summaryrefslogblamecommitdiffstats
path: root/slackbook/html/security-host.html
blob: 55f33286a0ad4addde215434d1c1d16306f812b3 (plain) (tree) 
5a12e7c13



















































































































































































































































































































1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307



















































































































































































































































































































                                                                                             
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Host Access Control</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="Slackware Linux Essentials" href="index.html" />
<link rel="UP" title="Security" href="security.html" />
<link rel="PREVIOUS" title="Security" href="security.html" />
<link rel="NEXT" title="Keeping Current" href="security-current.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">Slackware Linux Essentials</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="security.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 14 Security</td>
<td width="10%" align="right" valign="bottom"><a href="security-current.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="SECURITY-HOST" name="SECURITY-HOST">14.2 Host Access
Control</a></h1>

<div class="SECT2">
<h2 class="SECT2"><a id="SECURITY-HOST-IPTABLES" name="SECURITY-HOST-IPTABLES">14.2.1 <tt
class="COMMAND">iptables</tt></a></h2>

<p><tt class="COMMAND">iptables</tt> is the packet filtering configuration program for
Linux 2.4 and above. The 2.4 kernel (2.4.5, to be exact) was first introduced into
Slackware (as an option) in version 8.0 and was made the default in Slackware 8.1. This
section only covers the basics of its usage and you should check <a
href="http://www.netfilter.org/" target="_top">http://www.netfilter.org/</a> for more
details. These commands can be entered into <tt
class="FILENAME">/etc/rc.d/rc.firewall</tt>, which has to be set as executable for these
rules to take effect at startup. Note that incorrect <tt class="COMMAND">iptables</tt>
commands can essentially lock you out of your own machine. Unless you are 100% confident
in your skills, always ensure you have local access to the machine.</p>

<p>The first thing most people should do is set the default policy for each inbound chain
to DROP:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">iptables -P INPUT DROP</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">iptables -P FORWARD DROP</kbd>
</pre>
</td>
</tr>
</table>

<p>When everything is denied, you can start allowing things. The first thing to allow is
any traffic for sessions which are already established:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>

<p>So as not to break any applications that communicate using the loopback address, it is
usually wise to add a rule like this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>

<p>This rules allows any traffic to and from 127.0.0.0/8 (127.0.0.0 - 127.255.255.255) on
the loopback (<tt class="FILENAME">lo</tt>) interface. When creating rules, it is a good
idea to be as specific as possible, to make sure that your rules do not inadvertently
allow anything evil. That said, rules that allow too little mean more rules and more
typing.</p>

<p>The next thing to do would be to allow access to specific services running on your
machine. If, for example, you wanted to run a web server on your machine, you would use a
rule similar to this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -p tcp --dport 80 -i ppp0 -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>

<p>This will allow access from any machine to port 80 on your machine via the <tt
class="FILENAME">ppp0</tt> interface. You may want to restrict access to this service so
that only certain machines can access it. This rule allows access to your web service
from <tt class="HOSTID">64.57.102.34</tt>:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -p tcp -s 64.57.102.34 --dport 80 -i ppp0 -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>

<p>Allowing ICMP traffic can be useful for diagnostic purposes. To do this, you would use
a rule like this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -p icmp -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>

<p>Most people will also want to set up Network Address Translation (NAT) on their
gateway machine, so that other machines on their network can access the Internet through
it. You would use the following rule to do this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE</kbd>
</pre>
</td>
</tr>
</table>

<p>You will also need to enable IP forwarding. You can do this temporarily, using the
following command:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">echo 1 &#62; /proc/sys/net/ipv4/ip_forward</kbd>
</pre>
</td>
</tr>
</table>

<p>To enable IP forwarding on a more permanent basis (i.e. so that the change is kept
after a reboot), you will need to open the file <tt
class="FILENAME">/etc/rc.d/rc.inet2</tt> in your favorite editor and change the following
line:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
IPV4_FORWARD=0
</pre>
</td>
</tr>
</table>

<p>...to this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
IPV4_FORWARD=1
</pre>
</td>
</tr>
</table>

<p>For more information on NAT, see the <a
href="http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.txt" target="_top">NAT
HOWTO</a>.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="SECURITY-HOST-TCPWRAPPERS"
name="SECURITY-HOST-TCPWRAPPERS">14.2.2 <tt class="COMMAND">tcpwrappers</tt></a></h2>

<p><tt class="COMMAND">tcpwrappers</tt> controls access to daemons at the application
level, rather than at the IP level. This can provide an extra layer of security at times
when IP-level access controls (e.g. Netfilter) are not functioning correctly. For
example, if you recompile the kernel but forget to include iptables support, your IP
level protection will fail but tcpwrappers will still help protect your system.</p>

<p>Access to services protected by tcpwrappers can be controlled using <tt
class="FILENAME">/etc/hosts.allow</tt> and <tt class="FILENAME">/etc/hosts.deny</tt>.</p>

<p>The majority of people would have a single line in their <tt
class="FILENAME">/etc/hosts.deny</tt> file to deny access to all daemons by default. This
line would be:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
ALL : ALL
</pre>
</td>
</tr>
</table>

<p>When this is done, you can concentrate on allowing access to services for specified
hosts, domains, or IP ranges. This can be done in the <tt
class="FILENAME">/etc/hosts.allow</tt> file, which follows the same format.</p>

<p>A lot of people would start by accepting all connections from <tt
class="HOSTID">localhost</tt>. This can be achieved using:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
ALL : 127.0.0.1
</pre>
</td>
</tr>
</table>

<p>To allow access to SSHd from <tt class="HOSTID">192.168.0.0/24</tt>, you could use
either of the following rules:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
sshd : 192.168.0.0/24
sshd : 192.168.0.
</pre>
</td>
</tr>
</table>

<p>It is also possible to restrict access to hosts in certain domains. This can be done
using the following rule (note that this relies on the reverse DNS entry for the
connecting host being trustworthy, so I would recommand against its use on
Internet-connected hosts):</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
sshd : .slackware.com
</pre>
</td>
</tr>
</table>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="security.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="security-current.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Security</td>
<td width="34%" align="center" valign="top"><a href="security.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Keeping Current</td>
</tr>
</table>
</div>
</body>
</html>
generated by cgit v1.2.3 (git 2.26.2) at 2024-04-20 01:30:51 +0000