Chapter 7. Firewalls
The rules will be stored in the file /etc/sysconfig/iptables and will be applied whenever the service is started, restarted, or the machine rebooted.
7.1.3. INPUT Filtering
Keeping remote attackers out of a LAN is an important aspect of network security, if not the most important. The integrity of a LAN should be protected from malicious remote users through the use of stringent firewall rules. In the following example, the LAN (which uses a private class C 192.168.1.0/24 IP range) rejects telnet access from the outside. The rule for this looks like the following:

iptables -A INPUT -p tcp --sport telnet -j REJECT
The rule rejects all outside TCP connections using the telnet protocol (typically port 23) with a connection refused error message. Rules using the --sport or --dport options can use either port numbers or common service names, so both --sport telnet and --sport 23 are acceptable.
Note

There is a distinction between the REJECT and DROP target actions. The REJECT target denies access and returns a connection refused error to users who attempt to connect with telnet. The DROP target, as the name implies, simply drops the packet without any warning to the telnet users. Administrators can use their own discretion when using these targets; however, to avoid user confusion and repeated attempts to connect, the REJECT target is recommended.
There may be times when certain users require remote access to the LAN from the road or from a field office. Secure services, such as SSH and CIPE, can be used for encrypted remote connection to LAN services. For administrators with PPP-based resources (such as modem banks or bulk ISP accounts), dial-up access can be used to circumvent firewall barriers securely, as modem connections are typically behind a firewall/gateway because they are direct connections. However, for remote users with broadband connections, special cases can be made. You can set INPUT rules in iptables to accept connections from remote SSH and CIPE clients. For example, to allow remote SSH access to the LAN, the following may be used:

iptables -A INPUT -p tcp --sport 22 -j ACCEPT
CIPE connection requests from the outside can be accepted with the following command:

iptables -A INPUT -p udp -i cipcb0 -j ACCEPT
Since CIPE uses its own virtual device which transmits datagram (UDP) packets, the rule allows the
cipcb0 interface for incoming connections, instead of source or destination ports (though they can
be used in place of device options). For information about using CIPE, refer to Chapter 6.
There are other services for which you may need to define INPUT rules. Refer to the Official Red Hat Linux Reference Guide for comprehensive information on iptables and its various options.
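As an added illustration (not code from the Security Guide), the following Python script models how the INPUT chain evaluates rules like the ones in this section: the first matching rule decides, otherwise the chain policy applies. It resolves service names the way --sport and --dport do against a constructed two-entry subset of /etc/services, and it records what the remote host observes under ACCEPT, REJECT and DROP, which is the distinction the Note above draws. Running the section's three rules through it also shows the check a practitioner would make: --sport matches the remote side's source port, so an inbound connection attempt to the local telnet service (destination port 23, ephemeral source port) is matched by --dport telnet rather than --sport telnet. The hardened_rules() function is a constructed alternative using --dport and a DROP policy, not a rule set from the guide; the sample packets are constructed, and connection tracking is not modelled.

```python
"""Toy model of iptables INPUT-chain evaluation (added example, not from the guide)."""
from dataclasses import dataclass
from typing import Optional

# Constructed subset of /etc/services; iptables resolves --sport/--dport names this way.
SERVICES = {"telnet": 23, "ssh": 22}

# What the sending host observes for each verdict (stateless model, no conntrack).
FEEDBACK = {
    "ACCEPT": "packet delivered to the local service",
    "REJECT": "error returned to sender (ICMP unreachable / TCP RST): connection refused",
    "DROP": "nothing returned: the sender times out and tends to retry",
}


def port(spec):
    """Resolve a port given as a number ('23') or a service name ('telnet')."""
    return int(spec) if spec.isdigit() else SERVICES[spec]


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    sport: int            # source port as seen on the wire
    dport: int            # destination port (the service being connected to)
    iface: str = "eth0"   # interface the packet arrives on


@dataclass
class Rule:
    target: str                   # -j ACCEPT | DROP | REJECT
    proto: Optional[str] = None   # -p
    sport: Optional[int] = None   # --sport
    dport: Optional[int] = None   # --dport
    iface: Optional[str] = None   # -i

    def matches(self, pkt):
        """Every option given on the rule must match; absent options match anything."""
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.sport is None or self.sport == pkt.sport)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.iface is None or self.iface == pkt.iface))


def parse_rule(cmd):
    """Parse the 'iptables -A INPUT ...' subset used in this chapter into a Rule."""
    toks = cmd.split()
    if toks[:3] != ["iptables", "-A", "INPUT"]:
        raise ValueError("only 'iptables -A INPUT' rules are modelled")
    kw = {}
    for opt, val in zip(toks[3::2], toks[4::2]):
        if opt == "-p":
            kw["proto"] = val
        elif opt == "--sport":
            kw["sport"] = port(val)
        elif opt == "--dport":
            kw["dport"] = port(val)
        elif opt == "-i":
            kw["iface"] = val
        elif opt == "-j":
            kw["target"] = val
        else:
            raise ValueError(f"unsupported option {opt}")
    return Rule(**kw)


class InputChain:
    def __init__(self, policy="ACCEPT"):
        self.policy = policy      # verdict when no rule matches
        self.rules = []

    def append(self, cmd):
        self.rules.append(parse_rule(cmd))

    def evaluate(self, pkt):
        """First matching rule wins; return (verdict, what the remote host sees)."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target, FEEDBACK[rule.target]
        return self.policy, FEEDBACK[self.policy]


def chapter_rules():
    """The three INPUT rules exactly as given in this section."""
    chain = InputChain(policy="ACCEPT")
    for cmd in ("iptables -A INPUT -p tcp --sport telnet -j REJECT",
                "iptables -A INPUT -p tcp --sport 22 -j ACCEPT",
                "iptables -A INPUT -p udp -i cipcb0 -j ACCEPT"):
        chain.append(cmd)
    return chain


def hardened_rules():
    """Constructed variant: match the port the client connects TO, fail closed."""
    chain = InputChain(policy="DROP")
    for cmd in ("iptables -A INPUT -p tcp --dport telnet -j REJECT",
                "iptables -A INPUT -p tcp --dport ssh -j ACCEPT",
                "iptables -A INPUT -p udp -i cipcb0 -j ACCEPT"):
        chain.append(cmd)
    return chain


if __name__ == "__main__":
    telnet_syn = Packet("tcp", sport=40000, dport=23)   # constructed inbound telnet attempt
    for name, chain in (("chapter", chapter_rules()), ("hardened", hardened_rules())):
        print(name, "telnet attempt ->", chain.evaluate(telnet_syn))
```

The run prints that the section's --sport telnet rule lets the constructed inbound telnet attempt fall through to the ACCEPT policy (it would only match traffic whose source port is 23), while the --dport variant rejects it with the connection refused feedback the Note recommends.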
7.1.4. OUTPUT Filtering
There may be instances when an administrator must block certain users on the internal network from
making outbound connections. Perhaps the administrator intends to curtail malicious trojans from
contacting their intended hosts or wants to keep an employee from misusing network resources for