Top

A Linux User Reference

Search tips
  • search ignores words that are less than 4 characters in length
  • searches are case insensitve
  • if a search does not return anything try it in Boolean mode then Query expansion mode by checking the appropriate radio button e.g. searching for 'cron' in just the Administration category returns nothing - presumably because the 50% threshold is reached. Boolean mode ignores this threshold so a search for 'cron' returns several hits
  • in Boolean mode preceding a word with a '+' means the result must include that word, a '-' means it must not
  • in Boolean mode '+crontab -anacron' means match articles about crontab that DO NOT mention anacron
  • to match a phrase e.g. 'manage system' check the Boolean mode radio button and enclose the phrase in quotes "some phrase ..."
  • in Query expansion mode the search context is expanded beyond the keywords you entered - relevancy of hits may well be degraded

SECURITY

Firewalls

  • IPchains firewall (dated)

    Somewhat dated now - a stateless firewall which has largely been replaced by 'IPtables' (a stateful firewall).

    Configure a stateless firewall - /sbin/ipchains

    ipchains <option> <chain> [rule] [-j <target>]
    
    Options:
     -A chain <rule>                Append a rule to the end of the specified chain.
     -D chain <rule>                Delete a rule from the specified chain.
     -n -L [chain]                  List all rules in specified or all chains. -n do not resolve IPs.
     -F chain                       Flush all rules from the specified chain
     -P chain <target>              Set Policy of specified chain to <target>
     -N chain                       Create a custom-chain.
    
        <chain>
         INPUT                      Checks inbound packets against rules, demasquerades if required
                                    (then sends direct to OUTPUT chain), sends to packet router which
                                    either sends to a local process or to FORWARD chain.
         FORWARD                    Checks packets to be forwarded through the router, masquerading
                                    rule for internal network traffic destined for the internet, sends
                                    to OUTPUT chain.
         OUTPUT                     Checks outward bound packets against rules.
    
    [Rule]
     -p <protocol>                  TCP, UDP, ICMP or all.
     -s <address> [port]            Source address, name of host or network or IP.
     -d <address> [port]            Destination address, name of host or network or IP.
     -i <interface>                 The interface the packet comes from.
     -y                             Is a SYN packet (does not match syn-ack).
     -j <target>                    A target rule (what to do with packet if it matches the rule).
    
        <target>
         ACCEPT                     Allow packet through.
         DENY                       Drop the packet.
         REJECT                     Drop packet and send an ICMP message back to sender
                                    stating that the packet was dropped.
         MASQ                       Only in the FORWARD chain. Requires CONFIG_IP_MASQUERADE 
                                    kernel option.
    

    Delete all rules for all built-in chains

    # ipchains -F input
    # ipchains -F forward
    # ipchains -F output
    

    Delete all user-defined chains

    # ipchains -X
    

    Deny all traffic by setting default Policies to Deny

    # ipchains -P input DENY
    # ipchains -P forward DENY
    # ipchains -P output DENY
    

    Allow everything coming to and from the internal lan eth0 and the loopback

    # ipchains -A input -i eth0 -j ACCEPT
    # ipchains -A output -i eth0 -j ACCEPT
    # ipchains -A input -i lo -j ACCEPT
    # ipchains -A output -i lo -j ACCEPT
    

    List all rules in output chain, do not resolve names

    # ipchains -n -L output
    

    Drop all packets arriving on eth0 that are a tcp SYN

    # ipchains -A  input -i eth0 -p tcp -y -j DENY
    

    Accept all DNS replies from the outside world/Internet

    # ipchains -A input -p UDP -s 0.0.0.0/0 53 -j ACCEPT
    

    Allow all incoming non-syn TCP traffic for the internal network 10.0.0.0/24

    # ipchains -A input -p TCP -d 10.0.0.0/24 ! -y -j ACCEPT
    

    Allow internal machines to ping external machines

    # ipchains -A output -i eth1 -p icmp --icmp-type ping -j ACCEPT
    # ipchains -A input -i eth1 -p icmp --icmp-type ping -j ACCEPT
    # ipchains -A input -p icmp --icmp-type destination-unreachable -j ACCEPT
    # ipchains -A output -p icmp --icmp-type destination-unreachable -j ACCEPT
    
  • IP masquerading with IPchains
    ipmasqadm

    Command usage

    ipmasqadm portfw -[adfLn] 
                     -P <protocol> 
                     <local address>
                     <local port>
                     -R <remote address>
                     <remote port>
    
    Options:
     portfw -a                            Add entry
     portfw -d                            Delete entry
     portfw -f                            Clear table
     portfw -L                            List table
     portfw <args> -n                     No name resolution
     <local address>                      Must be firewall's own address
     <local port>                         Port that traffic is addressed to
     <remote address> <remote port>       Address that traffic will be forwarded to
    

    Port redirection

    Masquerade all IPs originating from internal network 10.0.0.0/24

    # ipchains -A forward -s 10.0.0.0/24 -j MASQ
    # ipmasqadm portfw -a -P tcp -L 172.23.0.1 80 -R webserver 8080
    

    Packets sent out from the internal lan to the Internet are masqueraded to use the routers Internet facing interface (172.23.0.1).

    Packets arriving from the Internet destined for the internal webserver are routed accordingly.

  • IPtables firewall

    IPv4 stateful packet filtering and NAT.

    Configure a stateful firewall - /sbin/iptables

    Administration tool used to set up, maintain and inspect the tables of IP packet filter rules in the Linux kernel, several different tables may be defined.

    iptables [-t <table>]
             <option> 
             <chain> 
             [rule] 
             [-j <target>]
    
    Options:
     -A | --append <chain> <rule>                    Append a rule to the end of the specified chain.
     -D | --delete <chain> <rule>                    Delete a rule from the specified chain.
     -D | --delete <chain> <rule num>                Delete a rule based on the rule number.  All 
                                                     rules start from 1.
     -I | --insert <chain> [rule num] <rule>         Insert a rule at optional <rule num> position.
     -R | --replace <chain> <rule num> <rule>        Replace rule at position <rule num>.
     -n                                              Do not resolve IPs.
     -L | --list [chain]                             List all rules in specified or all chains.
     -F | --flush [chain]                            Flush all rules from the specified chain.
     -P | --policy <chain> <target>                  Set Policy of specified chain to <target>.
     -N | --new-chain <chain>                        Create a custom-chain.
     -X | --delete-chain [chain]                     Delete a user-defined chain.
     -E | --rename-chain <old-chain> <new-chain>     Rename chain
     -Z | --zero [chain]                             Zero all counters in chain if specified, else
                                                     all chains.
    
    <table>
     filter                   Filtering rules are applied to the filter table.
     nat                      NAT rules are applied to the nat table. 
     mangle                   Specialised rules to alter packets are applied
                              in the mangle table.
     raw                      For rules that should function independently of
                              the NetFilter connection-tracking subsystem.
    
    Each table contains a number of built-in chains and may also contain user-defined chains.
    <chain>
     INPUT                    This chain is traversed by packets destined for the
                              local linux system after a routing decision has been
                              made within the kernel.
     OUTPUT                   This chain is traversed by packets generated by the
                              local linux system.
     FORWARD                  Governs packets that are routed through the local
                              linux system.
     PREROUTING               Modifies packets before a routing calculation/decision
                              is made (in the nat table only).
     POSTROUTING              Modifies packets after a routing calculation/decision
                              has been made. (in the nat table only).
    
    Each chain is a list of rules which can match a set of packets.
     -p | --protocol <protocol>             tcp, udp, icmp or all.
     -s | --source <address>                Source address, name of host or network or IP.
     -d | --destination <address>           Destination address, name of host or network or IP.
     -dport | --destination-port <port>     Destination port of packet.
     -j | --jump <target>                   A target rule (what to do with packet if it matches the rule).
     -i | --in-interface <interface>        Interface the packet comes from. Only allowed in INPUT,
                                            FOWARD and PREROUTING chains.
     -o | --out-interface                   Interface the packet will be sent out on. Only allowed
                                            in OUTPUT, FORWARD and POSTROUTING chains.
     -m | --state <state>                   Valid states are ESTABLISHED, INVALID and RELATED
                                            or a comma separated list of states.
     -y | --syn                             Is a SYN packet (does not match syn-ack).
     -g | --goto <chain>                    Like jump, go to another chain.
    
    Each rule specifies a target - what to do with a packet that matches the rule.
    <target>
     ACCEPT                   Allow packet through.
     DROP                     Drop the packet.
     DENY                     Drop packet and send an ICMP message back to
                              sender stating that the packet was dropped.
     MASQUERADE               Only in the FORWARD chain. Requires 
                              CONFIG_IP_MASQUERADE kernel option.
    
    • If the packet does not match a rule, the next rule in the chain is examined.
    • If it does match a rule then the value of the target is applied. This can be the name of a user defined chain or one of the special values/targets ACCEPT, DROP, QUEUE, or RETURN.

    Usually commands are put into a script and the script is then run on boot. Below are command line examples.

    Load required connection tracking modules

    # /sbin/modprobe nf_conntrack
    # /sbin/modprobe iptable_nat
    # /sbin/modprobe nf_conntrack_ftp
    # /sbin/modprobe nf_nat_ftp
    

    Flush the 'filter' table. 'filter' table is the default table

    # iptables -F
    

    Flush the nat table

    # iptables -F -t nat  f
    

    List all rules in all chains in the filter (default) table, do not use reverse lookup

    # iptables -L -n
    

    List all rules in all chains in the nat table, do not use reverse lookup

    # iptables -t nat -L -n
    

    List all rules in the INPUT chain in the filter table, do not use reverse lookup

    # iptables -L INPUT -n
    

    Create a custom chain called 'blocking'

    # iptables -N blocking
    

    Delete every non-built-in chain

    # iptables -X
    

    Set INPUT chain Policy to DROP

    # iptables -P INPUT DROP
    

    If packet invalid, LOG it including info. from the IP and TCP headers

    # iptables -A INPUT -m state --state INVALID -j LOG --log-prefix \
    "DROP input: INVALID" --log-ip-options -log-tcp-options
    

    If a packet is invalid drop it

    # iptables -A INPUT -m state --state INVALID -j DROP
    

    If a packet is part of an established connection or is related to it in some way accept

    # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    

    Allow SSH if a syn packet and connection tracking state is NEW

    # iptables -A INPUT -i eth1 -p tcp -s 192.168.0.0/29 \
    --dport 22 --syn -m state --state NEW -j ACCEPT
    

    Allow the following services out to the Internet

    # iptables -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT     (rwhois)
    # iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT             (dns)
    # iptables -A OUTPUT -p udp --dport 514 -m state --state NEW -j ACCEPT            (syslog)
    # iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT                   (ping)
    
  • IPtables anti-spoofing rule

    Spoofed packets occur when the source IP address does not match the network address it's sent on.

    Drop and log packets on the internal network where source IP does not match

    # iptables -A INPUT -i eth1 -s ! 192.168.0.0/29 -j LOG --log-prefix "SPOOFED PACKET - input: "
    # iptables -A INPUT -i eth1 -s ! 192.168.0.0/29 -j DROP
    
  • IPtables demasquerading rule

    These rules allow web and DNS service requests from external sources to be sent to the appropriate servers on the internal lan using destination nat (DNAT) target.

    # iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.2:80     (http)
    # iptables -t nat -A PREROUTING -p tcp --dport 53 -i eth0 -j DNAT --to 192.168.0.2:53     (dns)
    # iptables -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.0.2:443   (https)
    
  • IPtables masquerading rule

    Rule allows sources from the internal network to access the external network, appearing to come from this system i.e. IP masquerading using this systems IP address.

    # iptables -t nat -A POSTROUTING -s 192.168.0.0/29 -o eth0 -j MASQUERADE
    
  • Saving and loading IPtables rules
    • Usually create a script and put commands similar to the above into it then run from /etc/rc.local.
    • Distributions vary on how to configure on boot.

    Dump/save loaded rules to file

    # iptables-save > firewall-rules
    

    Restore/load rules from previously saved file

    # iptables-restore firewall-rules