path: root/slackbook/html/security-host.html
author    Patrick J Volkerding <volkerdi@slackware.com>  2010-05-19 08:58:23 +0000
committer Eric Hameleers <alien@slackware.com>  2018-05-31 22:43:05 +0200
commit    b76270bf9e6dd375e495fec92140a79a79415d27 (patch)
tree      3dbed78b2279bf9f14207a16dc634b90995cbd40 /slackbook/html/security-host.html
parent    5a12e7c134274dba706667107d10d231517d3e05 (diff)
download  current-b76270bf9e6dd375e495fec92140a79a79415d27.tar.gz
          current-b76270bf9e6dd375e495fec92140a79a79415d27.tar.xz
Slackware 13.1 (tag: slackware-13.1)
Wed May 19 08:58:23 UTC 2010 Slackware 13.1 x86_64 stable is released! Lots of thanks are due -- see the RELEASE_NOTES and the rest of the ChangeLog for credits. The ISOs are on their way to replication, a 6 CD-ROM 32-bit set and a dual-sided 32-bit/64-bit x86/x86_64 DVD. We are taking pre-orders now at store.slackware.com, and offering a discount if you sign up for a subscription. Consider picking up a copy to help support the project. Thanks again to the Slackware community for testing, contributing, and generally holding us to a high level of quality. :-) Enjoy!
Diffstat (limited to 'slackbook/html/security-host.html')
-rw-r--r--  slackbook/html/security-host.html  307 deletions
1 files changed, 0 insertions, 307 deletions
diff --git a/slackbook/html/security-host.html b/slackbook/html/security-host.html
deleted file mode 100644
index 55f33286a..000000000
--- a/slackbook/html/security-host.html
+++ /dev/null
@@ -1,307 +0,0 @@
-<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
- "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml">
-<head>
-<meta name="generator" content="HTML Tidy, see www.w3.org" />
-<title>Host Access Control</title>
-<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
-<link rel="HOME" title="Slackware Linux Essentials" href="index.html" />
-<link rel="UP" title="Security" href="security.html" />
-<link rel="PREVIOUS" title="Security" href="security.html" />
-<link rel="NEXT" title="Keeping Current" href="security-current.html" />
-<link rel="STYLESHEET" type="text/css" href="docbook.css" />
-<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
-</head>
-<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
-alink="#0000FF">
-<div class="NAVHEADER">
-<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
-cellspacing="0">
-<tr>
-<th colspan="3" align="center">Slackware Linux Essentials</th>
-</tr>
-
-<tr>
-<td width="10%" align="left" valign="bottom"><a href="security.html"
-accesskey="P">Prev</a></td>
-<td width="80%" align="center" valign="bottom">Chapter 14 Security</td>
-<td width="10%" align="right" valign="bottom"><a href="security-current.html"
-accesskey="N">Next</a></td>
-</tr>
-</table>
-
-<hr align="LEFT" width="100%" />
-</div>
-
-<div class="SECT1">
-<h1 class="SECT1"><a id="SECURITY-HOST" name="SECURITY-HOST">14.2 Host Access
-Control</a></h1>
-
-<div class="SECT2">
-<h2 class="SECT2"><a id="SECURITY-HOST-IPTABLES" name="SECURITY-HOST-IPTABLES">14.2.1 <tt
-class="COMMAND">iptables</tt></a></h2>
-
-<p><tt class="COMMAND">iptables</tt> is the packet filtering configuration program for
-Linux 2.4 and above. The 2.4 kernel (2.4.5, to be exact) was first introduced into
-Slackware (as an option) in version 8.0 and was made the default in Slackware 8.1. This
-section only covers the basics of its usage and you should check <a
-href="http://www.netfilter.org/" target="_top">http://www.netfilter.org/</a> for more
-details. These commands can be entered into <tt
-class="FILENAME">/etc/rc.d/rc.firewall</tt>, which has to be set as executable for these
-rules to take effect at startup. Note that incorrect <tt class="COMMAND">iptables</tt>
-commands can essentially lock you out of your own machine. Unless you are 100% confident
-in your skills, always ensure you have local access to the machine.</p>
-
-<p>The first thing most people should do is set the default policy for each inbound chain
-to DROP:</p>
-
-<table border="0" bgcolor="#E0E0E0" width="100%">
-<tr>
-<td>
-<pre class="SCREEN">
-<samp class="PROMPT">#</samp> <kbd class="USERINPUT">iptables -P INPUT DROP</kbd>
-<samp class="PROMPT">#</samp> <kbd class="USERINPUT">iptables -P FORWARD DROP</kbd>
-</pre>
-</td>
-</tr>
-</table>
-
-<p>When everything is denied, you can start allowing things. The first thing to allow is
-any traffic for sessions which are already established:</p>
-
-<table border="0" bgcolor="#E0E0E0" width="100%">
-<tr>
-<td>
-<pre class="SCREEN">
-<samp class="PROMPT">#</samp> <kbd
-class="USERINPUT">iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</kbd>
-</pre>
-</td>
-</tr>
-</table>
-
-<p>So as not to break any applications that communicate using the loopback address, it is
-usually wise to add a rule like this:</p>
-
-<table border="0" bgcolor="#E0E0E0" width="100%">
-<tr>
-<td>
-<pre class="SCREEN">
-<samp class="PROMPT">#</samp> <kbd
-class="USERINPUT">iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT</kbd>
-</pre>
-</td>
-</tr>
-</table>
-
-<p>This rules allows any traffic to and from 127.0.0.0/8 (127.0.0.0 - 127.255.255.255) on
-the loopback (<tt class="FILENAME">lo</tt>) interface. When creating rules, it is a good
-idea to be as specific as possible, to make sure that your rules do not inadvertently
-allow anything evil. That said, rules that allow too little mean more rules and more
-typing.</p>
-
-<p>The next thing to do would be to allow access to specific services running on your
-machine. If, for example, you wanted to run a web server on your machine, you would use a
-rule similar to this:</p>
-
-<table border="0" bgcolor="#E0E0E0" width="100%">
-<tr>
-<td>
-<pre class="SCREEN">
-<samp class="PROMPT">#</samp> <kbd
-class="USERINPUT">iptables -A INPUT -p tcp --dport 80 -i ppp0 -j ACCEPT</kbd>
-</pre>
-</td>
-</tr>
-</table>
-
-<p>This will allow access from any machine to port 80 on your machine via the <tt
-class="FILENAME">ppp0</tt> interface. You may want to restrict access to this service so
-that only certain machines can access it. This rule allows access to your web service
-from <tt class="HOSTID">64.57.102.34</tt>:</p>
-
-<table border="0" bgcolor="#E0E0E0" width="100%">
-<tr>
-<td>
-<pre class="SCREEN">
-<samp class="PROMPT">#</samp> <kbd
-class="USERINPUT">iptables -A INPUT -p tcp -s 64.57.102.34 --dport 80 -i ppp0 -j ACCEPT</kbd>
-</pre>
-</td>
-</tr>
-</table>
-
-<p>Allowing ICMP traffic can be useful for diagnostic purposes. To do this, you would use
-a rule like this:</p>
-
-<table border="0" bgcolor="#E0E0E0" width="100%">
-<tr>
-<td>
-<pre class="SCREEN">
-<samp class="PROMPT">#</samp> <kbd
-class="USERINPUT">iptables -A INPUT -p icmp -j ACCEPT</kbd>
-</pre>
-</td>
-</tr>
-</table>
-
-<p>Most people will also want to set up Network Address Translation (NAT) on their
-gateway machine, so that other machines on their network can access the Internet through
-it. You would use the following rule to do this:</p>
-
-<table border="0" bgcolor="#E0E0E0" width="100%">
-<tr>
-<td>
-<pre class="SCREEN">
-<samp class="PROMPT">#</samp> <kbd
-class="USERINPUT">iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE</kbd>
-</pre>
-</td>
-</tr>
-</table>
-
-<p>You will also need to enable IP forwarding. You can do this temporarily, using the
-following command:</p>
-
-<table border="0" bgcolor="#E0E0E0" width="100%">
-<tr>
-<td>
-<pre class="SCREEN">
-<samp class="PROMPT">#</samp> <kbd
-class="USERINPUT">echo 1 &#62; /proc/sys/net/ipv4/ip_forward</kbd>
-</pre>
-</td>
-</tr>
-</table>
-
-<p>To enable IP forwarding on a more permanent basis (i.e. so that the change is kept
-after a reboot), you will need to open the file <tt
-class="FILENAME">/etc/rc.d/rc.inet2</tt> in your favorite editor and change the following
-line:</p>
-
-<table border="0" bgcolor="#E0E0E0" width="100%">
-<tr>
-<td>
-<pre class="PROGRAMLISTING">
-IPV4_FORWARD=0
-</pre>
-</td>
-</tr>
-</table>
-
-<p>...to this:</p>
-
-<table border="0" bgcolor="#E0E0E0" width="100%">
-<tr>
-<td>
-<pre class="PROGRAMLISTING">
-IPV4_FORWARD=1
-</pre>
-</td>
-</tr>
-</table>
-
-<p>For more information on NAT, see the <a
-href="http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.txt" target="_top">NAT
-HOWTO</a>.</p>
-</div>
-
-<div class="SECT2">
-<h2 class="SECT2"><a id="SECURITY-HOST-TCPWRAPPERS"
-name="SECURITY-HOST-TCPWRAPPERS">14.2.2 <tt class="COMMAND">tcpwrappers</tt></a></h2>
-
-<p><tt class="COMMAND">tcpwrappers</tt> controls access to daemons at the application
-level, rather than at the IP level. This can provide an extra layer of security at times
-when IP-level access controls (e.g. Netfilter) are not functioning correctly. For
-example, if you recompile the kernel but forget to include iptables support, your IP
-level protection will fail but tcpwrappers will still help protect your system.</p>
-
-<p>Access to services protected by tcpwrappers can be controlled using <tt
-class="FILENAME">/etc/hosts.allow</tt> and <tt class="FILENAME">/etc/hosts.deny</tt>.</p>
-
-<p>The majority of people would have a single line in their <tt
-class="FILENAME">/etc/hosts.deny</tt> file to deny access to all daemons by default. This
-line would be:</p>
-
-<table border="0" bgcolor="#E0E0E0" width="100%">
-<tr>
-<td>
-<pre class="PROGRAMLISTING">
-ALL : ALL
-</pre>
-</td>
-</tr>
-</table>
-
-<p>When this is done, you can concentrate on allowing access to services for specified
-hosts, domains, or IP ranges. This can be done in the <tt
-class="FILENAME">/etc/hosts.allow</tt> file, which follows the same format.</p>
-
-<p>A lot of people would start by accepting all connections from <tt
-class="HOSTID">localhost</tt>. This can be achieved using:</p>
-
-<table border="0" bgcolor="#E0E0E0" width="100%">
-<tr>
-<td>
-<pre class="PROGRAMLISTING">
-ALL : 127.0.0.1
-</pre>
-</td>
-</tr>
-</table>
-
-<p>To allow access to SSHd from <tt class="HOSTID">192.168.0.0/24</tt>, you could use
-either of the following rules:</p>
-
-<table border="0" bgcolor="#E0E0E0" width="100%">
-<tr>
-<td>
-<pre class="PROGRAMLISTING">
-sshd : 192.168.0.0/24
-sshd : 192.168.0.
-</pre>
-</td>
-</tr>
-</table>
-
-<p>It is also possible to restrict access to hosts in certain domains. This can be done
-using the following rule (note that this relies on the reverse DNS entry for the
-connecting host being trustworthy, so I would recommand against its use on
-Internet-connected hosts):</p>
-
-<table border="0" bgcolor="#E0E0E0" width="100%">
-<tr>
-<td>
-<pre class="PROGRAMLISTING">
-sshd : .slackware.com
-</pre>
-</td>
-</tr>
-</table>
-</div>
-</div>
-
-<div class="NAVFOOTER">
-<hr align="LEFT" width="100%" />
-<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
-cellspacing="0">
-<tr>
-<td width="33%" align="left" valign="top"><a href="security.html"
-accesskey="P">Prev</a></td>
-<td width="34%" align="center" valign="top"><a href="index.html"
-accesskey="H">Home</a></td>
-<td width="33%" align="right" valign="top"><a href="security-current.html"
-accesskey="N">Next</a></td>
-</tr>
-
-<tr>
-<td width="33%" align="left" valign="top">Security</td>
-<td width="34%" align="center" valign="top"><a href="security.html"
-accesskey="U">Up</a></td>
-<td width="33%" align="right" valign="top">Keeping Current</td>
-</tr>
-</table>
-</div>
-</body>
-</html>
-
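Review bot: the commit message covers the Slackware 13.1 release announcement but gives no reason for deleting slackbook/html/security-host.html outright (all 307 lines of the 14.2 Host Access Control section, i.e. the iptables and tcpwrappers guidance) and does not say where that material now lives; please add a line to the message stating the rationale or the replacement location. The removed page's NAVHEADER and NAVFOOTER link to security.html and security-current.html as Prev/Next/Up, so check that those sibling pages are updated in the same change rather than left pointing at a file that no longer exists.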