TCP Wrappers
services that can be protected:
- the super-server daemon: xinetd
-
- any service linked against libwrap.so; check with:
- ldd $(which sshd) | grep libwrap
configuration files (hosts.allow is consulted first, then hosts.deny):
-
/etc/hosts.allow
- ALL: 127.0.0.1
- rsync: 192.168.1.0/255.255.255.0 10.10.10.1
-
/etc/hosts.deny
- rsync: ALL
Netfilter : iptables
versions (by kernel release):
- kernel 2.0 ipfwadm
- kernel 2.2 ipchains
- kernel 2.4-2.6 iptables
tables and their chains:
-
filter
- input
- output
- forward
-
nat
- prerouting
- postrouting
- output
-
mangle
- prerouting
- output
- input
- forward
iptables command syntax
iptables
- -t table (filter/nat)
- -L list the chains and rules of that table
- -n numeric, no reverse DNS lookup
- -v verbose
iptables-save
-t table
iptables
- -t table
- -F (flush all rules)
- -X (delete user-defined chains)
- -Z (zero the counters)
iptables [-t table] {-A|-D} chain rule-specification
|
-t, --table table (filter, nat, mangle); -A, --append; -D, --delete
-I, --insert; -R, --replace; -L, --list
-S, --list-rules
-F, --flush chain; -Z, --zero counters
-N, --new-chain
-X, --delete-chain
-P, --policy
-E, --rename-chain
-j, --jump target (ACCEPT/DROP/REJECT/LOG); [!] -i, --in-interface name; [!] -o, --out-interface name; [!] -p, --protocol protocol (tcp, udp, udplite, icmp, esp, ah, sctp or all); [!] -s, --source address[/mask][,...]; [!] -d, --destination address[/mask][,...]
|
/etc/sysconfig/iptables
- # Firewall configuration written by system-config-firewall
- # Manual customization of this file is not recommended.
- *filter
- :INPUT ACCEPT [0:0]
- :FORWARD ACCEPT [0:0]
- :OUTPUT ACCEPT [0:0]
- -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- -A INPUT -p icmp -j ACCEPT
- -A INPUT -i lo -j ACCEPT
- -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
- -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
- -A INPUT -j REJECT --reject-with icmp-host-prohibited
- -A FORWARD -j REJECT --reject-with icmp-host-prohibited
/etc/sysctl.conf
- net.ipv4.tcp_syncookies = 1 (mitigates SYN flooding)
- net.ipv4.icmp_echo_ignore_broadcasts = 1 (mitigates broadcast ping flooding)