Why Security?

The FBI is not your best friend, they don't know you didn't do it.
It's really time consuming backing up.
It's even more time consuming restoring from your backup every other day. (every ten minutes if you run IIS, I'll show you the logs.)
Expect to be DoSed into oblivion every time you start to win at quake3.
It's embarrassing to have your love letters posted on usenet.

How do I practice good security?

You can...

Make all remotely accessible programs unexploitable.
*Apply all available vendor/distro patches. "rpm -U *" "apt-get update;apt-get upgrade"
*Run a vendor/distro where patches are available quickly and easily (debian, ximian on anything for desktops)
*Review, understand and amend the configuration of remotely accessible programs "cat /etc/*"
*Limit program permissions, and their ability to do damage "find / -perm +4000"
Make all remotely accessible programs unreachable.
*Shut off programs not being used "netstat -a"
*Limit network access to programs at the kernel level. (firewalling)

Why Firewall?

Because you are a geek. (at least the potential is there.)
Geeks are power users.
Power is attractive to the opposite sex.

side note: Because redundancy is good. To protect less flexible/safe machines behind the firewall.

Why Linux?

Well duh. Linux is powerful and power is....ya know.

Why teach iptables and not ipchains?

*IP chains is 2.2 kernels and widely documented/used. So why not use it? Because iptables (front end to the netfilter 2.4 kernel code.) is much more flexible. I found many specific reasons, but these stood out.
*Firewalling code is too intrusive and doesn't belong in the kernel. (Want to become a kernel hacker that Linus favors? Find something to move out of the kernel, without sacrificing meaningful speed, security or features.)
*Now anyone can write user space programs to use as filters without doing kernel work.
*There are more points in the kernel networking process at which you can work with packets.
*Now filtering can be done with MAC (Media Access Control) hardware addressing as well as IP (Internet Protocol) addressing and protocol type/port addressing. (a blessing for small high risk networks.)
*Sorting through dropped packets is now possible. Setting up counters is also possible.
*Full support for Network Address Translation (NAT) filtering at all points in packet entry/exit (also known as: IPmasq or IP masquerade.)

What are we looking to filter out?

That's easy. The bad stuff. Basically all incoming packets that we didn't somehow request or ask for.

What are we looking to let through?

*Outgoing packets. Possibly specifying legitimate machines by IP or MAC address.
*You don't want to stop yourself from ssh/scping (Secure SHell / Secure CoPy) into your own machine. You want to allow any machine to come in on port 22. (If you can find the #^@&*$ thing with the ISP (Internet Service Provider) changing your IP address all the time. PS: look into dyndns.org)
*If you are building the website of the century, you probably want people to be able to get through to apache on port 80.
*If you are building the ftp site of the millennium, you probably want to let any machine through on port 21.

What are TCP/UDP ports, IP Address, and MAC address?

OSI Layer   Name of data   Human representation    Role or meaning
Tangible end of OSI spectrum (touch the wire or the card)
1           Binary         10101010111001100110    voltages/lights on network wire.
2           MAC            0012:33F9:2902          Unique address burned into card.
3           IP             192.168.100.200         Logical topology of the Internet.
4           TCP/UDP port   80, 21, 22              represent specific applications.
5           N/A            N/A                     inter-application talk
6           N/A            N/A                     file formats, data storage
7           N/A            N/A                     application itself
Abstract end of OSI spectrum (organizational ideas.)

The three that concern us are the MAC (pseudo-random number) and IP (logical topology) addresses and the TCP/UDP port (number correlates to program type.) The first two are dictated, at least in part, by a central authority. The port is flexible and can be changed to anything so long as the applications on the two computers allow it to be changed.

What software do I need?

You need a 2.4 series or better linux kernel with netfilter compiled into it. Most distributions will come with such a kernel. I am not going into making your own kernel here, but if you know how, select the following module from make menuconfig...
networking options -> network packet filtering

and go into the
networking options -> IP netfilter configuration

menu and select the modules that interest you, like the NAT module.

You will also need the iptables software. If your system came with 2.4.x or better you already have it.

How do I start?

You should start by setting up NAT also known as: ipmasq.

What is NAT?

Network Address Translation is kind of like a router in that it forwards packets from one interface or network card to another. It uses fake or unrouteable addresses on the side hidden from the internet. All the packets that travel through the NAT box appear to come from it to the outside world. It's likely the main reason that people aren't scrambling to move to a new IP version to run the Internet. We can now use a lot fewer real addresses.

How do I set up NAT?

If you don't use NAT you can ignore this.

NAT is a lot simpler to set up with 2.4 and IPTABLES than it was in 2.2 or 2.0. The official word is that NAT was a cheap hack in those kernels.

You need to switch to root. First you need to insert or load the modules so the kernel understands what iptables is telling it.

"modprobe iptable_nat"

This loads the iptable_nat.o, ip_conntrack.o and ip_tables.o modules into the kernel.

Now we need to set up a rule to call our kernel module.

"iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"

The "eth0" part of this should represent the outgoing or ISP facing interface.

Now we must phone the kernel and say "hey this is A-OK". We do this by writing plain old boring text to the phony or virtual file system in proc.

"echo 1 > /proc/sys/net/ipv4/ip_forward"

If you look around in that directory "ls -a /proc/sys/net/ipv4" you will notice a lot of very cool information and settings. The proc filesystem is definitely our friend.

Congrats NAT is set up.

What now?

So glad you asked. :) Next we should start blocking traffic we didn't ask for.

What aren't you telling me?

A lot. I think this is a good question to ask sometimes, great for disarming the dishonest. There are some useful proc options that are set correctly by default.

"/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects"
"/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses"

This one will only work inside a script. (It is a loop, so the "do" body needs a ";" before "done".)
"for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do /bin/echo "1" > "${interface}"; done"
This one is only OK if you are not running NAT.
"/bin/echo "0" > /proc/sys/net/ipv4/ip_forward"

Were any proc options useful?

One option that didn't show up by default in the kernel was

"/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians"

This logs spoofed packet attempts. Just be warned this may cause strange side effects if you and your ISP are using reserved IP address from the same subnet like 192.168.x.x or 10.x.x.x.

What about this IP Tables we heard so much about?

Let's flush all iptables rules, so we know where we are starting.

"iptables -F"

And let's zero out our counters...

"iptables -Z"

And let's kill user defined chains too...

Now let's be insanely paranoid and shut all incoming and outgoing packets off.

"iptables -P INPUT DROP"
"iptables -P OUTPUT DROP"

Non-NAT people could also shut off forwarding packets with a "iptables -P FORWARD DROP"

Experimenting with this is a bit strange. At this stage you can't ping the NAT box but you can ssh through it. Weird. If you have a dedicated NAT only box you might want to stop here.

Let's unbreak loopback and allow everything on the loopback device. Lots of legitimate things use it.

"iptables -A INPUT -i lo -j ACCEPT"
"iptables -A OUTPUT -o lo -j ACCEPT"

OK, let's let our first port through. DNS lookups are important. :)

"iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT"
"iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT"

(The query goes out to port 53 and the answer comes back from port 53, so the INPUT rule matches on the source port. "--dport 53" on INPUT would only be right if this box were itself a DNS server.)

And let's let the web through, both ways, too...

Browsing out (request leaves on port 80, reply comes back from port 80):
"iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT"
"iptables -A INPUT -i eth0 -p tcp --sport 80 -j ACCEPT"

Serving apache on port 80 (request comes in, reply leaves):
"iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT"
"iptables -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT"

And last but not least ssh, the same way: our own outgoing sessions, and anyone coming in on port 22.

"iptables -A OUTPUT -o eth0 -p tcp --dport 22 -j ACCEPT"
"iptables -A INPUT -i eth0 -p tcp --sport 22 -j ACCEPT"
"iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT"
"iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT"
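The NAT setup and the filtering rules above, pulled together into one script as an added example; this is not code from the original page. It assumes the WAN (ISP facing) interface name and the list of TCP services to expose are passed as parameters, and that ip_conntrack is loaded (the modprobe above does that). With connection tracking available the script goes beyond the page's stateless port rules and accepts replies by connection state instead: a packet with source port 80 or 22 can be sent by anyone, so a rule that accepts on source port alone lets in more than intended. The functions print the iptables commands rather than running them, so the ruleset can be read over before it is piped to sh as root.

```shell
#!/bin/sh
# Added example (not from the original page): generate the firewall + NAT
# ruleset from one function. Assumptions: $1 is the WAN interface, the rest
# are TCP ports to accept new connections on; ip_conntrack is loaded so the
# "-m state" match works.

# fw_rules WAN PORT...  prints one command per line.
# To apply as root:  fw_rules eth0 22 80 | sh
fw_rules() {
    wan=$1; shift
    # clean slate: flush rules, zero counters, delete user chains, clear nat
    echo "iptables -F"
    echo "iptables -Z"
    echo "iptables -X"
    echo "iptables -t nat -F"
    # paranoid default: anything no later rule accepts is dropped
    echo "iptables -P INPUT DROP"
    echo "iptables -P OUTPUT DROP"
    echo "iptables -P FORWARD DROP"
    # loopback is used by lots of legitimate local programs
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # replies to connections this box started (DNS answers, web pages, ...)
    # are accepted by connection state, not by trusting a source port
    echo "iptables -A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -o $wan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # this box may start any connection outward
    echo "iptables -A OUTPUT -o $wan -m state --state NEW -j ACCEPT"
    # only the listed TCP services accept new connections from outside
    for port in "$@"; do
        echo "iptables -A INPUT -i $wan -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # NAT for the machines hidden behind this box: LAN may go out through
    # the WAN interface, WAN may only send replies back in
    echo "iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE"
    echo "iptables -A FORWARD ! -i $wan -o $wan -j ACCEPT"
    echo "iptables -A FORWARD -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# fw_exposed_count WAN PORT...  counts the rules that accept NEW inbound
# connections on the WAN side, i.e. how many services this ruleset exposes.
fw_exposed_count() {
    # grep -c exits 1 when the count is 0, which is a valid answer here
    fw_rules "$@" | grep -c -- '-A INPUT .*--dport .*--state NEW' || true
}

# print the ruleset when run directly with arguments, e.g. ./fw.sh eth0 22
if [ $# -gt 0 ]; then
    fw_rules "$@"
fi
```

Read the output once before applying it: with OUTPUT set to DROP, a typo in the interface name locks the box out of the network until the rules are flushed again from the console.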

Sources...

http://netfilter.filewatcher.org/unreliable-guides/NAT-HOWTO/NAT-HOWTO.linuxdoc.html

http://packetstormsecurity.org/UNIX/firewall/ipchains/netfilter/netfilter-HOWTO.html

http://www.cs.princeton.edu/~jns/security/iptables/