<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Host Access Control</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="Slackware Linux Essentials" href="index.html" />
<link rel="UP" title="Security" href="security.html" />
<link rel="PREVIOUS" title="Security" href="security.html" />
<link rel="NEXT" title="Keeping Current" href="security-current.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">Slackware Linux Essentials</th>
</tr>
<tr>
<td width="10%" align="left" valign="bottom"><a href="security.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 14 Security</td>
<td width="10%" align="right" valign="bottom"><a href="security-current.html"
accesskey="N">Next</a></td>
</tr>
</table>
<hr align="LEFT" width="100%" />
</div>
<div class="SECT1">
<h1 class="SECT1"><a id="SECURITY-HOST" name="SECURITY-HOST">14.2 Host Access
Control</a></h1>
<div class="SECT2">
<h2 class="SECT2"><a id="SECURITY-HOST-IPTABLES" name="SECURITY-HOST-IPTABLES">14.2.1 <tt
class="COMMAND">iptables</tt></a></h2>
<p><tt class="COMMAND">iptables</tt> is the packet filtering configuration program for
Linux 2.4 and above. The 2.4 kernel (2.4.5, to be exact) was first introduced into
Slackware (as an option) in version 8.0 and was made the default in Slackware 8.1. This
section only covers the basics of its usage and you should check <a
href="http://www.netfilter.org/" target="_top">http://www.netfilter.org/</a> for more
details. These commands can be entered into <tt
class="FILENAME">/etc/rc.d/rc.firewall</tt>, which has to be set as executable for these
rules to take effect at startup. Note that incorrect <tt class="COMMAND">iptables</tt>
commands can essentially lock you out of your own machine. Unless you are 100% confident
in your skills, always ensure you have local access to the machine.</p>
<p>The first thing most people should do is set the default policy for each inbound chain
to DROP:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">iptables -P INPUT DROP</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">iptables -P FORWARD DROP</kbd>
</pre>
</td>
</tr>
</table>
<p>When everything is denied, you can start allowing things. The first thing to allow is
any traffic for sessions which are already established:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>
<p>So as not to break any applications that communicate using the loopback address, it is
usually wise to add a rule like this:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>
<p>This rule allows any traffic to and from 127.0.0.0/8 (127.0.0.0 - 127.255.255.255) on
the loopback (<tt class="FILENAME">lo</tt>) interface. When creating rules, it is a good
idea to be as specific as possible, to make sure that your rules do not inadvertently
allow anything evil. That said, rules that allow too little mean more rules and more
typing.</p>
<p>The next thing to do would be to allow access to specific services running on your
machine. If, for example, you wanted to run a web server on your machine, you would use a
rule similar to this:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -p tcp --dport 80 -i ppp0 -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>
<p>This will allow access from any machine to port 80 on your machine via the <tt
class="FILENAME">ppp0</tt> interface. You may want to restrict access to this service so
that only certain machines can access it. This rule allows access to your web service
from <tt class="HOSTID">64.57.102.34</tt>:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -p tcp -s 64.57.102.34 --dport 80 -i ppp0 -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>
<p>Allowing ICMP traffic can be useful for diagnostic purposes. To do this, you would use
a rule like this:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -p icmp -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>
<p>Most people will also want to set up Network Address Translation (NAT) on their
gateway machine, so that other machines on their network can access the Internet through
it. You would use the following rule to do this:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE</kbd>
</pre>
</td>
</tr>
</table>
<p>You will also need to enable IP forwarding. You can do this temporarily, using the
following command:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">echo 1 &#62; /proc/sys/net/ipv4/ip_forward</kbd>
</pre>
</td>
</tr>
</table>
<p>To enable IP forwarding on a more permanent basis (i.e. so that the change is kept
after a reboot), you will need to open the file <tt
class="FILENAME">/etc/rc.d/rc.inet2</tt> in your favorite editor and change the following
line:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
IPV4_FORWARD=0
</pre>
</td>
</tr>
</table>
<p>...to this:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
IPV4_FORWARD=1
</pre>
</td>
</tr>
</table>
<p>For more information on NAT, see the <a
href="http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.txt" target="_top">NAT
HOWTO</a>.</p>
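<p>The rules above, collected into a script of the kind the text says belongs in <tt
class="FILENAME">/etc/rc.d/rc.firewall</tt>. This is an added example, not code from the
Slackware Book. It assumes nothing beyond the commands shown in this section, but it adds
two conveniences that the section's warning about locking yourself out calls for: the
<tt class="COMMAND">iptables</tt> command is reached through a variable so the rule set can
be previewed with <tt class="COMMAND">IPT=echo</tt>, and the rules are applied under a
grace timer that reopens the firewall unless you confirm from a fresh login that the
machine is still reachable. The variable names (<tt class="COMMAND">IPT</tt>, <tt
class="COMMAND">WAN_IF</tt>, <tt class="COMMAND">WEB_CLIENT</tt>, <tt
class="COMMAND">GRACE</tt>) are this example's own.</p>

```shell
#!/bin/sh
# Added example, not from the Slackware Book: the rules from this section
# collected into an rc.firewall-style script. Two things are added for safe
# administration: IPT can be pointed at a dry-run command, and the rules are
# applied under a grace timer that reopens the firewall unless you confirm
# that you can still reach the machine.
IPT=${IPT:-iptables}        # set IPT=echo to preview the rules without applying them
WAN_IF=${WAN_IF:-ppp0}      # external interface; the section's examples use ppp0
WEB_CLIENT=${WEB_CLIENT:-64.57.102.34}   # host allowed to reach the web server (from the text)
GRACE=${GRACE:-60}          # seconds before the fail-safe revert fires

# The section's rules, in order: default DROP first, explicit ACCEPTs after.
firewall_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
    # drop "-s $WEB_CLIENT" to accept port 80 from anywhere, as in the first web rule
    $IPT -A INPUT -p tcp -s "$WEB_CLIENT" --dport 80 -i "$WAN_IF" -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Undo everything: open policies and empty chains in both tables.
firewall_revert() {
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
}

# Apply the rules, then start a detached timer that reverts them after
# $GRACE seconds. FAILSAFE_PID identifies the timer for firewall_confirm.
firewall_apply_with_failsafe() {
    firewall_rules
    ( sleep "$GRACE"; firewall_revert ) </dev/null >/dev/null 2>&1 &
    FAILSAFE_PID=$!
}

# Cancel the timer once you have verified that you can still log in.
firewall_confirm() {
    kill "$1" 2>/dev/null
}

# Entry point: "preview", "apply" (as root) or "confirm <pid>".
case "${1:-}" in
    preview) IPT=echo; firewall_rules ;;
    apply)
        # temporary; set IPV4_FORWARD=1 in /etc/rc.d/rc.inet2 to keep it across reboots
        echo 1 > /proc/sys/net/ipv4/ip_forward
        firewall_apply_with_failsafe
        echo "rules applied; they revert in $GRACE s unless you run: $0 confirm $FAILSAFE_PID" ;;
    confirm) firewall_confirm "$2" && echo "firewall rules kept" ;;
esac
```

<p>Run <tt class="COMMAND">sh rc.firewall preview</tt> to see the exact commands before
touching the live tables, then <tt class="COMMAND">sh rc.firewall apply</tt> as root,
open a second session to the machine, and <tt class="COMMAND">sh rc.firewall confirm
&lt;pid&gt;</tt> within the grace period. If the second session cannot connect, doing
nothing is the recovery: the timer restores the open policy by itself.</p>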
</div>
<div class="SECT2">
<h2 class="SECT2"><a id="SECURITY-HOST-TCPWRAPPERS"
name="SECURITY-HOST-TCPWRAPPERS">14.2.2 <tt class="COMMAND">tcpwrappers</tt></a></h2>
<p><tt class="COMMAND">tcpwrappers</tt> controls access to daemons at the application
level, rather than at the IP level. This can provide an extra layer of security at times
when IP-level access controls (e.g. Netfilter) are not functioning correctly. For
example, if you recompile the kernel but forget to include iptables support, your IP
level protection will fail but tcpwrappers will still help protect your system.</p>
<p>Access to services protected by tcpwrappers can be controlled using <tt
class="FILENAME">/etc/hosts.allow</tt> and <tt class="FILENAME">/etc/hosts.deny</tt>.</p>
<p>The majority of people would have a single line in their <tt
class="FILENAME">/etc/hosts.deny</tt> file to deny access to all daemons by default. This
line would be:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
ALL : ALL
</pre>
</td>
</tr>
</table>
<p>When this is done, you can concentrate on allowing access to services for specified
hosts, domains, or IP ranges. This can be done in the <tt
class="FILENAME">/etc/hosts.allow</tt> file, which follows the same format.</p>
<p>A lot of people would start by accepting all connections from <tt
class="HOSTID">localhost</tt>. This can be achieved using:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
ALL : 127.0.0.1
</pre>
</td>
</tr>
</table>
<p>To allow access to SSHd from <tt class="HOSTID">192.168.0.0/24</tt>, you could use
either of the following rules:</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
sshd : 192.168.0.0/24
sshd : 192.168.0.
</pre>
</td>
</tr>
</table>
<p>It is also possible to restrict access to hosts in certain domains. This can be done
using the following rule (note that this relies on the reverse DNS entry for the
connecting host being trustworthy, so I would recommend against its use on
Internet-connected hosts):</p>
<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
sshd : .slackware.com
</pre>
</td>
</tr>
</table>
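<p>To make the matching semantics of the rules above concrete, here is a small evaluator
for <tt class="FILENAME">/etc/hosts.allow</tt> and <tt
class="FILENAME">/etc/hosts.deny</tt>. It is an added example, not part of the Slackware
Book or of tcpwrappers itself, and it implements only the subset of the <tt
class="COMMAND">hosts_access(5)</tt> language used in this section: <tt
class="COMMAND">ALL</tt>, an exact address or host name, <tt class="COMMAND">net/prefix</tt>
or <tt class="COMMAND">net/mask</tt>, a trailing-dot address prefix and a leading-dot domain
suffix, checked in the real decision order (allow file, then deny file, then permit). The two
files are constructed copies of the ones shown above, written to temporary paths so the
example never touches the real <tt class="FILENAME">/etc</tt>. The client's host name is
passed in by the caller; real tcpwrappers obtains it by reverse DNS, which is precisely the
step the warning above says not to trust on Internet-connected hosts.</p>

```shell
#!/bin/sh
# Added example, not from the Slackware Book: an evaluator for the
# hosts.allow / hosts.deny rules shown in this section. Decision order is
# that of hosts_access(5): a match in the allow file permits, then a match in
# the deny file refuses, otherwise the connection is permitted. Supported
# client patterns: ALL, exact address or name, net/prefix, net/mask,
# trailing-dot address prefix, leading-dot domain suffix. EXCEPT clauses,
# shell commands and the KNOWN/UNKNOWN/PARANOID wildcards are not handled.

# Constructed copies of the two files from the text (temporary paths, so the
# real /etc files are never read or written).
DENY_FILE=$(mktemp); ALLOW_FILE=$(mktemp)
trap 'rm -f "$ALLOW_FILE" "$DENY_FILE"' EXIT
printf '%s\n' '# deny everything not explicitly allowed' 'ALL : ALL' >"$DENY_FILE"
printf '%s\n' 'ALL : 127.0.0.1' 'sshd : 192.168.0.0/24' 'sshd : .slackware.com' >"$ALLOW_FILE"

# Dotted quad -> integer, for net/mask comparisons.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does client pattern $1 match address $2 / host name $3?  (0 = yes)
client_matches() {
    pat=$1 ip=$2 name=$3
    case "$pat" in
        ALL) return 0 ;;
        .*)  case "$name" in *"$pat") return 0 ;; esac; return 1 ;;   # domain suffix
        *.)  case "$ip"   in "$pat"*) return 0 ;; esac; return 1 ;;   # address prefix
        */*)
            net=${pat%/*} m=${pat#*/}
            case "$m" in
                *.*) mask=$(ip2int "$m") ;;                                # dotted mask
                *)   mask=$(( (0xffffffff << (32 - m)) & 0xffffffff )) ;; # prefix length
            esac
            [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
            return $? ;;
        *)   [ "$pat" = "$ip" ] || [ "$pat" = "$name" ]; return $? ;;
    esac
}

# Does any "daemons : clients" line in file $1 match daemon $2 from $3/$4?
file_matches() {
    file=$1 daemon=$2 ip=$3 name=$4
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # strip comments
        case "$line" in *:*) ;; *) continue ;; esac       # skip blank lines
        dlist=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        rest=${line#*:}
        clist=$(printf '%s' "${rest%%:*}" | tr ',' ' ')
        for d in $dlist; do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            for c in $clist; do
                client_matches "$c" "$ip" "$name" && return 0
            done
        done
    done <"$file"
    return 1
}

# Verdict for one connection: prints allow/deny, exit status 0 for allow.
hosts_access() {
    if file_matches "$ALLOW_FILE" "$1" "$2" "${3:-}"; then echo allow; return 0; fi
    if file_matches "$DENY_FILE"  "$1" "$2" "${3:-}"; then echo deny;  return 1; fi
    echo allow
}

# Constructed queries: daemon, client address, client name if known.
for q in "sshd 192.168.0.10" "sshd 10.1.2.3 mirror.slackware.com" \
         "ftpd 192.168.0.10" "smtpd 127.0.0.1 localhost"; do
    set -- $q
    printf '%-5s from %-14s %-22s -> %s\n' "$1" "$2" "${3:-(no name)}" \
        "$(hosts_access "$1" "$2" "${3:-}")"
done
```

<p>Because the allow file is consulted first, the <tt class="COMMAND">ALL : ALL</tt> line in
<tt class="FILENAME">hosts.deny</tt> only reaches connections that no allow line matched:
<tt class="COMMAND">sshd</tt> from 192.168.0.10 is permitted by the network rule, while
<tt class="COMMAND">ftpd</tt> from the same address, which matches nothing in the allow
file, is refused.</p>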
</div>
</div>
<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="security.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="security-current.html"
accesskey="N">Next</a></td>
</tr>
<tr>
<td width="33%" align="left" valign="top">Security</td>
<td width="34%" align="center" valign="top"><a href="security.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Keeping Current</td>
</tr>
</table>
</div>
</body>
</html>