Why Security?
The FBI is not your best friend; they don't know you didn't do it.
Backing up is really time consuming.
It's even more time consuming restoring from your backup every other day. (Every ten minutes if you run IIS; I'll show you the logs.)
Expect to be DoSed into oblivion every time you start to win at Quake 3.
It's embarrassing to have your love letters posted on Usenet.
How do I practice good security?
You can...
Side note: because redundancy is good, and to protect less flexible/safe machines behind the firewall.
Why Linux?
Well duh. Linux is powerful and power is... ya know.
Why teach iptables and not ipchains?
What are we looking to filter out?
That's easy. The bad stuff. Basically all incoming packets that we didn't somehow request or ask for.
What are we looking to let through?
What are TCP/UDP ports, IP addresses, and MAC addresses?
OSI Layer | Name of data | Human representation  | Role or meaning
Tangible end of OSI spectrum (touch the wire or the card)
1         | Binary       | 10101010111001100110  | voltages/lights on the network wire
2         | MAC          | 0012:33F9:2902        | unique address burned into the card
3         | IP           | 192.168.100.200       | logical topology of the Internet
4         | TCP/UDP port | 80, 21, 22            | represents a specific application
5         | N/A          | N/A                   | inter-application talk
6         | N/A          | N/A                   | file formats, data storage
7         | N/A          | N/A                   | the application itself
Abstract end of OSI spectrum (organizational ideas)
The three that concern us are the MAC address (pseudo-random number), the IP address (logical topology) and the TCP/UDP port (the number correlates to the program type). The first two are dictated, at least in part, by a central authority. The port is flexible and can be changed to anything, so long as the applications on the two computers allow it to be changed.
What software do I need?
You need a 2.4 series or better Linux kernel with netfilter compiled into it.
Most distributions will come with such a kernel.
I am not going into making your own kernel here, but if you know how,
select the following option from make menuconfig...
networking options -> network packet filtering
and go into the
networking options -> IP netfilter configuration
menu and select the modules that interest you, like the NAT module.
You will also need the iptables software. If your system came with 2.4.x or better, you already have it.
How do I start?
You should start by setting up NAT, also known as ipmasq (IP masquerading).
What is NAT?
Network Address Translation is kind of like a router in that it forwards packets from one interface or network card to another. It uses fake or unroutable addresses on the side hidden from the Internet. All the packets that travel through the NAT box appear, to the outside world, to come from it. It's likely the main reason that people aren't scrambling to move to a new IP version to run the Internet: we can now use a lot fewer real addresses.
How do I set up NAT?
If you don't use NAT you can ignore this.
NAT is a lot simpler to set up with 2.4 and iptables than it was in 2.2 or 2.0. The official word is that NAT was a cheap hack in those kernels.
You need to switch to root. First you need to insert or load the modules so the kernel understands what iptables is telling it.
"modprobe iptable_nat"
This loads the iptable_nat.o, ip_conntrack.o and ip_tables.o modules into the kernel.
Now we need to set up a rule to call our kernel module.
"iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"
The "eth0" part of this should represent the outgoing or ISP facing interface.
Now we must phone the kernel and say "hey, this is A-OK". We do this by writing plain old boring text to the phony or virtual file system in /proc.
"echo 1 > /proc/sys/net/ipv4/ip_forward"
If you look around in that directory ("ls -a /proc/sys/net/ipv4") you will notice a lot of very cool information and settings. The proc filesystem is definitely our friend.
Congrats NAT is set up.
What now?
So glad you asked. :) Next we should start blocking traffic we didn't ask for.
What aren't you telling me?
A lot. I think this is a good question to ask sometimes; great for disarming the dishonest. There are some useful proc options that are set correctly by default.
"/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects"
"/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses"
This one will only work inside a script.
"for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done"
This one is only OK if you are not running NAT.
"/bin/echo "0" > /proc/sys/net/ipv4/ip_forward"
Were any proc options useful?
One option that didn't show up by default in the kernel was
"/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians"
This logs spoofed packet attempts. Just be warned this may cause strange side effects if you and your ISP are using reserved IP addresses from the same subnet, like 192.168.x.x or 10.x.x.x.
What about this iptables we heard so much about?
Let's flush all iptables rules, so we know where we are starting.
"iptables -F"
And let's zero out our counters...
"iptables -Z"
And let's kill user defined chains too...
"iptables -X"
Now let's be insanely paranoid and shut all incoming and outgoing packets off.
"iptables -P INPUT DROP"
"iptables -P OUTPUT DROP"
Non-NAT people could also shut off forwarded packets with "iptables -P FORWARD DROP".
Experimenting with this is a bit strange. At this stage you can't ping the NAT box, but you can ssh through it. Weird. If you have a dedicated NAT-only box you might want to stop here.
Let's unbreak loopback: allow everything on the loopback device. Lots of legitimate things use it.
"iptables -A INPUT -i lo -j ACCEPT"
"iptables -A OUTPUT -o lo -j ACCEPT"
OK, let's let our first port through. DNS lookups are important. :)
Our query goes out to port 53 and the answer comes back from port 53, so the OUTPUT rule matches the destination port and the INPUT rule matches the source port. (Get this backwards and the DROP policy eats the replies.)
"iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT"
"iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT"
And let's let the web through, both ways, too...
"iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT"
"iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT"
And last but not least, ssh
"iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT"
"iptables -A INPUT -i eth0 -p tcp --sport 22 -j ACCEPT"
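Here is the NAT setup, the /proc knobs and the filter rules from the sections above collected into one script. This is an added example, not part of the original talk: it assumes the ISP-facing interface is eth0 and the inside interface is eth1 (both overridable through the WAN and LAN environment variables), and it uses the netfilter state match ("-m state", part of 2.4 netfilter) so that replies to connections we started are let back in by one rule instead of a --sport rule per service. With no argument it only prints the commands it would run; "apply" executes them, which needs root.

```shell
#!/bin/sh
# Added example, not from the original talk: NAT + /proc + filter rules
# in one script. Assumed interface names: WAN (ISP facing) defaults to
# eth0, LAN (inside) to eth1. Dry run by default; "apply" runs for real.

WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
MODE="${MODE:-dry}"

# run CMD: print the command in dry mode, eval it in apply mode.
run() {
    if [ "$MODE" = "apply" ]; then
        eval "$*"
    else
        printf '%s\n' "$*"
    fi
}

# NAT: load the module and masquerade everything leaving the WAN side.
nat_rules() {
    run "modprobe iptable_nat"
    run "iptables -t nat -F"
    run "iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE"
}

# The /proc knobs from the talk. ip_forward must be 1 for NAT to pass
# packets at all; the rest tighten spoofing and redirect handling.
sysctl_rules() {
    run "echo 1 > /proc/sys/net/ipv4/ip_forward"
    run "echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects"
    run "echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses"
    run "echo 1 > /proc/sys/net/ipv4/conf/all/log_martians"
    # the rp_filter loop is passed as one string so it prints whole in dry mode
    run 'for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done'
}

# Filter: default DROP, then open only what we need. The state match
# lets replies to connections we started back in, and nothing else.
filter_rules() {
    run "iptables -F"
    run "iptables -X"
    run "iptables -Z"
    run "iptables -P INPUT DROP"
    run "iptables -P OUTPUT DROP"
    run "iptables -P FORWARD DROP"
    # loopback is used by lots of legitimate local software
    run "iptables -A INPUT -i lo -j ACCEPT"
    run "iptables -A OUTPUT -o lo -j ACCEPT"
    # replies to our own connections come back; broken state is dropped
    run "iptables -A INPUT -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    run "iptables -A INPUT -i $WAN -m state --state INVALID -j DROP"
    # outbound client traffic the talk opens: DNS, web, ssh
    for svc in "udp 53" "tcp 80" "tcp 22"; do
        set -- $svc
        run "iptables -A OUTPUT -o $WAN -p $1 --dport $2 -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    # the inside network may talk to the box and through it
    run "iptables -A INPUT -i $LAN -j ACCEPT"
    run "iptables -A OUTPUT -o $LAN -j ACCEPT"
    run "iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT"
    run "iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # log (rate limited) whatever is about to hit the INPUT DROP policy
    run "iptables -A INPUT -i $WAN -m limit --limit 5/min -j LOG --log-prefix 'fw-drop: '"
}

main() {
    if [ "${1:-}" = "apply" ]; then
        MODE=apply
    fi
    nat_rules
    sysctl_rules
    filter_rules
}

main "$@"
```

Run "sh fw.sh" to see the full rule list before touching anything, then "sh fw.sh apply" as root. The LOG rule at the end of INPUT is there so the dropped packets show up in the kernel log (with the fw-drop: prefix) instead of vanishing silently, which is how you find out what the DROP policy is actually eating.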
Sources...
http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc.html
http://packetstormsecurity.org/UNIX/firewall/ipchains/netfilter/netfilter-HOWTO.html
http://www.cs.princeton.edu/~jns/security/iptables/