Changeset a4acd463 for postlfs/security
- Timestamp:
- 10/14/2003 04:25:20 PM (21 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, v5_0, v5_1, v5_1-pre1, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- 9dc71fc
- Parents:
- 27d830e
- File:
- 1 edited
postlfs/security/firewalling/busybox.xml
r27d830e ra4acd463 20 20 simple and should still be acceptable from a security standpoint. 21 21 Just add the following lines <emphasis>before</emphasis> the logging-rules 22 into the script. 22 into the script.</para> 23 23 24 24 <screen>iptables -A INPUT -i ! ppp+ -j ACCEPT 25 iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen> </para>25 iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen> 26 26 27 27 <para>If your daemons have to access the web themselves, like squid would need 28 to, you could open OUTPUT generally and restrict INPUT. 28 to, you could open OUTPUT generally and restrict INPUT.</para> 29 29 30 30 <screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 31 iptables -A OUTPUT -j ACCEPT</screen> </para>31 iptables -A OUTPUT -j ACCEPT</screen> 32 32 33 33 <para>However, it is generally not advisable to leave OUTPUT unrestricted: you lose … … 44 44 <title>Have a look at the following examples:</title> 45 45 46 <listitem><para>Squid is caching the web: 46 <listitem><para>Squid is caching the web:</para> 47 47 <screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 48 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></ para></listitem>48 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></listitem> 49 49 50 50 <listitem><para>Your caching name server (e.g., dnscache) does its 51 lookups via udp: 51 lookups via udp:</para> 52 52 <screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT 53 iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></ para></listitem>53 iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></listitem> 54 54 55 55 <listitem><para>Alternatively, if you want to be able to ping your box to ensure 56 it's still alive: 56 it's still alive:</para> 57 57 <screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 58 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></ 
para></listitem>58 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></listitem> 59 59 60 60 <listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 4"/>If you are … … 66 66 67 67 <para>To avoid these delays you could reject the requests 68 with a 'tcp-reset': 68 with a 'tcp-reset':</para> 69 69 70 70 <screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset 71 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></ para></listitem>71 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem> 72 72 73 73 <listitem><para>To log and drop invalid packets, mostly harmless packets 74 that came in after netfilter's timeout, sometimes scans: 74 that came in after netfilter's timeout, sometimes scans:</para> 75 75 76 76 <screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \ 77 77 "FIREWALL:INVALID" 78 iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></ para></listitem>78 iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem> 79 79 80 80 <listitem><para>Anything coming from the outside should not have a 81 private address, this is a common attack called IP-spoofing: 81 private address, this is a common attack called IP-spoofing:</para> 82 82 83 83 <screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP 84 84 iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP 85 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></ para></listitem>85 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></listitem> 86 86 87 87 <listitem><para>To simplify debugging and be fair to anyone who'd like to … … 90 90 91 91 <para>Obviously this must be done directly after logging as the very 92 last lines before the packets are dropped by policy: 92 last lines before the packets are dropped by policy:</para> 93 93 94 94 <screen>iptables -A 
INPUT -j REJECT 95 iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></ para></listitem>95 iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem> 96 96 </itemizedlist> 97 97 <!--</orderedlist>-->
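Review bot: the `</ para>` end tags (space after the slash) that the removed lines carry in every listitem are not well-formed XML, so the file before this change could not have been parsed at all; the added lines replace each with a plain `</para>` moved ahead of the `<screen>` block and a bare `</screen></listitem>` after it, which is the right fix and applies the same pattern consistently to the two non-list paragraphs at the top of the hunk. Two small follow-ups: the stale `<!--</orderedlist>-->` comment left on the final context line now sits directly after the real `</itemizedlist>` and could simply be dropped, and since the change is markup-only it is worth running `xmllint --noout` over busybox.xml after applying it to confirm the result parses cleanly.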