Assignments of day 5 in week #4
Shield up your host: set up your access control
Last Updated : Monday, 17-Jun-2002 19:36:22 HKT
TCP Wrapper
You can use the TCP wrapper (tcpd) to guard the daemons started from /etc/inetd.conf.
- Edit /etc/hosts.deny as follows:
ALL:ALL
- Log in to your partner's host and try to ftp and finger to your host.
You should be blocked by the TCP wrapper.
- Now edit /etc/hosts.allow to allow your partner's host to ftp and finger your host:
sshd:ALL
in.ftpd:your_partner_host_IP
in.fingerd:your_partner_host_IP
- Repeat step 2. Now you should have access.
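The two files are consulted in a fixed order, and the steps above depend on it: tcpd grants access on the first match in /etc/hosts.allow, refuses on the first match in /etc/hosts.deny, and allows anything that neither file matches. The following Python model of that decision is an added example, not part of the assignment or of the tcp_wrappers package. It reproduces the assignment's file contents with 192.0.2.10 standing in for the partner host's address (a constructed value) and understands only the ALL wildcard, single addresses, net/mask pairs and trailing-dot prefixes.

```python
import ipaddress

# Added example, not part of the assignment or of tcp_wrappers: a model of the decision
# tcpd makes for one connection.  File contents mirror the assignment; 192.0.2.10 is a
# constructed stand-in for the partner host's IP address.
HOSTS_DENY = "ALL:ALL\n"
HOSTS_ALLOW_EMPTY = ""                       # state at step 2: nothing allowed yet
HOSTS_ALLOW = """\
sshd:ALL
in.ftpd:192.0.2.10
in.fingerd:192.0.2.10
"""

def parse_access_file(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                              # malformed line: skipped in this model
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split()))
    return rules

def client_matches(pattern, client_ip):
    """ALL, an exact address, a net/mask pair, or a trailing-dot prefix such as 192.0.2."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.IPv4Address(client_ip) in ipaddress.IPv4Network(pattern, strict=False)
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return pattern == client_ip

def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, client_ip) for c in clients))

def tcpd_decision(daemon, client_ip, allow_text, deny_text):
    """tcpd order: a match in hosts.allow grants, then a match in hosts.deny refuses,
    and a connection matched by neither file is allowed."""
    if any(rule_matches(r, daemon, client_ip) for r in parse_access_file(allow_text)):
        return "ALLOW"
    if any(rule_matches(r, daemon, client_ip) for r in parse_access_file(deny_text)):
        return "DENY"
    return "ALLOW"

if __name__ == "__main__":
    for daemon in ("in.ftpd", "in.fingerd", "in.telnetd", "sshd"):
        before = tcpd_decision(daemon, "192.0.2.10", HOSTS_ALLOW_EMPTY, HOSTS_DENY)
        after = tcpd_decision(daemon, "192.0.2.10", HOSTS_ALLOW, HOSTS_DENY)
        print(f"{daemon:12s} step 2: {before:5s}  step 4: {after}")
```

Because hosts.allow is read first, the ALL:ALL line in hosts.deny only becomes a safe default once every service you still need is listed in hosts.allow; the model also shows that a daemon with no entry anywhere (both files empty) is allowed, which is why step 1 comes before step 3.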
Firewall
In brief, a firewall is typically the first line of defense for any Internet-connected
network. What a firewall does and how it behaves depends on what level
it operates on. (Those familiar with the OSI model will understand this.)
Firewalls generally operate at the network layer (IP), or the application
layer, such as HTTP proxies.
Those firewalls at the network layer are often called screening routers.
A screening router examines the IP header on each incoming (and possibly
outgoing) datagram and determines whether or not it should pass. It makes
this determination by comparing key fields such as the source and destination
addresses to the policy set by the administrator. Most screening routers
will also examine the packet at the next layer (the transport layer), which
allows you to create policies based on TCP or UDP port, or ICMP type and
code.
Firewalls at the application layer are called gateways or proxies, and
are designed to understand protocols at this level, such as HTTP or telnet.
Application gateways are useful because they can offer very high level
control over traffic, and so they are in some ways more secure than screening
routers. For example, an application gateway may choose to filter all HTTP
POST commands. Most importantly, gateways can maintain logging specific
to application layer protocols. A paranoid (and privacy-ignorant) company
may choose to have all mail pass through a gateway to log the To, From,
and Subject fields of the header, for instance.
Network layer Firewalls
Although sometimes called screening routers, generally speaking the term
firewall refers to a filter at the network layer. Linux has supported packet
filtering at this level since version 1.3.x (ipfwadm). Kernel 2.2 has revamped
this support and uses a user-space utility called ipchains. (Linux 2.4
is slated to have yet another redesign of the firewalling code.) Since
2.2 is the most recent, stable kernel, we will focus on ipchains.
Assignment: setting the default firewall ruleset
- Edit /etc/rc.d/ipchain-default with the content below:
## set the default to deny all incoming network traffic
#/sbin/ipchains -P input DENY
# Unlimited traffic on the loopback interface (bound to lo, not eth0)
/sbin/ipchains -A input -i lo -s 127.0.0.0/8 -j ACCEPT
# Allow incoming traffic from local network and servers
/sbin/ipchains -A input -i eth0 -s 192.168.0.0/16 -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 137.189.99.80/29 -j ACCEPT
# Allow incoming TCP traffic initiated by local machine (packets without the SYN flag)
/sbin/ipchains -A input -i eth0 -p tcp ! -y -s any/0 -j ACCEPT
# Allow incoming UDP traffic from outside with source port in 1024-65535
/sbin/ipchains -A input -i eth0 -p udp -s any/0 1024:65535 -j ACCEPT
# log all blocked traffic
/sbin/ipchains -A input -i eth0 -j DENY -l
- Change the permission of ipchain-default to 755: chmod 755 ipchain-default
- Edit /etc/rc.d/ipchain-off with the content below:
/sbin/ipchains -X
/sbin/ipchains -F
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward ACCEPT
- Change the permission of ipchain-off to 755: chmod 755 ipchain-off
- Edit /etc/rc.d/ipchain-restart with the content below:
/etc/rc.d/ipchain-off
/etc/rc.d/ipchain-custom
/etc/rc.d/ipchain-default
- Change the permission of ipchain-restart to 755: chmod 755 ipchain-restart
- Create an empty file for custom policy: touch /etc/rc.d/ipchain-custom
- Change the permission of ipchain-custom to 755: chmod 755 ipchain-custom
- Use /sbin/ipchains -L to examine your existing firewall settings.
Now you have set the default firewall policies for your machine. The purpose
of those policies is to deny any incoming traffic from networks you do not trust.
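To see which packets this ruleset actually passes, the following Python model (an added example, not one of the assignment's scripts) parses the ipchains command lines as written above, loads them in the order ipchain-restart runs them (ipchain-off, ipchain-custom, ipchain-default) and walks the input chain the way the kernel does: the first matching rule decides, otherwise the chain policy applies. It also carries the ssh-blocking rule from the "Editing of custom firewall rules" steps, with 203.0.113.7 as the partner's address and 192.168.5.5 as this host (both constructed placeholders), so that the rule order produced by ipchain-restart is visible. Only the options used on this page are understood.

```python
import ipaddress
import shlex

# Added example, not one of the assignment's scripts: a model of how ipchains walks the
# input chain, fed the three scripts in the order ipchain-restart runs them.  The default
# rules are the page's own (loopback rule bound to lo); the custom rule's addresses
# (partner 203.0.113.7, this host 192.168.5.5) are constructed placeholders.
IPCHAIN_OFF = """
/sbin/ipchains -X
/sbin/ipchains -F
/sbin/ipchains -P input ACCEPT
/sbin/ipchains -P output ACCEPT
/sbin/ipchains -P forward ACCEPT
"""
IPCHAIN_CUSTOM = "/sbin/ipchains -A input -i eth0 -p tcp -s 203.0.113.7/32 -d 192.168.5.5/32 22 -j DENY -l\n"
IPCHAIN_DEFAULT = """
#/sbin/ipchains -P input DENY
/sbin/ipchains -A input -i lo -s 127.0.0.0/8 -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 192.168.0.0/16 -j ACCEPT
/sbin/ipchains -A input -i eth0 -s 137.189.99.80/29 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p tcp ! -y -s any/0 -j ACCEPT
/sbin/ipchains -A input -i eth0 -p udp -s any/0 1024:65535 -j ACCEPT
/sbin/ipchains -A input -i eth0 -j DENY -l
"""

def parse_net(spec):                             # ipchains accepts any/0 for "every address"
    return ipaddress.IPv4Network("0.0.0.0/0" if spec == "any/0" else spec, strict=False)

def parse_ports(spec):
    lo, _, hi = spec.partition(":")              # "22" or "1024:65535"
    return int(lo), int(hi or lo)

def in_range(rng, value):
    return rng is None or (value is not None and rng[0] <= value <= rng[1])

class Firewall:
    OPTS = {"-A": "chain", "-i": "iface", "-p": "proto", "-j": "target"}

    def __init__(self):
        self.policy = {"input": "ACCEPT", "output": "ACCEPT", "forward": "ACCEPT"}
        self.chains = {"input": [], "output": [], "forward": []}

    def run_script(self, text):
        for raw in text.splitlines():
            line = raw.strip()
            if line and not line.startswith("#"):
                self.command(shlex.split(line)[1:])    # drop the /sbin/ipchains word

    def command(self, argv):
        """Apply one ipchains command line (the option subset the scripts use)."""
        rule = {"chain": None, "iface": None, "proto": "all", "src": parse_net("any/0"),
                "sport": None, "dst": parse_net("any/0"), "dport": None, "syn": None,
                "target": None, "log": False}
        args, negate = list(argv), False
        while args:
            a = args.pop(0)
            if a == "!":                               # negates the option that follows
                negate = True
                continue
            if a == "-F":                              # -X (delete user chains) changes nothing here
                for c in self.chains.values():
                    c.clear()
            elif a == "-P":
                chain = args.pop(0)
                self.policy[chain] = args.pop(0)
            elif a in self.OPTS:
                rule[self.OPTS[a]] = args.pop(0)
            elif a in ("-s", "-d"):
                side = "src" if a == "-s" else "dst"
                rule[side] = parse_net(args.pop(0))
                if args and args[0][0] not in "-!":    # optional port or port:port after the address
                    rule[side[0] + "port"] = parse_ports(args.pop(0))
            elif a == "-y":                            # -y: SYN only;  ! -y: anything but SYN
                rule["syn"] = not negate
            elif a == "-l":
                rule["log"] = True
            negate = False
        if rule["chain"]:
            self.chains[rule["chain"]].append(rule)

    def evaluate(self, chain, pkt):
        """First matching rule wins; with no match the chain policy applies.
        Returns (target, logged, rule_number)."""
        for n, r in enumerate(self.chains[chain], 1):
            if (r["iface"] in (None, pkt["iface"]) and r["proto"] in ("all", pkt["proto"])
                    and ipaddress.IPv4Address(pkt["src"]) in r["src"]
                    and ipaddress.IPv4Address(pkt["dst"]) in r["dst"]
                    and in_range(r["sport"], pkt["sport"]) and in_range(r["dport"], pkt["dport"])
                    and r["syn"] in (None, pkt["syn"])):
                return r["target"], r["log"], n
        return self.policy[chain], False, None

def packet(iface, proto, src, sport, dst, dport, syn=False):
    return {"iface": iface, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "syn": syn}

def restarted_firewall():
    """Load the scripts in the order /etc/rc.d/ipchain-restart runs them."""
    fw = Firewall()
    for script in (IPCHAIN_OFF, IPCHAIN_CUSTOM, IPCHAIN_DEFAULT):
        fw.run_script(script)
    return fw
```

Calling fw.evaluate('input', packet(...)) on a few constructed packets shows the intended behaviour: the partner's SYN to port 22 hits the custom rule (number 1, because ipchain-custom is loaded before ipchain-default) and is logged, a SYN from the local network is accepted by the 192.168.0.0/16 rule, and a TCP reply without SYN from any address is accepted by the ! -y rule. It also shows a consequence of the UDP rule worth knowing before you troubleshoot name resolution: a DNS reply from a server outside the trusted networks arrives with source port 53, below the 1024:65535 range, so it falls through to the final DENY -l rule and appears in /var/log/messages.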
Use of the port-scanning tool nmap
- Use nmap to scan the open ports of your external partner's host and reveal the OS he/she is running: /usr/local2/bin/nmap -sS -F -O external_partner_hostname
Now that you have a good tool to test the firewall policies, you can experiment with your firewall rules.
For more information on nmap, please read the nmap man pages and its web site: http://www.nmap.org
Editing of custom firewall rules
- Edit /etc/rc.d/ipchain-custom to deny connections from your external partner's host to your machine's ssh port (port 22):
/sbin/ipchains -A input -i eth0 -p tcp -s external_host_ipaddress/32 -d your_host_ipaddress/32 22 -j DENY -l
- Restart your firewall rules: /etc/rc.d/ipchain-restart
- Use /sbin/ipchains -L to examine your new rules and capture its output to your web pages. A sample of the page can be found here.
- Ask your external partner to ssh to your machine.
- Capture the output from /var/log/messages to the web page; you should see that the ssh packets from your external partner are blocked and logged there.
- Make sure your external partner has finished the above parts, then use nmap to scan your external partner's host, capture the output, and put it in the web page.
You have now learned the basic techniques to deploy a firewall using Linux's ipchains. For a more detailed description and the syntax of ipchains, see the ipchains man page and the references below:
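Each rule carrying -l writes a "Packet log:" line through the kernel log into /var/log/messages, ending with the number of the rule that matched, so the capture step can be checked mechanically rather than by eye. The following Python parser is an added example, not part of the assignment. The sample lines are constructed in the ipchains log format, with 203.0.113.7 as the partner and 192.168.5.5 as this host (placeholders) and one unrelated sshd line to show that non-matching lines are skipped.

```python
import re
from collections import Counter

# Added example, not part of the assignment: parse the "Packet log:" lines that rules with
# "-l" write via the kernel log into /var/log/messages, and summarise what was blocked.
# The lines below are constructed samples in the ipchains log format; 203.0.113.7 (partner)
# and 192.168.5.5 (this host) are placeholders, and the sshd line is unrelated noise.
SAMPLE_MESSAGES = """\
Jun 17 19:36:22 host kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:1023 192.168.5.5:22 L=60 S=0x00 I=12345 F=0x4000 T=64 SYN (#1)
Jun 17 19:36:25 host kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:1023 192.168.5.5:22 L=60 S=0x00 I=12346 F=0x4000 T=64 SYN (#1)
Jun 17 19:36:40 host kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.53:53 192.168.5.5:1026 L=80 S=0x00 I=2 F=0x0000 T=250 (#7)
Jun 17 19:37:01 host sshd[812]: Accepted password for student from 192.168.1.20 port 1024
"""

LOG_RE = re.compile(
    r"kernel: Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)(?P<rest>.*)\(#(?P<rule>\d+)\)\s*$"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_packet_log(line):
    """Return a dict for an ipchains packet-log line, or None for any other syslog line.
    For ICMP the two 'port' fields carry the ICMP type and code instead."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = int(m.group("proto"))
    return {
        "timestamp": line[:15],                       # syslog "Mon DD HH:MM:SS" prefix
        "chain": m.group("chain"), "target": m.group("target"), "iface": m.group("iface"),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "syn": "SYN" in m.group("rest").split(),      # marker for TCP connection-opening packets
        "rule": int(m.group("rule")),                 # position of the matching rule in the chain
    }

def summarize_blocked(text):
    """Count DENY entries per (source, protocol, destination port, rule number)."""
    counts = Counter()
    for line in text.splitlines():
        e = parse_packet_log(line)
        if e and e["target"] == "DENY":
            counts[(e["src"], e["proto"], e["dport"], e["rule"])] += 1
    return counts

def blocked_ssh_attempts(text, partner_ip):
    """Denied SYN packets from partner_ip to port 22: the evidence the capture step asks for."""
    hits = 0
    for line in text.splitlines():
        e = parse_packet_log(line)
        if e and e["target"] == "DENY" and e["src"] == partner_ip and e["dport"] == 22 and e["syn"]:
            hits += 1
    return hits

if __name__ == "__main__":
    for key, n in sorted(summarize_blocked(SAMPLE_MESSAGES).items()):
        print(f"{n:3d} x {key[0]:16s} {key[1]:4s} dport {key[2]:<5d} rule #{key[3]}")
    print("blocked ssh attempts from partner:", blocked_ssh_attempts(SAMPLE_MESSAGES, "203.0.113.7"))
```

The rule number at the end of each line is the quickest way to confirm that the partner's ssh packets were stopped by the custom rule rather than by the catch-all DENY at the end of ipchain-default: with the ipchain-restart ordering the custom rule is first, so those lines end in (#1).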
References: