "You can find additional information" 382 echo "about firewalls in Chapter 4 of the BLFS book." 383 echo "http://www.&lfs-domainname;/blfs" 384 echo 385 386 # Insert iptables modules (not needed if built into the kernel). 387 388 modprobe nf_conntrack 389 modprobe nf_conntrack_ftp 390 modprobe xt_conntrack 391 modprobe xt_LOG 392 modprobe xt_state 393 394 # Enable broadcast echo Protection 395 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 396 397 # Disable Source Routed Packets 398 echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 399 400 # Enable TCP SYN Cookie Protection 401 echo 1 > /proc/sys/net/ipv4/tcp_syncookies 402 403 # Disable ICMP Redirect Acceptance 404 echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects 405 406 # Don't send Redirect Messages 407 echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects 408 409 # Drop Spoofed Packets coming in on an interface where responses 410 # would result in the reply going out a different interface. 411 echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 412 413 # Log packets with impossible addresses. 414 echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 415 416 # Be verbose on dynamic ip-addresses (not needed in case of static IP) 417 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 418 419 # Disable Explicit Congestion Notification 420 # Too many routers are still ignorant 421 echo 0 > /proc/sys/net/ipv4/tcp_ecn 422 423 # Set a known state 424 iptables -P INPUT DROP 425 iptables -P FORWARD DROP 426 iptables -P OUTPUT DROP 427 428 # These lines are here in case rules are already in place and the 429 # script is ever rerun on the fly. We want to remove all rules and 430 # pre-existing user defined chains before we implement new rules. 
431 iptables -F 432 iptables -X 433 iptables -Z 434 435 iptables -t nat -F 436 437 # Allow local connections 438 iptables -A INPUT -i lo -j ACCEPT 439 iptables -A OUTPUT -o lo -j ACCEPT 440 441 # Allow forwarding if the initiated on the intranet 442 iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 443 iptables -A FORWARD ! -i ppp+ -m conntrack --ctstate NEW -j ACCEPT 444 445 # Do masquerading 446 # (not needed if intranet is not using private ip-addresses) 447 iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE 448 449 # Log everything for debugging 450 # (last of all rules, but before policy rules) 451 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 452 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD " 453 iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " 454 455 # Enable IP Forwarding 456 echo 1 > /proc/sys/net/ipv4/ip_forward</literal> 457 EOF 458 chmod 700 /etc/rc.d/rc.iptables</userinput></screen> 459 460 <screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts 461 462 cat > /etc/systemd/scripts/iptables << "EOF" 463 <literal>#!/bin/sh 464 465 # Begin /etc/systemd/scripts/iptables 466 467 echo 468 echo "You're using the example configuration for a setup of a firewall" 469 echo "from Beyond Linux From Scratch." 470 echo "This example is far from being complete, it is only meant" 471 echo "to be a reference." 472 echo "Firewall security is a complex issue, that exceeds the scope" 473 echo "of the configuration rules below." 474 475 echo "You can find additional information" 476 echo "about firewalls in Chapter 4 of the BLFS book." 477 echo "http://www.&lfs-domainname;/blfs" 478 echo 479 480 # Insert iptables modules (not needed if built into the kernel). 
481 482 modprobe nf_conntrack 483 modprobe nf_conntrack_ftp 484 modprobe xt_conntrack 485 modprobe xt_LOG 486 modprobe xt_state 487 488 # Enable broadcast echo Protection 489 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 490 491 # Disable Source Routed Packets 492 echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 493 494 # Enable TCP SYN Cookie Protection 495 echo 1 > /proc/sys/net/ipv4/tcp_syncookies 496 497 # Disable ICMP Redirect Acceptance 498 echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects 499 500 # Don't send Redirect Messages 501 echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects 502 503 # Drop Spoofed Packets coming in on an interface where responses 504 # would result in the reply going out a different interface. 505 echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 506 507 # Log packets with impossible addresses. 508 echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 509 510 # Be verbose on dynamic ip-addresses (not needed in case of static IP) 511 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 512 513 # Disable Explicit Congestion Notification 514 # Too many routers are still ignorant 515 echo 0 > /proc/sys/net/ipv4/tcp_ecn 516 517 # Set a known state 518 iptables -P INPUT DROP 519 iptables -P FORWARD DROP 520 iptables -P OUTPUT DROP 521 522 # These lines are here in case rules are already in place and the 523 # script is ever rerun on the fly. We want to remove all rules and 524 # pre-existing user defined chains before we implement new rules. 525 iptables -F 526 iptables -X 527 iptables -Z 528 529 iptables -t nat -F 530 531 # Allow local connections 532 iptables -A INPUT -i lo -j ACCEPT 533 iptables -A OUTPUT -o lo -j ACCEPT 534 535 # Allow forwarding if the initiated on the intranet 536 iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 537 iptables -A FORWARD ! 
-i ppp+ -m conntrack --ctstate NEW -j ACCEPT 538 539 # Do masquerading 540 # (not needed if intranet is not using private ip-addresses) 541 iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE 542 543 # Log everything for debugging 544 # (last of all rules, but before policy rules) 545 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 546 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD " 547 iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " 548 549 # Enable IP Forwarding 550 echo 1 > /proc/sys/net/ipv4/ip_forward 551 552 # End /etc/systemd/scripts/iptables</literal> 553 EOF 554 chmod 700 /etc/systemd/scripts/iptables</userinput></screen> 555 556 <para>With this script your intranet should be reasonably secure 557 against external attacks. No one should be able to setup a new 558 connection to any internal service and, if it's masqueraded, 559 makes your intranet invisible to the Internet. Furthermore, your 560 firewall should be relatively safe because there are no services 561 running that a cracker could attack.</para> 562 563 <note> 564 <para>If the interface you're connecting to the Internet 565 doesn't connect via PPP, you will need to change 566 <replaceable><ppp+></replaceable> to the name of the interface 567 (e.g., <emphasis role="strong">eth1</emphasis>) which you are 568 using.</para> 569 </note> 570 571 </sect3> 572 573 <sect3 id="fw-busybox" xreflabel="BusyBox"> 574 <title>BusyBox</title> 575 576 <para>This scenario isn't too different from the <xref 577 linkend="fw-masqRouter"/>, but additionally offers some 578 services to your intranet. Examples of this can be when 579 you want to administer your firewall from another host on 580 your intranet or use it as a proxy or a name server.</para> 581 582 <note> 583 <para>Outlining a true concept of how to protect a server that 584 offers services on the Internet goes far beyond the scope of 585 this document. 
See the references at the end of this section 586 for more information.</para> 587 </note> 588 589 <para>Be cautious. Every service you have enabled makes your 590 setup more complex and your firewall less secure. You are 591 exposed to the risks of misconfigured services or running 592 a service with an exploitable bug. A firewall should generally 593 not run any extra services. See the introduction to the 594 <xref linkend="fw-masqRouter"/> for some more details.</para> 595 596 <para>If you want to add services such as internal Samba or 597 name servers that do not need to access the Internet themselves, 598 the additional statements are quite simple and should still be 599 acceptable from a security standpoint. Just add the following lines 600 into the script <emphasis>before</emphasis> the logging rules.</para> 601 602 <screen><literal>iptables -A INPUT -i ! ppp+ -j ACCEPT 603 iptables -A OUTPUT -o ! ppp+ -j ACCEPT</literal></screen> 604 605 <para>If daemons, such as squid, have to access the Internet 606 themselves, you could open OUTPUT generally and restrict 607 INPUT.</para> 608 609 <screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 610 iptables -A OUTPUT -j ACCEPT</literal></screen> 611 612 <para>However, it is generally not advisable to leave OUTPUT 613 unrestricted. You lose any control over trojans who would like 614 to "call home", and a bit of redundancy in case you've 615 (mis-)configured a service so that it broadcasts its existence 616 to the world.</para> 617 618 <para>To accomplish this, you should restrict INPUT and OUTPUT 619 on all ports except those that it's absolutely necessary to have 620 open. 
Which ports you have to open depends on your needs: mostly 621 you will find them by looking for failed accesses in your log 622 files.</para> 623 624 <itemizedlist spacing="compact" role='iptables'> 625 <title>Have a Look at the Following Examples:</title> 626 <listitem> 627 <para>Squid is caching the web:</para> 628 629 <screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 630 iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \ 631 -j ACCEPT</literal></screen> 632 633 </listitem> 634 <listitem> 635 <para>Your caching name server (e.g., named) does its 636 lookups via UDP:</para> 637 638 <screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen> 639 640 </listitem> 641 <listitem> 642 <para>You want to be able to ping your computer to 643 ensure it's still alive:</para> 644 645 <screen><literal>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 646 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</literal></screen> 647 648 </listitem> 649 <listitem> 650 <para id='fw-BB-4' xreflabel="BusyBox example number 4">If 651 you are frequently accessing FTP servers or enjoy chatting, you might 652 notice certain delays because some implementations of these daemons 653 have the feature of querying an identd on your system to obtain 654 usernames. 
Although there's really little harm in this, having an 655 identd running is not recommended because many security experts feel 656 the service gives out too much additional information.</para> 657 658 <para>To avoid these delays you could reject the requests 659 with a 'tcp-reset':</para> 660 661 <screen><literal>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen> 662 663 </listitem> 664 <listitem> 665 <para>To log and drop invalid packets (packets 666 that came in after netfilter's timeout or some types of 667 network scans) insert these rules at the top of the chain:</para> 668 669 <screen><literal>iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \ 670 -j LOG --log-prefix "FIREWALL:INVALID " 671 iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen> 672 673 </listitem> 674 <listitem> 675 <para>Anything coming from the outside should not have a 676 private address, this is a common attack called IP-spoofing:</para> 677 678 <screen><literal>iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP 679 iptables -A INPUT -i ppp+ -s 172.16.0.0/12 -j DROP 680 iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</literal></screen> 681 682 <para>There are other addresses that you may also want to 683 drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and 684 experimental), 169.254.0.0/16 (Link Local Networks), and 685 192.0.2.0/24 (IANA defined test network).</para> 686 </listitem> 687 <listitem> 688 <para>If your firewall is a DHCP client, you need to allow 689 those packets:</para> 690 691 <screen><literal>iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0 --sport 67 \ 692 -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen> 693 694 </listitem> 695 <listitem> 696 <para>To simplify debugging and be fair to anyone who'd like 697 to access a service you have disabled, purposely or by mistake, 698 you could REJECT those packets that are dropped.</para> 699 700 <para>Obviously this must be done directly 
after logging as the very 701 last lines before the packets are dropped by policy:</para> 702 703 <screen><literal>iptables -A INPUT -j REJECT</literal></screen> 704 705 </listitem> 706 </itemizedlist> 707 708 <para>These are only examples to show you some of the capabilities 709 of the firewall code in Linux. Have a look at the man page of iptables. 710 There you will find much more information. The port numbers needed for 711 this can be found in <filename>/etc/services</filename>, in case you 712 didn't find them by trial and error in your log file.</para> 713 714 </sect3> 715 716 </sect2> 717 718 <sect2 id="fw-finale" xreflabel="Conclusion"> 719 <title>Conclusion</title> 720 721 <para>Finally, there is one fact you must not forget: The effort spent 722 attacking a system corresponds to the value the cracker expects to gain 723 from it. If you are responsible for valuable information, you need to 724 spend the time to protect it properly.</para> 725 726 </sect2> 727 728 <sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information"> 157 <!-- 158 <para> 159 BLFS provides two utilities to manage the kernel Netfilter interface, 160 <xref linkend="iptables"/> and <xref linkend="nftables"/>. 161 </para> 162 --> 163 <para> 164 BLFS provides an utility to manage the kernel Netfilter interface, 165 <xref linkend="iptables"/>. It has been around since early 2.4 kernels, 166 and has been the standard since. This is likely the set of tools that 167 will be most familiar to existing admins. Other tools have been 168 developped more recently, see the list of further readings below 169 for more details. Here you will find a 170 list of URLs that contain comprehensive information about building 171 firewalls and further securing your system. 
172 </para> 173 <!-- 174 <para> 175 <xref linkend="nftables"/> is the successor to <xref linkend="iptables"/> 176 and provies all of the same functionality with a single userspace tool, 177 <command>nft</command>, that uses similar syntax to BSD's 178 <application>pf</application> utility, and may be easier for new users or 179 admins already familiar with that platform. 180 </para> 181 182 <para> 183 While both can be used in tandem, that is an advanced configuration and 184 you should decide on one or the other. Both pages include very simple 185 example configurations, and customization of the provided configurations 186 for your specific environment will be necessary if you elect to use 187 either without a configuration tool. 188 </para> 189 190 <para> 191 Additionally, a firewall management tool, <xref linkend="firewalld"/>, is 192 provided to greatly ease firewall configuration for both simple and 193 complex environments, and can be used with either tool. You should not 194 use the example configurations if you intend to use 195 <application>firewalld</application> to manage your firewall rules. 196 </para> 197 198 <para> 199 If you elect to configure manually, have a look at the 200 list of further reading below for more details. Here you will find a 201 list of URLs that contain comprehensive information about building 202 firewalls and further securing your system. 
203 </para> 204 --> 205 </sect2> 206 207 <sect2 id="fw-extra-info"> 729 208 <title>Extra Information</title> 730 209 731 <sect3 id="fw-library" xreflabel="links for further reading">732 <title> Where to Start withFurther Reading on Firewalls</title>210 <sect3> 211 <title>Further Reading on Firewalls</title> 733 212 734 213 <blockquote> 735 214 <literallayout> 736 <ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>215 <ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables/nftables projects</ulink> 737 216 <ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink> 738 217 <ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink> 218 <ulink url="https://wiki.nftables.org/wiki-nftables/index.php/Main_Page">nftables HOWTO</ulink> 739 219 <ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink> 740 220 <ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink> … … 753 233 </blockquote> 754 234 755 <!-- The following are all dead links from the section above. 
They are756 moved out of the section so the literallayout won't produce blank757 lines in the rendered text758 759 <ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>760 <ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>761 <ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>762 <ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>763 <ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>764 <ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>765 <ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>766 767 -->768 769 235 </sect3> 770 236 -
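Review bot: the new paragraph at lines 163-172 needs a copy-edit before it is merged: "an utility" should be "a utility", "developped" should be "developed", "has been the standard since" is missing its object (for example "has been the standard netfilter front end since"), and "see the list of further readings below" should be "further reading". The same hunk also drops anchors that other pages of the book may cross-reference: `<para id='fw-BB-4' xreflabel="BusyBox example number 4">`, the `fw-finale` Conclusion section, `<sect3 id="fw-library" xreflabel="links for further reading">` (now a bare `<sect3>`), and `postlfs-security-fw-extra` (renamed to `fw-extra-info`). Any `<xref linkend="..."/>` pointing at those ids elsewhere will now fail validation, so grep the tree for them before merging, or keep the old ids on the renamed elements. Note too that the Conclusion paragraph is deleted outright while the example list is moved to iptables.xml; if dropping it is intended, the commit message should say so.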
postlfs/security/iptables.xml
rbbe17e2 r018c0cc3 75 75 <bridgehead renderas="sect4">Optional</bridgehead> 76 76 <para role="optional"> 77 <!--<xref linkend="nftables"/>, -->77 <!-- <xref linkend="nftables"/>, --> 78 78 <xref linkend="libpcap"/> (required for nfsypproxy support), 79 79 <ulink url="https://github.com/tadamdam/bpf-utils">bpf-utils</ulink> 80 80 (required for Berkely Packet Filter support), 81 81 <ulink url="https://netfilter.org/projects/libnfnetlink/">libnfnetlink</ulink> 82 (required for connlabel support), and83 <ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack"</ulink> 82 (required for connlabel support), 83 <ulink url="https://netfilter.org/projects/libnetfilter_conntrack/">libnetfilter_conntrack"</ulink>, and 84 84 (required for connlabel support) 85 <ulink url="https://netfilter.org/projects/nftables/">nftables</ulink> 85 86 </para> 86 87 … … 114 115 Include any connection tracking protocols that will be used, as well as 115 116 any protocols that you wish to use for match support under the 116 "Core Netfilter Configuration" section. <!--The above options are enough117 for running <xref linkend="fw-persFw-ipt"/> below. -->117 "Core Netfilter Configuration" section. The above options are enough 118 for running <xref linkend="fw-persFw-ipt"/> below. 118 119 </para> 119 120 … … 210 211 211 212 </sect2> 212 <!-- 213 213 214 <sect2 role="configuration"> 214 215 <title>Configuring iptables</title> 215 216 <!-- 216 217 <note> 217 218 <para> … … 223 224 </para> 224 225 </note> 225 226 --> 226 227 <note> 227 228 <para> … … 319 320 # and permit new connections related to established ones 320 321 # (e.g. port mode ftp) 321 322 iptables -A INPUT -m conntrack - -ctstate ESTABLISHED,RELATED -j ACCEPT 322 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 323 323 324 324 # Log everything else. What's Windows' latest exploitable vulnerability? 
325 iptables -A INPUT -j LOG - 325 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 326 326 327 327 # End $rc_base/rc.iptables</literal> … … 398 398 # and permit new connections related to established ones 399 399 # (e.g. port mode ftp) 400 iptables -A INPUT -m conntrack - 400 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 401 401 402 402 # Log everything else. What's Windows' latest exploitable vulnerability? 403 iptables -A INPUT -j LOG - 403 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 404 404 405 405 # End /etc/systemd/scripts/iptables</literal> … … 519 519 520 520 # Allow forwarding if the initiated on the intranet 521 iptables -A FORWARD -m conntrack - 522 iptables -A FORWARD ! -i WAN1 -m conntrack - 521 iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 522 iptables -A FORWARD ! -i WAN1 -m conntrack --ctstate NEW -j ACCEPT 523 523 524 524 # Do masquerading … … 528 528 # Log everything for debugging 529 529 # (last of all rules, but before policy rules) 530 iptables -A INPUT -j LOG - 531 iptables -A FORWARD -j LOG - 532 iptables -A OUTPUT -j LOG - 530 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 531 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD " 532 iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " 533 533 534 534 # Enable IP Forwarding … … 613 613 614 614 # Allow forwarding if the initiated on the intranet 615 iptables -A FORWARD -m conntrack - 616 iptables -A FORWARD ! -i WAN1 -m conntrack - 615 iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 616 iptables -A FORWARD ! 
-i WAN1 -m conntrack --ctstate NEW -j ACCEPT 617 617 618 618 # Do masquerading … … 622 622 # Log everything for debugging 623 623 # (last of all rules, but before policy rules) 624 iptables -A INPUT -j LOG - 625 iptables -A FORWARD -j LOG - 626 iptables -A OUTPUT -j LOG - 624 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 625 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD " 626 iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " 627 627 628 628 # Enable IP Forwarding … … 633 633 634 634 # Allow ping on the external interface 635 #iptables -A INPUT -p icmp -m icmp - 636 #iptables -A OUTPUT -p icmp -m icmp - 635 #iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 636 #iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT 637 637 638 638 # Reject ident packets with TCP reset to avoid delays with FTP or IRC 639 #iptables -A INPUT -p tcp - -dport 113 -j REJECT --reject-with tcp-reset639 #iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset 640 640 641 641 # Allow HTTP and HTTPS to 192.168.0.2 642 #iptables -A PREROUTING -t nat -i WAN1 -p tcp - -dport 80 -j DNAT --to 192.168.0.2643 #iptables -A PREROUTING -t nat -i WAN1 -p tcp - -dport 443 -j DNAT --to 192.168.0.2644 #iptables -A FORWARD -p tcp -d 192.168.0.2 - 645 #iptables -A FORWARD -p tcp -d 192.168.0.2 - 642 #iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 80 -j DNAT --to 192.168.0.2 643 #iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 443 -j DNAT --to 192.168.0.2 644 #iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT 645 #iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 443 -j ACCEPT 646 646 647 647 # End /etc/systemd/scripts/iptables</literal> … … 706 706 </para> 707 707 708 <screen><literal>iptables -A INPUT -m conntrack - 708 <screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 709 709 iptables -A OUTPUT -j ACCEPT</literal></screen> 710 710 … … 732 732 </para> 733 733 734 
<screen><literal>iptables -A OUTPUT -p tcp - 735 iptables -A INPUT -p tcp - -sport 80 -m conntrack --ctstate ESTABLISHED \734 <screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 735 iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \ 736 736 -j ACCEPT</literal></screen> 737 737 … … 742 742 </para> 743 743 744 <screen><literal>iptables -A OUTPUT -p udp - 744 <screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen> 745 745 746 746 </listitem> … … 751 751 </para> 752 752 753 <screen><literal>iptables -A INPUT -p icmp -m icmp - 754 iptables -A OUTPUT -p icmp -m icmp - 753 <screen><literal>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 754 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</literal></screen> 755 755 756 756 </listitem> … … 770 770 </para> 771 771 772 <screen><literal>iptables -A INPUT -p tcp - -dport 113 -j REJECT --reject-with tcp-reset</literal></screen>772 <screen><literal>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen> 773 773 774 774 </listitem> … … 780 780 </para> 781 781 782 <screen><literal>iptables -I INPUT 0 -p tcp -m conntrack - 783 -j LOG - 784 iptables -I INPUT 1 -p tcp -m conntrack - 782 <screen><literal>iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \ 783 -j LOG --log-prefix "FIREWALL:INVALID " 784 iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen> 785 785 786 786 </listitem> … … 807 807 </para> 808 808 809 <screen><literal>iptables -A INPUT -i WAN1 -p udp -s 0.0.0.0 - 810 -d 255.255.255.255 - 809 <screen><literal>iptables -A INPUT -i WAN1 -p udp -s 0.0.0.0 --sport 67 \ 810 -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen> 811 811 812 812 </listitem> … … 863 863 864 864 </sect2> 865 --> 865 866 866 <sect2 role="content"> 867 867 <title>Contents</title>
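Review bot: in the Optional dependencies hunk (lines 82-85) the ", and" has been moved to the wrong place, so the list now reads `libnetfilter_conntrack"</ulink>, and (required for connlabel support) nftables`, which attaches the connlabel parenthetical to nftables instead of to libnetfilter_conntrack. Put the conjunction after the parenthetical (`(required for connlabel support), and` on line 84) and, while here, remove the stray `"` inside `libnetfilter_conntrack"</ulink>` on line 83 and fix "Berkely" to "Berkeley" in the unchanged bpf-utils line.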
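Review bot: the hunk at lines 210-227 takes the whole "Configuring iptables" sect2 out of its enclosing XML comment but leaves the `<note>` at 217-225 wrapped in a new `<!-- ... -->`. The reason every `--ctstate` and `--log-prefix` in this file had been mangled to `- -ctstate` is that `--` is not permitted inside an XML comment; the body of that note is not visible in this diff, so confirm it contains no `--` (for example a quoted command flag) or the file will no longer parse, and consider deleting the note entirely if it only described the section as unavailable.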
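Review bot: the restored catch-all `iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "` at line 325 (and likewise line 403, and the INPUT/FORWARD/OUTPUT LOG lines at 530-532 and 624-626) logs every packet that reaches the end of the chain with no rate limit, so a single port scan or flood can fill the kernel log and the journal on a small system. Since the rules are being made live again rather than merely uncommented, this is the moment to add a limit match in front of the target, for example `iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FIREWALL:INPUT "`. The comment above it ("What's Windows' latest exploitable vulnerability?") could also be replaced with a plain statement that unmatched packets are logged before the DROP policy applies.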
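Review bot: the "log and drop invalid packets" example at lines 782-784 does not work as written. Rule numbers for `-I` start at 1, so `iptables -I INPUT 0 ...` is rejected with an invalid rule number error; and even if both inserts used valid positions, inserting the LOG rule first and then the DROP rule at position 1 places DROP in front of LOG, so the INVALID packets are dropped before anything is logged. Insert the DROP rule first and then the LOG rule at position 1 (or LOG at 1 and DROP at 2) so the chain reads LOG, DROP. Also consider whether the `-p tcp` qualifier is intended, since INVALID conntrack state applies to UDP and ICMP as well.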
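Review bot: the DHCP client rule restored at lines 809-810, `iptables -A INPUT -i WAN1 -p udp -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT`, will not match real server traffic: 0.0.0.0 is the source address the client uses for its own DISCOVER/REQUEST, whereas the server's OFFER and ACK are sourced from the server's address (RFC 2131). Drop the `-s 0.0.0.0` match and key on `--sport 67 --dport 68` on the WAN interface instead. It is also worth a sentence in the text that common Linux clients such as dhclient and dhcpcd receive these replies through packet sockets, so the reply is seen before netfilter's INPUT chain; the rule only matters for clients that use ordinary UDP sockets.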
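Review bot: the Squid example at lines 734-736 accepts `--sport 80 --ctstate ESTABLISHED` on INPUT, which is already covered by the unconditional `iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` restored at line 708 in the same file; either delete the redundant INPUT line or note in the text that it is only needed when that generic rule is absent. A proxy fetching HTTPS origins also needs `--dport 443` on OUTPUT alongside port 80, which the example does not show.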