- Timestamp:
- 09/11/2003 07:44:39 PM (21 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, v5_0, v5_0-pre1, v5_1, v5_1-pre1, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- acfc391
- Parents:
- 945f944
- Location:
- postlfs/security/firewalling
- Files:
- 10 edited
postlfs/security/firewalling/busybox.xml
r945f944 r1aacd4b5 22 22 into the script. 23 23 24 <screen>iptables -A INPUT -i ! ppp+-j ACCEPT25 iptables -A OUTPUT -o ! ppp+-j ACCEPT</screen></para>24 <screen>iptables -A INPUT -i ! ppp+ -j ACCEPT 25 iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen></para> 26 26 27 27 <para>If your daemons have to access the web themselves, like squid would need 28 28 to, you could open OUTPUT generally and restrict INPUT. 29 29 30 <screen>iptables -A INPUT 31 iptables -A OUTPUT 30 <screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 31 iptables -A OUTPUT -j ACCEPT</screen></para> 32 32 33 33 <para>However, it is generally not advisable to leave OUTPUT unrestricted: you lose … … 40 40 Which ports you have to open depends on your needs: mostly you will find them 41 41 by looking for failed accesses in your log-files.</para> 42 43 < orderedlist numeration="arabic" spacing="compact">42 <itemizedlist spacing="compact"> 43 <!-- <orderedlist numeration="arabic" spacing="compact"> --> 44 44 <title>Have a look at the following examples:</title> 45 45 46 <listitem><para>Squid is caching the web:</para> 47 <para><screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 48 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \ 49 -j ACCEPT</screen></para></listitem> 46 <listitem><para>Squid is caching the web: 47 <screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 48 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></para></listitem> 50 49 51 50 <listitem><para>Your caching name server (e.g., dnscache) does its 52 lookups via udp:</para> 53 <para><screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT 54 iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED \ 55 -j ACCEPT</screen></para></listitem> 51 lookups via udp: 52 <screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT 53 iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></para></listitem> 56 54 57 55 
<listitem><para>Alternatively, if you want to be able to ping your box to ensure 58 it's still alive:</para> 59 <para><screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request \ 60 -j ACCEPT 61 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></para></listitem> 56 it's still alive: 57 <screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 58 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></para></listitem> 62 59 63 60 <listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are … … 69 66 70 67 <para>To avoid these delays you could reject the requests 71 with a 'tcp-reset': </para>68 with a 'tcp-reset': 72 69 73 <para><screen>iptables -A INPUT -p tcp --dport 113 -j REJECT \ 74 --reject-with tcp-reset 75 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED \ 76 -j ACCEPT</screen></para></listitem> 70 <screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset 71 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></para></listitem> 77 72 78 73 <listitem><para>To log and drop invalid packets, mostly harmless packets 79 that came in after netfilter's timeout, sometimes scans: </para>74 that came in after netfilter's timeout, sometimes scans: 80 75 81 < para><screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG\82 --log-prefix"FIREWALL:INVALID"83 iptables -I INPUT 2 -p tcp -m state --state INVALID-j DROP</screen></para></listitem>76 <screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \ 77 "FIREWALL:INVALID" 78 iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></para></listitem> 84 79 85 80 <listitem><para>Anything coming from the outside should not have a 86 private address, this is a common attack called IP-spoofing: </para>81 private address, this is a common attack called IP-spoofing: 87 82 88 <para><screen>iptables -t nat -A PREROUTING 
-i ppp+ -s 10.0.0.0/8 -j DROP 89 iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP 90 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></para></listitem> 83 <screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP 84 iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP 85 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j 86 DROP</screen></para></listitem> 91 87 92 88 <listitem><para>To simplify debugging and be fair to anyone who'd like to … … 95 91 96 92 <para>Obviously this must be done directly after logging as the very 97 last lines before the packets are dropped by policy: </para>93 last lines before the packets are dropped by policy: 98 94 99 < para><screen>iptables -A INPUT-j REJECT100 iptables -A OUTPUT -p icmp --icmp-type 3-j ACCEPT</screen></para></listitem>101 102 < /orderedlist>95 <screen>iptables -A INPUT -j REJECT 96 iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></para></listitem> 97 </itemizedlist> 98 <!--</orderedlist>--> 103 99 104 100 <para>These are only examples to show you some of the capabilities of the new … … 106 102 iptables. 107 103 There you will find more of them. The port-numbers you'll need for this 108 can be found in /etc/services, in case you didn't find them via "try'n'error"109 in your logfile.</para>104 can be found in <filename>/etc/services</filename>, in case you didn't 105 find them by trial and error in your logfile.</para> 110 106 111 107 <para>If you add any of your offered or accessed services such as the above, -
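Review bot: in the anti-spoofing block the third rule is split across lines 85 and 86 of the new busybox.xml as `iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j` followed by `DROP` on a line of its own, with no trailing backslash; inside `<screen>` that line break is rendered literally, so a reader pasting the block runs the first command with `-j` lacking its target and then a bare `DROP`. Join it on one line, as the 10.0.0.0/8 and 172.16.0.0/12 rules are, or end line 85 with `\` as the LOG rule a few lines up already does. A second point on the list change: `<orderedlist>` becomes `<itemizedlist>`, yet the anchor `xreflabel="example no. 4"` in the same region still refers to the examples by number; with bullets there is no visible numbering for that label to match, so either keep the ordered list or change the xreflabel.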
postlfs/security/firewalling/disclaimer.xml
r945f944 r1aacd4b5 2 2 <title>Disclaimer</title> 3 3 4 < para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM4 <!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM 5 5 ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS 6 DOCUMENT.</emphasis></para> 6 DOCUMENT.</emphasis></para> --> 7 7 8 8 <para>This document is meant as an introduction to how to setup a -
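Review bot: the disclaimer paragraph is commented out with `<!-- ... -->` rather than removed, which leaves dead markup that every future editor has to read past, while the section keeps the title `Disclaimer` although the disclaimer itself is gone and the remaining paragraph ("This document is meant as an introduction ...") reads as an introduction. Delete the paragraph outright (repository history keeps it) and, if the section is to stay, retitle it to match what is left; finale.xml and kernel.xml in this changeset follow the same comment-out pattern and could be cleaned up the same way.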
postlfs/security/firewalling/finale.xml
r945f944 r1aacd4b5 1 1 <sect2 id="postlfs-security-fw-finale" xreflabel="Conclusion"> 2 <title> Editor's Note</title>2 <title>Conclusion</title> 3 3 4 4 <para>Finally, I'd like to remind you of one fact we must not forget: … … 9 9 need of this hint!</para> 10 10 11 < para><literallayout>Be cautious!11 <!-- <para><literallayout>Be cautious! 12 12 13 13 Henning Rohde … … 19 19 20 20 <para>PPS: If any of these scripts fail, please tell me. I will try to trace 21 any faults.</para> 21 any faults.</para> --> 22 22 23 23 </sect2> -
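Review bot: lines 11 to 21 of finale.xml are wrapped in one XML comment spanning the sign-off, the PS and the PPS, but an XML comment may not contain the sequence `--` anywhere in its body and the middle of this block is elided in the diff; confirm that nothing in it (a dash-separated signature line, for instance) contains `--`, or the book will fail to build. Removing the block is cleaner than commenting it out. The title change from `Editor's Note` to `Conclusion` is good, since it now matches `xreflabel="Conclusion"` on the enclosing `<sect2>`.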
postlfs/security/firewalling/intro.xml
r945f944 r1aacd4b5 50 50 should generally have only one role, that of protecting the intranet. 51 51 Although not completely riskless, the tasks of doing the routing 52 and eventually IP masquerading <footnote><para>rewriting IP-headers52 and eventually IP masquerading (rewriting IP-headers 53 53 of the packets it routes from clients with private IP-addresses onto 54 54 the internet so that they seem to come from the firewall 55 itself </para></footnote>are commonly considered harmless.</para></sect3>55 itself) are commonly considered harmless.</para></sect3> 56 56 57 57 <sect3><title><xref linkend="postlfs-security-fw-busybox"/></title> -
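Review bot: turning the footnote into a parenthesis drops a roughly thirty-word aside into the middle of the sentence, which now reads "the tasks of doing the routing and eventually IP masquerading (rewriting IP-headers ... itself) are commonly considered harmless" and is hard to parse; close the sentence after "harmless" and give the definition its own sentence, e.g. "IP masquerading rewrites the IP headers of packets routed from clients with private addresses so that they appear to come from the firewall itself." While this line is being touched: "eventually" in English means "in the end", which does not fit here; "possibly" or "optionally" appears to be the intended sense.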
postlfs/security/firewalling/kernel.xml
r945f944 r1aacd4b5 4 4 <para>If you want your Linux-Box to do firewalling you must first ensure 5 5 that your kernel has been compiled with the relevant options turned on 6 < footnote><para>If you needed assistance howto configure, compile and install6 <!-- <footnote><para>If you needed assistance howto configure, compile and install 7 7 a new kernel, refer back to chapter VIII of the LinuxFromScratch book, 8 8 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink> … … 10 10 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink> 11 11 ; note, that you'll need to reboot 12 to actually run your new kernel.</para></footnote> .</para>12 to actually run your new kernel.</para></footnote>-->.</para> 13 13 14 14 <para>How to configure your kernel, with enabling the options to be … … 17 17 that the modules need to be loaded at first.</para> 18 18 19 <screen>Network options menu 20 Network paket filtering: Y 21 Unix domain sockets: Y or M 22 TCP/IP networking: Y 23 IP: advanced router: Y 24 IP: verbose route monitoring: Y 25 IP: TCP Explicit Congestion Notification support: Y 26 IP: TCP syncookie support: Y 27 IP: Netfilter Configuration menu 28 Every option except: 29 ipchains (2.2-style) support 30 ipfwadm (2.0-style) support Y or M 31 Fast switching: N</screen> 32 33 <!-- 19 34 <table frame='none'> 20 35 <title>Essential config-options for a firewalling-enabled Kernel</title> … … 116 131 </tgroup> 117 132 118 </table> 133 </table> --> 119 134 120 135 </sect2> -
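Review bot: the new `<screen>` block in kernel.xml has a typo on line 20, `Network paket filtering` should be `Network packet filtering`, and the `Y or M` on line 30 is ambiguous: placed after `ipfwadm (2.0-style) support` under the `Every option except:` heading it reads as if ipfwadm should be set to Y or M, when it presumably applies to every other Netfilter option. Put `Y or M` on the `IP: Netfilter Configuration menu` line (or on its own line before the two exceptions) so the meaning is unambiguous. Two smaller points: on line 12 the closing `-->` is followed directly by `.`, so the sentence renders as "turned on ." with the line break after line 5 becoming a space before the full stop; move the full stop to the end of line 5. And the old table is commented out rather than deleted (lines 33 to 133 of the new file are now dead markup); deleting it is cleaner.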
postlfs/security/firewalling/library.xml
r945f944 r1aacd4b5 6 6 <ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">FAQ</ulink> 7 7 <ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">List of Netfilter-related HOWTO's</ulink> 8 <ulink url="http://www.linuxdoc.org/LDP/nag2/x-087-2-firewall.html" ></ulink>8 <ulink url="http://www.linuxdoc.org/LDP/nag2/x-087-2-firewall.html"/> 9 9 <ulink url="http://www.linuxdoc.org/HOWTO/Security-HOWTO.html"></ulink> 10 10 <ulink url="http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html"></ulink> -
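Review bot: line 8 is changed to the self-closing `<ulink url="http://www.linuxdoc.org/LDP/nag2/x-087-2-firewall.html"/>`, but lines 9 and 10 keep the identical empty `<ulink url="..."></ulink>` form, so the list is now inconsistent within itself. Apply the same form to all three or, better, give each of them a title the way the FAQ and HOWTO entries on lines 6 and 7 already have, because an empty ulink gives the reader no text saying what the link is; from the URLs these are the NAG2 firewall chapter, Security-HOWTO.html and Firewall-HOWTO.html.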
postlfs/security/firewalling/masqrouter.xml
r945f944 r1aacd4b5 7 7 make sure that there are no servers running on it, especially not X11 et 8 8 al. And, as a general principle, the box itself should not access any untrusted 9 service <footnote><para>Think of a name server giving answers that make your9 service (Think of a name server giving answers that make your 10 10 bind crash, or, even worse, that implement a worm via a 11 buffer-overflow .</para></footnote>.</para>11 buffer-overflow).</para> 12 12 13 < para><screen><userinput>cat > /etc/rc.d/init.d/firewall << "EOF"</userinput>13 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall << "EOF"</command> 14 14 #!/bin/sh 15 15 … … 78 78 # activate IP-Forwarding 79 79 echo 1 > /proc/sys/net/ipv4/ip_forward 80 < userinput>EOF</userinput></screen></para>80 <command>EOF</command></userinput></screen> 81 81 82 82 <para>With this script your intranet should be sufficiently -
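Review bot: the footnote becomes a parenthetical that begins with a capital `Think` in the middle of the sentence: "should not access any untrusted service (Think of a name server ... buffer-overflow)."; lowercase it, or better end the sentence after "service" and make the example its own sentence. The `<userinput>` change is fine: wrapping the whole heredoc (the `cat` line, the script body and the closing `EOF`) in one `<userinput>` with `<command>` around the shell lines is correct, since the reader types all of it, and the matching edits in persfw.xml, status.xml and stop.xml are consistent with it.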
postlfs/security/firewalling/persfw.xml
r945f944 r1aacd4b5 10 10 2.4 Packet Filtering HOWTO</ulink>:</para> 11 11 12 < para><screen><userinput>cat > /etc/rc.d/init.d/firewall << "EOF"</userinput>12 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall << "EOF"</command> 13 13 #!/bin/sh 14 14 … … 47 47 48 48 # End $rc_base/init.d/firewall 49 < userinput>EOF</userinput></screen></para>49 <command>EOF</command></userinput></screen> 50 50 51 51 <para>His script is quite simple, it drops all traffic coming in into your -
postlfs/security/firewalling/status.xml
r945f944 r1aacd4b5 5 5 the order in which the rules take effect:</para> 6 6 7 < para><screen><userinput>cat > /etc/rc.d/init.d/firewall.status << "EOF"</userinput>7 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall.status << "EOF"</command> 8 8 #!/bin/sh 9 9 … … 20 20 echo "iptables.filter:" 21 21 iptables -v -L -n --line-numbers 22 < userinput>EOF</userinput></screen></para>22 <command>EOF</command></userinput></screen> 23 23 </sect3> -
postlfs/security/firewalling/stop.xml
r945f944 r1aacd4b5 4 4 <para>If you need to turn firewalling off, this script will do it:</para> 5 5 6 < para><screen><userinput>cat > /etc/rc.d/init.d/firewall.stop << "EOF"</userinput>6 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall.stop << "EOF"</command> 7 7 #!/bin/sh 8 8 … … 23 23 iptables -P FORWARD ACCEPT 24 24 iptables -P OUTPUT ACCEPT 25 < userinput>EOF</userinput></screen></para>25 <command>EOF</command></userinput></screen> 26 26 27 27 </sect3>