Diffstat (limited to 'slackbook/html/security-host.html')
-rw-r--r-- | slackbook/html/security-host.html | 307 |
1 files changed, 0 insertions, 307 deletions
diff --git a/slackbook/html/security-host.html b/slackbook/html/security-host.html deleted file mode 100644 index 55f33286..00000000 --- a/slackbook/html/security-host.html +++ /dev/null 
@@ -1,307 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" - "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"> -<head> -<meta name="generator" content="HTML Tidy, see www.w3.org" /> -<title>Host Access Control</title> -<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" /> -<link rel="HOME" title="Slackware Linux Essentials" href="index.html" /> -<link rel="UP" title="Security" href="security.html" /> -<link rel="PREVIOUS" title="Security" href="security.html" /> -<link rel="NEXT" title="Keeping Current" href="security-current.html" /> -<link rel="STYLESHEET" type="text/css" href="docbook.css" /> -<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> -</head> -<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084" -alink="#0000FF"> -<div class="NAVHEADER"> -<table summary="Header navigation table" width="100%" border="0" cellpadding="0" -cellspacing="0"> -<tr> -<th colspan="3" align="center">Slackware Linux Essentials</th> -</tr> - -<tr> -<td width="10%" align="left" valign="bottom"><a href="security.html" -accesskey="P">Prev</a></td> -<td width="80%" align="center" valign="bottom">Chapter 14 Security</td> -<td width="10%" align="right" valign="bottom"><a href="security-current.html" -accesskey="N">Next</a></td> -</tr> -</table> - -<hr align="LEFT" width="100%" /> -</div> - -<div class="SECT1"> -<h1 class="SECT1"><a id="SECURITY-HOST" name="SECURITY-HOST">14.2 Host Access -Control</a></h1> - -<div class="SECT2"> -<h2 class="SECT2"><a id="SECURITY-HOST-IPTABLES" name="SECURITY-HOST-IPTABLES">14.2.1 <tt -class="COMMAND">iptables</tt></a></h2> - -<p><tt class="COMMAND">iptables</tt> is the packet filtering configuration program for -Linux 2.4 and above. The 2.4 kernel (2.4.5, to be exact) was first introduced into -Slackware (as an option) in version 8.0 and was made the default in Slackware 8.1. 
This -section only covers the basics of its usage and you should check <a -href="http://www.netfilter.org/" target="_top">http://www.netfilter.org/</a> for more -details. These commands can be entered into <tt -class="FILENAME">/etc/rc.d/rc.firewall</tt>, which has to be set as executable for these -rules to take effect at startup. Note that incorrect <tt class="COMMAND">iptables</tt> -commands can essentially lock you out of your own machine. Unless you are 100% confident -in your skills, always ensure you have local access to the machine.</p> - -<p>The first thing most people should do is set the default policy for each inbound chain -to DROP:</p> - -<table border="0" bgcolor="#E0E0E0" width="100%"> -<tr> -<td> -<pre class="SCREEN"> -<samp class="PROMPT">#</samp> <kbd class="USERINPUT">iptables -P INPUT DROP</kbd> -<samp class="PROMPT">#</samp> <kbd class="USERINPUT">iptables -P FORWARD DROP</kbd> -</pre> -</td> -</tr> -</table> - -<p>When everything is denied, you can start allowing things. The first thing to allow is -any traffic for sessions which are already established:</p> - -<table border="0" bgcolor="#E0E0E0" width="100%"> -<tr> -<td> -<pre class="SCREEN"> -<samp class="PROMPT">#</samp> <kbd -class="USERINPUT">iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</kbd> -</pre> -</td> -</tr> -</table> - -<p>So as not to break any applications that communicate using the loopback address, it is -usually wise to add a rule like this:</p> - -<table border="0" bgcolor="#E0E0E0" width="100%"> -<tr> -<td> -<pre class="SCREEN"> -<samp class="PROMPT">#</samp> <kbd -class="USERINPUT">iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT</kbd> -</pre> -</td> -</tr> -</table> - -<p>This rules allows any traffic to and from 127.0.0.0/8 (127.0.0.0 - 127.255.255.255) on -the loopback (<tt class="FILENAME">lo</tt>) interface. 
When creating rules, it is a good -idea to be as specific as possible, to make sure that your rules do not inadvertently -allow anything evil. That said, rules that allow too little mean more rules and more -typing.</p> - -<p>The next thing to do would be to allow access to specific services running on your -machine. If, for example, you wanted to run a web server on your machine, you would use a -rule similar to this:</p> - -<table border="0" bgcolor="#E0E0E0" width="100%"> -<tr> -<td> -<pre class="SCREEN"> -<samp class="PROMPT">#</samp> <kbd -class="USERINPUT">iptables -A INPUT -p tcp --dport 80 -i ppp0 -j ACCEPT</kbd> -</pre> -</td> -</tr> -</table> - -<p>This will allow access from any machine to port 80 on your machine via the <tt -class="FILENAME">ppp0</tt> interface. You may want to restrict access to this service so -that only certain machines can access it. This rule allows access to your web service -from <tt class="HOSTID">64.57.102.34</tt>:</p> - -<table border="0" bgcolor="#E0E0E0" width="100%"> -<tr> -<td> -<pre class="SCREEN"> -<samp class="PROMPT">#</samp> <kbd -class="USERINPUT">iptables -A INPUT -p tcp -s 64.57.102.34 --dport 80 -i ppp0 -j ACCEPT</kbd> -</pre> -</td> -</tr> -</table> - -<p>Allowing ICMP traffic can be useful for diagnostic purposes. To do this, you would use -a rule like this:</p> - -<table border="0" bgcolor="#E0E0E0" width="100%"> -<tr> -<td> -<pre class="SCREEN"> -<samp class="PROMPT">#</samp> <kbd -class="USERINPUT">iptables -A INPUT -p icmp -j ACCEPT</kbd> -</pre> -</td> -</tr> -</table> - -<p>Most people will also want to set up Network Address Translation (NAT) on their -gateway machine, so that other machines on their network can access the Internet through -it. 
You would use the following rule to do this:</p> - -<table border="0" bgcolor="#E0E0E0" width="100%"> -<tr> -<td> -<pre class="SCREEN"> -<samp class="PROMPT">#</samp> <kbd -class="USERINPUT">iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE</kbd> -</pre> -</td> -</tr> -</table> - -<p>You will also need to enable IP forwarding. You can do this temporarily, using the -following command:</p> - -<table border="0" bgcolor="#E0E0E0" width="100%"> -<tr> -<td> -<pre class="SCREEN"> -<samp class="PROMPT">#</samp> <kbd -class="USERINPUT">echo 1 > /proc/sys/net/ipv4/ip_forward</kbd> -</pre> -</td> -</tr> -</table> - -<p>To enable IP forwarding on a more permanent basis (i.e. so that the change is kept -after a reboot), you will need to open the file <tt -class="FILENAME">/etc/rc.d/rc.inet2</tt> in your favorite editor and change the following -line:</p> - -<table border="0" bgcolor="#E0E0E0" width="100%"> -<tr> -<td> -<pre class="PROGRAMLISTING"> -IPV4_FORWARD=0 -</pre> -</td> -</tr> -</table> - -<p>...to this:</p> - -<table border="0" bgcolor="#E0E0E0" width="100%"> -<tr> -<td> -<pre class="PROGRAMLISTING"> -IPV4_FORWARD=1 -</pre> -</td> -</tr> -</table> - -<p>For more information on NAT, see the <a -href="http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.txt" target="_top">NAT -HOWTO</a>.</p> -</div> - -<div class="SECT2"> -<h2 class="SECT2"><a id="SECURITY-HOST-TCPWRAPPERS" -name="SECURITY-HOST-TCPWRAPPERS">14.2.2 <tt class="COMMAND">tcpwrappers</tt></a></h2> - -<p><tt class="COMMAND">tcpwrappers</tt> controls access to daemons at the application -level, rather than at the IP level. This can provide an extra layer of security at times -when IP-level access controls (e.g. Netfilter) are not functioning correctly. 
For -example, if you recompile the kernel but forget to include iptables support, your IP -level protection will fail but tcpwrappers will still help protect your system.</p> - -<p>Access to services protected by tcpwrappers can be controlled using <tt -class="FILENAME">/etc/hosts.allow</tt> and <tt class="FILENAME">/etc/hosts.deny</tt>.</p> - -<p>The majority of people would have a single line in their <tt -class="FILENAME">/etc/hosts.deny</tt> file to deny access to all daemons by default. This -line would be:</p> - -<table border="0" bgcolor="#E0E0E0" width="100%"> -<tr> -<td> -<pre class="PROGRAMLISTING"> -ALL : ALL -</pre> -</td> -</tr> -</table> - -<p>When this is done, you can concentrate on allowing access to services for specified -hosts, domains, or IP ranges. This can be done in the <tt -class="FILENAME">/etc/hosts.allow</tt> file, which follows the same format.</p> - -<p>A lot of people would start by accepting all connections from <tt -class="HOSTID">localhost</tt>. This can be achieved using:</p> - -<table border="0" bgcolor="#E0E0E0" width="100%"> -<tr> -<td> -<pre class="PROGRAMLISTING"> -ALL : 127.0.0.1 -</pre> -</td> -</tr> -</table> - -<p>To allow access to SSHd from <tt class="HOSTID">192.168.0.0/24</tt>, you could use -either of the following rules:</p> - -<table border="0" bgcolor="#E0E0E0" width="100%"> -<tr> -<td> -<pre class="PROGRAMLISTING"> -sshd : 192.168.0.0/24 -sshd : 192.168.0. -</pre> -</td> -</tr> -</table> - -<p>It is also possible to restrict access to hosts in certain domains. 
This can be done -using the following rule (note that this relies on the reverse DNS entry for the -connecting host being trustworthy, so I would recommand against its use on -Internet-connected hosts):</p> - -<table border="0" bgcolor="#E0E0E0" width="100%"> -<tr> -<td> -<pre class="PROGRAMLISTING"> -sshd : .slackware.com -</pre> -</td> -</tr> -</table> -</div> -</div> - -<div class="NAVFOOTER"> -<hr align="LEFT" width="100%" /> -<table summary="Footer navigation table" width="100%" border="0" cellpadding="0" -cellspacing="0"> -<tr> -<td width="33%" align="left" valign="top"><a href="security.html" -accesskey="P">Prev</a></td> -<td width="34%" align="center" valign="top"><a href="index.html" -accesskey="H">Home</a></td> -<td width="33%" align="right" valign="top"><a href="security-current.html" -accesskey="N">Next</a></td> -</tr> - -<tr> -<td width="33%" align="left" valign="top">Security</td> -<td width="34%" align="center" valign="top"><a href="security.html" -accesskey="U">Up</a></td> -<td width="33%" align="right" valign="top">Keeping Current</td> -</tr> -</table> -</div> -</body> -</html> - |
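Review bot: deleting this generated page alone leaves the chapter navigation dangling. The removed file declares `<link rel="PREVIOUS" ... href="security.html" />`, `<link rel="UP" ... href="security.html" />` and `<link rel="NEXT" ... href="security-current.html" />`, and its own Prev/Next tables point at those neighbours, so the DocBook-generated security.html and security-current.html almost certainly carry the reverse Next/Prev links to security-host.html; with the diffstat showing only this one file changed (307 deletions, 0 insertions), those links are not updated here. Either remove the section from the DocBook source and regenerate the whole chapter in the same change, or include the updated neighbour pages in this commit. It is also worth stating in the commit where the iptables and tcpwrappers guidance (default DROP policy, ESTABLISHED,RELATED and loopback rules, hosts.allow/hosts.deny examples) now lives, since nothing in this diff adds it elsewhere.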