Changeset 1aacd4b5 for postlfs/security/firewalling/busybox.xml
- Timestamp: 09/11/2003 07:44:39 PM (21 years ago)
- Branches: 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, v5_0, v5_0-pre1, v5_1, v5_1-pre1, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children: acfc391
- Parents: 945f944
- File: 1 edited
postlfs/security/firewalling/busybox.xml
r945f944 r1aacd4b5 22 22 into the script. 23 23 24 <screen>iptables -A INPUT -i ! ppp+-j ACCEPT25 iptables -A OUTPUT -o ! ppp+-j ACCEPT</screen></para>24 <screen>iptables -A INPUT -i ! ppp+ -j ACCEPT 25 iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen></para> 26 26 27 27 <para>If your daemons have to access the web themselves, like squid would need 28 28 to, you could open OUTPUT generally and restrict INPUT. 29 29 30 <screen>iptables -A INPUT 31 iptables -A OUTPUT 30 <screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 31 iptables -A OUTPUT -j ACCEPT</screen></para> 32 32 33 33 <para>However, it is generally not advisable to leave OUTPUT unrestricted: you lose … … 40 40 Which ports you have to open depends on your needs: mostly you will find them 41 41 by looking for failed accesses in your log-files.</para> 42 43 < orderedlist numeration="arabic" spacing="compact">42 <itemizedlist spacing="compact"> 43 <!-- <orderedlist numeration="arabic" spacing="compact"> --> 44 44 <title>Have a look at the following examples:</title> 45 45 46 <listitem><para>Squid is caching the web:</para> 47 <para><screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 48 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \ 49 -j ACCEPT</screen></para></listitem> 46 <listitem><para>Squid is caching the web: 47 <screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 48 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></para></listitem> 50 49 51 50 <listitem><para>Your caching name server (e.g., dnscache) does its 52 lookups via udp:</para> 53 <para><screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT 54 iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED \ 55 -j ACCEPT</screen></para></listitem> 51 lookups via udp: 52 <screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT 53 iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></para></listitem> 56 54 57 55 
<listitem><para>Alternatively, if you want to be able to ping your box to ensure 58 it's still alive:</para> 59 <para><screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request \ 60 -j ACCEPT 61 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></para></listitem> 56 it's still alive: 57 <screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 58 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></para></listitem> 62 59 63 60 <listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are … … 69 66 70 67 <para>To avoid these delays you could reject the requests 71 with a 'tcp-reset': </para>68 with a 'tcp-reset': 72 69 73 <para><screen>iptables -A INPUT -p tcp --dport 113 -j REJECT \ 74 --reject-with tcp-reset 75 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED \ 76 -j ACCEPT</screen></para></listitem> 70 <screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset 71 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></para></listitem> 77 72 78 73 <listitem><para>To log and drop invalid packets, mostly harmless packets 79 that came in after netfilter's timeout, sometimes scans: </para>74 that came in after netfilter's timeout, sometimes scans: 80 75 81 < para><screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG\82 --log-prefix"FIREWALL:INVALID"83 iptables -I INPUT 2 -p tcp -m state --state INVALID-j DROP</screen></para></listitem>76 <screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \ 77 "FIREWALL:INVALID" 78 iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></para></listitem> 84 79 85 80 <listitem><para>Anything coming from the outside should not have a 86 private address, this is a common attack called IP-spoofing: </para>81 private address, this is a common attack called IP-spoofing: 87 82 88 <para><screen>iptables -t nat -A PREROUTING 
-i ppp+ -s 10.0.0.0/8 -j DROP 89 iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP 90 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></para></listitem> 83 <screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP 84 iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP 85 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j 86 DROP</screen></para></listitem> 91 87 92 88 <listitem><para>To simplify debugging and be fair to anyone who'd like to … … 95 91 96 92 <para>Obviously this must be done directly after logging as the very 97 last lines before the packets are dropped by policy: </para>93 last lines before the packets are dropped by policy: 98 94 99 < para><screen>iptables -A INPUT-j REJECT100 iptables -A OUTPUT -p icmp --icmp-type 3-j ACCEPT</screen></para></listitem>101 102 < /orderedlist>95 <screen>iptables -A INPUT -j REJECT 96 iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></para></listitem> 97 </itemizedlist> 98 <!--</orderedlist>--> 103 99 104 100 <para>These are only examples to show you some of the capabilities of the new … … 106 102 iptables. 107 103 There you will find more of them. The port-numbers you'll need for this 108 can be found in /etc/services, in case you didn't find them via "try'n'error"109 in your logfile.</para>104 can be found in <filename>/etc/services</filename>, in case you didn't 105 find them by trial and error in your logfile.</para> 110 106 111 107 <para>If you add any of your offered or accessed services such as the above,
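Review bot: Changing `<orderedlist numeration="arabic" ...>` to `<itemizedlist spacing="compact">` (lines 42-43 of the new file) removes the item numbers that the anchor `<anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>` further down the same list still depends on: an xref to that anchor will render as "example no. 4" while the list itself now shows unnumbered bullets. Either keep the ordered list or give the anchor an xreflabel that does not name a position. Also, the `<!-- <orderedlist numeration="arabic" spacing="compact"> -->` and `<!--</orderedlist>-->` lines are dead markup carried in the source; version control already preserves the old form, so drop them.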
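Review bot: In the IP-spoofing example the last rule is now broken across a line between `-j` and `DROP` (`iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j` followed by `DROP` on its own line). `<screen>` is verbatim, so the rendered page shows two lines with no continuation backslash, and a reader pasting them runs `-j` with no target and then a bare `DROP`. Keep the rule on one line, or end the first line with ` \` as the `--log-prefix \` example just above already does. Two further points on the same hunk that the text could carry in a sentence: these anti-spoofing rules live in the nat table's PREROUTING chain, which only sees the first packet of each connection, so the filter table's INPUT chain (or mangle PREROUTING) is the appropriate place for a drop; and the `-j LOG` rule for INVALID packets has no `-m limit`, so a burst of invalid packets (a scan, as the text itself mentions) can flood the log.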