<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Host Access Control</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="Slackware Linux Essentials" href="index.html" />
<link rel="UP" title="Security" href="security.html" />
<link rel="PREVIOUS" title="Security" href="security.html" />
<link rel="NEXT" title="Keeping Current" href="security-current.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">Slackware Linux Essentials</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="security.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 14 Security</td>
<td width="10%" align="right" valign="bottom"><a href="security-current.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="SECURITY-HOST" name="SECURITY-HOST">14.2 Host Access
Control</a></h1>

<div class="SECT2">
<h2 class="SECT2"><a id="SECURITY-HOST-IPTABLES" name="SECURITY-HOST-IPTABLES">14.2.1 <tt
class="COMMAND">iptables</tt></a></h2>

<p><tt class="COMMAND">iptables</tt> is the packet filtering configuration program for
Linux 2.4 and above. The 2.4 kernel (2.4.5, to be exact) was first introduced into
Slackware (as an option) in version 8.0 and was made the default in Slackware 8.1. This
section only covers the basics of its usage and you should check <a
href="http://www.netfilter.org/" target="_top">http://www.netfilter.org/</a> for more
details. These commands can be entered into <tt
class="FILENAME">/etc/rc.d/rc.firewall</tt>, which has to be set as executable for these
rules to take effect at startup. Note that incorrect <tt class="COMMAND">iptables</tt>
commands can essentially lock you out of your own machine: a DROP policy takes effect
the moment it is set, before any ACCEPT rule that follows it, so a remote session that
is not yet covered by such a rule is cut off on the spot. Unless you are 100% confident
in your skills, always ensure you have local console access to the machine while you
work on the rules.</p>

<p>The first thing most people should do is set the default policy for each inbound chain
to DROP (the OUTPUT chain keeps its default policy of ACCEPT, so the machine itself can
still initiate connections):</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">iptables -P INPUT DROP</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">iptables -P FORWARD DROP</kbd>
</pre>
</td>
</tr>
</table>

<p>When everything is denied, you can start allowing things. The first thing to allow is
any traffic for sessions which are already established, together with traffic the
connection tracker relates to them (such as ICMP errors for an existing connection):</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>

<p>So as not to break any applications that communicate using the loopback address, it is
usually wise to add a rule like this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>

<p>This rule allows any traffic to and from 127.0.0.0/8 (127.0.0.0 - 127.255.255.255) on
the loopback (<tt class="FILENAME">lo</tt>) interface. Bear in mind that a connection a
process makes to one of the machine's own non-loopback addresses also travels over <tt
class="FILENAME">lo</tt>, and this rule does not match it; matching on the interface
alone covers that case as well. When creating rules, it is a good idea to be as specific
as possible, to make sure that your rules do not inadvertently allow anything evil. That
said, rules that allow too little mean more rules and more typing.</p>

<p>The next thing to do would be to allow access to specific services running on your
machine. If, for example, you wanted to run a web server on your machine, you would use a
rule similar to this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -p tcp --dport 80 -i ppp0 -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>

<p>This will allow access from any machine to port 80 on your machine via the <tt
class="FILENAME">ppp0</tt> interface. You may want to restrict access to this service so
that only certain machines can access it. This rule allows access to your web service
from <tt class="HOSTID">64.57.102.34</tt>:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -p tcp -s 64.57.102.34 --dport 80 -i ppp0 -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>

<p>Use one rule or the other, not both. Rules in a chain are checked in order and the
first match decides, and <tt class="COMMAND">-A</tt> appends to the end of the chain, so
if the unrestricted rule is already loaded the restricted one below it is never reached.</p>

<p>Allowing ICMP traffic can be useful for diagnostic purposes. To do this, you would use
a rule like this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -A INPUT -p icmp -j ACCEPT</kbd>
</pre>
</td>
</tr>
</table>

<p>This accepts every ICMP type from every source. The ICMP error messages that matter
for working connections are already let in by the ESTABLISHED,RELATED rule above, so if
the aim is only for the machine to answer pings, a rule that matches echo requests alone,
with a rate limit, gives away less.</p>

<p>Most people will also want to set up Network Address Translation (NAT) on their
gateway machine, so that other machines on their network can access the Internet through
it. You would use the following rule to do this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE</kbd>
</pre>
</td>
</tr>
</table>

<p>Because the FORWARD chain's policy was set to DROP above, this rule on its own passes
nothing: a packet from the internal network reaches POSTROUTING, where the address is
rewritten, only after the FORWARD chain has accepted it. You also need FORWARD rules that
accept new connections from the internal network leaving through the external interface
and ESTABLISHED,RELATED traffic coming back, and the MASQUERADE rule should be limited to
the internal network's address range rather than rewriting everything that leaves the
interface.</p>

<p>You will also need to enable IP forwarding. You can do this temporarily, using the
following command:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">echo 1 > /proc/sys/net/ipv4/ip_forward</kbd>
</pre>
</td>
</tr>
</table>

<p>To enable IP forwarding on a more permanent basis (i.e. so that the change is kept
after a reboot), you will need to open the file <tt
class="FILENAME">/etc/rc.d/rc.inet2</tt> in your favorite editor and change the following
line:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
IPV4_FORWARD=0
</pre>
</td>
</tr>
</table>

<p>...to this:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
IPV4_FORWARD=1
</pre>
</td>
</tr>
</table>

<p>For more information on NAT, see the <a
href="http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO.txt" target="_top">NAT
HOWTO</a>.</p>
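<p>The steps above are one procedure, and the order in which they are applied matters.
The following script, added here as an example and not taken from the book or from
Slackware's own <tt class="FILENAME">rc.firewall</tt>, puts the whole policy into one
<tt class="COMMAND">iptables-restore</tt> ruleset so that it is loaded in a single step,
and fills in what the individual commands above leave out: the FORWARD rules that a DROP
policy makes necessary for NAT, a MASQUERADE rule limited to the LAN's address range, and
an ICMP rule limited to echo requests. The interface name, LAN range and trusted client
address are assumptions held in the variables <tt class="COMMAND">WAN_IF</tt>, <tt
class="COMMAND">LAN_NET</tt> and <tt class="COMMAND">TRUSTED_WEB_CLIENT</tt>, and it uses
the conntrack match, which is the current name of the state match used above.</p>

```shell
#!/bin/sh
# Added example for this section, not the book's own rc.firewall and not part of
# Slackware: it generates the policy described above (DROP defaults, loopback,
# established traffic, a restricted web server, ICMP, NAT for a LAN) as one
# iptables-restore ruleset, so it is loaded atomically instead of rule by rule.
# Assumed names (not from the text): WAN_IF, LAN_NET, TRUSTED_WEB_CLIENT.
#   sh rc.firewall          print the ruleset for review
#   sh rc.firewall apply    load it with iptables-restore and enable forwarding (root)

WAN_IF="${WAN_IF:-ppp0}"                                  # Internet-facing interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"                      # assumption: LAN behind the gateway
TRUSTED_WEB_CLIENT="${TRUSTED_WEB_CLIENT:-64.57.102.34}"  # the address used in the text

# build_firewall_rules WAN_IF LAN_NET WEB_CLIENT -> iptables-restore text on stdout
build_firewall_rules() {
    wan=$1; lan=$2; web_client=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: the interface match alone also covers packets a process sends to
# one of this host's non-loopback addresses, which travel over lo as well
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, and ICMP errors related to them
# (conntrack is the current name of the old state match)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# web server: one trusted client only, on the external interface only
-A INPUT -i $wan -p tcp -s $web_client --dport 80 -j ACCEPT
# ICMP: answer pings, but not every type, and not at line rate
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# FORWARD defaults to DROP, so NAT needs explicit pass rules for the LAN:
# replies coming back in, and new connections from the LAN going out
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# masquerade only the LAN's own address range, not everything leaving $wan
-A POSTROUTING -s $lan -o $wan -j MASQUERADE
COMMIT
EOF
}

# apply_firewall_rules: iptables-restore replaces a table in one step, and a
# syntax error aborts the load before that table is touched
apply_firewall_rules() {
    build_firewall_rules "$WAN_IF" "$LAN_NET" "$TRUSTED_WEB_CLIENT" | iptables-restore &&
        echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    apply) apply_firewall_rules ;;
    *)     build_firewall_rules "$WAN_IF" "$LAN_NET" "$TRUSTED_WEB_CLIENT" ;;
esac
```

<p>Run it without arguments first and read the output; only then run it with <tt
class="COMMAND">apply</tt> as root from the console. Because <tt
class="COMMAND">iptables-restore</tt> parses a whole table before it replaces the running
one, a typo produces an error and leaves the previous rules in place, which is exactly
what a rule-by-rule script cannot promise.</p>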
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="SECURITY-HOST-TCPWRAPPERS"
name="SECURITY-HOST-TCPWRAPPERS">14.2.2 <tt class="COMMAND">tcpwrappers</tt></a></h2>

<p><tt class="COMMAND">tcpwrappers</tt> controls access to daemons at the application
level, rather than at the IP level. This can provide an extra layer of security at times
when IP-level access controls (e.g. Netfilter) are not functioning correctly. For
example, if you recompile the kernel but forget to include iptables support, your IP
level protection will fail but tcpwrappers will still help protect your system. It is a
second layer, not a replacement for the first: the kernel accepts the connection and the
daemon then refuses it, and only daemons started through <tt class="COMMAND">tcpd</tt>
from <tt class="FILENAME">/etc/inetd.conf</tt> or built against <tt
class="FILENAME">libwrap</tt> consult the access files at all. A daemon that does
neither is not protected, however the files are written (OpenSSH dropped its libwrap
support in version 6.7, so a current <tt class="COMMAND">sshd</tt> does not read these
files unless it is run from inetd through <tt class="COMMAND">tcpd</tt>).</p>

<p>Access to services protected by tcpwrappers can be controlled using <tt
class="FILENAME">/etc/hosts.allow</tt> and <tt class="FILENAME">/etc/hosts.deny</tt>.</p>

<p>The majority of people would have a single line in their <tt
class="FILENAME">/etc/hosts.deny</tt> file to deny access to all daemons by default. This
line would be:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
ALL : ALL
</pre>
</td>
</tr>
</table>

<p>When this is done, you can concentrate on allowing access to services for specified
hosts, domains, or IP ranges. This can be done in the <tt
class="FILENAME">/etc/hosts.allow</tt> file, which follows the same format. The two files
are consulted in a fixed order for every connection: <tt
class="FILENAME">/etc/hosts.allow</tt> is searched first, and the first matching line
grants access; if nothing there matches, <tt class="FILENAME">/etc/hosts.deny</tt> is
searched, and the first matching line refuses access; a client that matches neither file
is let in. That last rule is why the ALL : ALL line above matters: without it, a daemon
that is missing from <tt class="FILENAME">/etc/hosts.allow</tt> is open to everyone, not
closed. The files are read afresh on each connection, so edits take effect at once, which
also means a mistake in <tt class="FILENAME">/etc/hosts.allow</tt> locks clients out just
as quickly; <tt class="COMMAND">tcpdchk</tt> checks the files for errors and <tt
class="COMMAND">tcpdmatch</tt> shows the decision a given daemon would make for a given
client.</p>

<p>A lot of people would start by accepting all connections from <tt
class="HOSTID">localhost</tt>. This can be achieved using:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
ALL : 127.0.0.1
</pre>
</td>
</tr>
</table>

<p>To allow access to SSHd from <tt class="HOSTID">192.168.0.0/24</tt>, you could use
either of the following rules:</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
sshd : 192.168.0.0/24
sshd : 192.168.0.
</pre>
</td>
</tr>
</table>

<p>It is also possible to restrict access to hosts in certain domains. This can be done
using the following rule (note that this relies on DNS, both the reverse entry for the
connecting host and the forward lookup used to confirm it, being trustworthy, so I would
recommend against its use on Internet-connected hosts):</p>

<table border="0" bgcolor="#E0E0E0" width="100%">
<tr>
<td>
<pre class="PROGRAMLISTING">
sshd : .slackware.com
</pre>
</td>
</tr>
</table>
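<p>The order in which the two files are searched is easy to get wrong, and the effect of
a missing <tt class="FILENAME">/etc/hosts.deny</tt> entry is the opposite of what most
people expect. The script below, added here as an example and not part of the book or of
the tcp_wrappers package, emulates that decision for the rule forms used in this section
(ALL, a single address, a trailing-dot prefix, a CIDR range and a leading-dot domain)
against two constructed files that mirror the <tt class="FILENAME">/etc/hosts.deny</tt>
and <tt class="FILENAME">/etc/hosts.allow</tt> examples above. It handles only those
forms (no EXCEPT lists, no netmask notation) and is a teaching aid; on a real system the
same question is answered by <tt class="COMMAND">tcpdmatch</tt>.</p>

```shell
#!/bin/sh
# Added example for this section; not part of the book or of the tcp_wrappers package.
# A small emulation of the hosts_access(5) decision for the rule forms shown above
# (ALL, a single address, a trailing-dot address prefix, a CIDR prefix, a leading-dot
# domain suffix) that makes the search order visible: /etc/hosts.allow first, then
# /etc/hosts.deny, first matching line wins, a client matching neither file is let in.
# EXCEPT lists and netmask notation are not handled.  The sample files are constructed
# here; on a real system the same question is answered by tcpdmatch(8).

# ip4_to_int 192.168.0.5 -> 3232235525  (subshell body, so IFS stays untouched outside)
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
)

# host_matches PATTERN CLIENT_IP CLIENT_NAME -> true when the client fits the pattern
host_matches() {
    pat=$1; ip=$2; name=$3
    case "$pat" in
        ALL) return 0 ;;
        */*)                                  # CIDR range, e.g. 192.168.0.0/24
            ipn=$(ip4_to_int "$ip"); netn=$(ip4_to_int "${pat%/*}")
            block=1; i=${pat#*/}              # block = 2^(32-prefix) addresses
            while [ "$i" -lt 32 ]; do block=$((block * 2)); i=$((i + 1)); done
            [ $((ipn / block)) -eq $((netn / block)) ] ;;
        *.) case "$ip" in "$pat"*) return 0 ;; esac; return 1 ;;    # 192.168.0.
        .*) case "$name" in *"$pat") return 0 ;; esac; return 1 ;;  # .slackware.com
        *)  [ "$pat" = "$ip" ] || [ "$pat" = "$name" ] ;;           # exact address or name
    esac
}

# rules_match DAEMON CLIENT_IP CLIENT_NAME FILE -> true when some line of FILE matches
rules_match() {
    daemon=$1; ip=$2; name=$3; file=$4
    [ -f "$file" ] || return 1
    # each line is "daemon_list : client_list"; comments and blank lines are ignored
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" | {
        while IFS= read -r line; do
            dlist=$(printf '%s' "${line%%:*}" | tr ',' ' ')
            clist=$(printf '%s' "${line#*:}" | tr ',' ' ')
            for d in $dlist; do
                [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
                for c in $clist; do
                    host_matches "$c" "$ip" "$name" && exit 0   # first match wins
                done
            done
        done
        exit 1
    }
}

# hosts_access DAEMON CLIENT_IP CLIENT_NAME ALLOW_FILE DENY_FILE -> prints allow or deny
hosts_access() {
    if rules_match "$1" "$2" "$3" "$4"; then echo allow
    elif rules_match "$1" "$2" "$3" "$5"; then echo deny
    else echo allow                           # no match in either file: access granted
    fi
}

# constructed sample files mirroring the rules in this section
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/hosts.allow" <<'EOF'
ALL  : 127.0.0.1
sshd : 192.168.0.0/24
sshd : .slackware.com
EOF
cat > "$demo_dir/hosts.deny" <<'EOF'
ALL : ALL
EOF

for client in "192.168.0.5 pc5.lan" "10.0.0.9 outside.example" "203.0.113.7 mirror.slackware.com"; do
    set -- $client
    echo "sshd from $1 ($2): $(hosts_access sshd "$1" "$2" "$demo_dir/hosts.allow" "$demo_dir/hosts.deny")"
done
```

<p>Point the last argument of <tt class="COMMAND">hosts_access</tt> at a file that does
not exist to see the case the text warns about: with no <tt
class="FILENAME">/etc/hosts.deny</tt> entry, a client that matches nothing in <tt
class="FILENAME">/etc/hosts.allow</tt> is still allowed in.</p>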
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="security.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="security-current.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Security</td>
<td width="34%" align="center" valign="top"><a href="security.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Keeping Current</td>
</tr>
</table>
</div>
</body>
</html>