Context Navigation

← Previous Change
Next Change →

Changeset 0e3848e3 for postlfs

Timestamp:

03/13/2005 07:24:56 AM (19 years ago)

Author:

Bruce Dubbs <bdubbs@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

Parents:

Message:

Update firewalling section

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@3539 af4574ff-66df-0310-9fd7-8a98e5e911e0

Location:

postlfs/security

Files:

: 2 edited

firewalling.xml (modified) (11 diffs)
iptables.xml (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

postlfs/security/firewalling.xml

-              rf8962fe
+              r0e3848e3
 <title>Setting up a network firewall</title>
 <para>Before you read this part of the chapter, note that we assume that you
+<para>Before you read this part of the chapter, you should
 have already installed iptables as described in the previous section.</para>
 …
 <title>Introduction to Firewall Creation</title>
+<para>The general purpose of a firewall is to protect a network
+against malicious access by using a single machine as a firewall.
+This does imply that the firewall is to be considered a single point
+of failure, but it can make the administrator's life a lot easier.</para>
+<para>In a perfect world where you knew that every daemon or service
+on every machine was perfectly configured and was immune to, e.g.,
+buffer-overflows and any other imaginable problem regarding its
+security, and where you trusted every user accessing your services
+to aim no harm, you wouldn't need to have a firewall!
+In the real world however, daemons may be misconfigured,
+exploits against essential services are freely available, you
+may wish to choose which services are accessible by certain machines,
+you may wish to limit which machines or applications are allowed
+to have Internet access, or you may simply not trust some of your
+apps or users. In these situations you might benefit by using a
+firewall.</para>
+<para>Don't assume however, that having a firewall makes careful
+configuration redundant, or that it makes any negligent
+misconfiguration harmless. It also doesn't prevent anyone from exploiting a
+service you intentionally offer but haven't recently updated or patched
+after an exploit went public.  Despite having a firewall, you need to
+keep applications and daemons on your system well-configured and
+up-to-date; a firewall is not a cure-all!</para>
+<para>The general purpose of a firewall is to protect a computer or a network
+against malicious access.</para>
+<para>In a perfect world, every daemon or service
+on every machine is perfectly configured and immune to flaws such as
+buffer overflows or other problems regarding its
+security. Furthermore, you trust every user accessing your services.
+In this world, you do not need to have a firewall.</para>
+<para>In the real world however, daemons may be misconfigured
+and exploits against essential services are freely available.  You
+may wish to choose which services are accessible by certain machines or
+you may wish to limit which machines or applications are allowed external
+access. Alternatively, you may simply not trust some of your
+applications or users. You are probably connected to the Internet.  In this
+world, a firewall is essential.</para>
+<para>Don't assume however, that having a firewall makes careful configuration
+redundant, or that it makes any negligent misconfiguration harmless. It doesn't
+prevent anyone from exploiting a service you intentionally offer but haven't
+recently updated or patched after an exploit went public.  Despite having a
+firewall, you need to keep applications and daemons on your system properly
+configured and up to date.  A firewall is not a cure all, but should be an
+essential part of your overall security startegy.</para>
 </sect2>
 <sect2>
 <title>Meaning of the word firewall.</title>
+<title>Meaning of the word "firewall"</title>
 <para>The word firewall can have several different meanings.</para>
 …
 <sect3><title><xref linkend="fw-persFw"/></title>
 <para>This is a setup or program, for Windows commercially sold by
 companies such as Symantec, of which they claim or pretend that it
 secures a home or desktop-pc with Internet access. This topic is
 highly relevant for users who do not know the methods their computers
 might be accessed via the Internet or how to disable them,
+<para>This is a hardware device or software program commercially sold by
+companies such as Symantec which claims that it
+secures a home or desktop computer with Internet access. This type of firewall is
+highly relevant for users who do not know how their computers
+might be accessed via the Internet or how to disable that access,
 especially if they are always online and connected via
 broadband links.</para></sect3>
+<sect3><title><xref linkend="fw-masqRouter"/></title>
+<para>This is a box placed between the Internet and an intranet.
+To minimize the risk of compromising the firewall itself it
+should generally have only one role, that of protecting the intranet.
+Although not completely risk free, the tasks of doing the routing
+and eventually IP masquerading (rewriting IP-headers
+of the packets it routes from clients with private IP-addresses onto
+the Internet so that they seem to come from the firewall
+itself) are commonly considered harmless.</para></sect3>
+<sect3><title><xref linkend="fw-busybox"/></title>
+<para>This is often an old box you may have retired and nearly forgotten,
+performing masquerading or routing functions, but offering a bunch of
+services, e.g., web-cache, mail, etc.  This may be very commonly used
+for home networks, but can definitely not be considered as secure
+anymore because the combining of server and router on one machine raises
+the complexity of the setup.</para></sect3>
+<sect3><title>Firewall with a demilitarized zone [not further described
+here]</title>
+<sect3>
+<title><xref linkend="fw-masqRouter"/></title>
+<para>This is a system placed between the Internet and an intranet.  To minimize
+the risk of compromising the firewall itself, it should generally have only one
+role&mdash;that of protecting the intranet.  Although not completely risk free,
+the tasks of doing the routing and  IP masquerading (rewriting IP headers of
+the packets it routes from clients with private IP addresses onto the Internet
+so that they seem to come from the firewall itself) are commonly considered
+relatively secure.</para>
+</sect3>
+<sect3>
+<title><xref linkend="fw-busybox"/></title>
+<para>This is often an old computer you may have retired and nearly forgotten,
+performing masquerading or routing functions, but offering non-firewall
+services such as a web-cache or mail.  This may be used for home
+networks, but is not be considered as secure as a firewall only
+machine because the combination of server and router/firewall on one machine
+raises the complexity of the setup.</para>
+</sect3>
+<sect3>
+<title>Firewall with a demilitarized zone [not further described here]</title>
 <para>This box performs masquerading or routing, but grants public access to
 some branch of your network which, because of public IP's and a physically
+separated structure, is neither considered to be part of the inter- nor
+intranet.  These servers are those which must be easily accessible
+from both the inter- and intranet. The firewall protects
+them all.</para></sect3>
+<sect3><title>Packetfilter / partly accessible net [partly described
+here, see <xref linkend="fw-busybox"/>]</title>
+<para>Doing routing or masquerading, but permitting only selected
+services to be accessible, sometimes only by selected internal users or boxes;
+mostly used in highly secure business contexts, sometimes by distrusting
+employers.  This was the common configuration of a firewall at the time of
+the Linux 2.2 kernel.  It's still possible to configure a firewall this way,
+but it makes the rules quite complex and lengthy.</para></sect3>
+separated structure, is essentially a separate network with direct Internet access.
+The servers on this network are those which must be easily accessible
+from both the Internet and intranet. The firewall protects
+both networks. This type of firewall has a minimum of three network interfaces.</para>
+</sect3>
+<sect3>
+<title>Packetfilter</title>
+<para>This type of firewall does routing or masquerading, but does not maintain
+a state table of ongoing communication streams. It is fast, but quite limited
+in its ability to block inappropriate packets without blocking desired
+packets.</para>
+</sect3>
 </sect2>
+<sect2 id="postlfs-security-fw-disclaimer" xreflabel="Disclaimer">
+<title>Disclaimer</title>
+<!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM
+ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS
+DOCUMENT.</emphasis></para> -->
+<para>This document is meant as an introduction to how to setup a firewall.  It
+<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
+<title>Now you can start to build your Firewall</title>
+<caution><para>This introduction on how to setup a firewall
 is not a complete guide to securing systems.  Firewalling is a complex issue
 that requires careful configuration.  The scripts quoted here are simply
+intended to give examples as to how a firewall works, they are not intended to
+fit into any imaginable configuration and may not prevent any imaginable
+attack.</para>
+<para>The purpose of this text is simply to give you a hint on how to get
+started with a firewall.</para>
+intended to give examples of how a firewall works. They are not intended to
+fit into any particular configuration and may not provide complete protection
+from an attack.</para>
 <para>Customization of these scripts for your specific situation will
 …
 hacking away.  Have a look at the list of
 <xref linkend="fw-library"/> at the end of this section for
 more details.  Here you will find a list of URLs that contain quite
+more details.  There you will find a list of URLs that contain quite
 comprehensive information about building your own firewall.</para>
+</sect2>
+<sect2 id="fw-kernel" xreflabel="getting a firewalling-enabled Kernel">
+<title>Getting a firewall enabled Kernel</title>
+<indexterm zone="fw-kernel">
+<primary sortas="d-Firewalls">Firewalls (using iptables)</primary>
+</indexterm>
+<para>If you want your Linux-Box to have a firewall, you must first ensure
+that your kernel has been compiled with the relevant options turned on.
+<!-- <footnote><para>If you needed assistance how to configure, compile and
+install a new kernel, refer back to chapter VIII of the LinuxFromScratch book,
+<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">
+Installing a kernel</ulink>  and eventually
+<ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">
+Making the LFS system bootable</ulink>; note, that you'll need to reboot
+to actually run your new kernel.</para></footnote>-->
+</para>
+<para>How to configure your kernel, with enabling the options to be
+either compiled into the kernel or as modules, depends on your personal
+preferences and experience. Note, that for the quoted scripts it is assumed
+that the modules need to be loaded at first.</para>
+<screen>Network options menu
+  Network packet filtering:                         Y
+  Unix domain sockets:                         Y or M
+  TCP/IP networking:                                Y
+  IP: advanced router:                              Y
+  IP: verbose route monitoring:                     Y
+  IP: TCP Explicit Congestion Notification support: Y
+  IP: TCP syncookie support:                        Y
+  IP: Netfilter Configuration menu
+    Every option except:                       Y or M
+      ipchains (2.2-style) support                  N
+      ipfwadm (2.0-style) support                   N
+  Fast switching:                                   N</screen>
+<!--
+<table frame='none'>
+<title>Essential config-options for a firewall enabled Kernel</title>
+<tgroup cols='5'>
+<colspec colnum='1' colwidth='8*'  align='center'/>
+<colspec colnum='2' colwidth='19*' align='left'/>
+<colspec colnum='3' colwidth='11*' align='center'/>
+<colspec colnum='4' colwidth='1*'  align='center'/>
+<colspec colnum='5' colwidth='14*' align='left'/>
+<tbody>
+<row>
+<entry><emphasis><userinput>Networking options:</userinput></emphasis></entry>
+<entry><userinput>Network packet filtering</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_NETFILTER</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>Unix domain sockets</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_UNIX</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>IP: TCP/IP networking</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_INET</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>IP: advanced router</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_IP_ADVANCED_ROUTER</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>IP: verbose route monitoring</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_IP_ROUTE_VERBOSE</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_INET_ECN</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>IP: TCP syncookie support</userinput></entry>
+<entry></entry>
+<entry>=</entry>
+<entry>CONFIG_SYN_COOKIES</entry>
+</row>
+<row>
+<entry></entry>
+<entry align='center'>
+<emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry>
+<entry align='left'><userinput>every option</userinput></entry>
+<entry>=</entry>
+<entry>CONFIG_IP_NF_*</entry>
+</row>
+<row>
+<entry></entry>
+<entry align='right'><emphasis>WITHOUT:</emphasis></entry>
+<entry align='left'><literallayout><userinput>ipchains (2.2-style) support
+ipfw-adm (2.0-style) support</userinput></literallayout></entry>
+<entry>w\</entry>
+<entry>CONFIG_IP_NF_COMPAT_*</entry>
+</row>
+<row>
+<entry></entry>
+<entry><userinput>Fast switching</userinput></entry>
+<entry>Make sure to disable it because it would setup a bypass around
+your firewall rules.</entry>
+<entry>w\</entry>
+<entry>CONFIG_NET_FASTROUTE</entry>
+</row>
+</tbody>
+</tgroup>
+</table> -->
+</sect2>
+<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
+<title>Now you can start to build your Firewall</title>
+</caution>
+<para>The firewall configuration script installed in the last section differs
+from the standard configuration script.  It only has two of the standard
+targets: start and status.  The other targets are clear and lock.  For instance when you
+run:
+<screen><userinput><command>/etc/rc.d/init.d/iptables start</command></userinput></screen>
+the firewall will be restarted just as it is upon system startup.  The status target
+will present a list of all currently implemented rules.  The clear target turns off all
+firewall rules and the lock target will block all packets in and out of the computer
+with the exception of the loopback interface.</para>
+<para>The main startup firewall is located in the file
+<filename>/etc/rc.d/rc.iptables</filename>.  The sections below provide three different
+approaches that can be used for a system.</para>
+<note><para>You should always run your firewall rules from a script.  This ensures
+consistency and a record of what was done.  It also allows retention of comments
+that are essential for understanding the rules long after they were written.
+</para></note>
 <sect3 id="fw-persFw" xreflabel="Personal Firewall">
 <title>Personal Firewall</title>
 <para>A Personal Firewall is supposed to let you access all the services
+<para>A Personal Firewall is designed to let you access all the services
 offered on the Internet, but keep your box secure and your data private.</para>
 <para>Below is a slightly modified version of Rusty Russell's recommendation
 from the <ulink
 url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
 Linux 2.4 Packet Filtering HOWTO</ulink>:</para>
 <screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
+from the
+<ulink url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
+Linux 2.4 Packet Filtering HOWTO</ulink>.  It is still applicable to the Linux 2.6 kernels.</para>
+<screen><userinput><command>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"</command>
 #!/bin/sh
 # Begin $rc_base/init.d/firewall
+# Begin $rc_base/rc.iptables
 # Insert connection-tracking modules
 …
 modprobe ipt_LOG
+# allow local-only connections
+# Enable broadcast echo Protection
+echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# Disable Source Routed Packets
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
+# Enable TCP SYN Cookie Protection
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# Disable ICMP Redirect Acceptance
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
+# Don¹t send Redirect Messages
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
+# Drop Spoofed Packets coming in on an interface, where responses
+# would result in the reply going out a different interface.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
+# Log packets with impossible addresses.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
+# be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# disable Explicit Congestion Notification
+# too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# Set a known state
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# These lines are here in case rules are already in place and the
+# script is ever rerun on the fly. We want to remove all rules and
+# pre-exisiting user defined chains before we implement new rules.
+iptables -F
+iptables -X
+iptables -Z
+iptables -t nat -F
+# Allow local-only connections
 iptables -A INPUT  -i lo -j ACCEPT
 # free output on any interface to any ip for any service
+# Free output on any interface to any ip for any service
 # (equal to -P ACCEPT)
 iptables -A OUTPUT -j ACCEPT
 # permit answers on already established connections
+# Permit answers on already established connections
 # and permit new connections related to established ones
 # (eg active-ftp)
+# (e.g. port mode ftp)
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 # Log everything else:  What's Windows' latest exploitable vulnerability?
+# Log everything else. What's Windows' latest exploitable vulnerability?
 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
+# set a sane policy:    everything not accepted &gt; /dev/null
+iptables -P INPUT    DROP
+iptables -P FORWARD  DROP
+iptables -P OUTPUT   DROP
+# be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# disable ExplicitCongestionNotification
+# too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# End $rc_base/init.d/firewall
+# End $rc_base/rc.iptables
 <command>EOF</command></userinput></screen>
 <para>His script is quite simple, it drops all traffic coming in into your
+<para>This script is quite simple, it drops all traffic coming in into your
 computer that wasn't initiated from your box, but as long as you are simply
 surfing the Internet you are unlikely to exceed its limits.</para>
 <para>If you frequently encounter certain delays at accessing ftp-servers,
+please have a look at <xref linkend="fw-busybox"/> -
+<xref linkend="fw-BB-4"/>.</para>
+<para>Even if you have daemons or services running on your box, these
+should be inaccessible everywhere but from your box itself.
+take a look at <xref linkend="fw-BB-4"/>.</para>
+<para>Even if you have daemons or services running on your system, these
+will be inaccessible everywhere but from your computer itself.
 If you want to allow access to services on your machine, such as ssh or
+pinging, take a look at <xref linkend="fw-busybox"/>.</para>
+</sect3>
+ping, take a look at <xref linkend="fw-busybox"/>.</para>
+</sect3>
 <sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
 <title>Masquerading Router</title>
+<para>A true Firewall has two interfaces, one connected to an intranet,
+in this example, <emphasis role="strong">eth0</emphasis>, and one
+connected to the Internet, here, <emphasis role="strong">ppp0</emphasis>.
+To provide the maximum security against the box itself being broken into,
+make sure that there are no servers running on it, especially not
+<application>X11</application> et
+al.  And, as a general principle, the box itself should not access any
+untrusted service (Think of a name server giving answers that make your
+bind crash, or, even worse, that implement a worm via a
+buffer-overflow).</para>
+<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall &lt;&lt; "EOF"</command>
+<para>A true Firewall has two interfaces, one connected to an intranet, in this
+example <emphasis role="strong">eth0</emphasis>, and one connected to the
+Internet, here <emphasis role="strong">ppp0</emphasis>.  To provide the
+maximum security for the firewall itself, make sure that there
+are no unnecessary servers running on it such as <application>X11</application> et
+al.  As a general principle, the firewall itself should not access any
+untrusted service (Think of a remote server giving answers that makes a daemin on
+your system
+crash, or, even worse, that implements a worm via a buffer-overflow).</para>
+<screen><userinput><command>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"</command>
 #!/bin/sh
 # Begin $rc_base/init.d/firewall
+# Begin $rc_base/rc.iptables
 echo
 echo "You're using the example-config for a setup of a firewall"
 echo "from the firewalling-hint written for LinuxFromScratch."
+echo "You're using the example configuration for a setup of a firewall"
+echo "from Beyond Linux From Scratch."
 echo "This example is far from being complete, it is only meant"
 echo "to be a reference."
 echo "Firewall security is a complex issue, that exceeds the scope"
 echo "of the quoted configuration rules."
 echo "You can find some quite comprehensive information"
+echo "of the configuration rules below."
+echo "You can find additional information"
 echo "about firewalls in Chapter 4 of the BLFS book."
 echo "http://www.linuxfromscratch.org/blfs"
 …
 modprobe ipt_REJECT
+# allow local-only connections
+# Enable broadcast echo Protection
+echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+# Disable Source Routed Packets
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
+# Enable TCP SYN Cookie Protection
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# Disable ICMP Redirect Acceptance
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
+# Don¹t send Redirect Messages
+echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
+# Drop Spoofed Packets coming in on an interface where responses
+# would result in the reply going out a different interface.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
+# Log packets with impossible addresses.
+echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
+# Be verbose on dynamic ip-addresses  (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# Disable Explicit Congestion Notification
+# Too many routers are still ignorant
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# Set a known state
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# These lines are here in case rules are already in place and the
+# script is ever rerun on the fly. We want to remove all rules and
+# pre-exisiting user defined chains before we implement new rules.
+iptables -F
+iptables -X
+iptables -Z
+iptables -t nat -F
+# Allow local connections
 iptables -A INPUT  -i lo -j ACCEPT
 iptables -A OUTPUT -o lo -j ACCEPT
 # allow forwarding
+# Allow forwarding if the initiated on the intranet
 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -m state --state NEW -i ! ppp+       -j ACCEPT
 # do masquerading
+iptables -A FORWARD  -i ! ppp+ -m state --state NEW      -j ACCEPT
+# Do masquerading
 # (not needed if intranet is not using private ip-addresses)
 iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
 # Log everything for debugging
 # (last of all rules, but before DROP/REJECT)
+# (last of all rules, but before policy rules)
 iptables -A INPUT   -j LOG --log-prefix "FIREWALL:INPUT  "
 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
 iptables -A OUTPUT  -j LOG --log-prefix "FIREWALL:OUTPUT "
+# set a sane policy
+iptables -P INPUT   DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT  DROP
+# be verbose on dynamic ip-addresses
+# (not needed in case of static IP)
+echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
+# disable ExplicitCongestionNotification
+echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
+# activate TCPsyncookies
+echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
+# activate Route-Verification = IP-Spoofing_protection
+for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
+        echo 1 &gt; $f
+done
+# activate IP-Forwarding
+# Enable IP Forwarding
 echo 1 &gt; /proc/sys/net/ipv4/ip_forward
 <command>EOF</command></userinput></screen>
 <para>With this script your intranet should be sufficiently secure against
+<para>With this script your intranet should be reasonably secure against
 external attacks. No one should be able to setup a new connection to any
+internal service and, if it's masqueraded, it's even invisible. Furthermore,
+your firewall should be nearly immune because there are no services running
+that a cracker could attack.</para>
+<para>Note: if the interface you're connecting to the Internet
+doesn't connect via ppp, you will need to change
+<replaceable>ppp+</replaceable> to the name of the interface which you are
+using.  If you are using the same interface type to connect to both your
+intranet and the Internet, you need to use the actual name of the
+interface such as <emphasis role="strong">eth0</emphasis>,
+on both interfaces.</para>
+<para>If you need stronger security (e.g., against DOS, connection
+highjacking, spoofing, etc.), have a look at the list of
+<xref linkend="fw-library"/> at the end of this section.</para>
+internal service and, if it's masqueraded, makes your intranet invisible to the
+Internet. Furthermore, your firewall should be relatively safe because there
+are no services running that a cracker could attack.</para>
+<note><para>If the interface you're connecting to the Internet doesn't connect
+via ppp, you will need to change <replaceable>ppp+</replaceable> to the name of
+the interface, e.g. <emphasis role="strong">eth1</emphasis>, which you are using.
+</para></note>
 </sect3>
 …
 <title>BusyBox</title>
+<para>This scenario isn't too different from (<xref linkend="fw-masqRouter"/>),
+but in this case you want to offer some services to your intranet.
+Examples of this can be when you want to admin your box from another host
+on your intranet or use it as a proxy or a name server. Note: Outlining a true
+concept of how to protect a server that offers services on the Internet
+goes far beyond the scope of this document,
+see <xref linkend="postlfs-security-fw-disclaimer"/>.</para>
+<para>Be cautious.  Every service you offer and have enabled makes your
+setup more complex and your box less secure. You induce the risks of
+<para>This scenario isn't too different from the <xref linkend="fw-masqRouter"/>,
+but additionally offers some services to your intranet.
+Examples of this can be when you want to administer your firewall from another host
+on your intranet or use it as a proxy or a name server.</para>
+<note><para>Outlining a true concept of how to protect a server that offers
+services on the Internet goes far beyond the scope of this document. See the references
+at the end of this section for more information.</para></note>
+<para>Be cautious.  Every service you have enabled makes your
+setup more complex and your firewall less secure. You are exposed to the risks of
 misconfigured services or running a service with an exploitable bug.  A
 firewall should generally not run any extra services.  See the introduction to
 <xref linkend="fw-masqRouter"/> for some more details.</para>
 <para>If the services you'd like to offer do not need to access the Internet
 themselves, like internal-only samba- or name-servers, it's quite
+the <xref linkend="fw-masqRouter"/> for some more details.</para>
+<para>If you want to add services such as internal samba or name servers that do not
+need to access the Internet themselves,  the additional statements are quite
 simple and should still be acceptable from a security standpoint.
 Just add the following lines <emphasis>before</emphasis> the logging-rules
 into the script.</para>
+Just add the following lines
+into the script <emphasis>before</emphasis> the logging rules.</para>
 <screen>iptables -A INPUT  -i ! ppp+  -j ACCEPT
 iptables -A OUTPUT -o ! ppp+  -j ACCEPT</screen>
 <para>If your daemons have to access the web themselves, like squid would need
 to, you could open OUTPUT generally and restrict INPUT.</para>
 <screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED  -j ACCEPT
+<para>If daemons, such as squid, have to access the Internet themselves,
+you could open OUTPUT generally and restrict INPUT.</para>
+<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT                                     -j ACCEPT</screen>
 <para>However, it is generally not advisable to leave OUTPUT unrestricted. You
 lose any control over trojans who'd like to "call home", and a bit of
 redundancy in case you've (mis-)configured a service so that it does broadcast
+lose any control over trojans who would like to "call home", and a bit of
+redundancy in case you've (mis-)configured a service so that it broadcasts
 its existence to the world.</para>
 <para>If you prefer to have this protection, you may restrict INPUT and OUTPUT
+<para>To accomplish this, you should restrict INPUT and OUTPUT
 on all ports except those that it's absolutely necessary to have open.
 Which ports you have to open depends on your needs: mostly you will find them
 by looking for failed accesses in your log-files.</para>
 <itemizedlist spacing="compact">
+<!-- <orderedlist numeration="arabic" spacing="compact"> -->
+by looking for failed accesses in your log files.</para>
+<itemizedlist spacing="compact" role='iptables'>
 <title>Have a look at the following examples:</title>
 <listitem><para>Squid is caching the web:</para>
 <screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
 -j ACCEPT</screen>
 </listitem>
 <listitem><para>Your caching name server (e.g., dnscache) does its
+iptables -A INPUT  -p tcp --sport 80 -m state --state ESTABLISHED \
+  -j ACCEPT</screen>
+</listitem>
+<listitem><para>Your caching name server (e.g., named) does its
 lookups via udp:</para>
+<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+iptables -A INPUT  -p udp --sport 53 -m state --state ESTABLISHED \
+-j ACCEPT</screen>
+</listitem>
+<listitem><para>Alternatively, if you want to be able to ping your box to
+<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</screen>
+</listitem>
+<listitem><para>You want to be able to ping your box to
 ensure it's still alive:</para>
 …
 </listitem>
 <listitem><para><anchor id='fw-BB-4' xreflabel="example no. 4"/>If you are
 frequently accessing ftp-servers or enjoy chatting, you might notice certain
 delays because some implementations of these daemons have the feature of
 querying an identd on your box for logging usernames.
+Although there's really no harm in this, having an identd running is not
 recommended because some implementations are known to be vulnerable.</para>
+<listitem><para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If you are
+frequently accessing ftp servers or enjoy chatting, you might notice certain
+delays because some implementations of these daemons have the feature of
+querying an identd on your system to obtain usernames.  Although there's really
+little harm in this, having an identd running is not recommended because many
+security experts feel the service gives out too much additional information.</para>
 <para>To avoid these delays you could reject the requests
 with a 'tcp-reset':</para>
+<screen>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset
+iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen>
+</listitem>
+<listitem><para>To log and drop invalid packets (harmless packets
+<screen>iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset</screen>
+</listitem>
+<listitem><para>To log and drop invalid packets (packets
 that came in after netfilter's timeout or some types of network scans):</para>
 <screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG \
 --log-prefix "FIREWALL:INVALID"
 iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem>
+<screen>iptables -I INPUT -p tcp -m state --state INVALID \
+  -j LOG --log-prefix "FIREWALL:INVALID"
+iptables -I INPUT -p tcp -m state --state INVALID -j DROP</screen></listitem>
 <listitem><para>Anything coming from the outside should not have a
+private address, this is a common attack called IP-spoofing:</para>
+<screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8     -j DROP
+iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12  -j DROP
+iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen>
+private address, this is a common attack called IP-spoofing:
+<screen>iptables -A INPUT -i ppp+ -s 10.0.0.0/8     -j DROP
+iptables -A INPUT -i ppp+ -s 172.16.0.0/12  -j DROP
+iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</screen>
+There are other addresses that you may also want to drop: 0.0.0.0/8,
+.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link
+Local Networks), and  192.0.2.0/24 (IANA defined test network).</para>
+</listitem>
+<listitem><para>If your firewall is a DHCP client, you need to allow
+those packets:</para>
+<screen>iptables -A INPUT  -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
+   -d 255.255.255.255 --dport 68 -j ACCEPT</screen>
 </listitem>
 <listitem><para>To simplify debugging and be fair to anyone who'd like to
 access a service you have disabled, purposely or by mistake, you should REJECT
+access a service you have disabled, purposely or by mistake, you could REJECT
 those packets that are dropped.</para>
 …
 last lines before the packets are dropped by policy:</para>
 <screen>iptables -A INPUT                        -j REJECT
 iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem>
+<screen>iptables -A INPUT -j REJECT</screen>
+</listitem>
 </itemizedlist>
+<!--</orderedlist>-->
+<para>These are only examples to show you some of the capabilities of the new
+firewall code in Linux-Kernel 2.4. Have a look at the man page of
+iptables.
+There you will find more of them. The port-numbers you'll need for this
+can be found in <filename>/etc/services</filename>, in case you didn't
+find them by trial and error in your log file.</para>
+<para>If you add any of your offered or accessed services such as the above,
+maybe even in FORWARD and for intranet-communication, and delete the
+general clauses, you get an old fashioned packet filter.</para>
+</sect3>
+<para>These are only examples to show you some of the capabilities of the
+firewall code in Linux. Have a look at the man page of iptables.
+There you will find much more information. The port numbers needed for this can be
+found in <filename>/etc/services</filename>, in case you didn't find them by
+trial and error in your log file.</para>
+</sect3>
 </sect2>
 …
 <title>Conclusion</title>
+<para>Finally, I'd like to remind you of one fact we must not forget:
+The effort spent attacking a system corresponds to the value the cracker
+expects to gain from it.
+If you are responsible for such valuable assets that you expect great
+effort to be made by potential crackers, you hopefully won't be in the
+need of this hint!</para>
+<!-- <para><literallayout>Be cautious!
+    Henning Rohde
+<email>Henning.Rohde@uni-bayreuth.de</email></literallayout></para>
+<para>PS: And always do remember:
+SecureIT is not a matter of a status-quo but one of never stopping
+to take care!</para>
+<para>PPS: If any of these scripts fail, please tell me. I will try to trace
+any faults.</para> -->
+<para>Finally, there is one fact you must not forget: The effort spent
+attacking a system corresponds to the value the cracker expects to gain from
+it.  If you are responsible for valuable information, you need to spend the
+time to protect it properly.</para>
 </sect2>
 …
 </sect3>
-<sect3 id="fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">
-<title>firewall.status</title>
-<para>If you'd like to have a look at the chains your firewall consists of and
-the order in which the rules take effect:</para>
-<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.status &lt;&lt; "EOF"</command>
-#!/bin/sh
-# Begin $rc_base/init.d/firewall.status
-echo "iptables.mangling:"
-iptables -t mangle  -v -L -n --line-numbers
-echo
-echo "iptables.nat:"
-iptables -t nat     -v -L -n --line-numbers
-echo
-echo "iptables.filter:"
-iptables            -v -L -n --line-numbers
-<command>EOF</command></userinput></screen>
-</sect3>
-<sect3 id="postlfs-security-fw-stop" xreflabel="/etc/rc.d/init.d/firewall.stop">
-<title>firewall.stop</title>
-<para>If you need to turn the firewall off, this script will do it:</para>
-<screen><userinput><command>cat &gt; /etc/rc.d/init.d/firewall.stop &lt;&lt; "EOF"</command>
-#!/bin/sh
-# Being $rc_base/init.d/firewall.stop
-# deactivate IP-Forwarding
-echo 0 > /proc/sys/net/ipv4/ip_forward
-iptables -Z
-iptables -F
-iptables -t nat         -F PREROUTING
-iptables -t nat         -F OUTPUT
-iptables -t nat         -F POSTROUTING
-iptables -t mangle      -F PREROUTING
-iptables -t mangle      -F OUTPUT
-iptables -X
-iptables -P INPUT       ACCEPT
-iptables -P FORWARD     ACCEPT
-iptables -P OUTPUT      ACCEPT
-<command>EOF</command></userinput></screen>
-</sect3>
 </sect2>
 </sect1>

postlfs/security/iptables.xml

-              rf8962fe
+              r0e3848e3
 a firewall.</para>
 <sect2>
+<sect2 id='iptables-kernel'>
 <title>Introduction to <application>iptables</application></title>
 <para>To use a firewall, as well as installing
+<application>iptables</application>, you will need
+to configure the relevant options into your kernel.  This is discussed
 in the next part of this chapter &ndash;
+<xref linkend="fw-kernel"/>.</para>
+<para>A firewall in Linux is accomplished through a portion of the kernel
+called netfilter.  The interface to netfilter is <application>iptables</application>.
+To use it, the appropriate kernel configuration parameters are found in
+Device Drivers -&gt; Networking Support -&gt; Networking Options -&gt;
+Network Packet Filtering -&gt; IP: Netfilter Configuration.
+<para>If you intend to use <acronym>IP</acronym>v6 you might consider extending
+the kernel by running <command>make patch-o-matic</command> in the top-level
+source tree directory of <application>iptables</application>.  If you are
+going to do this, on a freshly untarred kernel, you need to run
+<command>yes "" | make config &amp;&amp; make dep</command> first because
+otherwise the patch-o-matic command is likely to fail while setting up
+some dependencies.</para>
+<indexterm zone="iptables iptables-kernel">
+  <primary sortas="d-iptables">Iptables</primary>
+</indexterm>
+<para>If you are going to patch the kernel, you need to do it before you
+compile <application>iptables</application>, because during the compilation,
+the kernel source tree is checked (if it is available at <filename
+class="directory">/usr/src/linux-<replaceable>[version]</replaceable>
+</filename>) to see which features are available.  Support will only be compiled
+into <application>iptables</application> for the features recognized at
+compile-time.  Applying a kernel patch may result in errors, often because the
+hooks for the patches have changed or because the <command>runme</command>
+script doesn't recognize that a patch has already been incorporated.</para>
+<para>Note that for most people, patching the kernel is unnecessary.
+With the later 2.4.x kernels, most functionality is already available
+and those who need to patch it are generally those who need a specific
+feature; if you don't know why you need to patch the kernel, you're
+unlikely to need to!</para>
+</para>
 <sect3>

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: