Changeset 14c0be2f for postlfs/security/iptables.xml
- Timestamp:
- 10/25/2019 06:28:45 AM (5 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 9.1, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, lazarus, lxqt, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- 3d5a675
- Parents:
- 6914a417
- File:
-
- 1 edited
postlfs/security/iptables.xml
r6914a417 r14c0be2f 13 13 ]> 14 14 15 <sect1 id="iptables" xreflabel=" Iptables-&iptables-version;">15 <sect1 id="iptables" xreflabel="iptables-&iptables-version;"> 16 16 <?dbhtml filename="iptables.html"?> 17 17 … … 21 21 </sect1info> 22 22 23 <title> Iptables-&iptables-version;</title>23 <title>iptables-&iptables-version;</title> 24 24 25 25 <indexterm zone="iptables"> 26 <primary sortas="a- Iptables">Iptables</primary>26 <primary sortas="a-iptables">iptables</primary> 27 27 </indexterm> 28 28 29 29 <sect2 role="package"> 30 <title>Introduction to Iptables</title> 31 32 <para> 33 The next part of this chapter deals with firewalls. The principal 34 firewall tool for Linux is <application>Iptables</application>. You will 35 need to install <application>Iptables</application> if you intend on using 36 any form of a firewall. 30 <title>Introduction to iptables</title> 31 32 <para> 33 <application>iptables</application> is a userspace command line program 34 used to configure Linux 2.4 and later kernel packet filtering ruleset. 37 35 </para> 38 36 … … 73 71 </itemizedlist> 74 72 75 <bridgehead renderas="sect3"> Iptables Dependencies</bridgehead>73 <bridgehead renderas="sect3">iptables Dependencies</bridgehead> 76 74 77 75 <bridgehead renderas="sect4">Optional</bridgehead> 78 76 <para role="optional"> 79 < ulink url="http://www.netfilter.org/projects/nftables/index.html">nftables</ulink>77 <xref linkend="nftables"/> 80 78 </para> 81 79 … … 90 88 91 89 <para> 92 A firewall in Linux is accomplished through a portion of the 93 kernel called netfilter. The interface to netfilter is 94 <application>Iptables</application>. To use it, the appropriate 95 kernel configuration parameters are found in: 90 A firewall in Linux is accomplished through the netfilter interface. 
To 91 use <application>iptables</application> to configure netfilter, the 92 following kernel configuration parameters are required: 96 93 </para> 97 94 98 95 <screen><literal>[*] Networking support ---> [CONFIG_NET] 99 96 Networking Options ---> 100 [*] Network packet filtering framework (Netfilter) ---> [CONFIG_NETFILTER]</literal></screen> 97 [*] Network packet filtering framework (Netfilter) ---> [CONFIG_NETFILTER] 98 Core Netfilter Configuration ---></literal></screen> 99 100 <para> 101 Include any connection tracking protocols that will be used, as well as 102 any protocols that you wish to use for match suppport under the 103 "Core Netfilter Configuration" section. 104 </para> 101 105 102 106 <indexterm zone="iptables iptables-kernel"> 103 <primary sortas="d-iptables"> Iptables</primary>107 <primary sortas="d-iptables">iptables</primary> 104 108 </indexterm> 105 109 … … 107 111 108 112 <sect2 role="installation"> 109 <title>Installation of Iptables</title>113 <title>Installation of iptables</title> 110 114 111 115 <note> … … 119 123 at the <application>Linux</application> source code. Note that if you 120 124 upgrade the kernel version, you may also need to recompile 121 <application>Iptables</application> and that the BLFS team has not tested 122 using the raw kernel headers. 123 </para> 124 125 <para> 126 For some non-x86 architectures, the raw kernel headers may be 127 required. In that case, modify the <parameter>KERNEL_DIR=</parameter> 128 parameter to point at the <application>Linux</application> source 129 code. 125 <application>iptables</application> and that the BLFS team has not 126 tested using the raw kernel headers. 
130 127 </para> 131 128 </note> 132 129 133 130 <para> 134 Install <application> Iptables</application> by running the following131 Install <application>iptables</application> by running the following 135 132 commands: 136 133 </para> … … 143 140 make</userinput></screen> 144 141 145 <para>This package does not come with a test suite.</para> 146 147 <para>Now, as the <systemitem class="username">root</systemitem> user:</para> 142 <para> 143 This package does not come with a test suite. 144 </para> 145 146 <para> 147 Now, as the <systemitem class="username">root</systemitem> user: 148 </para> 148 149 149 150 <screen role="root"><userinput>make install && … … 163 164 <para> 164 165 <parameter>--disable-nftables</parameter>: This switch disables building 165 nftables compat. Omit this switch if you have installed nftables. 166 nftables compat. Omit this switch if you have installed 167 <xref linkend="nftables"/>. 166 168 </para> 167 169 … … 174 176 <para> 175 177 <parameter>--with-xtlibdir=/lib/xtables</parameter>: Ensure all 176 <application> Iptables</application> modules are installed in the178 <application>iptables</application> modules are installed in the 177 179 <filename class="directory">/lib/xtables</filename> directory. 178 180 </para> … … 191 193 192 194 <sect2 role="configuration"> 193 <title>Configuring Iptables</title> 194 195 <para> 196 Introductory instructions for configuring your firewall are 197 presented in the next section: <xref linkend="fw-firewall"/> 198 </para> 195 <title>Configuring iptables</title> 196 197 <note> 198 <para> 199 If you intend to use <xref linkend="firewalld"/> to configure your 200 firewall rules, you should not use the example configurations provided 201 here, nor should you enable the 202 <phrase revision="sysv">bootscript</phrase> 203 <phrase revision="systemd">systemd unit</phrase>. 
204 </para> 205 </note> 206 207 <note> 208 <para> 209 In the follwoing example configurations, <emphasis 210 role="strong">LAN1</emphasis> is used for the internal LAN interface, 211 and <emphasis role="strong">WAN1</emphasis> is used for the external 212 interace connected to the internet. You will need to replace these 213 values with appropriate interface names for your system. 214 </para> 215 </note> 216 217 <sect3 id="fw-persFw-ipt" 218 xreflabel="Creating a Personal Firewall With iptables"> 219 <title>Personal Firewall</title> 220 221 <para> 222 A Personal Firewall is designed to let you access all the 223 services offered on the Internet, but keep your box secure and 224 your data private. 225 </para> 226 227 <para> 228 Below is a slightly modified version of Rusty Russell's 229 recommendation from the <ulink 230 url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html"> 231 Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable 232 to the Linux 3.x kernels. 
233 </para> 234 235 <screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat > /etc/rc.d/rc.iptables << "EOF" 236 <literal>#!/bin/sh 237 238 # Begin rc.iptables 239 240 # Insert connection-tracking modules 241 # (not needed if built into the kernel) 242 modprobe nf_conntrack 243 modprobe xt_LOG 244 245 # Enable broadcast echo Protection 246 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 247 248 # Disable Source Routed Packets 249 echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 250 echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route 251 252 # Enable TCP SYN Cookie Protection 253 echo 1 > /proc/sys/net/ipv4/tcp_syncookies 254 255 # Disable ICMP Redirect Acceptance 256 echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects 257 258 # Do not send Redirect Messages 259 echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects 260 echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects 261 262 # Drop Spoofed Packets coming in on an interface, where responses 263 # would result in the reply going out a different interface. 264 echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter 265 echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 266 267 # Log packets with impossible addresses. 268 echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 269 echo 1 > /proc/sys/net/ipv4/conf/default/log_martians 270 271 # be verbose on dynamic ip-addresses (not needed in case of static IP) 272 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 273 274 # disable Explicit Congestion Notification 275 # too many routers are still ignorant 276 echo 0 > /proc/sys/net/ipv4/tcp_ecn 277 278 # Set a known state 279 iptables -P INPUT DROP 280 iptables -P FORWARD DROP 281 iptables -P OUTPUT DROP 282 283 # These lines are here in case rules are already in place and the 284 # script is ever rerun on the fly. We want to remove all rules and 285 # pre-existing user defined chains before we implement new rules. 
286 iptables -F 287 iptables -X 288 iptables -Z 289 290 iptables -t nat -F 291 292 # Allow local-only connections 293 iptables -A INPUT -i lo -j ACCEPT 294 295 # Free output on any interface to any ip for any service 296 # (equal to -P ACCEPT) 297 iptables -A OUTPUT -j ACCEPT 298 299 # Permit answers on already established connections 300 # and permit new connections related to established ones 301 # (e.g. port mode ftp) 302 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 303 304 # Log everything else. What's Windows' latest exploitable vulnerability? 305 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 306 307 # End $rc_base/rc.iptables</literal> 308 EOF 309 chmod 700 /etc/rc.d/rc.iptables</userinput></screen> 310 311 <screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts 312 313 cat > /etc/systemd/scripts/iptables << "EOF" 314 <literal>#!/bin/sh 315 316 # Begin /etc/systemd/scripts/iptables 317 318 # Insert connection-tracking modules 319 # (not needed if built into the kernel) 320 modprobe nf_conntrack 321 modprobe xt_LOG 322 323 # Enable broadcast echo Protection 324 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 325 326 # Disable Source Routed Packets 327 echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 328 echo 0 > /proc/sys/net/ipv4/conf/default/accept_source_route 329 330 # Enable TCP SYN Cookie Protection 331 echo 1 > /proc/sys/net/ipv4/tcp_syncookies 332 333 # Disable ICMP Redirect Acceptance 334 echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects 335 336 # Do not send Redirect Messages 337 echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects 338 echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects 339 340 # Drop Spoofed Packets coming in on an interface, where responses 341 # would result in the reply going out a different interface. 
342 echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter 343 echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 344 345 # Log packets with impossible addresses. 346 echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 347 echo 1 > /proc/sys/net/ipv4/conf/default/log_martians 348 349 # be verbose on dynamic ip-addresses (not needed in case of static IP) 350 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 351 352 # disable Explicit Congestion Notification 353 # too many routers are still ignorant 354 echo 0 > /proc/sys/net/ipv4/tcp_ecn 355 356 # Set a known state 357 iptables -P INPUT DROP 358 iptables -P FORWARD DROP 359 iptables -P OUTPUT DROP 360 361 # These lines are here in case rules are already in place and the 362 # script is ever rerun on the fly. We want to remove all rules and 363 # pre-existing user defined chains before we implement new rules. 364 iptables -F 365 iptables -X 366 iptables -Z 367 368 iptables -t nat -F 369 370 # Allow local-only connections 371 iptables -A INPUT -i lo -j ACCEPT 372 373 # Free output on any interface to any ip for any service 374 # (equal to -P ACCEPT) 375 iptables -A OUTPUT -j ACCEPT 376 377 # Permit answers on already established connections 378 # and permit new connections related to established ones 379 # (e.g. port mode ftp) 380 iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 381 382 # Log everything else. What's Windows' latest exploitable vulnerability? 383 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 384 385 # End /etc/systemd/scripts/iptables</literal> 386 EOF 387 chmod 700 /etc/systemd/scripts/iptables</userinput></screen> 388 389 <para> 390 This script is quite simple, it drops all traffic coming 391 into your computer that wasn't initiated from your computer, but 392 as long as you are simply surfing the Internet you are unlikely 393 to exceed its limits. 
394 </para> 395 396 <para> 397 If you frequently encounter certain delays at accessing 398 FTP servers, take a look at <xref linkend="fw-BB-4-ipt"/>. 399 </para> 400 401 <para> 402 Even if you have daemons or services running on your system, 403 these will be inaccessible everywhere but from your computer itself. 404 If you want to allow access to services on your machine, such as 405 <command>ssh</command> or <command>ping</command>, take a look at 406 <xref linkend="fw-busybox-ipt"/>. 407 </para> 408 409 </sect3> 410 411 <sect3 id="fw-masqRouter-ipt" 412 xreflabel="Creating a Masquerading Router With iptables"> 413 <title>Masquerading Router</title> 414 415 <para> 416 A network Firewall has two interfaces, one connected to an 417 intranet, in this example <emphasis role="strong">LAN1</emphasis>, 418 and one connected to the Internet, here <emphasis 419 role="strong">WAN1</emphasis>. To provide the maximum security 420 for the firewall itself, make sure that there are no unnecessary 421 servers running on it such as <application>X11</application> et al. 422 As a general principle, the firewall itself should not access 423 any untrusted service (think of a remote server giving answers that 424 makes a daemon on your system crash, or even worse, that implements 425 a worm via a buffer-overflow). 426 </para> 427 428 <screen role="root" revision="sysv"><?dbfo keep-together="auto"?><userinput>cat > /etc/rc.d/rc.iptables << "EOF" 429 <literal>#!/bin/sh 430 431 # Begin rc.iptables 432 433 echo 434 echo "You're using the example configuration for a setup of a firewall" 435 echo "from Beyond Linux From Scratch." 436 echo "This example is far from being complete, it is only meant" 437 echo "to be a reference." 438 echo "Firewall security is a complex issue, that exceeds the scope" 439 echo "of the configuration rules below." 440 echo "You can find additional information" 441 echo "about firewalls in Chapter 4 of the BLFS book." 
442 echo "http://www.&lfs-domainname;/blfs" 443 echo 444 445 # Insert iptables modules (not needed if built into the kernel). 446 447 modprobe nf_conntrack 448 modprobe nf_conntrack_ftp 449 modprobe xt_conntrack 450 modprobe xt_LOG 451 modprobe xt_state 452 453 # Enable broadcast echo Protection 454 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 455 456 # Disable Source Routed Packets 457 echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 458 459 # Enable TCP SYN Cookie Protection 460 echo 1 > /proc/sys/net/ipv4/tcp_syncookies 461 462 # Disable ICMP Redirect Acceptance 463 echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects 464 465 # Don't send Redirect Messages 466 echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects 467 468 # Drop Spoofed Packets coming in on an interface where responses 469 # would result in the reply going out a different interface. 470 echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 471 472 # Log packets with impossible addresses. 473 echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 474 475 # Be verbose on dynamic ip-addresses (not needed in case of static IP) 476 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 477 478 # Disable Explicit Congestion Notification 479 # Too many routers are still ignorant 480 echo 0 > /proc/sys/net/ipv4/tcp_ecn 481 482 # Set a known state 483 iptables -P INPUT DROP 484 iptables -P FORWARD DROP 485 iptables -P OUTPUT DROP 486 487 # These lines are here in case rules are already in place and the 488 # script is ever rerun on the fly. We want to remove all rules and 489 # pre-existing user defined chains before we implement new rules. 490 iptables -F 491 iptables -X 492 iptables -Z 493 494 iptables -t nat -F 495 496 # Allow local connections 497 iptables -A INPUT -i lo -j ACCEPT 498 iptables -A OUTPUT -o lo -j ACCEPT 499 500 # Allow forwarding if the initiated on the intranet 501 iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 502 iptables -A FORWARD ! 
-i WAN1 -m conntrack --ctstate NEW -j ACCEPT 503 504 # Do masquerading 505 # (not needed if intranet is not using private ip-addresses) 506 iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE 507 508 # Log everything for debugging 509 # (last of all rules, but before policy rules) 510 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 511 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD " 512 iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " 513 514 # Enable IP Forwarding 515 echo 1 > /proc/sys/net/ipv4/ip_forward</literal> 516 EOF 517 chmod 700 /etc/rc.d/rc.iptables</userinput></screen> 518 519 <screen role="root" revision="systemd"><?dbfo keep-together="auto"?><userinput>install -v -dm755 /etc/systemd/scripts 520 521 cat > /etc/systemd/scripts/iptables << "EOF" 522 <literal>#!/bin/sh 523 524 # Begin /etc/systemd/scripts/iptables 525 526 echo 527 echo "You're using the example configuration for a setup of a firewall" 528 echo "from Beyond Linux From Scratch." 529 echo "This example is far from being complete, it is only meant" 530 echo "to be a reference." 531 echo "Firewall security is a complex issue, that exceeds the scope" 532 echo "of the configuration rules below." 533 534 echo "You can find additional information" 535 echo "about firewalls in Chapter 4 of the BLFS book." 536 echo "http://www.&lfs-domainname;/blfs" 537 echo 538 539 # Insert iptables modules (not needed if built into the kernel). 
540 541 modprobe nf_conntrack 542 modprobe nf_conntrack_ftp 543 modprobe xt_conntrack 544 modprobe xt_LOG 545 modprobe xt_state 546 547 # Enable broadcast echo Protection 548 echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 549 550 # Disable Source Routed Packets 551 echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route 552 553 # Enable TCP SYN Cookie Protection 554 echo 1 > /proc/sys/net/ipv4/tcp_syncookies 555 556 # Disable ICMP Redirect Acceptance 557 echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects 558 559 # Don't send Redirect Messages 560 echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects 561 562 # Drop Spoofed Packets coming in on an interface where responses 563 # would result in the reply going out a different interface. 564 echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter 565 566 # Log packets with impossible addresses. 567 echo 1 > /proc/sys/net/ipv4/conf/all/log_martians 568 569 # Be verbose on dynamic ip-addresses (not needed in case of static IP) 570 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 571 572 # Disable Explicit Congestion Notification 573 # Too many routers are still ignorant 574 echo 0 > /proc/sys/net/ipv4/tcp_ecn 575 576 # Set a known state 577 iptables -P INPUT DROP 578 iptables -P FORWARD DROP 579 iptables -P OUTPUT DROP 580 581 # These lines are here in case rules are already in place and the 582 # script is ever rerun on the fly. We want to remove all rules and 583 # pre-existing user defined chains before we implement new rules. 584 iptables -F 585 iptables -X 586 iptables -Z 587 588 iptables -t nat -F 589 590 # Allow local connections 591 iptables -A INPUT -i lo -j ACCEPT 592 iptables -A OUTPUT -o lo -j ACCEPT 593 594 # Allow forwarding if the initiated on the intranet 595 iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 596 iptables -A FORWARD ! 
-i WAN1 -m conntrack --ctstate NEW -j ACCEPT 597 598 # Do masquerading 599 # (not needed if intranet is not using private ip-addresses) 600 iptables -t nat -A POSTROUTING -o WAN1 -j MASQUERADE 601 602 # Log everything for debugging 603 # (last of all rules, but before policy rules) 604 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 605 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD " 606 iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " 607 608 # Enable IP Forwarding 609 echo 1 > /proc/sys/net/ipv4/ip_forward 610 611 # The following sections allow inbound packets for specific examples 612 # Uncomment the example lines and adjust as necessary 613 614 # Allow ping on the external interface 615 #iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 616 #iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT 617 618 # Reject ident packets with TCP reset to avoid delays with FTP or IRC 619 #iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset 620 621 # Allow HTTP and HTTPS to 192.168.0.2 622 #iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 80 -j DNAT --to 192.168.0.2 623 #iptables -A PREROUTING -t nat -i WAN1 -p tcp --dport 443 -j DNAT --to 192.168.0.2 624 #iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 80 -j ACCEPT 625 #iptables -A FORWARD -p tcp -d 192.168.0.2 --dport 443 -j ACCEPT 626 627 # End /etc/systemd/scripts/iptables</literal> 628 EOF 629 chmod 700 /etc/systemd/scripts/iptables</userinput></screen> 630 631 <para> 632 With this script your intranet should be reasonably secure 633 against external attacks. No one should be able to setup a new 634 connection to any internal service and, if it's masqueraded, 635 makes your intranet invisible to the Internet. Furthermore, your 636 firewall should be relatively safe because there are no services 637 running that a cracker could attack. 
638 </para> 639 640 </sect3> 641 642 <sect3 id="fw-busybox-ipt" xreflabel="Creating a BusyBox With iptables"> 643 <title>BusyBox</title> 644 645 <para> 646 This scenario isn't too different from the <xref 647 linkend="fw-masqRouter-ipt"/>, but additionally offers some 648 services to your intranet. Examples of this can be when 649 you want to administer your firewall from another host on 650 your intranet or use it as a proxy or a name server. 651 </para> 652 653 <note> 654 <para> 655 Outlining specifically how to protect a server that 656 offers services on the Internet goes far beyond the scope of 657 this document. See the references in <xref linkend="fw-extra-info"/> 658 for more information. 659 </para> 660 </note> 661 662 <para> 663 Be cautious. Every service you have enabled makes your 664 setup more complex and your firewall less secure. You are 665 exposed to the risks of misconfigured services or running 666 a service with an exploitable bug. A firewall should generally 667 not run any extra services. See the introduction to the 668 <xref linkend="fw-masqRouter-ipt"/> for some more details. 669 </para> 670 671 <para> 672 If you want to add services such as internal Samba or 673 name servers that do not need to access the Internet themselves, 674 the additional statements are quite simple and should still be 675 acceptable from a security standpoint. Just add the following lines 676 into the script <emphasis>before</emphasis> the logging rules. 677 </para> 678 679 <screen><literal>iptables -A INPUT -i ! WAN1 -j ACCEPT 680 iptables -A OUTPUT -o ! WAN1 -j ACCEPT</literal></screen> 681 682 <para> 683 If daemons, such as squid, have to access the Internet 684 themselves, you could open OUTPUT generally and restrict 685 INPUT. 
686 </para> 687 688 <screen><literal>iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 689 iptables -A OUTPUT -j ACCEPT</literal></screen> 690 691 <para> 692 However, it is generally not advisable to leave OUTPUT 693 unrestricted. You lose any control over trojans who would like 694 to "call home", and a bit of redundancy in case you've 695 (mis-)configured a service so that it broadcasts its existence 696 to the world. 697 </para> 698 699 <para> 700 To accomplish this, you should restrict INPUT and OUTPUT 701 on all ports except those that it's absolutely necessary to have 702 open. Which ports you have to open depends on your needs: mostly 703 you will find them by looking for failed accesses in your log 704 files. 705 </para> 706 707 <itemizedlist spacing="compact" role='iptables'> 708 <title>Have a Look at the Following Examples:</title> 709 <listitem> 710 <para> 711 Squid is caching the web: 712 </para> 713 714 <screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 715 iptables -A INPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED \ 716 -j ACCEPT</literal></screen> 717 718 </listitem> 719 <listitem> 720 <para> 721 Your caching name server (e.g., named) does its lookups via UDP: 722 </para> 723 724 <screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen> 725 726 </listitem> 727 <listitem> 728 <para> 729 You want to be able to ping your computer to ensure it's still 730 alive: 731 </para> 732 733 <screen><literal>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 734 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</literal></screen> 735 736 </listitem> 737 <listitem> 738 <para id='fw-BB-4-ipt' xreflabel="BusyBox with iptable example number 4"> 739 If you are frequently accessing FTP servers or enjoy chatting, you 740 might notice delays because some implementations of these daemons 741 query an identd daemon on your system to obtain usernames. 
Although 742 there's really little harm in this, having an identd running is not 743 recommended because many security experts feel the service gives 744 out too much additional information. 745 </para> 746 747 <para> 748 To avoid these delays you could reject the requests with a 749 'tcp-reset' response: 750 </para> 751 752 <screen><literal>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen> 753 754 </listitem> 755 <listitem> 756 <para> 757 To log and drop invalid packets (packets 758 that came in after netfilter's timeout or some types of 759 network scans) insert these rules at the top of the chain: 760 </para> 761 762 <screen><literal>iptables -I INPUT 0 -p tcp -m conntrack --ctstate INVALID \ 763 -j LOG --log-prefix "FIREWALL:INVALID " 764 iptables -I INPUT 1 -p tcp -m conntrack --ctstate INVALID -j DROP</literal></screen> 765 766 </listitem> 767 <listitem> 768 <para> 769 Anything coming from the outside should not have a 770 private address, this is a common attack called IP-spoofing: 771 </para> 772 773 <screen><literal>iptables -A INPUT -i WAN1 -s 10.0.0.0/8 -j DROP 774 iptables -A INPUT -i WAN1 -s 172.16.0.0/12 -j DROP 775 iptables -A INPUT -i WAN1 -s 192.168.0.0/16 -j DROP</literal></screen> 776 777 <para> 778 There are other addresses that you may also want to drop: 779 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and 780 experimental), 169.254.0.0/16 (Link Local Networks), and 781 192.0.2.0/24 (IANA defined test network). 
782 </para> 783 </listitem> 784 <listitem> 785 <para> 786 If your firewall is a DHCP client, you need to allow those packets: 787 </para> 788 789 <screen><literal>iptables -A INPUT -i WAN1 -p udp -s 0.0.0.0 --sport 67 \ 790 -d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen> 791 792 </listitem> 793 <listitem> 794 <para> 795 To simplify debugging and be fair to anyone who'd like 796 to access a service you have disabled, purposely or by mistake, 797 you could REJECT those packets that are dropped. 798 </para> 799 800 <para> 801 Obviously this must be done directly after logging as the very 802 last lines before the packets are dropped by policy: 803 </para> 804 805 <screen><literal>iptables -A INPUT -j REJECT</literal></screen> 806 807 </listitem> 808 </itemizedlist> 809 810 <para> 811 These are only examples to show you some of the capabilities 812 of the firewall code in Linux. Have a look at the man page of iptables. 813 There you will find much more information. The port numbers needed for 814 this can be found in <filename>/etc/services</filename>, in case you 815 didn't find them by trial and error in your log file. 816 </para> 817 818 </sect3> 199 819 200 820 <sect3 id="iptables-init">
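Review bot: the rewritten opening sentence of "Introduction to iptables" ("a userspace command line program used to configure Linux 2.4 and later kernel packet filtering ruleset") is missing an article and reads awkwardly; suggest "used to configure the packet filtering ruleset of the Linux 2.4 and later kernels". The replaced paragraph also told the reader that iptables is needed for any form of firewall, which is the practical reason this page exists in the security chapter; keeping one sentence to that effect would help.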
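Review bot: typo "suppport" in the paragraph added below the kernel configuration screen ("any protocols that you wish to use for match suppport"). That paragraph is also vaguer than it needs to be: the example scripts further down in this same change load nf_conntrack, nf_conntrack_ftp, xt_conntrack, xt_LOG and xt_state and use the MASQUERADE and REJECT targets, so the text could name the corresponding options (at least CONFIG_NF_CONNTRACK, CONFIG_NF_CONNTRACK_FTP, CONFIG_NETFILTER_XT_MATCH_CONNTRACT's correct name CONFIG_NETFILTER_XT_MATCH_CONNTRACK, CONFIG_NETFILTER_XT_TARGET_LOG, CONFIG_IP_NF_TARGET_MASQUERADE and CONFIG_IP_NF_TARGET_REJECT) instead of leaving the reader to guess under "Core Netfilter Configuration".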
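Review bot: the note hunk in "Installation of iptables" deletes the paragraph advising non-x86 users to point KERNEL_DIR= at the Linux source tree, but keeps the sentence "you may also need to recompile iptables and that the BLFS team has not tested using the raw kernel headers", which now mentions raw headers with nothing left explaining when they would be used. Either keep the non-x86 paragraph (or a one-line version of it) or reword the surviving sentence so it stands on its own; if the advice is obsolete, the commit should say so.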
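Review bot: two typos in the new notes at the top of "Configuring iptables": "follwoing" and "interace". In the Personal Firewall script (sysv variant) the closing comment "# End $rc_base/rc.iptables" references a variable that is never set and does not match the opening "# Begin rc.iptables"; the systemd variant uses the full path in both places, so use "# End /etc/rc.d/rc.iptables" here. The aside "What's Windows' latest exploitable vulnerability?" in the comment above the LOG rule adds nothing to the rule and should be dropped from both variants, and "It is still applicable to the Linux 3.x kernels" is out of date for a change made in 2019 (current kernels is enough).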
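Review bot: the sysv and systemd variants of the Masquerading Router script have drifted apart in this hunk: the systemd script ends with the commented "The following sections allow inbound packets for specific examples" block (ping, ident REJECT, DNAT of ports 80/443 to 192.168.0.2) and an "# End /etc/systemd/scripts/iptables" line, while the sysv script has neither; the two should stay in sync, since a reader only ever sees one revision. Two smaller points in the same script: the sysctl block writes only conf/default/rp_filter, conf/default/send_redirects and conf/all/accept_redirects, whereas the Personal Firewall script above sets both the all and default entries. The default entries only seed interfaces created after the write, so on a router whose LAN1 and WAN1 are already up, rp_filter and the redirect settings are not changed by this script; set the conf/all entries as well, as the personal script does (and this machine is the one actually forwarding packets, so it matters more here). Also "Allow forwarding if the initiated on the intranet" should read "if initiated on the intranet", and "modprobe xt_state" is not needed by any rule in the file, since every rule uses "-m conntrack", which is xt_conntrack.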
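Review bot: the "log and drop invalid packets" example in the BusyBox list uses "iptables -I INPUT 0 ...", but rule positions for -I are 1-based and iptables rejects 0 as an invalid rule number, so the LOG rule is never installed; use "-I INPUT 1" for the LOG rule and "-I INPUT 2" for the DROP rule (or insert the DROP rule at 1 first and then the LOG rule at 1) so that the logged-then-dropped order the text describes is what ends up in the chain. In the same section, "iptables -A INPUT -i ! WAN1 -j ACCEPT" and "iptables -A OUTPUT -o ! WAN1 -j ACCEPT" use the intrapositioned negation that iptables has deprecated; the router script in this very hunk already uses the current form ("iptables -A FORWARD ! -i WAN1 ..."), so change these to "! -i WAN1" and "! -o WAN1" for consistency and to avoid the deprecation warning or error on current releases.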
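Review bot: the DHCP client rule ("-s 0.0.0.0 --sport 67 -d 255.255.255.255 --dport 68") will not match what a DHCP server actually sends: 0.0.0.0 is the source the client uses for its own DISCOVER/REQUEST, while the OFFER and ACK replies carry the server's own address as source (and may be unicast rather than broadcast). Drop the "-s 0.0.0.0" and "-d 255.255.255.255" matches and accept "-i WAN1 -p udp --sport 67 --dport 68" instead; the reader should also be told that the list of additional addresses to drop just above includes 224.0.0.0/3 as a source filter only and does not interfere with the broadcast destination used here.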