- Timestamp:
- 03/13/2005 07:24:56 AM (19 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- ed1b95e
- Parents:
- f8962fe
- Location:
- postlfs/security
- Files:
- 2 edited
postlfs/security/firewalling.xml
rf8962fe r0e3848e3 14 14 <title>Setting up a network firewall</title> 15 15 16 <para>Before you read this part of the chapter, note that we assume that you16 <para>Before you read this part of the chapter, you should 17 17 have already installed iptables as described in the previous section.</para> 18 18 … … 20 20 <title>Introduction to Firewall Creation</title> 21 21 22 <para>The general purpose of a firewall is to protect a network 23 against malicious access by using a single machine as a firewall. 24 This does imply that the firewall is to be considered a single point 25 of failure, but it can make the administrator's life a lot easier.</para> 26 27 <para>In a perfect world where you knew that every daemon or service 28 on every machine was perfectly configured and was immune to, e.g., 29 buffer-overflows and any other imaginable problem regarding its 30 security, and where you trusted every user accessing your services 31 to aim no harm, you wouldn't need to have a firewall! 32 In the real world however, daemons may be misconfigured, 33 exploits against essential services are freely available, you 34 may wish to choose which services are accessible by certain machines, 35 you may wish to limit which machines or applications are allowed 36 to have Internet access, or you may simply not trust some of your 37 apps or users. In these situations you might benefit by using a 38 firewall.</para> 39 40 <para>Don't assume however, that having a firewall makes careful 41 configuration redundant, or that it makes any negligent 42 misconfiguration harmless. It also doesn't prevent anyone from exploiting a 43 service you intentionally offer but haven't recently updated or patched 44 after an exploit went public. 
Despite having a firewall, you need to 45 keep applications and daemons on your system well-configured and 46 up-to-date; a firewall is not a cure-all!</para> 22 <para>The general purpose of a firewall is to protect a computer or a network 23 against malicious access.</para> 24 25 <para>In a perfect world, every daemon or service 26 on every machine is perfectly configured and immune to flaws such as 27 buffer overflows or other problems regarding its 28 security. Furthermore, you trust every user accessing your services. 29 In this world, you do not need to have a firewall.</para> 30 31 <para>In the real world however, daemons may be misconfigured 32 and exploits against essential services are freely available. You 33 may wish to choose which services are accessible by certain machines or 34 you may wish to limit which machines or applications are allowed external 35 access. Alternatively, you may simply not trust some of your 36 applications or users. You are probably connected to the Internet. In this 37 world, a firewall is essential.</para> 38 39 <para>Don't assume however, that having a firewall makes careful configuration 40 redundant, or that it makes any negligent misconfiguration harmless. It doesn't 41 prevent anyone from exploiting a service you intentionally offer but haven't 42 recently updated or patched after an exploit went public. Despite having a 43 firewall, you need to keep applications and daemons on your system properly 44 configured and up to date. 
A firewall is not a cure all, but should be an 45 essential part of your overall security startegy.</para> 47 46 48 47 </sect2> 49 48 50 49 <sect2> 51 <title>Meaning of the word firewall.</title>50 <title>Meaning of the word "firewall"</title> 52 51 53 52 <para>The word firewall can have several different meanings.</para> … … 55 54 <sect3><title><xref linkend="fw-persFw"/></title> 56 55 57 <para>This is a setup or program, for Windowscommercially sold by58 companies such as Symantec , of which they claim or pretendthat it59 secures a home or desktop -pc with Internet access. This topicis60 highly relevant for users who do not know the methodstheir computers61 might be accessed via the Internet or how to disable th em,56 <para>This is a hardware device or software program commercially sold by 57 companies such as Symantec which claims that it 58 secures a home or desktop computer with Internet access. This type of firewall is 59 highly relevant for users who do not know how their computers 60 might be accessed via the Internet or how to disable that access, 62 61 especially if they are always online and connected via 63 62 broadband links.</para></sect3> 64 63 65 <sect3><title><xref linkend="fw-masqRouter"/></title> 66 <para>This is a box placed between the Internet and an intranet. 67 To minimize the risk of compromising the firewall itself it 68 should generally have only one role, that of protecting the intranet. 
69 Although not completely risk free, the tasks of doing the routing 70 and eventually IP masquerading (rewriting IP-headers 71 of the packets it routes from clients with private IP-addresses onto 72 the Internet so that they seem to come from the firewall 73 itself) are commonly considered harmless.</para></sect3> 74 75 <sect3><title><xref linkend="fw-busybox"/></title> 76 <para>This is often an old box you may have retired and nearly forgotten, 77 performing masquerading or routing functions, but offering a bunch of 78 services, e.g., web-cache, mail, etc. This may be very commonly used 79 for home networks, but can definitely not be considered as secure 80 anymore because the combining of server and router on one machine raises 81 the complexity of the setup.</para></sect3> 82 83 <sect3><title>Firewall with a demilitarized zone [not further described 84 here]</title> 64 <sect3> 65 <title><xref linkend="fw-masqRouter"/></title> 66 67 <para>This is a system placed between the Internet and an intranet. To minimize 68 the risk of compromising the firewall itself, it should generally have only one 69 role—that of protecting the intranet. Although not completely risk free, 70 the tasks of doing the routing and IP masquerading (rewriting IP headers of 71 the packets it routes from clients with private IP addresses onto the Internet 72 so that they seem to come from the firewall itself) are commonly considered 73 relatively secure.</para> 74 </sect3> 75 76 <sect3> 77 <title><xref linkend="fw-busybox"/></title> 78 79 <para>This is often an old computer you may have retired and nearly forgotten, 80 performing masquerading or routing functions, but offering non-firewall 81 services such as a web-cache or mail. 
This may be used for home 82 networks, but is not be considered as secure as a firewall only 83 machine because the combination of server and router/firewall on one machine 84 raises the complexity of the setup.</para> 85 </sect3> 86 87 <sect3> 88 <title>Firewall with a demilitarized zone [not further described here]</title> 85 89 <para>This box performs masquerading or routing, but grants public access to 86 90 some branch of your network which, because of public IP's and a physically 87 separated structure, is neither considered to be part of the inter- nor 88 intranet. These servers are those which must be easily accessible 89 from both the inter- and intranet. The firewall protects 90 them all.</para></sect3> 91 92 <sect3><title>Packetfilter / partly accessible net [partly described 93 here, see <xref linkend="fw-busybox"/>]</title> 94 <para>Doing routing or masquerading, but permitting only selected 95 services to be accessible, sometimes only by selected internal users or boxes; 96 mostly used in highly secure business contexts, sometimes by distrusting 97 employers. This was the common configuration of a firewall at the time of 98 the Linux 2.2 kernel. It's still possible to configure a firewall this way, 99 but it makes the rules quite complex and lengthy.</para></sect3> 100 91 separated structure, is essentially a separate network with direct Internet access. 92 The servers on this network are those which must be easily accessible 93 from both the Internet and intranet. The firewall protects 94 both networks. This type of firewall has a minimum of three network interfaces.</para> 95 </sect3> 96 97 <sect3> 98 <title>Packetfilter</title> 99 <para>This type of firewall does routing or masquerading, but does not maintain 100 a state table of ongoing communication streams. 
It is fast, but quite limited 101 in its ability to block inappropriate packets without blocking desired 102 packets.</para> 103 </sect3> 101 104 </sect2> 102 105 103 <sect2 id="postlfs-security-fw-disclaimer" xreflabel="Disclaimer"> 104 <title>Disclaimer</title> 105 106 <!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM 107 ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS 108 DOCUMENT.</emphasis></para> --> 109 110 <para>This document is meant as an introduction to how to setup a firewall. It 106 <sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts"> 107 <title>Now you can start to build your Firewall</title> 108 109 <caution><para>This introduction on how to setup a firewall 111 110 is not a complete guide to securing systems. Firewalling is a complex issue 112 111 that requires careful configuration. The scripts quoted here are simply 113 intended to give examples as to how a firewall works, they are not intended to 114 fit into any imaginable configuration and may not prevent any imaginable 115 attack.</para> 116 117 <para>The purpose of this text is simply to give you a hint on how to get 118 started with a firewall.</para> 112 intended to give examples of how a firewall works. They are not intended to 113 fit into any particular configuration and may not provide complete protection 114 from an attack.</para> 119 115 120 116 <para>Customization of these scripts for your specific situation will … … 123 119 hacking away. Have a look at the list of 124 120 <xref linkend="fw-library"/> at the end of this section for 125 more details. Here you will find a list of URLs that contain quite121 more details. 
There you will find a list of URLs that contain quite 126 122 comprehensive information about building your own firewall.</para> 127 128 </sect2> 129 130 <sect2 id="fw-kernel" xreflabel="getting a firewalling-enabled Kernel"> 131 <title>Getting a firewall enabled Kernel</title> 132 <indexterm zone="fw-kernel"> 133 <primary sortas="d-Firewalls">Firewalls (using iptables)</primary> 134 </indexterm> 135 136 <para>If you want your Linux-Box to have a firewall, you must first ensure 137 that your kernel has been compiled with the relevant options turned on. 138 <!-- <footnote><para>If you needed assistance how to configure, compile and 139 install a new kernel, refer back to chapter VIII of the LinuxFromScratch book, 140 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html"> 141 Installing a kernel</ulink> and eventually 142 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html"> 143 Making the LFS system bootable</ulink>; note, that you'll need to reboot 144 to actually run your new kernel.</para></footnote>--> 145 </para> 146 147 <para>How to configure your kernel, with enabling the options to be 148 either compiled into the kernel or as modules, depends on your personal 149 preferences and experience. 
Note, that for the quoted scripts it is assumed 150 that the modules need to be loaded at first.</para> 151 152 <screen>Network options menu 153 Network packet filtering: Y 154 Unix domain sockets: Y or M 155 TCP/IP networking: Y 156 IP: advanced router: Y 157 IP: verbose route monitoring: Y 158 IP: TCP Explicit Congestion Notification support: Y 159 IP: TCP syncookie support: Y 160 IP: Netfilter Configuration menu 161 Every option except: Y or M 162 ipchains (2.2-style) support N 163 ipfwadm (2.0-style) support N 164 Fast switching: N</screen> 165 166 <!-- 167 <table frame='none'> 168 <title>Essential config-options for a firewall enabled Kernel</title> 169 170 <tgroup cols='5'> 171 <colspec colnum='1' colwidth='8*' align='center'/> 172 <colspec colnum='2' colwidth='19*' align='left'/> 173 <colspec colnum='3' colwidth='11*' align='center'/> 174 <colspec colnum='4' colwidth='1*' align='center'/> 175 <colspec colnum='5' colwidth='14*' align='left'/> 176 177 <tbody> 178 179 <row> 180 <entry><emphasis><userinput>Networking options:</userinput></emphasis></entry> 181 <entry><userinput>Network packet filtering</userinput></entry> 182 <entry></entry> 183 <entry>=</entry> 184 <entry>CONFIG_NETFILTER</entry> 185 </row> 186 187 <row> 188 <entry></entry> 189 <entry><userinput>Unix domain sockets</userinput></entry> 190 <entry></entry> 191 <entry>=</entry> 192 <entry>CONFIG_UNIX</entry> 193 </row> 194 195 <row> 196 <entry></entry> 197 <entry><userinput>IP: TCP/IP networking</userinput></entry> 198 <entry></entry> 199 <entry>=</entry> 200 <entry>CONFIG_INET</entry> 201 </row> 202 203 <row> 204 <entry></entry> 205 <entry><userinput>IP: advanced router</userinput></entry> 206 <entry></entry> 207 <entry>=</entry> 208 <entry>CONFIG_IP_ADVANCED_ROUTER</entry> 209 </row> 210 211 <row> 212 <entry></entry> 213 <entry><userinput>IP: verbose route monitoring</userinput></entry> 214 <entry></entry> 215 <entry>=</entry> 216 <entry>CONFIG_IP_ROUTE_VERBOSE</entry> 217 </row> 218 219 <row> 
220 <entry></entry> 221 <entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry> 222 <entry></entry> 223 <entry>=</entry> 224 <entry>CONFIG_INET_ECN</entry> 225 </row> 226 227 <row> 228 <entry></entry> 229 <entry><userinput>IP: TCP syncookie support</userinput></entry> 230 <entry></entry> 231 <entry>=</entry> 232 <entry>CONFIG_SYN_COOKIES</entry> 233 </row> 234 235 <row> 236 <entry></entry> 237 <entry align='center'> 238 <emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry> 239 <entry align='left'><userinput>every option</userinput></entry> 240 <entry>=</entry> 241 <entry>CONFIG_IP_NF_*</entry> 242 </row> 243 244 <row> 245 <entry></entry> 246 <entry align='right'><emphasis>WITHOUT:</emphasis></entry> 247 <entry align='left'><literallayout><userinput>ipchains (2.2-style) support 248 ipfw-adm (2.0-style) support</userinput></literallayout></entry> 249 <entry>w\</entry> 250 <entry>CONFIG_IP_NF_COMPAT_*</entry> 251 </row> 252 253 <row> 254 <entry></entry> 255 <entry><userinput>Fast switching</userinput></entry> 256 <entry>Make sure to disable it because it would setup a bypass around 257 your firewall rules.</entry> 258 <entry>w\</entry> 259 <entry>CONFIG_NET_FASTROUTE</entry> 260 </row> 261 262 </tbody> 263 264 </tgroup> 265 266 </table> --> 267 268 </sect2> 269 270 <sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts"> 271 <title>Now you can start to build your Firewall</title> 123 </caution> 124 125 <para>The firewall configuration script installed in the last section differs 126 from the standard configuration script. It only has two of the standard 127 targets: start and status. The other targets are clear and lock. For instance when you 128 run: 129 130 <screen><userinput><command>/etc/rc.d/init.d/iptables start</command></userinput></screen> 131 132 the firewall will be restarted just as it is upon system startup. 
The status target 133 will present a list of all currently implemented rules. The clear target turns off all 134 firewall rules and the lock target will block all packets in and out of the computer 135 with the exception of the loopback interface.</para> 136 137 <para>The main startup firewall is located in the file 138 <filename>/etc/rc.d/rc.iptables</filename>. The sections below provide three different 139 approaches that can be used for a system.</para> 140 141 <note><para>You should always run your firewall rules from a script. This ensures 142 consistency and a record of what was done. It also allows retention of comments 143 that are essential for understanding the rules long after they were written. 144 </para></note> 272 145 273 146 <sect3 id="fw-persFw" xreflabel="Personal Firewall"> 274 147 <title>Personal Firewall</title> 275 148 276 <para>A Personal Firewall is supposed to let you access all the services149 <para>A Personal Firewall is designed to let you access all the services 277 150 offered on the Internet, but keep your box secure and your data private.</para> 278 151 279 152 <para>Below is a slightly modified version of Rusty Russell's recommendation 280 from the <ulink281 url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">282 Linux 2.4 Packet Filtering HOWTO</ulink> :</para>283 284 <screen><userinput><command>cat > /etc/rc.d/ init.d/firewall<< "EOF"</command>153 from the 154 <ulink url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html"> 155 Linux 2.4 Packet Filtering HOWTO</ulink>. 
It is still applicable to the Linux 2.6 kernels.</para> 156 157 <screen><userinput><command>cat > /etc/rc.d/rc.iptables << "EOF"</command> 285 158 #!/bin/sh 286 159 287 # Begin $rc_base/ init.d/firewall160 # Begin $rc_base/rc.iptables 288 161 289 162 # Insert connection-tracking modules … … 296 169 modprobe ipt_LOG 297 170 298 # allow local-only connections 171 # Enable broadcast echo Protection 172 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 173 174 # Disable Source Routed Packets 175 echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 176 177 # Enable TCP SYN Cookie Protection 178 echo 1 > /proc/sys/net/ipv4/tcp_syncookies 179 180 # Disable ICMP Redirect Acceptance 181 echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects 182 183 # Don¹t send Redirect Messages 184 echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects 185 186 # Drop Spoofed Packets coming in on an interface, where responses 187 # would result in the reply going out a different interface. 188 echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter 189 190 # Log packets with impossible addresses. 191 echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 192 193 # be verbose on dynamic ip-addresses (not needed in case of static IP) 194 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 195 196 # disable Explicit Congestion Notification 197 # too many routers are still ignorant 198 echo 0 > /proc/sys/net/ipv4/tcp_ecn 199 200 # Set a known state 201 iptables -P INPUT DROP 202 iptables -P FORWARD DROP 203 iptables -P OUTPUT DROP 204 205 # These lines are here in case rules are already in place and the 206 # script is ever rerun on the fly. We want to remove all rules and 207 # pre-exisiting user defined chains before we implement new rules. 
208 iptables -F 209 iptables -X 210 iptables -Z 211 212 iptables -t nat -F 213 214 # Allow local-only connections 299 215 iptables -A INPUT -i lo -j ACCEPT 300 216 301 # free output on any interface to any ip for any service217 # Free output on any interface to any ip for any service 302 218 # (equal to -P ACCEPT) 303 219 iptables -A OUTPUT -j ACCEPT 304 220 305 # permit answers on already established connections221 # Permit answers on already established connections 306 222 # and permit new connections related to established ones 307 # (e g active-ftp)223 # (e.g. port mode ftp) 308 224 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 309 225 310 # Log everything else :What's Windows' latest exploitable vulnerability?226 # Log everything else. What's Windows' latest exploitable vulnerability? 311 227 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 312 228 313 # set a sane policy: everything not accepted > /dev/null 314 iptables -P INPUT DROP 315 iptables -P FORWARD DROP 316 iptables -P OUTPUT DROP 317 318 # be verbose on dynamic ip-addresses (not needed in case of static IP) 319 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 320 321 # disable ExplicitCongestionNotification 322 # too many routers are still ignorant 323 echo 0 > /proc/sys/net/ipv4/tcp_ecn 324 325 # End $rc_base/init.d/firewall 229 # End $rc_base/rc.iptables 326 230 <command>EOF</command></userinput></screen> 327 231 328 <para> His script is quite simple, it drops all traffic coming in into your232 <para>This script is quite simple, it drops all traffic coming in into your 329 233 computer that wasn't initiated from your box, but as long as you are simply 330 234 surfing the Internet you are unlikely to exceed its limits.</para> 331 235 332 236 <para>If you frequently encounter certain delays at accessing ftp-servers, 333 please have a look at <xref linkend="fw-busybox"/> - 334 <xref linkend="fw-BB-4"/>.</para> 335 336 <para>Even if you have daemons or services running on your box, 
these 337 should be inaccessible everywhere but from your box itself. 237 take a look at <xref linkend="fw-BB-4"/>.</para> 238 239 <para>Even if you have daemons or services running on your system, these 240 will be inaccessible everywhere but from your computer itself. 338 241 If you want to allow access to services on your machine, such as ssh or 339 pinging, take a look at <xref linkend="fw-busybox"/>.</para> 340 341 </sect3> 342 242 ping, take a look at <xref linkend="fw-busybox"/>.</para> 243 244 </sect3> 343 245 344 246 <sect3 id="fw-masqRouter" xreflabel="Masquerading Router"> 345 247 <title>Masquerading Router</title> 346 248 347 <para>A true Firewall has two interfaces, one connected to an intranet, 348 in this example, <emphasis role="strong">eth0</emphasis>, and one 349 connected to the Internet, here, <emphasis role="strong">ppp0</emphasis>. 350 To provide the maximum security against the box itself being broken into, 351 make sure that there are no servers running on it, especially not 352 <application>X11</application> et 353 al. And, as a general principle, the box itself should not access any 354 untrusted service (Think of a name server giving answers that make your 355 bind crash, or, even worse, that implement a worm via a 356 buffer-overflow).</para> 357 358 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall << "EOF"</command> 249 <para>A true Firewall has two interfaces, one connected to an intranet, in this 250 example <emphasis role="strong">eth0</emphasis>, and one connected to the 251 Internet, here <emphasis role="strong">ppp0</emphasis>. To provide the 252 maximum security for the firewall itself, make sure that there 253 are no unnecessary servers running on it such as <application>X11</application> et 254 al. 
As a general principle, the firewall itself should not access any 255 untrusted service (Think of a remote server giving answers that makes a daemin on 256 your system 257 crash, or, even worse, that implements a worm via a buffer-overflow).</para> 258 259 <screen><userinput><command>cat > /etc/rc.d/rc.iptables << "EOF"</command> 359 260 #!/bin/sh 360 261 361 # Begin $rc_base/ init.d/firewall262 # Begin $rc_base/rc.iptables 362 263 363 264 echo 364 echo "You're using the example -configfor a setup of a firewall"365 echo "from the firewalling-hint written for LinuxFromScratch."265 echo "You're using the example configuration for a setup of a firewall" 266 echo "from Beyond Linux From Scratch." 366 267 echo "This example is far from being complete, it is only meant" 367 268 echo "to be a reference." 368 269 echo "Firewall security is a complex issue, that exceeds the scope" 369 echo "of the quoted configuration rules."370 echo "You can find some quite comprehensiveinformation"270 echo "of the configuration rules below." 271 echo "You can find additional information" 371 272 echo "about firewalls in Chapter 4 of the BLFS book." 372 273 echo "http://www.linuxfromscratch.org/blfs" … … 386 287 modprobe ipt_REJECT 387 288 388 # allow local-only connections 289 # Enable broadcast echo Protection 290 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 291 292 # Disable Source Routed Packets 293 echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 294 295 # Enable TCP SYN Cookie Protection 296 echo 1 > /proc/sys/net/ipv4/tcp_syncookies 297 298 # Disable ICMP Redirect Acceptance 299 echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects 300 301 # Don¹t send Redirect Messages 302 echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects 303 304 # Drop Spoofed Packets coming in on an interface where responses 305 # would result in the reply going out a different interface. 306 echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter 307 308 # Log packets with impossible addresses. 
309 echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 310 311 # Be verbose on dynamic ip-addresses (not needed in case of static IP) 312 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 313 314 # Disable Explicit Congestion Notification 315 # Too many routers are still ignorant 316 echo 0 > /proc/sys/net/ipv4/tcp_ecn 317 318 # Set a known state 319 iptables -P INPUT DROP 320 iptables -P FORWARD DROP 321 iptables -P OUTPUT DROP 322 323 # These lines are here in case rules are already in place and the 324 # script is ever rerun on the fly. We want to remove all rules and 325 # pre-exisiting user defined chains before we implement new rules. 326 iptables -F 327 iptables -X 328 iptables -Z 329 330 iptables -t nat -F 331 332 # Allow local connections 389 333 iptables -A INPUT -i lo -j ACCEPT 390 334 iptables -A OUTPUT -o lo -j ACCEPT 391 335 392 # allow forwarding336 # Allow forwarding if the initiated on the intranet 393 337 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 394 iptables -A FORWARD -m state --state NEW -i ! ppp+-j ACCEPT395 396 # do masquerading338 iptables -A FORWARD -i ! 
ppp+ -m state --state NEW -j ACCEPT 339 340 # Do masquerading 397 341 # (not needed if intranet is not using private ip-addresses) 398 342 iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE 399 343 400 344 # Log everything for debugging 401 # (last of all rules, but before DROP/REJECT)345 # (last of all rules, but before policy rules) 402 346 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 403 347 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD" 404 348 iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " 405 349 406 # set a sane policy 407 iptables -P INPUT DROP 408 iptables -P FORWARD DROP 409 iptables -P OUTPUT DROP 410 411 # be verbose on dynamic ip-addresses 412 # (not needed in case of static IP) 413 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 414 415 # disable ExplicitCongestionNotification 416 echo 0 > /proc/sys/net/ipv4/tcp_ecn 417 418 # activate TCPsyncookies 419 echo 1 > /proc/sys/net/ipv4/tcp_syncookies 420 421 # activate Route-Verification = IP-Spoofing_protection 422 for f in /proc/sys/net/ipv4/conf/*/rp_filter; do 423 echo 1 > $f 424 done 425 426 # activate IP-Forwarding 350 # Enable IP Forwarding 427 351 echo 1 > /proc/sys/net/ipv4/ip_forward 428 352 <command>EOF</command></userinput></screen> 429 353 430 <para>With this script your intranet should be sufficiently secure against354 <para>With this script your intranet should be reasonably secure against 431 355 external attacks. No one should be able to setup a new connection to any 432 internal service and, if it's masqueraded, it's even invisible. Furthermore, 433 your firewall should be nearly immune because there are no services running 434 that a cracker could attack.</para> 435 436 <para>Note: if the interface you're connecting to the Internet 437 doesn't connect via ppp, you will need to change 438 <replaceable>ppp+</replaceable> to the name of the interface which you are 439 using. 
If you are using the same interface type to connect to both your 440 intranet and the Internet, you need to use the actual name of the 441 interface such as <emphasis role="strong">eth0</emphasis>, 442 on both interfaces.</para> 443 444 <para>If you need stronger security (e.g., against DOS, connection 445 highjacking, spoofing, etc.), have a look at the list of 446 <xref linkend="fw-library"/> at the end of this section.</para> 356 internal service and, if it's masqueraded, makes your intranet invisible to the 357 Internet. Furthermore, your firewall should be relatively safe because there 358 are no services running that a cracker could attack.</para> 359 360 <note><para>If the interface you're connecting to the Internet doesn't connect 361 via ppp, you will need to change <replaceable>ppp+</replaceable> to the name of 362 the interface, e.g. <emphasis role="strong">eth1</emphasis>, which you are using. 363 </para></note> 447 364 448 365 </sect3> … … 451 368 <title>BusyBox</title> 452 369 453 <para>This scenario isn't too different from (<xref linkend="fw-masqRouter"/>), 454 but in this case you want to offer some services to your intranet. 455 Examples of this can be when you want to admin your box from another host 456 on your intranet or use it as a proxy or a name server. Note: Outlining a true 457 concept of how to protect a server that offers services on the Internet 458 goes far beyond the scope of this document, 459 see <xref linkend="postlfs-security-fw-disclaimer"/>.</para> 460 461 <para>Be cautious. Every service you offer and have enabled makes your 462 setup more complex and your box less secure. You induce the risks of 370 <para>This scenario isn't too different from the <xref linkend="fw-masqRouter"/>, 371 but additionally offers some services to your intranet. 
372 Examples of this can be when you want to administer your firewall from another host 373 on your intranet or use it as a proxy or a name server.</para> 374 375 <note><para>Outlining a true concept of how to protect a server that offers 376 services on the Internet goes far beyond the scope of this document. See the references 377 at the end of this section for more information.</para></note> 378 379 <para>Be cautious. Every service you have enabled makes your 380 setup more complex and your firewall less secure. You are exposed to the risks of 463 381 misconfigured services or running a service with an exploitable bug. A 464 382 firewall should generally not run any extra services. See the introduction to 465 <xref linkend="fw-masqRouter"/> for some more details.</para>466 467 <para>If the services you'd like to offer do not need to access the Internet468 themselves, like internal-only samba- or name-servers, it'squite383 the <xref linkend="fw-masqRouter"/> for some more details.</para> 384 385 <para>If you want to add services such as internal samba or name servers that do not 386 need to access the Internet themselves, the additional statements are quite 469 387 simple and should still be acceptable from a security standpoint. 470 Just add the following lines <emphasis>before</emphasis> the logging-rules471 into the script .</para>388 Just add the following lines 389 into the script <emphasis>before</emphasis> the logging rules.</para> 472 390 473 391 <screen>iptables -A INPUT -i ! ppp+ -j ACCEPT 474 392 iptables -A OUTPUT -o ! 
ppp+ -j ACCEPT</screen> 475 393 476 <para>If your daemons have to access the web themselves, like squid would need477 to,you could open OUTPUT generally and restrict INPUT.</para>478 479 <screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED 394 <para>If daemons, such as squid, have to access the Internet themselves, 395 you could open OUTPUT generally and restrict INPUT.</para> 396 397 <screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 480 398 iptables -A OUTPUT -j ACCEPT</screen> 481 399 482 400 <para>However, it is generally not advisable to leave OUTPUT unrestricted. You 483 lose any control over trojans who 'd like to "call home", and a bit of484 redundancy in case you've (mis-)configured a service so that it does broadcast401 lose any control over trojans who would like to "call home", and a bit of 402 redundancy in case you've (mis-)configured a service so that it broadcasts 485 403 its existence to the world.</para> 486 404 487 <para> If you prefer to have this protection, you mayrestrict INPUT and OUTPUT405 <para>To accomplish this, you should restrict INPUT and OUTPUT 488 406 on all ports except those that it's absolutely necessary to have open. 
489 407 Which ports you have to open depends on your needs: mostly you will find them 490 by looking for failed accesses in your log -files.</para>491 <itemizedlist spacing="compact" >492 <!-- <orderedlist numeration="arabic" spacing="compact"> --> 408 by looking for failed accesses in your log files.</para> 409 <itemizedlist spacing="compact" role='iptables'> 410 493 411 <title>Have a look at the following examples:</title> 494 412 495 413 <listitem><para>Squid is caching the web:</para> 496 414 <screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 497 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \498 -j ACCEPT</screen>499 </listitem> 500 501 <listitem><para>Your caching name server (e.g., dnscache) does its415 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \ 416 -j ACCEPT</screen> 417 </listitem> 418 419 <listitem><para>Your caching name server (e.g., named) does its 502 420 lookups via udp:</para> 503 <screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT 504 iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED \ 505 -j ACCEPT</screen> 506 </listitem> 507 508 <listitem><para>Alternatively, if you want to be able to ping your box to 421 <screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</screen> 422 </listitem> 423 424 <listitem><para>You want to be able to ping your box to 509 425 ensure it's still alive:</para> 510 426 … … 513 429 </listitem> 514 430 515 <listitem><para><anchor id='fw-BB-4' xreflabel=" example no. 
4"/>If you are516 frequently accessing ftp -servers or enjoy chatting, you might notice certain517 delays because some implementations of these daemons have the feature of 518 querying an identd on your box for logging usernames.519 Although there's really no harm in this, having an identd running is not 520 recommended because some implementations are known to be vulnerable.</para>431 <listitem><para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If you are 432 frequently accessing ftp servers or enjoy chatting, you might notice certain 433 delays because some implementations of these daemons have the feature of 434 querying an identd on your system to obtain usernames. Although there's really 435 little harm in this, having an identd running is not recommended because many 436 security experts feel the service gives out too much additional information.</para> 521 437 522 438 <para>To avoid these delays you could reject the requests 523 439 with a 'tcp-reset':</para> 524 440 525 <screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset 526 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen> 527 </listitem> 528 529 <listitem><para>To log and drop invalid packets (harmless packets 441 <screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</screen> 442 </listitem> 443 444 <listitem><para>To log and drop invalid packets (packets 530 445 that came in after netfilter's timeout or some types of network scans):</para> 531 446 532 <screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG\533 --log-prefix "FIREWALL:INVALID"534 iptables -I INPUT 2-p tcp -m state --state INVALID -j DROP</screen></listitem>447 <screen>iptables -I INPUT -p tcp -m state --state INVALID \ 448 -j LOG --log-prefix "FIREWALL:INVALID" 449 iptables -I INPUT -p tcp -m state --state INVALID -j DROP</screen></listitem> 535 450 536 451 <listitem><para>Anything coming from the outside should not have a 537 
private address, this is a common attack called IP-spoofing:</para> 538 539 <screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP 540 iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP 541 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen> 452 private address, this is a common attack called IP-spoofing: 453 454 <screen>iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP 455 iptables -A INPUT -i ppp+ -s 172.16.0.0/12 -j DROP 456 iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</screen> 457 458 There are other addresses that you may also want to drop: 0.0.0.0/8, 459 127.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link 460 Local Networks), and 192.0.2.0/24 (IANA defined test network).</para> 461 </listitem> 462 463 <listitem><para>If your firewall is a DHCP client, you need to allow 464 those packets:</para> 465 466 <screen>iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0 --sport 67 \ 467 -d 255.255.255.255 --dport 68 -j ACCEPT</screen> 542 468 </listitem> 543 469 544 470 <listitem><para>To simplify debugging and be fair to anyone who'd like to 545 access a service you have disabled, purposely or by mistake, you should REJECT471 access a service you have disabled, purposely or by mistake, you could REJECT 546 472 those packets that are dropped.</para> 547 473 … … 549 475 last lines before the packets are dropped by policy:</para> 550 476 551 <screen>iptables -A INPUT -j REJECT552 iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem>477 <screen>iptables -A INPUT -j REJECT</screen> 478 </listitem> 553 479 </itemizedlist> 554 <!--</orderedlist>--> 555 556 <para>These are only examples to show you some of the capabilities of the new 557 firewall code in Linux-Kernel 2.4. Have a look at the man page of 558 iptables. 559 There you will find more of them. 
The port-numbers you'll need for this 560 can be found in <filename>/etc/services</filename>, in case you didn't 561 find them by trial and error in your log file.</para> 562 563 <para>If you add any of your offered or accessed services such as the above, 564 maybe even in FORWARD and for intranet-communication, and delete the 565 general clauses, you get an old fashioned packet filter.</para> 566 </sect3> 567 480 481 <para>These are only examples to show you some of the capabilities of the 482 firewall code in Linux. Have a look at the man page of iptables. 483 There you will find much more information. The port numbers needed for this can be 484 found in <filename>/etc/services</filename>, in case you didn't find them by 485 trial and error in your log file.</para> 486 487 </sect3> 568 488 </sect2> 569 489 … … 571 491 <title>Conclusion</title> 572 492 573 <para>Finally, I'd like to remind you of one fact we must not forget: 574 The effort spent attacking a system corresponds to the value the cracker 575 expects to gain from it. 576 If you are responsible for such valuable assets that you expect great 577 effort to be made by potential crackers, you hopefully won't be in the 578 need of this hint!</para> 579 580 <!-- <para><literallayout>Be cautious! 581 582 Henning Rohde 583 <email>Henning.Rohde@uni-bayreuth.de</email></literallayout></para> 584 585 <para>PS: And always do remember: 586 SecureIT is not a matter of a status-quo but one of never stopping 587 to take care!</para> 588 589 <para>PPS: If any of these scripts fail, please tell me. I will try to trace 590 any faults.</para> --> 493 <para>Finally, there is one fact you must not forget: The effort spent 494 attacking a system corresponds to the value the cracker expects to gain from 495 it. 
If you are responsible for valuable information, you need to spend the 496 time to protect it properly.</para> 591 497 592 498 </sect2> … … 625 531 </sect3> 626 532 627 <sect3 id="fw-status" xreflabel="/etc/rc.d/init.d/firewall.status">628 <title>firewall.status</title>629 630 <para>If you'd like to have a look at the chains your firewall consists of and631 the order in which the rules take effect:</para>632 633 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall.status << "EOF"</command>634 #!/bin/sh635 636 # Begin $rc_base/init.d/firewall.status637 638 echo "iptables.mangling:"639 iptables -t mangle -v -L -n --line-numbers640 641 echo642 echo "iptables.nat:"643 iptables -t nat -v -L -n --line-numbers644 645 echo646 echo "iptables.filter:"647 iptables -v -L -n --line-numbers648 <command>EOF</command></userinput></screen>649 </sect3>650 651 <sect3 id="postlfs-security-fw-stop" xreflabel="/etc/rc.d/init.d/firewall.stop">652 <title>firewall.stop</title>653 654 <para>If you need to turn the firewall off, this script will do it:</para>655 656 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall.stop << "EOF"</command>657 #!/bin/sh658 659 # Being $rc_base/init.d/firewall.stop660 661 # deactivate IP-Forwarding662 echo 0 > /proc/sys/net/ipv4/ip_forward663 664 iptables -Z665 iptables -F666 iptables -t nat -F PREROUTING667 iptables -t nat -F OUTPUT668 iptables -t nat -F POSTROUTING669 iptables -t mangle -F PREROUTING670 iptables -t mangle -F OUTPUT671 iptables -X672 iptables -P INPUT ACCEPT673 iptables -P FORWARD ACCEPT674 iptables -P OUTPUT ACCEPT675 <command>EOF</command></userinput></screen>676 </sect3>677 678 533 </sect2> 679 680 534 </sect1> 681 535 -
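Review bot: the INVALID log-and-drop hunk introduces an ordering bug: dropping the explicit rule numbers from 'iptables -I INPUT 1 ... -j LOG' and 'iptables -I INPUT 2 ... -j DROP' means both commands insert at position 1, so the DROP rule (run second) ends up above the LOG rule and the LOG rule is never reached. Either keep the '1' and '2' positions, swap the two commands so the DROP is inserted first and the LOG lands above it, or use -A for both and rely on script order.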
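Review bot: the identd and the final REJECT hunks each remove an OUTPUT rule ('iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT' and 'iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT') while leaving the '-j REJECT --reject-with tcp-reset' and 'iptables -A INPUT -j REJECT' rules in place. On a box following this section's advice to restrict OUTPUT to the ports that are absolutely necessary, the RST and ICMP port-unreachable packets generated by REJECT also have to be allowed out; please confirm they still are, because if they are filtered the peer sees a timeout rather than a reject and the stated aim of avoiding the identd delay is lost.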
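Review bot: the name-server example is now inconsistent with the squid example above it. The squid item keeps its reply rule ('iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT'), but the hunk drops the matching 'iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT' and leaves only the OUTPUT rule. Under the default-deny INPUT this section recommends, named's lookups would go out but the answers would be dropped unless an earlier general ESTABLISHED,RELATED accept exists; either restore the reply rule or state in the text that replies are covered by a general state rule.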
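Review bot: the new DHCP-client rule 'iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT' will not match the packets it is meant to allow. A source address of 0.0.0.0 is what the client itself uses on DHCPDISCOVER/DHCPREQUEST; the server's DHCPOFFER/DHCPACK replies carry the server's own address, so '-s 0.0.0.0' should be dropped (matching on '-p udp --sport 67 --dport 68' is enough). Two smaller points: the rest of the section uses 'ppp+' while this rule says 'ppp0', and DHCP over a PPP link is unusual, so the interface should probably be the Ethernet one; and since the same hunk suggests dropping 0.0.0.0/8, the relative order of that drop and this accept needs to be stated.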
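Review bot: moving the anti-spoofing rules from '-t nat -A PREROUTING' to '-A INPUT' is the right fix (the nat table only sees the first packet of a connection, so dropping there was unreliable), but INPUT only covers packets addressed to the firewall itself. The removed firewall.stop script toggled ip_forward, so forwarding is within this page's scope; the note should say that the same three rules belong in FORWARD as well when forwarding is enabled.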
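Review bot: the hunk deletes the firewall.status and firewall.stop sect3 elements together with their ids 'fw-status' and 'postlfs-security-fw-stop', both of which carry an xreflabel and so were presumably cross-referenced. Please grep the book for 'linkend="fw-status"' and 'linkend="postlfs-security-fw-stop"' before committing; a dangling xref fails the DocBook build.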
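Review bot: two wording points in the OUTPUT-restriction hunk. 'trojans who would like to "call home"' should read 'trojans that would like to ...'. And 'To accomplish this, you should restrict INPUT and OUTPUT' follows a paragraph that describes what is lost when OUTPUT is open, so the antecedent of 'this' is unclear; 'To keep this control, restrict INPUT and OUTPUT ...' says what is meant.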
postlfs/security/iptables.xml
rf8962fe r0e3848e3 33 33 a firewall.</para> 34 34 35 <sect2 >35 <sect2 id='iptables-kernel'> 36 36 <title>Introduction to <application>iptables</application></title> 37 37 38 <para> To use a firewall, as well as installing39 <application>iptables</application>, you will need 40 to configure the relevant options into your kernel. This is discussed 41 in the next part of this chapter –42 <xref linkend="fw-kernel"/>.</para> 38 <para>A firewall in Linux is accomplished through a portion of the kernel 39 called netfilter. The interface to netfilter is <application>iptables</application>. 40 To use it, the appropriate kernel configuration parameters are found in 41 Device Drivers -> Networking Support -> Networking Options -> 42 Network Packet Filtering -> IP: Netfilter Configuration. 43 43 44 <para>If you intend to use <acronym>IP</acronym>v6 you might consider extending 45 the kernel by running <command>make patch-o-matic</command> in the top-level 46 source tree directory of <application>iptables</application>. If you are 47 going to do this, on a freshly untarred kernel, you need to run 48 <command>yes "" | make config && make dep</command> first because 49 otherwise the patch-o-matic command is likely to fail while setting up 50 some dependencies.</para> 44 <indexterm zone="iptables iptables-kernel"> 45 <primary sortas="d-iptables">Iptables</primary> 46 </indexterm> 51 47 52 <para>If you are going to patch the kernel, you need to do it before you 53 compile <application>iptables</application>, because during the compilation, 54 the kernel source tree is checked (if it is available at <filename 55 class="directory">/usr/src/linux-<replaceable>[version]</replaceable> 56 </filename>) to see which features are available. Support will only be compiled 57 into <application>iptables</application> for the features recognized at 58 compile-time. 
Applying a kernel patch may result in errors, often because the 59 hooks for the patches have changed or because the <command>runme</command> 60 script doesn't recognize that a patch has already been incorporated.</para> 61 62 <para>Note that for most people, patching the kernel is unnecessary. 63 With the later 2.4.x kernels, most functionality is already available 64 and those who need to patch it are generally those who need a specific 65 feature; if you don't know why you need to patch the kernel, you're 66 unlikely to need to!</para> 48 </para> 67 49 68 50 <sect3>
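Review bot: in the new introductory paragraph the sentence ends at 'IP: Netfilter Configuration.' but the '&lt;/para&gt;' is not closed until after the indexterm and two blank lines. Close the para directly after the sentence and keep the '&lt;indexterm zone="iptables iptables-kernel"&gt;' element as its own block between paragraphs, as the other BLFS pages do; also confirm that a sect1 with id 'iptables' exists, since the zone attribute refers to it.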