path: root/misc/slackbook/html/security-host.html
Diffstat (limited to 'misc/slackbook/html/security-host.html')
-rw-r--r--misc/slackbook/html/security-host.html307
1 files changed, 307 insertions, 0 deletions
diff --git a/misc/slackbook/html/security-host.html b/misc/slackbook/html/security-host.html
new file mode 100644
index 00000000..55f33286
--- /dev/null
+++ b/misc/slackbook/html/security-host.html
@@ -0,0 +1,307 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<meta name="generator" content="HTML Tidy, see www.w3.org" />
+<title>Host Access Control</title>
+<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
+<link rel="HOME" title="Slackware Linux Essentials" href="index.html" />
+<link rel="UP" title="Security" href="security.html" />
+<link rel="PREVIOUS" title="Security" href="security.html" />
+<link rel="NEXT" title="Keeping Current" href="security-current.html" />
+<link rel="STYLESHEET" type="text/css" href="docbook.css" />
+<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
+</head>
+<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
+alink="#0000FF">
+<div class="NAVHEADER">
+<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
+cellspacing="0">
+<tr>
+<th colspan="3" align="center">Slackware Linux Essentials</th>
+</tr>
+
+<tr>
+<td width="10%" align="left" valign="bottom"><a href="security.html"
+accesskey="P">Prev</a></td>
+<td width="80%" align="center" valign="bottom">Chapter 14 Security</td>
+<td width="10%" align="right" valign="bottom"><a href="security-current.html"
+accesskey="N">Next</a></td>
+</tr>
+</table>
+
+<hr align="LEFT" width="100%" />
+</div>
+
+<div class="SECT1">
+<h1 class="SECT1"><a id="SECURITY-HOST" name="SECURITY-HOST">14.2 Host Access
+Control</a></h1>
+
+<div class="SECT2">
+<h2 class="SECT2"><a id="SECURITY-HOST-IPTABLES" name="SECURITY-HOST-IPTABLES">14.2.1 <tt
+class="COMMAND">iptables</tt></a></h2>
+
+<p><tt class="COMMAND">iptables</tt> is the packet filtering configuration program for
+Linux 2.4 and above. The 2.4 kernel (2.4.5, to be exact) was first introduced into
+Slackware (as an option) in version 8.0 and was made the default in Slackware 8.1. This
+section only covers the basics of its usage and you should check <a
+href="http://www.netfilter.org/" target="_top">http://www.netfilter.org/</a> for more
+details. These commands can be entered into <tt
+class="FILENAME">/etc/rc.d/rc.firewall</tt>, which has to be set as executable for these
+rules to take effect at startup. Note that incorrect <tt class="COMMAND">iptables</tt>
+commands can essentially lock you out of your own machine. Unless you are 100% confident
+in your skills, always ensure you have local access to the machine.</p>
+
+<p>The first thing most people should do is set the default policy for each inbound chain
+to DROP:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="SCREEN">
+<samp class="PROMPT">#</samp> <kbd class="USERINPUT">iptables -P INPUT DROP</kbd>
+<samp class="PROMPT">#</samp> <kbd class="USERINPUT">iptables -P FORWARD DROP</kbd>
+</pre>
+</td>
+</tr>
+</table>
+
+<p>When everything is denied, you can start allowing things. The first thing to allow is
+any traffic for sessions which are already established:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="SCREEN">
+<samp class="PROMPT">#</samp> <kbd
+class="USERINPUT">iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</kbd>
+</pre>
+</td>
+</tr>
+</table>
+
+<p>So as not to break any applications that communicate using the loopback address, it is
+usually wise to add a rule like this:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="SCREEN">
+<samp class="PROMPT">#</samp> <kbd
+class="USERINPUT">iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT</kbd>
+</pre>
+</td>
+</tr>
+</table>
+
+<p>This rules allows any traffic to and from 127.0.0.0/8 (127.0.0.0 - 127.255.255.255) on
+the loopback (<tt class="FILENAME">lo</tt>) interface. When creating rules, it is a good
+idea to be as specific as possible, to make sure that your rules do not inadvertently
+allow anything evil. That said, rules that allow too little mean more rules and more
+typing.</p>
+
+<p>The next thing to do would be to allow access to specific services running on your
+machine. If, for example, you wanted to run a web server on your machine, you would use a
+rule similar to this:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="SCREEN">
+<samp class="PROMPT">#</samp> <kbd
+class="USERINPUT">iptables -A INPUT -p tcp --dport 80 -i ppp0 -j ACCEPT</kbd>
+</pre>
+</td>
+</tr>
+</table>
+
+<p>This will allow access from any machine to port 80 on your machine via the <tt
+class="FILENAME">ppp0</tt> interface. You may want to restrict access to this service so
+that only certain machines can access it. This rule allows access to your web service
+from <tt class="HOSTID">64.57.102.34</tt>:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="SCREEN">
+<samp class="PROMPT">#</samp> <kbd
+class="USERINPUT">iptables -A INPUT -p tcp -s 64.57.102.34 --dport 80 -i ppp0 -j ACCEPT</kbd>
+</pre>
+</td>
+</tr>
+</table>
+
+<p>Allowing ICMP traffic can be useful for diagnostic purposes. To do this, you would use
+a rule like this:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="SCREEN">
+<samp class="PROMPT">#</samp> <kbd
+class="USERINPUT">iptables -A INPUT -p icmp -j ACCEPT</kbd>
+</pre>
+</td>
+</tr>
+</table>
+
+<p>Most people will also want to set up Network Address Translation (NAT) on their
+gateway machine, so that other machines on their network can access the Internet through
+it. You would use the following rule to do this:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="SCREEN">
+<samp class="PROMPT">#</samp> <kbd
+class="USERINPUT">iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE</kbd>
+</pre>
+</td>
+</tr>
+</table>
+
+<p>You will also need to enable IP forwarding. You can do this temporarily, using the
+following command:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="SCREEN">
+<samp class="PROMPT">#</samp> <kbd
+class="USERINPUT">echo 1 &#62; /proc/sys/net/ipv4/ip_forward</kbd>
+</pre>
+</td>
+</tr>
+</table>
+
+<p>To enable IP forwarding on a more permanent basis (i.e. so that the change is kept
+after a reboot), you will need to open the file <tt
+class="FILENAME">/etc/rc.d/rc.inet2</tt> in your favorite editor and change the following
+line:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="PROGRAMLISTING">
+IPV4_FORWARD=0
+</pre>
+</td>
+</tr>
+</table>
+
+<p>...to this:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="PROGRAMLISTING">
+IPV4_FORWARD=1
+</pre>
+</td>
+</tr>
+</table>
+
+<p>For more information on NAT, see the <a
+href="http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.txt" target="_top">NAT
+HOWTO</a>.</p>
+</div>
+
+<div class="SECT2">
+<h2 class="SECT2"><a id="SECURITY-HOST-TCPWRAPPERS"
+name="SECURITY-HOST-TCPWRAPPERS">14.2.2 <tt class="COMMAND">tcpwrappers</tt></a></h2>
+
+<p><tt class="COMMAND">tcpwrappers</tt> controls access to daemons at the application
+level, rather than at the IP level. This can provide an extra layer of security at times
+when IP-level access controls (e.g. Netfilter) are not functioning correctly. For
+example, if you recompile the kernel but forget to include iptables support, your IP
+level protection will fail but tcpwrappers will still help protect your system.</p>
+
+<p>Access to services protected by tcpwrappers can be controlled using <tt
+class="FILENAME">/etc/hosts.allow</tt> and <tt class="FILENAME">/etc/hosts.deny</tt>.</p>
+
+<p>The majority of people would have a single line in their <tt
+class="FILENAME">/etc/hosts.deny</tt> file to deny access to all daemons by default. This
+line would be:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="PROGRAMLISTING">
+ALL : ALL
+</pre>
+</td>
+</tr>
+</table>
+
+<p>When this is done, you can concentrate on allowing access to services for specified
+hosts, domains, or IP ranges. This can be done in the <tt
+class="FILENAME">/etc/hosts.allow</tt> file, which follows the same format.</p>
+
+<p>A lot of people would start by accepting all connections from <tt
+class="HOSTID">localhost</tt>. This can be achieved using:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="PROGRAMLISTING">
+ALL : 127.0.0.1
+</pre>
+</td>
+</tr>
+</table>
+
+<p>To allow access to SSHd from <tt class="HOSTID">192.168.0.0/24</tt>, you could use
+either of the following rules:</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="PROGRAMLISTING">
+sshd : 192.168.0.0/24
+sshd : 192.168.0.
+</pre>
+</td>
+</tr>
+</table>
+
+<p>It is also possible to restrict access to hosts in certain domains. This can be done
+using the following rule (note that this relies on the reverse DNS entry for the
+connecting host being trustworthy, so I would recommand against its use on
+Internet-connected hosts):</p>
+
+<table border="0" bgcolor="#E0E0E0" width="100%">
+<tr>
+<td>
+<pre class="PROGRAMLISTING">
+sshd : .slackware.com
+</pre>
+</td>
+</tr>
+</table>
+</div>
+</div>
+
+<div class="NAVFOOTER">
+<hr align="LEFT" width="100%" />
+<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
+cellspacing="0">
+<tr>
+<td width="33%" align="left" valign="top"><a href="security.html"
+accesskey="P">Prev</a></td>
+<td width="34%" align="center" valign="top"><a href="index.html"
+accesskey="H">Home</a></td>
+<td width="33%" align="right" valign="top"><a href="security-current.html"
+accesskey="N">Next</a></td>
+</tr>
+
+<tr>
+<td width="33%" align="left" valign="top">Security</td>
+<td width="34%" align="center" valign="top"><a href="security.html"
+accesskey="U">Up</a></td>
+<td width="33%" align="right" valign="top">Keeping Current</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
+
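Review bot: the NAT example is incomplete given the policy set at the top of 14.2.1: once `iptables -P FORWARD DROP` is in place, the `iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE` rule alone will not let other machines on the network reach the Internet through the gateway, because nothing in the FORWARD chain accepts their packets. The section should either add FORWARD-chain rules beside the MASQUERADE example, e.g. `iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT` plus an ACCEPT for new connections arriving on the internal interface and leaving via `ppp0`, or say explicitly that the FORWARD policy must be relaxed for NAT to work. Two typos in the prose of this hunk: "This rules allows any traffic" should read "This rule allows any traffic", and "I would recommand against its use" should read "I would recommend against its use".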