Chapter 7. Firewalls
71
inappropriate or illicit reasons. In these cases, specialized rules can be established using the OUTPUT action in iptables. The OUTPUT action places restrictions on outbound data.
Suppose an administrator notices heavy amounts of network traffic on port 6699 (a commonly used
port for peer to peer file sharing services). To stop the traffic and conserve bandwidth for legitimate
business purposes, the administrator can block LAN users from communicating on this port. After a
thorough examination of what other services may be adversely affected by the blockage of port 6699,
the administrator can add the following rule to the firewall and effectively block outbound traffic from
the source port:
iptables -A OUTPUT -p TCP --sport 6699 -j REJECT
More elaborate rules can be created that control access to specific subnets, or even specific nodes,
within a LAN. You can also restrict certain dubious services such as trojans, worms, and other
client/server viruses from contacting their server. For example, there are some trojans that scan
networks for services on ports from 31337 to 31340 (called the elite ports in cracking lingo). Since there
are no legitimate services that communicate via these non-standard ports, blocking them can effectively
diminish the chances that potentially infected nodes on your network independently communicate
with their remote master servers.
iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
7.1.5. FORWARD and NAT Rules
Most organizations are allotted a limited number of publicly routable IP addresses from their ISP. Due
to this limited allowance, administrators must find creative ways to share access to Internet services
without giving scarce IP addresses to every node on the LAN. Using a class C private IP address range is
the common way to allow all nodes on a LAN to properly access network services internally and
externally. Edge routers (such as firewalls) can receive incoming transmissions from the Internet and
route the bits to the intended LAN node; at the same time, they can also route outgoing requests from a
LAN node to the remote Internet service. This forwarding of network traffic can become dangerous
at times, especially with the availability of modern cracking tools that can spoof internal IP addresses
and make the remote attacker's machine act as a node on your LAN. To prevent this, iptables
provides routing and forwarding policies that you can implement to prevent aberrant usage of network
resources.
The FORWARD policy allows an administrator to control where packets can be routed. For example, to
allow forwarding for an entire internal IP address range, the following rule can be set:
iptables -A FORWARD -i eth1 -j ACCEPT
Note
By default, IPv4 policy in Red Hat Linux kernels disables support for IP forwarding, which prevents
boxes running Red Hat Linux from functioning as dedicated edge routers. To enable IP forwarding,
run the following command or place it in your firewall initialization script:
echo "1" > /proc/sys/net/ipv4/ip_forward
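The following firewall initialization script is an added example, not code from the Red Hat Linux Security Guide. It ties together the outbound restrictions of the previous section (the port 6699 REJECT rule and the elite-port DROP rule, generalized here to the whole 31337 to 31340 range) with the IP forwarding switch and FORWARD/NAT rules of this section. It assumes eth0 is the Internet-facing interface, eth1 the LAN interface and 192.168.1.0/24 the LAN's private address block; the IPTABLES and IP_FORWARD_KNOB variables are a dry-run hook so the generated rules can be reviewed before they touch a live ruleset.

```shell
#!/bin/sh
# Added example (not from the Red Hat Linux Security Guide): a small firewall
# initialization script applying the OUTPUT and FORWARD/NAT rules discussed above.
# Assumptions: eth0 faces the Internet, eth1 faces the LAN, the LAN uses
# 192.168.1.0/24. Run with IPTABLES=echo to print rules instead of applying them.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IPTABLES="${IPTABLES:-iptables}"
IP_FORWARD_KNOB="${IP_FORWARD_KNOB:-/proc/sys/net/ipv4/ip_forward}"

# A typo in a port number must not silently produce a rule that matches nothing
# (or the wrong thing), so every port is validated before a rule is built.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Reject outbound TCP traffic originating from one source port
# (the peer-to-peer file sharing example on port 6699).
block_outbound_port() {
    port="$1"
    valid_port "$port" || { echo "block_outbound_port: bad port '$port'" >&2; return 1; }
    "$IPTABLES" -A OUTPUT -p tcp --sport "$port" -j REJECT
}

# Silently drop outbound connections to a range of destination ports on the
# Internet-facing interface (the 31337-31340 trojan control ports);
# iptables accepts first:last for --dport.
drop_outbound_range() {
    first="$1"; last="$2"
    valid_port "$first" && valid_port "$last" && [ "$first" -le "$last" ] \
        || { echo "drop_outbound_range: bad range '$first:$last'" >&2; return 1; }
    "$IPTABLES" -A OUTPUT -o "$WAN_IF" -p tcp --dport "$first:$last" -j DROP
}

# Enable forwarding (off by default in the Red Hat Linux kernel), then allow
# LAN-sourced forwarding, drop packets arriving from the Internet that claim a
# LAN source address (address spoofing), and masquerade the LAN behind the
# single public address on the WAN interface.
enable_forwarding() {
    if [ -w "$IP_FORWARD_KNOB" ]; then
        echo "1" > "$IP_FORWARD_KNOB"
    else
        echo "enable_forwarding: $IP_FORWARD_KNOB not writable, forwarding unchanged" >&2
    fi
    "$IPTABLES" -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP
    "$IPTABLES" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

apply_all() {
    block_outbound_port 6699 || return 1
    drop_outbound_range 31337 31340 || return 1
    enable_forwarding
}

# Only apply when explicitly asked, so the file can be sourced to reuse the functions.
if [ "${FW_APPLY:-0}" = "1" ]; then
    apply_all
fi
```

Running `FW_APPLY=1 IPTABLES=echo IP_FORWARD_KNOB=/tmp/ip_forward sh firewall.sh` prints each rule that would be added without changing the kernel; dropping the two overrides applies them for real as root. The spoofing DROP rule is ordered before the MASQUERADE rule so a forged LAN-sourced packet from the outside never reaches NAT.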
FORWARD rules can be implemented to restrict certain types of traffic to the LAN only, such as local
network file shares through NFS or Samba. The following rules reject outside connections to Samba
shares: