Changeset b4b71892 for postlfs/security/firewalling.xml
- Timestamp: 06/10/2004 05:47:11 AM (20 years ago)
- Branches: 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children: cf43c83
- Parents: f8d632a
- File: 1 edited
postlfs/security/firewalling.xml
rf8d632a rb4b71892 1 <?xml version="1.0" encoding="ISO-8859-1"?> 2 <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" 3 "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [ 4 <!ENTITY % general-entities SYSTEM "../../general.ent"> 5 %general-entities; 6 ]> 7 1 8 <sect1 id="postlfs-security-fw-firewall" xreflabel="Firewalling"> 2 9 <?dbhtml filename="firewall.html"?> … … 6 13 have already installed iptables as described in the previous section.</para> 7 14 8 &postlfs-security-fw-intro; 9 &postlfs-security-fw-disclaimer; 10 &postlfs-security-fw-kernel; 11 &postlfs-security-fw-writing; 12 &postlfs-security-fw-finale; 13 &postlfs-security-fw-extrainfo; 14 15 16 <sect2 id="postlfs-security-fw-intro" xreflabel="Firewalling Introduction"> 17 <title>Introduction to Firewall Creation</title> 18 19 <para>The general purpose of a firewall is to protect a network 20 against malicious access by using a single machine as a firewall. 21 This does imply that the firewall is to be considered a single point 22 of failure, but it can make the administrator's life a lot easier.</para> 23 24 <para>In a perfect world where you knew that every daemon or service 25 on every machine was perfectly configured and was immune to, e.g., 26 buffer-overflows and any other imaginable problem regarding its 27 security, and where you trusted every user accessing your services 28 to aim no harm, you wouldn't need to have a firewall! 29 In the real world however, daemons may be misconfigured, 30 exploits against essential services are freely available, you 31 may wish to choose which services are accessible by certain machines, 32 you may wish to limit which machines or applications are allowed 33 to have Internet access, or you may simply not trust some of your 34 apps or users. 
35 In these situations you might benefit by using a firewall.</para> 36 37 <para>Don't assume however, that having a firewall makes careful 38 configuration redundant, or that it makes any negligent 39 misconfiguration harmless. It also doesn't prevent anyone from exploiting a 40 service you intentionally offer but haven't recently updated or patched 41 after an exploit went public. Despite having a firewall, you need to 42 keep applications and daemons on your system well-configured and 43 up-to-date; a firewall is not a cure-all!</para> 44 45 </sect2> 46 47 <sect2> 48 <title>Meaning of the word firewall.</title> 49 50 <para>The word firewall can have several different meanings.</para> 51 52 <sect3><title><xref linkend="postlfs-security-fw-persFw"/></title> 53 54 <para>This is a setup or program, for Windows commercially sold by 55 companies such as Symantec, of which they claim or pretend that it 56 secures a home or desktop-pc with Internet access. This topic is 57 highly relevant for users who do not know the methods their computers 58 might be accessed via the Internet or how to disable them, 59 especially if they are always online and connected via 60 broadband links.</para></sect3> 61 62 <sect3><title><xref linkend="postlfs-security-fw-masqRouter"/></title> 63 <para>This is a box placed between the Internet and an intranet. 64 To minimize the risk of compromising the firewall itself it 65 should generally have only one role, that of protecting the intranet. 
66 Although not completely risk free, the tasks of doing the routing 67 and eventually IP masquerading (rewriting IP-headers 68 of the packets it routes from clients with private IP-addresses onto 69 the Internet so that they seem to come from the firewall 70 itself) are commonly considered harmless.</para></sect3> 71 72 <sect3><title><xref linkend="postlfs-security-fw-busybox"/></title> 73 <para>This is often an old box you may have retired and nearly forgotten, 74 performing masquerading or routing functions, but offering a bunch of 75 services, e.g., web-cache, mail, etc. This may be very commonly used 76 for home networks, but can definitely not be considered as secure 77 anymore because the combining of server and router on one machine raises 78 the complexity of the setup.</para></sect3> 79 80 <sect3><title>Firewall with a demilitarized zone [not further described 81 here]</title> 82 <para>This box performs masquerading or routing, but grants public access to 83 some branch of your network which, because of public IP's and a physically 84 separated structure, is neither considered to be part of the inter- nor 85 intranet. These servers are those which must be easily accessible 86 from both the inter- and intranet. The firewall protects 87 them all.</para></sect3> 88 89 <sect3><title>Packetfilter / partly accessible net [partly described 90 here, see <xref linkend="postlfs-security-fw-busybox"/>]</title> 91 <para>Doing routing or masquerading, but permitting only selected 92 services to be accessible, sometimes only by selected internal users or boxes; 93 mostly used in highly secure business contexts, sometimes by distrusting 94 employers. This was the common configuration of a firewall at the time of 95 the Linux 2.2 kernel. 
It's still possible to configure a firewall this way, 96 but it makes the rules quite complex and lengthy.</para></sect3> 97 98 </sect2> 99 100 <sect2 id="postlfs-security-fw-disclaimer" xreflabel="Disclaimer"> 101 <title>Disclaimer</title> 102 103 <!-- <para><emphasis>NEITHER THE AUTHOR NOR ANY OF THE LINUXFROMSCRATCH TEAM 104 ARE RESPONSIBLE FOR ANY DAMAGES INCURRED DUE TO ACTIONS TAKEN BASED ON THIS 105 DOCUMENT.</emphasis></para> --> 106 107 <para>This document is meant as an introduction to how to setup a firewall. It 108 is not a complete guide to securing systems. Firewalling is a complex issue 109 that requires careful configuration. The scripts quoted here are simply 110 intended to give examples as to how a firewall works, they are not intended to 111 fit into any imaginable configuration and may not prevent any imaginable 112 attack.</para> 113 114 <para>The purpose of this text is simply to give you a hint on how to get 115 started with a firewall.</para> 116 117 <para>Customization of these scripts for your specific situation will 118 be necessary for an optimal configuration, but you should make a serious 119 study of the iptables documentation and creating firewalls in general before hacking 120 away. Have a look at the list of <xref linkend="postlfs-security-fw-library"/> at the end 121 of this section for more details. Here you will find a list of URLs that 122 contain quite comprehensive information about building your own firewall.</para> 123 124 </sect2> 125 126 127 <sect2 id="postlfs-security-fw-kernel" xreflabel="getting a firewalling-enabled Kernel"> 128 <title>Getting a firewall enabled Kernel</title> 129 130 <para>If you want your Linux-Box to have a firewall, you must first ensure 131 that your kernel has been compiled with the relevant options turned on. 
132 <!-- <footnote><para>If you needed assistance how to configure, compile and install 133 a new kernel, refer back to chapter VIII of the LinuxFromScratch book, 134 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/kernel.html">Installing a kernel</ulink> 135 and eventually 136 <ulink url="http://www.linuxfromscratch.org/view/3.1/chapter08/lilo.html">Making the LFS system bootable</ulink> 137 ; note, that you'll need to reboot 138 to actually run your new kernel.</para></footnote>--> 139 </para> 140 141 <para>How to configure your kernel, with enabling the options to be 142 either compiled into the kernel or as modules, depends on your personal 143 preferences and experience. Note, that for the quoted scripts it is assumed 144 that the modules need to be loaded at first.</para> 145 146 <screen>Network options menu 147 Network packet filtering: Y 148 Unix domain sockets: Y or M 149 TCP/IP networking: Y 150 IP: advanced router: Y 151 IP: verbose route monitoring: Y 152 IP: TCP Explicit Congestion Notification support: Y 153 IP: TCP syncookie support: Y 154 IP: Netfilter Configuration menu 155 Every option except: Y or M 156 ipchains (2.2-style) support N 157 ipfwadm (2.0-style) support N 158 Fast switching: N</screen> 159 160 <!-- 161 <table frame='none'> 162 <title>Essential config-options for a firewall enabled Kernel</title> 163 164 <tgroup cols='5'> 165 <colspec colnum='1' colwidth='8*' align='center'/> 166 <colspec colnum='2' colwidth='19*' align='left'/> 167 <colspec colnum='3' colwidth='11*' align='center'/> 168 <colspec colnum='4' colwidth='1*' align='center'/> 169 <colspec colnum='5' colwidth='14*' align='left'/> 170 171 <tbody> 172 173 <row> 174 <entry><emphasis><userinput>Networking options:</userinput></emphasis></entry> 175 <entry><userinput>Network packet filtering</userinput></entry> 176 <entry></entry> 177 <entry>=</entry> 178 <entry>CONFIG_NETFILTER</entry> 179 </row> 180 181 <row> 182 <entry></entry> 183 <entry><userinput>Unix domain 
sockets</userinput></entry> 184 <entry></entry> 185 <entry>=</entry> 186 <entry>CONFIG_UNIX</entry> 187 </row> 188 189 <row> 190 <entry></entry> 191 <entry><userinput>IP: TCP/IP networking</userinput></entry> 192 <entry></entry> 193 <entry>=</entry> 194 <entry>CONFIG_INET</entry> 195 </row> 196 197 <row> 198 <entry></entry> 199 <entry><userinput>IP: advanced router</userinput></entry> 200 <entry></entry> 201 <entry>=</entry> 202 <entry>CONFIG_IP_ADVANCED_ROUTER</entry> 203 </row> 204 205 <row> 206 <entry></entry> 207 <entry><userinput>IP: verbose route monitoring</userinput></entry> 208 <entry></entry> 209 <entry>=</entry> 210 <entry>CONFIG_IP_ROUTE_VERBOSE</entry> 211 </row> 212 213 <row> 214 <entry></entry> 215 <entry><userinput>IP: TCP Explicit Congestion Notification support</userinput></entry> 216 <entry></entry> 217 <entry>=</entry> 218 <entry>CONFIG_INET_ECN</entry> 219 </row> 220 221 <row> 222 <entry></entry> 223 <entry><userinput>IP: TCP syncookie support</userinput></entry> 224 <entry></entry> 225 <entry>=</entry> 226 <entry>CONFIG_SYN_COOKIES</entry> 227 </row> 228 229 <row> 230 <entry></entry> 231 <entry align='center'> 232 <emphasis><userinput>IP: Netfilter Configuration:</userinput></emphasis></entry> 233 <entry align='left'><userinput>every option</userinput></entry> 234 <entry>=</entry> 235 <entry>CONFIG_IP_NF_*</entry> 236 </row> 237 238 <row> 239 <entry></entry> 240 <entry align='right'><emphasis>WITHOUT:</emphasis></entry> 241 <entry align='left'><literallayout><userinput>ipchains (2.2-style) support 242 ipfw-adm (2.0-style) support</userinput></literallayout></entry> 243 <entry>w\</entry> 244 <entry>CONFIG_IP_NF_COMPAT_*</entry> 245 </row> 246 247 <row> 248 <entry></entry> 249 <entry><userinput>Fast switching</userinput></entry> 250 <entry>Make sure to disable it because it would setup a bypass around 251 your firewall rules.</entry> 252 <entry>w\</entry> 253 <entry>CONFIG_NET_FASTROUTE</entry> 254 </row> 255 256 </tbody> 257 258 </tgroup> 259 
260 </table> --> 261 262 </sect2> 263 264 265 <sect2 id="postlfs-security-fw-writing" xreflabel="writing the firewalling-setup-scripts"> 266 <title>Now you can start to build your Firewall</title> 267 268 269 <sect3 id="postlfs-security-fw-persFw" xreflabel="Personal Firewall"> 270 <title>Personal Firewall</title> 271 272 <para>A Personal Firewall is supposed to let you access all the services 273 offered on the Internet, but keep your box secure and your data private.</para> 274 275 <para>Below is a slightly modified version of Rusty Russell's recommendation 276 from the <ulink 277 url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">Linux 278 2.4 Packet Filtering HOWTO</ulink>:</para> 279 280 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall << "EOF"</command> 281 #!/bin/sh 282 283 # Begin $rc_base/init.d/firewall 284 285 # Insert connection-tracking modules (not needed if built into the kernel). 286 modprobe ip_tables 287 modprobe iptable_filter 288 modprobe ip_conntrack 289 modprobe ip_conntrack_ftp 290 modprobe ipt_state 291 modprobe ipt_LOG 292 293 # allow local-only connections 294 iptables -A INPUT -i lo -j ACCEPT 295 # free output on any interface to any ip for any service (equal to -P ACCEPT) 296 iptables -A OUTPUT -j ACCEPT 297 298 # permit answers on already established connections 299 # and permit new connections related to established ones (eg active-ftp) 300 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 301 302 # Log everything else: What's Windows' latest exploitable vulnerability? 
303 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 304 305 # set a sane policy: everything not accepted > /dev/null 306 iptables -P INPUT DROP 307 iptables -P FORWARD DROP 308 iptables -P OUTPUT DROP 309 310 # be verbose on dynamic ip-addresses (not needed in case of static IP) 311 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 312 313 # disable ExplicitCongestionNotification - too many routers are still ignorant 314 echo 0 > /proc/sys/net/ipv4/tcp_ecn 315 316 # End $rc_base/init.d/firewall 317 <command>EOF</command></userinput></screen> 318 319 <para>His script is quite simple, it drops all traffic coming in into your 320 computer that wasn't initiated from your box, but as long as you are simply 321 surfing the Internet you are unlikely to exceed its limits.</para> 322 323 <para>If you frequently encounter certain delays at accessing ftp-servers, 324 please have a look at <xref linkend="postlfs-security-fw-busybox"/> - 325 <xref linkend="postlfs-security-fw-BB-4"/>.</para> 326 327 <para>Even if you have daemons or services running on your box, these 328 should be inaccessible everywhere but from your box itself. 329 If you want to allow access to services on your machine, such as ssh or pinging, 330 take a look at <xref linkend="postlfs-security-fw-busybox"/>.</para> 331 332 </sect3> 333 334 335 <sect3 id="postlfs-security-fw-masqRouter" xreflabel="Masquerading Router"> 336 <title>Masquerading Router</title> 337 338 <para>A true Firewall has two interfaces, one connected to an intranet, 339 in this example, <emphasis role="strong">eth0</emphasis>, and one 340 connected to the Internet, here, <emphasis role="strong">ppp0</emphasis>. 341 To provide the maximum security against the box itself being broken into, 342 make sure that there are no servers running on it, especially not 343 <application>X11</application> et 344 al. 
And, as a general principle, the box itself should not access any untrusted 345 service (Think of a name server giving answers that make your 346 bind crash, or, even worse, that implement a worm via a 347 buffer-overflow).</para> 348 349 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall << "EOF"</command> 350 #!/bin/sh 351 352 # Begin $rc_base/init.d/firewall 353 354 echo 355 echo "You're using the example-config for a setup of a firewall" 356 echo "from the firewalling-hint written for LinuxFromScratch." 357 echo "This example is far from being complete, it is only meant" 358 echo "to be a reference." 359 echo "Firewall security is a complex issue, that exceeds the scope" 360 echo "of the quoted configuration rules." 361 echo "You can find some quite comprehensive information" 362 echo "about firewalls in Chapter 4 of the BLFS book." 363 echo "http://www.linuxfromscratch.org/blfs" 364 echo 365 366 # Insert iptables modules (not needed if built into the kernel). 367 368 modprobe ip_tables 369 modprobe iptable_filter 370 modprobe ip_conntrack 371 modprobe ip_conntrack_ftp 372 modprobe ipt_state 373 modprobe iptable_nat 374 modprobe ip_nat_ftp 375 modprobe ipt_MASQUERADE 376 modprobe ipt_LOG 377 modprobe ipt_REJECT 378 379 # allow local-only connections 380 iptables -A INPUT -i lo -j ACCEPT 381 iptables -A OUTPUT -o lo -j ACCEPT 382 383 # allow forwarding 384 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 385 iptables -A FORWARD -m state --state NEW -i ! 
ppp+ -j ACCEPT 386 387 # do masquerading (not needed if intranet is not using private ip-addresses) 388 iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE 389 390 # Log everything for debugging (last of all rules, but before DROP/REJECT) 391 iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT " 392 iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD" 393 iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT " 394 395 # set a sane policy 396 iptables -P INPUT DROP 397 iptables -P FORWARD DROP 398 iptables -P OUTPUT DROP 399 400 # be verbose on dynamic ip-addresses (not needed in case of static IP) 401 echo 2 > /proc/sys/net/ipv4/ip_dynaddr 402 403 # disable ExplicitCongestionNotification 404 echo 0 > /proc/sys/net/ipv4/tcp_ecn 405 406 # activate TCPsyncookies 407 echo 1 > /proc/sys/net/ipv4/tcp_syncookies 408 409 # activate Route-Verification = IP-Spoofing_protection 410 for f in /proc/sys/net/ipv4/conf/*/rp_filter; do 411 echo 1 > $f 412 done 413 414 # activate IP-Forwarding 415 echo 1 > /proc/sys/net/ipv4/ip_forward 416 <command>EOF</command></userinput></screen> 417 418 <para>With this script your intranet should be sufficiently secure against 419 external attacks. No one should be able to setup a new connection to any 420 internal service and, if it's masqueraded, it's even invisible. Furthermore, 421 your firewall should be nearly immune because there are no services running 422 that a cracker could attack.</para> 423 424 <para>Note: if the interface you're connecting to the Internet 425 doesn't connect via ppp, you will need to change 426 <replaceable>ppp+</replaceable> to the name of the interface which you are 427 using. 
If you are using the same interface type to connect to both your 428 intranet and the Internet, you need to use the actual name of the 429 interface such as <emphasis role="strong">eth0</emphasis>, 430 on both interfaces.</para> 431 432 <para>If you need stronger security (e.g., against DOS, connection 433 highjacking, spoofing, etc.), have a look at the list of 434 <xref linkend="postlfs-security-fw-library"/> at the end of this section.</para> 435 436 </sect3> 437 438 <sect3 id="postlfs-security-fw-busybox" xreflabel="BusyBox"> 439 <title>BusyBox</title> 440 441 <para>This scenario isn't too different from (<xref linkend="postlfs-security-fw-masqRouter"/>), 442 but in this case you want to offer some services to your intranet. 443 Examples of this can be when you want to admin your box from another host 444 on your intranet or use it as a proxy or a name server. Note: Outlining a true 445 concept of how to protect a server that offers services on the Internet 446 goes far beyond the scope of this document, 447 see <xref linkend="postlfs-security-fw-disclaimer"/>.</para> 448 449 <para>Be cautious. Every service you offer and have enabled makes your 450 setup more complex and your box less secure. You induce the risks of 451 misconfigured services or running a service with an exploitable bug. A firewall 452 should generally not run any extra services. See the introduction to 453 <xref linkend="postlfs-security-fw-masqRouter"/> for some more details.</para> 454 455 <para>If the services you'd like to offer do not need to access the Internet 456 themselves, like internal-only samba- or name-servers, it's quite 457 simple and should still be acceptable from a security standpoint. 458 Just add the following lines <emphasis>before</emphasis> the logging-rules 459 into the script.</para> 460 461 <screen>iptables -A INPUT -i ! ppp+ -j ACCEPT 462 iptables -A OUTPUT -o ! 
ppp+ -j ACCEPT</screen> 463 464 <para>If your daemons have to access the web themselves, like squid would need 465 to, you could open OUTPUT generally and restrict INPUT.</para> 466 467 <screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 468 iptables -A OUTPUT -j ACCEPT</screen> 469 470 <para>However, it is generally not advisable to leave OUTPUT unrestricted. You lose 471 any control over trojans who'd like to "call home", and a bit of redundancy in case 472 you've (mis-)configured a service so that it does broadcast its existence to the 473 world.</para> 474 475 <para>If you prefer to have this protection, you may restrict INPUT and OUTPUT 476 on all ports except those that it's absolutely necessary to have open. 477 Which ports you have to open depends on your needs: mostly you will find them 478 by looking for failed accesses in your log-files.</para> 479 <itemizedlist spacing="compact"> 480 <!-- <orderedlist numeration="arabic" spacing="compact"> --> 481 <title>Have a look at the following examples:</title> 482 483 <listitem><para>Squid is caching the web:</para> 484 <screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT 485 iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT</screen></listitem> 486 487 <listitem><para>Your caching name server (e.g., dnscache) does its 488 lookups via udp:</para> 489 <screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT 490 iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT</screen></listitem> 491 492 <listitem><para>Alternatively, if you want to be able to ping your box to ensure 493 it's still alive:</para> 494 <screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT 495 iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen></listitem> 496 497 <listitem><para><anchor id='postlfs-security-fw-BB-4' xreflabel="example no. 
4"/>If you are 498 frequently accessing ftp-servers or enjoy chatting, you might notice certain 499 delays because some implementations of these daemons have the feature of 500 querying an identd on your box for logging usernames. 501 Although there's really no harm in this, having an identd running is not 502 recommended because some implementations are known to be vulnerable.</para> 503 504 <para>To avoid these delays you could reject the requests 505 with a 'tcp-reset':</para> 506 507 <screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset 508 iptables -A OUTPUT -p tcp --sport 113 -m state --state RELATED -j ACCEPT</screen></listitem> 509 510 <listitem><para>To log and drop invalid packets (harmless packets 511 that came in after netfilter's timeout or some types of network scans):</para> 512 513 <screen>iptables -I INPUT 1 -p tcp -m state --state INVALID -j LOG --log-prefix \ 514 "FIREWALL:INVALID" 515 iptables -I INPUT 2 -p tcp -m state --state INVALID -j DROP</screen></listitem> 516 517 <listitem><para>Anything coming from the outside should not have a 518 private address, this is a common attack called IP-spoofing:</para> 519 520 <screen>iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP 521 iptables -t nat -A PREROUTING -i ppp+ -s 172.16.0.0/12 -j DROP 522 iptables -t nat -A PREROUTING -i ppp+ -s 192.168.0.0/16 -j DROP</screen></listitem> 523 524 <listitem><para>To simplify debugging and be fair to anyone who'd like to 525 access a service you have disabled, purposely or by mistake, you should REJECT 526 those packets that are dropped.</para> 527 528 <para>Obviously this must be done directly after logging as the very 529 last lines before the packets are dropped by policy:</para> 530 531 <screen>iptables -A INPUT -j REJECT 532 iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT</screen></listitem> 533 </itemizedlist> 534 <!--</orderedlist>--> 535 536 <para>These are only examples to show you some of the capabilities of the 
new 537 firewall code in Linux-Kernel 2.4. Have a look at the man page of 538 iptables. 539 There you will find more of them. The port-numbers you'll need for this 540 can be found in <filename>/etc/services</filename>, in case you didn't 541 find them by trial and error in your log file.</para> 542 543 <para>If you add any of your offered or accessed services such as the above, 544 maybe even in FORWARD and for intranet-communication, and delete the 545 general clauses, you get an old fashioned packet filter.</para> 546 547 548 </sect3> 549 550 </sect2> 551 552 553 <sect2 id="postlfs-security-fw-finale" xreflabel="Conclusion"> 554 <title>Conclusion</title> 555 556 <para>Finally, I'd like to remind you of one fact we must not forget: 557 The effort spent attacking a system corresponds to the value the cracker 558 expects to gain from it. 559 If you are responsible for such valuable assets that you expect great 560 effort to be made by potential crackers, you hopefully won't be in the 561 need of this hint!</para> 562 563 <!-- <para><literallayout>Be cautious! 564 565 Henning Rohde 566 <email>Henning.Rohde@uni-bayreuth.de</email></literallayout></para> 567 568 <para>PS: And always do remember: 569 SecureIT is not a matter of a status-quo but one of never stopping 570 to take care!</para> 571 572 <para>PPS: If any of these scripts fail, please tell me. 
I will try to trace 573 any faults.</para> --> 574 575 </sect2> 576 577 578 <sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information"> 579 <title>Extra Information</title> 580 581 <sect3 id="postlfs-security-fw-library" xreflabel="Links for further reading"> 582 <title>Where to start with further reading on firewalls.</title> 583 584 <para><blockquote><literallayout> 585 <ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink> 586 <ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink> 587 <ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink> 588 <ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink> 589 <ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink> 590 <ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink> 591 <ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink> 592 <ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink> 593 <ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink> 594 <ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink> 595 <ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German & outdated, but very comprehensive)</ulink> 596 <ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink> 597 <ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink> 598 <ulink 
url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink> 599 <ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink> 600 <ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink> 601 <ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink> 602 <ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink> 603 <ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink> 604 <ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink> 605 <ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink> 606 <ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink> 607 <ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink> 608 </literallayout></blockquote></para> 609 610 <!-- <para>If a link proves to be dead or if you think I missed one, 611 please mail!</para> --> 612 613 </sect3> 614 615 <sect3 id="postlfs-security-fw-status" xreflabel="/etc/rc.d/init.d/firewall.status"> 616 <title>firewall.status</title> 617 618 <para>If you'd like to have a look at the chains your firewall consists of and 619 the order in which the rules take effect:</para> 620 621 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall.status << "EOF"</command> 622 #!/bin/sh 623 624 # Begin $rc_base/init.d/firewall.status 625 626 echo "iptables.mangling:" 627 iptables -t mangle -v -L -n --line-numbers 628 629 echo 630 echo "iptables.nat:" 631 iptables -t nat -v -L -n --line-numbers 632 633 echo 634 echo "iptables.filter:" 635 iptables -v -L -n --line-numbers 636 <command>EOF</command></userinput></screen> 637 </sect3> 638 639 <sect3 id="postlfs-security-fw-stop" xreflabel="/etc/rc.d/init.d/firewall.stop"> 640 <title>firewall.stop</title> 641 642 
<para>If you need to turn the firewall off, this script will do it:</para> 643 644 <screen><userinput><command>cat > /etc/rc.d/init.d/firewall.stop << "EOF"</command> 645 #!/bin/sh 646 647 # Being $rc_base/init.d/firewall.stop 648 649 # deactivate IP-Forwarding 650 echo 0 > /proc/sys/net/ipv4/ip_forward 651 652 iptables -Z 653 iptables -F 654 iptables -t nat -F PREROUTING 655 iptables -t nat -F OUTPUT 656 iptables -t nat -F POSTROUTING 657 iptables -t mangle -F PREROUTING 658 iptables -t mangle -F OUTPUT 659 iptables -X 660 iptables -P INPUT ACCEPT 661 iptables -P FORWARD ACCEPT 662 iptables -P OUTPUT ACCEPT 663 <command>EOF</command></userinput></screen> 664 665 </sect3> 666 667 </sect2> 15 668 </sect1> 16 669
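Review bot: the first hunk gives firewalling.xml its own prolog and internal DOCTYPE subset (`<?xml version="1.0" encoding="ISO-8859-1"?>`, `<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" ... [ <!ENTITY % general-entities SYSTEM "../../general.ent"> %general-entities; ]>`), which means the file can no longer be pulled into a parent document as an external parsed entity: such an entity may carry a text declaration but not a document type declaration. That is presumably the intent, since the same change removes the `&postlfs-security-fw-intro;` through `&postlfs-security-fw-extrainfo;` references and inlines their content, but please confirm that no other file in the book still includes firewalling.xml by entity reference, and that `../../general.ent` resolves relative to this file's location so the `%general-entities;` reference does not break the build.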
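Review bot: the Personal Firewall script inlined at new-side lines 280 to 317 sets the DROP policies only after appending its rules (`iptables -P INPUT DROP` at line 306) and never flushes first, so there is a window at boot in which the kernel's default ACCEPT policy applies, a failure part-way through the script leaves the host open, and running the script a second time (for example from the init system after a network restart) appends a duplicate copy of every rule. Reorder to flush (`iptables -F`), set the three policies, and only then add the ACCEPT rules. The catch-all `iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "` at line 303 also has no rate limit, so any flood from the Internet side becomes a flood into syslog; add a limit match (`iptables -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "FIREWALL:INPUT "`, and `modprobe ipt_limit` alongside the other modprobe lines if netfilter is modular). The comment on line 302 ("What's Windows' latest exploitable vulnerability?") is a style point: it describes nothing the rule does and should be replaced by a plain "log everything not accepted above".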
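Review bot: in the Masquerading Router script (new-side lines 349 to 416) the OUTPUT chain accepts only `-o lo` before the policy is set to DROP, so ICMP errors the router itself generates for forwarded traffic are discarded; the most visible case is "fragmentation needed", which the box must send back to intranet hosts when a DF-marked packet exceeds the smaller MTU of the ppp link, and without it path MTU discovery across this router stalls. Conntrack classifies such errors as RELATED, so `iptables -A OUTPUT -m state --state RELATED -j ACCEPT` next to the existing FORWARD state rule fixes it (the BusyBox section later adds `iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT` for the same reason after its REJECT rule; that rule belongs here as well). Two smaller points in the same region: the FORWARD rule at line 385 uses the intrapositioned negation `-i ! ppp+`, which current iptables releases warn about in favour of `! -i ppp+`, and it accepts NEW connections from every non-ppp interface without an `-o` constraint, which is fine for the two-interface layout the text describes but should be stated so that nobody adds a third interface and inherits forwarding between it and the intranet. The same flush-first and policies-first ordering comment as for the Personal Firewall script applies here too; enabling `ip_forward` last (line 415) is the right order and should be kept.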
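Review bot: the anti-spoofing rules in the BusyBox examples (new-side lines 520 to 522, `iptables -t nat -A PREROUTING -i ppp+ -s 10.0.0.0/8 -j DROP` and the two 172.16.0.0/12 and 192.168.0.0/16 siblings) are in the wrong table: the nat table is consulted only for the first packet of a connection, so a packet with a forged private source that connection tracking matches to an existing entry bypasses these rules entirely, and the nat table is meant for address rewriting rather than filtering. Move them to the filter table as INPUT and FORWARD rules with `-i ppp+` (or to mangle PREROUTING if a single pre-routing check is preferred), and add 127.0.0.0/8 to the list. Note also that the `rp_filter` loop the router script already enables is what actually stops these packets, since no route to a private address points back out of ppp+; the explicit rules are worth keeping for the log line they can produce, but the text should not present them as the primary defence. The INVALID rules at lines 513 to 515 match `-p tcp` only, so INVALID UDP and ICMP packets still fall through to the generic rules; drop the protocol match. Inserting them at positions 1 and 2 also puts them ahead of the `-i lo` ACCEPT, which is harmless but worth a comment.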
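Review bot: firewall.stop (new-side lines 644 to 663) does not fully reset the tables it claims to turn off: `iptables -Z`, `iptables -F` and `iptables -X` act on the filter table only, the mangle table has INPUT, FORWARD and POSTROUTING chains in addition to the two the script flushes, and user-defined chains in nat and mangle are never deleted. Replace the per-chain lines with `iptables -t nat -F`, `iptables -t nat -X`, `iptables -t mangle -F` and `iptables -t mangle -X` (plus the corresponding `-Z` calls if counters matter), and keep the filter-table policy resets at the end. The comment on line 647 reads "Being $rc_base/init.d/firewall.stop" and should be "Begin", matching the other scripts.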