Table of Contents for
Linux Network Administrator's Guide, Second Edition
Linux Network Administrator's Guide, Second Edition
Published by
O'Reilly Media, Inc., 2000
- Cover
- Linux Network Administrator’s Guide, 2nd Edition
- Preface
- Sources of Information
- File System Standards
- Standard Linux Base
- About This Book
- The Official Printed Version
- Overview
- Conventions Used in This Book
- Submitting Changes
- Acknowledgments
- 1. Introduction to Networking
- TCP/IP Networks
- UUCP Networks
- Linux Networking
- Maintaining Your System
- 2. Issues of TCP/IP Networking
- IP Addresses
- Address Resolution
- IP Routing
- The Internet Control Message Protocol
- Resolving Host Names
- 3. Configuring the Networking Hardware
- A Tour of Linux Network Devices
- Ethernet Installation
- The PLIP Driver
- The PPP and SLIP Drivers
- Other Network Types
- 4. Configuring the Serial Hardware
- Introduction to Serial Devices
- Accessing Serial Devices
- Serial Hardware
- Using the Configuration Utilities
- Serial Devices and the login: Prompt
- 5. Configuring TCP/IP Networking
- Installing the Binaries
- Setting the Hostname
- Assigning IP Addresses
- Creating Subnets
- Writing hosts and networks Files
- Interface Configuration for IP
- All About ifconfig
- The netstat Command
- Checking the ARP Tables
- 6. Name Service and Resolver Configuration
- How DNS Works
- Running named
- 7. Serial Line IP
- SLIP Operation
- Dealing with Private IP Networks
- Using dip
- Running in Server Mode
- 8. The Point-to-Point Protocol
- Running pppd
- Using Options Files
- Using chat to Automate Dialing
- IP Configuration Options
- Link Control Options
- General Security Considerations
- Authentication with PPP
- Debugging Your PPP Setup
- More Advanced PPP Configurations
- 9. TCP/IP Firewall
- What Is a Firewall?
- What Is IP Filtering?
- Setting Up Linux for Firewalling
- Three Ways We Can Do Filtering
- Original IP Firewall (2.0 Kernels)
- IP Firewall Chains (2.2 Kernels)
- Netfilter and IP Tables (2.4 Kernels)
- TOS Bit Manipulation
- Testing a Firewall Configuration
- A Sample Firewall Configuration
- 10. IP Accounting
- Configuring IP Accounting
- Using IP Accounting Results
- Resetting the Counters
- Flushing the Ruleset
- Passive Collection of Accounting Data
- 11. IP Masquerade and Network Address Translation
- Configuring the Kernel for IP Masquerade
- Configuring IP Masquerade
- Handling Name Server Lookups
- More About Network Address Translation
- 12. Important Network Features
- The tcpd Access Control Facility
- The Services and Protocols Files
- Remote Procedure Call
- Configuring Remote Login and Execution
- 13. The Network Information System
- NIS Versus NIS+
- The Client Side of NIS
- Running an NIS Server
- NIS Server Security
- Setting Up an NIS Client with GNU libc
- Choosing the Right Maps
- Using the passwd and group Maps
- Using NIS with Shadow Support
- 14. The Network File System
- Mounting an NFS Volume
- The NFS Daemons
- The exports File
- Kernel-Based NFSv2 Server Support
- Kernel-Based NFSv3 Server Support
- 15. IPX and the NCP Filesystem
- IPX and Linux
- Configuring the Kernel for IPX and NCPFS
- Configuring IPX Interfaces
- Configuring an IPX Router
- Mounting a Remote NetWare Volume
- Exploring Some of the Other IPX Tools
- Printing to a NetWare Print Queue
- NetWare Server Emulation
- 16. Managing Taylor UUCP
- UUCP Configuration Files
- Controlling Access to UUCP Features
- Setting Up Your System for Dialing In
- UUCP Low-Level Protocols
- Troubleshooting
- Log Files and Debugging
- 17. Electronic Mail
- How Is Mail Delivered?
- Email Addresses
- How Does Mail Routing Work?
- Configuring elm
- 18. Sendmail
- Installing sendmail
- Overview of Configuration Files
- The sendmail.cf and sendmail.mc Files
- Generating the sendmail.cf File
- Interpreting and Writing Rewrite Rules
- Configuring sendmail Options
- Some Useful sendmail Configurations
- Testing Your Configuration
- Running sendmail
- Tips and Tricks
- 19. Getting Exim Up and Running
- If Your Mail Doesn’t Get Through
- Compiling Exim
- Mail Delivery Modes
- Miscellaneous config Options
- Message Routing and Delivery
- Protecting Against Mail Spam
- UUCP Setup
- 20. Netnews
- What Is Usenet, Anyway?
- How Does Usenet Handle News?
- 21. C News
- Installation
- The sys File
- The active File
- Article Batching
- Expiring News
- Miscellaneous Files
- Control Messages
- C News in an NFS Environment
- Maintenance Tools and Tasks
- 22. NNTP and the nntpd Daemon
- Installing the NNTP Server
- Restricting NNTP Access
- NNTP Authorization
- nntpd Interaction with C News
- 23. Internet News
- Newsreaders and INN
- Installing INN
- Configuring INN: the Basic Setup
- INN Configuration Files
- Running INN
- Managing INN: The ctlinnd Command
- 24. Newsreader Configuration
- trn Configuration
- nn Configuration
- A. Example Network: The Virtual Brewery
- B. Useful Cable Configurations
- A Serial NULL Modem Cable
- C. Linux Network Administrator’s Guide, Second Edition Copyright Information
- 1. Applicability and Definitions
- 2. Verbatim Copying
- 3. Copying in Quantity
- 4. Modifications
- 5. Combining Documents
- 6. Collections of Documents
- 7. Aggregation with Independent Works
- 8. Translation
- 9. Termination
- 10. Future Revisions of this License
- D. SAGE: The System Administrators Guild
- Index
- Colophon
We’ve discussed the fundamentals of firewall configuration. Let’s now look at what a firewall configuration might actually look like.
The configuration in this example has been designed to be easily extended and customized. We’ve provided three versions. The first version is implemented using the ipfwadm command (or the ipfwadm-wrapper script), the second uses ipchains, and the third uses iptables. The example doesn’t attempt to exploit user-defined chains, but it will show you the similarities and differences between the old and new firewall configuration tool syntaxes:
#!/bin/bash ########################################################################## # IPFWADM VERSION # This sample configuration is for a single host firewall configuration # with no services supported by the firewall machine itself. ########################################################################## # USER CONFIGURABLE SECTION # The name and location of the ipfwadm utility. Use ipfwadm-wrapper for # 2.2.* kernels. IPFWADM=ipfwadm # The path to the ipfwadm executable. PATH="/sbin" # Our internal network address space and its supporting network device. OURNET="172.29.16.0/24" OURBCAST="172.29.16.255" OURDEV="eth0" # The outside address and the network device that supports it. ANYADDR="0/0" ANYDEV="eth1" # The TCP services we wish to allow to pass - "" empty means all ports # note: space separated TCPIN="smtp www" TCPOUT="smtp www ftp ftp-data irc" # The UDP services we wish to allow to pass - "" empty means all ports # note: space separated UDPIN="domain" UDPOUT="domain" # The ICMP services we wish to allow to pass - "" empty means all types # ref: /usr/include/netinet/ip_icmp.h for type numbers # note: space separated ICMPIN="0 3 11" ICMPOUT="8 3 11" # Logging; uncomment the following line to enable logging of datagrams # that are blocked by the firewall. # LOGGING=1 # END USER CONFIGURABLE SECTION ########################################################################### # Flush the Incoming table rules $IPFWADM -I -f # We want to deny incoming access by default. $IPFWADM -I -p deny # SPOOFING # We should not accept any datagrams with a source address matching ours # from the outside, so we deny them. $IPFWADM -I -a deny -S $OURNET -W $ANYDEV # SMURF # Disallow ICMP to our broadcast address to prevent "Smurf" style attack. $IPFWADM -I -a deny -P icmp -W $ANYDEV -D $OURBCAST # TCP # We will accept all TCP datagrams belonging to an existing connection # (i.e. having the ACK bit set) for the TCP ports we're allowing through. # This should catch more than 95 % of all valid TCP packets. $IPFWADM -I -a accept -P tcp -D $OURNET $TCPIN -k -b # TCP - INCOMING CONNECTIONS # We will accept connection requests from the outside only on the # allowed TCP ports. $IPFWADM -I -a accept -P tcp -W $ANYDEV -D $OURNET $TCPIN -y # TCP - OUTGOING CONNECTIONS # We accept all outgoing tcp connection requests on allowed TCP ports. $IPFWADM -I -a accept -P tcp -W $OURDEV -D $ANYADDR $TCPOUT -y # UDP - INCOMING # We will allow UDP datagrams in on the allowed ports. $IPFWADM -I -a accept -P udp -W $ANYDEV -D $OURNET $UDPIN # UDP - OUTGOING # We will allow UDP datagrams out on the allowed ports. $IPFWADM -I -a accept -P udp -W $OURDEV -D $ANYADDR $UDPOUT # ICMP - INCOMING # We will allow ICMP datagrams in of the allowed types. $IPFWADM -I -a accept -P icmp -W $ANYDEV -D $OURNET $UDPIN # ICMP - OUTGOING # We will allow ICMP datagrams out of the allowed types. $IPFWADM -I -a accept -P icmp -W $OURDEV -D $ANYADDR $UDPOUT # DEFAULT and LOGGING # All remaining datagrams fall through to the default # rule and are dropped. They will be logged if you've # configured the LOGGING variable above. # if [ "$LOGGING" ] then # Log barred TCP $IPFWADM -I -a reject -P tcp -o # Log barred UDP $IPFWADM -I -a reject -P udp -o # Log barred ICMP $IPFWADM -I -a reject -P icmp -o fi # # end.
Now we’ll reimplement it using the ipchains command:
#!/bin/bash ########################################################################## # IPCHAINS VERSION # This sample configuration is for a single host firewall configuration # with no services supported by the firewall machine itself. ########################################################################## # USER CONFIGURABLE SECTION # The name and location of the ipchains utility. IPCHAINS=ipchains # The path to the ipchains executable. PATH="/sbin" # Our internal network address space and its supporting network device. OURNET="172.29.16.0/24" OURBCAST="172.29.16.255" OURDEV="eth0" # The outside address and the network device that supports it. ANYADDR="0/0" ANYDEV="eth1" # The TCP services we wish to allow to pass - "" empty means all ports # note: space separated TCPIN="smtp www" TCPOUT="smtp www ftp ftp-data irc" # The UDP services we wish to allow to pass - "" empty means all ports # note: space separated UDPIN="domain" UDPOUT="domain" # The ICMP services we wish to allow to pass - "" empty means all types # ref: /usr/include/netinet/ip_icmp.h for type numbers # note: space separated ICMPIN="0 3 11" ICMPOUT="8 3 11" # Logging; uncomment the following line to enable logging of datagrams # that are blocked by the firewall. # LOGGING=1 # END USER CONFIGURABLE SECTION ########################################################################## # Flush the Input table rules $IPCHAINS -F input # We want to deny incoming access by default. $IPCHAINS -P input deny # SPOOFING # We should not accept any datagrams with a source address matching ours # from the outside, so we deny them. $IPCHAINS -A input -s $OURNET -i $ANYDEV -j deny # SMURF # Disallow ICMP to our broadcast address to prevent "Smurf" style attack. $IPCHAINS -A input -p icmp -w $ANYDEV -d $OURBCAST -j deny # We should accept fragments, in ipchains we must do this explicitly. $IPCHAINS -A input -f -j accept # TCP # We will accept all TCP datagrams belonging to an existing connection # (i.e. having the ACK bit set) for the TCP ports we're allowing through. # This should catch more than 95 % of all valid TCP packets. $IPCHAINS -A input -p tcp -d $OURNET $TCPIN ! -y -b -j accept # TCP - INCOMING CONNECTIONS # We will accept connection requests from the outside only on the # allowed TCP ports. $IPCHAINS -A input -p tcp -i $ANYDEV -d $OURNET $TCPIN -y -j accept # TCP - OUTGOING CONNECTIONS # We accept all outgoing TCP connection requests on allowed TCP ports. $IPCHAINS -A input -p tcp -i $OURDEV -d $ANYADDR $TCPOUT -y -j accept # UDP - INCOMING # We will allow UDP datagrams in on the allowed ports. $IPCHAINS -A input -p udp -i $ANYDEV -d $OURNET $UDPIN -j accept # UDP - OUTGOING # We will allow UDP datagrams out on the allowed ports. $IPCHAINS -A input -p udp -i $OURDEV -d $ANYADDR $UDPOUT -j accept # ICMP - INCOMING # We will allow ICMP datagrams in of the allowed types. $IPCHAINS -A input -p icmp -w $ANYDEV -d $OURNET $UDPIN -j accept # ICMP - OUTGOING # We will allow ICMP datagrams out of the allowed types. $IPCHAINS -A input -p icmp -i $OURDEV -d $ANYADDR $UDPOUT -j accept # DEFAULT and LOGGING # All remaining datagrams fall through to the default # rule and are dropped. They will be logged if you've # configured the LOGGING variable above. # if [ "$LOGGING" ] then # Log barred TCP $IPCHAINS -A input -p tcp -l -j reject # Log barred UDP $IPCHAINS -A input -p udp -l -j reject # Log barred ICMP $IPCHAINS -A input -p icmp -l -j reject fi # # end.
In our iptables example, we’ve switched to using
the FORWARD ruleset because of the difference in
meaning of the INPUT ruleset in the
netfilter implementation. This has implications
for us; it means that none of the rules protect the firewall host
itself. To accurately mimic our ipchains example,
we would replicate each of our rules in the INPUT
chain. For clarity, we’ve dropped all incoming datagrams received from
our outside interface instead.
#!/bin/bash
##########################################################################
# IPTABLES VERSION
# This sample configuration is for a single host firewall configuration
# with no services supported by the firewall machine itself.
##########################################################################
# USER CONFIGURABLE SECTION
# The name and location of the ipchains utility.
IPTABLES=iptables
# The path to the ipchains executable.
PATH="/sbin"
# Our internal network address space and its supporting network device.
OURNET="172.29.16.0/24"
OURBCAST="172.29.16.255"
OURDEV="eth0"
# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="eth1"
# The TCP services we wish to allow to pass - "" empty means all ports
# note: comma separated
TCPIN="smtp,www"
TCPOUT="smtp,www,ftp,ftp-data,irc"
# The UDP services we wish to allow to pass - "" empty means all ports
# note: comma separated
UDPIN="domain"
UDPOUT="domain"
# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: comma separated
ICMPIN="0,3,11"
ICMPOUT="8,3,11"
# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
# LOGGING=1
# END USER CONFIGURABLE SECTION
###########################################################################
# Flush the Input table rules
$IPTABLES -F FORWARD
# We want to deny incoming access by default.
$IPTABLES -P FORWARD deny
# Drop all datagrams destined for this host received from outside.
$IPTABLES -A INPUT -i $ANYDEV -j DROP
# SPOOFING
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
$IPTABLES -A FORWARD -s $OURNET -i $ANYDEV -j DROP
# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
$IPTABLES -A FORWARD -m multiport -p icmp -i $ANYDEV -d $OURNET -j DENY
# We should accept fragments, in iptables we must do this explicitly.
$IPTABLES -A FORWARD -f -j ACCEPT
# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports we're allowing through.
# This should catch more than 95 % of all valid TCP packets.
$IPTABLES -A FORWARD -m multiport -p tcp -d $OURNET --dports $TCPIN /
! --tcp-flags SYN,ACK ACK -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p tcp -s $OURNET --sports $TCPIN /
! --tcp-flags SYN,ACK ACK -j ACCEPT
# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
$IPTABLES -A FORWARD -m multiport -p tcp -i $ANYDEV -d $OURNET $TCPIN /
--syn -j ACCEPT
# TCP - OUTGOING CONNECTIONS
# We will accept all outgoing tcp connection requests on the allowed /
TCP ports.
$IPTABLES -A FORWARD -m multiport -p tcp -i $OURDEV -d $ANYADDR /
--dports $TCPOUT --syn -j ACCEPT# UDP - INCOMING
# We will allow UDP datagrams in on the allowed ports and back.
$IPTABLES -A FORWARD -m multiport -p udp -i $ANYDEV -d $OURNET /
--dports $UDPIN -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p udp -i $ANYDEV -s $OURNET /
--sports $UDPIN -j ACCEPT
# UDP - OUTGOING
# We will allow UDP datagrams out to the allowed ports and back.
$IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -d $ANYADDR /
--dports $UDPOUT -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p udp -i $OURDEV -s $ANYADDR /
--sports $UDPOUT -j ACCEPT
# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
$IPTABLES -A FORWARD -m multiport -p icmp -i $ANYDEV -d $OURNET /
--dports $ICMPIN -j ACCEPT
# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
$IPTABLES -A FORWARD -m multiport -p icmp -i $OURDEV -d $ANYADDR /
--dports $ICMPOUT -j ACCEPT
# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if you've
# configured the LOGGING variable above.
#
if [ "$LOGGING" ]
then
# Log barred TCP
$IPTABLES -A FORWARD -m tcp -p tcp -j LOG
# Log barred UDP
$IPTABLES -A FORWARD -m udp -p udp -j LOG
# Log barred ICMP
$IPTABLES -A FORWARD -m udp -p icmp -j LOG
fi
#
# end.In many simple situations, to use the sample all you have to do is edit the top section of the file labeled “USER CONFIGURABLE section” to specify which protocols and datagrams type you wish to allow in and out. For more complex configurations, you will need to edit the section at the bottom, as well. Remember, this is a simple example, so scrutinize it very carefully to ensure it does what you want while implementing it.