mirror of
git://slackware.nl/current.git
synced 2024-12-29 10:25:00 +01:00
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Host Access Control</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="Slackware Linux Essentials" href="index.html" />
<link rel="UP" title="Security" href="security.html" />
<link rel="PREVIOUS" title="Security" href="security.html" />
<link rel="NEXT" title="Keeping Current" href="security-current.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">Slackware Linux Essentials</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="security.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 14 Security</td>
<td width="10%" align="right" valign="bottom"><a href="security-current.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="SECURITY-HOST" name="SECURITY-HOST">14.2 Host Access
Control</a></h1>

<div class="SECT2">
<h2 class="SECT2"><a id="SECURITY-HOST-IPTABLES" name="SECURITY-HOST-IPTABLES">14.2.1 <tt
class="COMMAND">iptables</tt></a></h2>

<p><tt class="COMMAND">iptables</tt> is the packet filtering configuration program for
Linux 2.4 and above. The 2.4 kernel (2.4.5, to be exact) was first introduced into
Slackware (as an option) in version 8.0 and was made the default in Slackware 8.1. This
section only covers the basics of its usage and you should check <a
href="http://www.netfilter.org/" target="_top">http://www.netfilter.org/</a> for more
details. These commands can be entered into <tt
class="FILENAME">/etc/rc.d/rc.firewall</tt>, which has to be set as executable for these
rules to take effect at startup. Note that incorrect <tt class="COMMAND">iptables</tt>
commands can essentially lock you out of your own machine. Unless you are 100% confident
in your skills, always ensure you have local access to the machine.</p>

<p>The first thing most people should do is set the default policy for each inbound chain
to DROP:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">iptables -P INPUT DROP</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">iptables -P FORWARD DROP</kbd>
</pre>
</td>
</tr>
</table>

<p>When everything is denied, you can start allowing things. The first thing to allow is
any traffic for sessions which are already established:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>

<p>So as not to break any applications that communicate using the loopback address, it is
usually wise to add a rule like this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>

<p>This rule allows any traffic to and from 127.0.0.0/8 (127.0.0.0 - 127.255.255.255) on
the loopback (<tt class="FILENAME">lo</tt>) interface. When creating rules, it is a good
idea to be as specific as possible, to make sure that your rules do not inadvertently
allow anything evil. That said, rules that allow too little mean more rules and more
typing.</p>

<p>The next thing to do would be to allow access to specific services running on your
machine. If, for example, you wanted to run a web server on your machine, you would use a
rule similar to this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -p tcp --dport 80 -i ppp0 -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>

<p>This will allow access from any machine to port 80 on your machine via the <tt
class="FILENAME">ppp0</tt> interface. You may want to restrict access to this service so
that only certain machines can access it. This rule allows access to your web service
from <tt class="HOSTID">64.57.102.34</tt>:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -p tcp -s 64.57.102.34 --dport 80 -i ppp0 -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>

<p>Allowing ICMP traffic can be useful for diagnostic purposes. To do this, you would use
a rule like this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -p icmp -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>

<p>Most people will also want to set up Network Address Translation (NAT) on their
gateway machine, so that other machines on their network can access the Internet through
it. You would use the following rule to do this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE</kbd>
</pre>
</td>
</tr>
</table>

<p>You will also need to enable IP forwarding. You can do this temporarily, using the
following command:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">echo 1 > /proc/sys/net/ipv4/ip_forward</kbd>
</pre>
</td>
</tr>
</table>

<p>To enable IP forwarding on a more permanent basis (i.e. so that the change is kept
after a reboot), you will need to open the file <tt
class="FILENAME">/etc/rc.d/rc.inet2</tt> in your favorite editor and change the following
line:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
IPV4_FORWARD=0
</pre>
</td>
</tr>
</table>

<p>...to this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
IPV4_FORWARD=1
</pre>
</td>
</tr>
</table>

<p>For more information on NAT, see the <a
href="http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.txt" target="_top">NAT
HOWTO</a>.</p>
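<p>The rules above assembled into one re-runnable script, generated as text first so the
ruleset can be reviewed before it touches the kernel; this is an added example, not
Slackware's own <tt class="FILENAME">rc.firewall</tt>. The flush commands, the
<tt class="COMMAND">start</tt>/<tt class="COMMAND">show</tt> arguments, the ordering check
and the WAN_IF and WEB_CLIENT variables are assumptions.</p>

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall assembled from the rules in this section (added
# example, not Slackware's own file). WAN_IF and WEB_CLIENT are assumed values.
WAN_IF="${WAN_IF:-ppp0}"                   # interface facing the Internet
WEB_CLIENT="${WEB_CLIENT:-64.57.102.34}"   # only host allowed to reach port 80

# Print the ruleset one command per line, in the order it must be applied.
# Generating text first lets you review it (rc.firewall show) before anything
# touches the kernel, since a wrong rule here can lock you out.
rc_firewall_rules() {
    # Flush existing rules and user chains so re-running does not duplicate them.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -X"
    # Default policy: drop everything inbound and everything to be forwarded.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    # Replies to connections this host started, then loopback traffic.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT"
    # The web server, reachable only from WEB_CLIENT (the restricted form).
    echo "iptables -A INPUT -p tcp -s $WEB_CLIENT --dport 80 -i $WAN_IF -j ACCEPT"
    # ICMP for diagnostics, then NAT for the LAN behind this gateway.
    echo "iptables -A INPUT -p icmp -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
}
# Position (1-based) of the first rule containing fixed string $1, or 0.
rc_firewall_rule_index() {
    rc_firewall_rules | grep -n -F -- "$1" | head -n 1 | cut -d: -f1 | grep . || echo 0
}
# Refuse rulesets where the service rule precedes the ESTABLISHED rule or
# where the loopback rule is missing; both mistakes are easy to make by hand.
rc_firewall_check() {
    est=$(rc_firewall_rule_index "ESTABLISHED,RELATED")
    lo=$(rc_firewall_rule_index "-i lo -j ACCEPT")
    web=$(rc_firewall_rule_index "--dport 80")
    [ "$est" -gt 0 -a "$lo" -gt 0 -a "$web" -gt "$est" ]
}
# Apply the ruleset and enable IP forwarding; must run as root.
rc_firewall_apply() {
    if [ "$(id -u)" -ne 0 ]; then echo "rc.firewall: must run as root"; return 1; fi
    if ! rc_firewall_check; then echo "rc.firewall: ruleset failed sanity check"; return 1; fi
    rc_firewall_rules | sh -e              # stops at the first iptables failure
    echo 1 > /proc/sys/net/ipv4/ip_forward
}
case "$1" in
    start) rc_firewall_apply ;;
    *)     rc_firewall_rules ;;            # "show" or no argument just prints
esac
```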
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="SECURITY-HOST-TCPWRAPPERS"
name="SECURITY-HOST-TCPWRAPPERS">14.2.2 <tt class="COMMAND">tcpwrappers</tt></a></h2>

<p><tt class="COMMAND">tcpwrappers</tt> controls access to daemons at the application
level, rather than at the IP level. This can provide an extra layer of security at times
when IP-level access controls (e.g. Netfilter) are not functioning correctly. For
example, if you recompile the kernel but forget to include iptables support, your IP
level protection will fail but tcpwrappers will still help protect your system.</p>

<p>Access to services protected by tcpwrappers can be controlled using <tt
class="FILENAME">/etc/hosts.allow</tt> and <tt class="FILENAME">/etc/hosts.deny</tt>.</p>

<p>The majority of people would have a single line in their <tt
class="FILENAME">/etc/hosts.deny</tt> file to deny access to all daemons by default. This
line would be:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
ALL : ALL
</pre>
</td>
</tr>
</table>

<p>When this is done, you can concentrate on allowing access to services for specified
hosts, domains, or IP ranges. This can be done in the <tt
class="FILENAME">/etc/hosts.allow</tt> file, which follows the same format.</p>

<p>A lot of people would start by accepting all connections from <tt
class="HOSTID">localhost</tt>. This can be achieved using:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
ALL : 127.0.0.1
</pre>
</td>
</tr>
</table>

<p>To allow access to SSHd from <tt class="HOSTID">192.168.0.0/24</tt>, you could use
either of the following rules:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
sshd : 192.168.0.0/24
sshd : 192.168.0.
</pre>
</td>
</tr>
</table>

<p>It is also possible to restrict access to hosts in certain domains. This can be done
using the following rule (note that this relies on the reverse DNS entry for the
connecting host being trustworthy, so I would recommend against its use on
Internet-connected hosts):</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
sshd : .slackware.com
</pre>
</td>
</tr>
</table>
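<p>The decision tcpd makes with the two files described above, re-implemented as a small
shell matcher for the client patterns this section uses; this is an added example, not
tcp_wrappers code, and the inline rule text, the function names and the treatment of
the 192.168.0.0/24 form are assumptions. It shows the hosts_access(5) order (allow file
first, then deny file, then grant) and therefore why an empty
<tt class="FILENAME">hosts.deny</tt> leaves every service open.</p>

```shell
#!/bin/sh
# Added example, not part of tcp_wrappers: a small re-implementation of the
# hosts.allow / hosts.deny decision for the client patterns this section uses
# (ALL, one address, a "192.168.0." prefix, 192.168.0.0/24, ".slackware.com").
# The two rule files are constructed inline; the real tcpd reads /etc/hosts.*.
TCPD_ALLOW='ALL : 127.0.0.1
sshd : 192.168.0.0/24
sshd : .slackware.com'
TCPD_DENY='ALL : ALL'
# Dotted quad to integer, for the net/prefix form.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}
# Does client address $2 (reverse-DNS name $3, may be empty) match pattern $1?
client_match() {
    case "$1" in
        ALL) return 0 ;;
        */*) size=1; n=$(( 32 - ${1#*/} ))          # number of host addresses
             while [ "$n" -gt 0 ]; do size=$(( size * 2 )); n=$(( n - 1 )); done
             [ $(( $(ip2int "$2") / size )) -eq $(( $(ip2int "${1%/*}") / size )) ] ;;
        .*)  case "$3" in *"$1") return 0 ;; esac; return 1 ;;   # domain suffix
        *.)  case "$2" in "$1"*) return 0 ;; esac; return 1 ;;   # address prefix
        *)   [ "$1" = "$2" ] ;;
    esac
}
# Does any "daemons : clients" line of rule text $1 match daemon $2,
# address $3 and name $4? The group runs in a subshell, so exit only leaves it.
file_match() {
    printf '%s\n' "$1" | {
        while IFS=: read -r daemons clients; do
            for d in $daemons; do
                [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
                for c in $clients; do
                    if client_match "$c" "$3" "$4"; then exit 0; fi
                done
            done
        done
        exit 1
    }
}
# hosts_access(5) order: a hosts.allow match grants, then a hosts.deny match
# refuses, and a client matching neither file is granted. Prints the verdict.
tcpd_decide() {   # $1 daemon, $2 client address, $3 client reverse-DNS name
    if file_match "$TCPD_ALLOW" "$1" "$2" "$3"; then echo allow
    elif file_match "$TCPD_DENY" "$1" "$2" "$3"; then echo deny
    else echo allow; fi    # this fallback is why the "ALL : ALL" deny line matters
}
```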
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="security.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="security-current.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Security</td>
<td width="34%" align="center" valign="top"><a href="security.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Keeping Current</td>
</tr>
</table>
</div>
</body>
</html>