
33. Security

33.1 TCP Wrappers

  1. Provides host based security.
  2. Configuration files: /etc/hosts.allow & /etc/hosts.deny.

  3. tcpd

  4. libwrap

  5. Options

  6. Example Setup

33.2 xinetd based security

  1. Overview

  2. Access Controls

33.3 IPCHAINS

  1. Overview

  2. Capabilities

  3. Examples
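    # Set the default Policies to DENY
    ipchains -P input DENY
    ipchains -P output DENY
    ipchains -P forward DENY
    
    # With a DENY default policy, local services talking to each other over the
    # loopback interface would be blocked as well, so allow loopback explicitly.
    ipchains -A input -i lo -j ACCEPT
    ipchains -A output -i lo -j ACCEPT
    
    # Allow all incoming tcp connections on interface eth0 to port 80 (www).
    # NOTE: a bare address such as "0.0.0.0" is taken as a single host (/32), which
    # no real packet carries.  "0.0.0.0/0" means "any address".
    ipchains -A input -i eth0 -p tcp -s 0.0.0.0/0 1024: --destination-port 80 -j ACCEPT
    
    # We must also allow packets back out in order for the connection to work
    ipchains -A output -i eth0 -p tcp --source-port 80 -d 0.0.0.0/0 1024: -j ACCEPT
    
    # Allow outgoing connections to other web servers
    ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0/0 80 -j ACCEPT
    ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0/0 81 -j ACCEPT
    ipchains -A output -i eth0 -p tcp --source-port 1024: -d 0.0.0.0/0 443 -j ACCEPT
    
    # We must now allow TCP packets back in on ports >= 1024 to complete the connection.  However,
    # we don't want to allow any packet through with the SYN flag set (and ACK clear, which is
    # what -y tests) since that would indicate someone is trying to make a connection to us.
    ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0/0 80 --destination-port 1024: -j ACCEPT
    ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0/0 81 --destination-port 1024: -j ACCEPT
    ipchains -A input -i eth0 -p tcp ! -y -s 0.0.0.0/0 443 --destination-port 1024: -j ACCEPT
    
    # Allow external access to our DNS services.
    ipchains -A input -i eth0 -p udp  --destination-port 53 -j ACCEPT
    ipchains -A output -i eth0 -p udp --source-port 53 -j ACCEPT
    
    # If you leave out a source (-s) or destination (-d) address it's like specifying 0.0.0.0/0
    # ("anywhere") for it.
    
    #
    # MASQUERADING
    #
    # In these examples, eth0 is the external interface on the firewall, and eth1 is the
    # internal interface.  Packet forwarding must also be enabled in the kernel
    # (/proc/sys/net/ipv4/ip_forward) or nothing will be forwarded at all.
    
    # Set Masquerade Timeouts
    # Set a 2 hour (7200 sec) time out for TCP session timeouts
    # Set a 15 second timeout for TCP/IP traffic after a FIN is received
    # Set a 3 minute (180 sec) time out for UDP traffic
    /sbin/ipchains -M -S 7200 15 180
    
    # Set up the Masquerading
    # Remember that the default policy is set to DENY above.  Otherwise we would set it here.
    # INTERNAL_LAN must hold the internal network in address/mask form (for example
    # 192.168.1.0/24); the ":?" expansion aborts rather than masquerading an empty
    # source, which would otherwise silently masquerade for every host.
    /sbin/ipchains -A forward -i eth0 -s "${INTERNAL_LAN:?INTERNAL_LAN must be set, e.g. 192.168.1.0/24}" -j MASQ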
    

33.4 IPTABLES (Netfilter)

  1. Overview

  2. Capabilities

  3. Examples
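    # Set the default Policies to DROP.  iptables has no "DENY" target: a built-in
    # chain's policy must be ACCEPT or DROP, and "-P INPUT DENY" is rejected as a bad
    # policy name.  DROP silently discards, like ipchains' DENY did.
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    
    # With a DROP default policy, local services talking to each other over the
    # loopback interface would be blocked as well, so allow loopback explicitly.
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    
    # Allow all incoming tcp connections on interface eth0 to port 80 (www).
    # NOTE: a bare "-s 0.0.0.0" means the single host 0.0.0.0/32, which no real packet
    # carries, so such a rule never matches.  Use "0.0.0.0/0" (or simply omit -s/-d)
    # to match any address.
    iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024: --dport 80 -j ACCEPT
    
    # We must also allow packets back out in order for the connection to work since we aren't
    # using connection tracking
    iptables -A OUTPUT -o eth0 -p tcp --sport 80 -d 0.0.0.0/0 --dport 1024: -j ACCEPT
    
    # Allow outgoing connections to all ports, and use connection tracking so
    # we don't have to create rules to allow us to receive the packets coming back.
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED \
             -o eth0 -p tcp --sport 1024: -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED \
             -i eth0 -p tcp --dport 1024: -j ACCEPT
    
    # Allow external access to our DNS services, and keep state on the connection.
    iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED \
             -i eth0 -p udp  --dport 53 -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED \
             -o eth0 -p udp --sport 53 -j ACCEPT
    
    # Redirect all incoming traffic that hits port 8080 to port 80 on a web server
    # in our internal LAN
    iptables -t nat -A PREROUTING \
             -p tcp -i eth0 --dport 8080 \
             -j DNAT --to 192.168.1.10:80
    
    # The translated packets then traverse the FORWARD chain, whose policy is DROP
    # above, so the redirect only works if they are allowed through explicitly.
    # Packet forwarding must also be enabled in the kernel
    # (/proc/sys/net/ipv4/ip_forward).
    iptables -A FORWARD -i eth0 -p tcp -d 192.168.1.10 --dport 80 \
             -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -o eth0 -p tcp -s 192.168.1.10 --sport 80 \
             -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Source NAT.  EXTERNAL_IP_ADDRESS must hold the public address of eth0; the ":?"
    # expansion aborts instead of installing an SNAT rule with an empty address.
    : "${EXTERNAL_IP_ADDRESS:?EXTERNAL_IP_ADDRESS must be set to the public address of eth0}"
    iptables -t nat -A POSTROUTING \
             -o eth0 -s 192.168.1.0/24 \
             -j SNAT --to-source "$EXTERNAL_IP_ADDRESS"
    
    # Traffic from the internal LAN that is being source-NATed also passes through the
    # FORWARD chain and must be allowed there; only replies to connections the LAN
    # opened are let back in.
    iptables -A FORWARD -s 192.168.1.0/24 -o eth0 \
             -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -d 192.168.1.0/24 -i eth0 \
             -m state --state ESTABLISHED,RELATED -j ACCEPT
    
    # Allow ICMP echo requests, but limit them to 1 per second.  A burst of 3 will allow
    # a burst of up to 3 ICMP packets before the rate limiting kicks in.
    iptables -A INPUT -i eth0 -p icmp --icmp-type 8 \
             -m state --state NEW,ESTABLISHED \
             -m limit --limit 1/s --limit-burst 3 \
             -j ACCEPT
    
    # Echo replies to the requests accepted above are part of an ESTABLISHED flow.
    iptables -A OUTPUT -o eth0 -p icmp -m state --state ESTABLISHED -j ACCEPT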
    

