From 39366733c3fe943363566756e2e152c45a1b3cb2 Mon Sep 17 00:00:00 2001 From: Patrick J Volkerding Date: Fri, 25 May 2018 23:29:36 +0000 Subject: Fri May 25 23:29:36 UTC 2018 patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.2.txz: Rebuilt. Handle removal of US/Pacific-New timezone. If we see that the machine is using this, it will be automatically switched to US/Pacific. --- slackbook/html/security-host.html | 307 -------------------------------------- 1 file changed, 307 deletions(-) delete mode 100644 slackbook/html/security-host.html (limited to 'slackbook/html/security-host.html') diff --git a/slackbook/html/security-host.html b/slackbook/html/security-host.html deleted file mode 100644 index 55f33286a..000000000 --- a/slackbook/html/security-host.html +++ /dev/null @@ -1,307 +0,0 @@ - - - - -Host Access Control - - - - - - - - - -
- - - - - - - - - - -
Slackware Linux Essentials
PrevChapter 14 SecurityNext
- -
-
- -
-

14.2 Host Access -Control

- -
-

14.2.1 iptables

- -

iptables is the packet filtering configuration program for -Linux 2.4 and above. The 2.4 kernel (2.4.5, to be exact) was first introduced into -Slackware (as an option) in version 8.0 and was made the default in Slackware 8.1. This -section only covers the basics of its usage and you should check http://www.netfilter.org/ for more -details. These commands can be entered into /etc/rc.d/rc.firewall, which has to be set as executable for these -rules to take effect at startup. Note that incorrect iptables -commands can essentially lock you out of your own machine. Unless you are 100% confident -in your skills, always ensure you have local access to the machine.

- -

The first thing most people should do is set the default policy for each inbound chain -to DROP:

- - - - - -
-
-# iptables -P INPUT DROP
-# iptables -P FORWARD DROP
-
-
- -

When everything is denied, you can start allowing things. The first thing to allow is -any traffic for sessions which are already established:

- - - - - -
-
-# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-
-
- -

So as not to break any applications that communicate using the loopback address, it is -usually wise to add a rule like this:

- - - - - -
-
-# iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-
-
- -

This rules allows any traffic to and from 127.0.0.0/8 (127.0.0.0 - 127.255.255.255) on -the loopback (lo) interface. When creating rules, it is a good -idea to be as specific as possible, to make sure that your rules do not inadvertently -allow anything evil. That said, rules that allow too little mean more rules and more -typing.

- -

The next thing to do would be to allow access to specific services running on your -machine. If, for example, you wanted to run a web server on your machine, you would use a -rule similar to this:

- - - - - -
-
-# iptables -A INPUT -p tcp --dport 80 -i ppp0 -j ACCEPT
-
-
- -

This will allow access from any machine to port 80 on your machine via the ppp0 interface. You may want to restrict access to this service so -that only certain machines can access it. This rule allows access to your web service -from 64.57.102.34:

- - - - - -
-
-# iptables -A INPUT -p tcp -s 64.57.102.34 --dport 80 -i ppp0 -j ACCEPT
-
-
- -

Allowing ICMP traffic can be useful for diagnostic purposes. To do this, you would use -a rule like this:

- - - - - -
-
-# iptables -A INPUT -p icmp -j ACCEPT
-
-
- -

Most people will also want to set up Network Address Translation (NAT) on their -gateway machine, so that other machines on their network can access the Internet through -it. You would use the following rule to do this:

- - - - - -
-
-# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
-
-
- -

You will also need to enable IP forwarding. You can do this temporarily, using the -following command:

- - - - - -
-
-# echo 1 > /proc/sys/net/ipv4/ip_forward
-
-
- -

To enable IP forwarding on a more permanent basis (i.e. so that the change is kept -after a reboot), you will need to open the file /etc/rc.d/rc.inet2 in your favorite editor and change the following -line:

- - - - - -
-
-IPV4_FORWARD=0
-
-
- -

...to this:

- - - - - -
-
-IPV4_FORWARD=1
-
-
- -

For more information on NAT, see the NAT -HOWTO.

-
- -
-

14.2.2 tcpwrappers

- -

tcpwrappers controls access to daemons at the application -level, rather than at the IP level. This can provide an extra layer of security at times -when IP-level access controls (e.g. Netfilter) are not functioning correctly. For -example, if you recompile the kernel but forget to include iptables support, your IP -level protection will fail but tcpwrappers will still help protect your system.

- -

Access to services protected by tcpwrappers can be controlled using /etc/hosts.allow and /etc/hosts.deny.

- -

The majority of people would have a single line in their /etc/hosts.deny file to deny access to all daemons by default. This -line would be:

- - - - - -
-
-ALL : ALL
-
-
- -

When this is done, you can concentrate on allowing access to services for specified -hosts, domains, or IP ranges. This can be done in the /etc/hosts.allow file, which follows the same format.

- -

A lot of people would start by accepting all connections from localhost. This can be achieved using:

- - - - - -
-
-ALL : 127.0.0.1
-
-
- -

To allow access to SSHd from 192.168.0.0/24, you could use -either of the following rules:

- - - - - -
-
-sshd : 192.168.0.0/24
-sshd : 192.168.0.
-
-
- -

It is also possible to restrict access to hosts in certain domains. This can be done -using the following rule (note that this relies on the reverse DNS entry for the -connecting host being trustworthy, so I would recommand against its use on -Internet-connected hosts):

- - - - - -
-
-sshd : .slackware.com
-
-
-
-
- -
-
- - - - - - - - - - - - -
PrevHomeNext
SecurityUpKeeping Current
-
- - - -- cgit v1.2.3