510 ◾ Linux with Operating System Concepts
start or stop the interface, arp/-arp to enable or disable the use of the ARP protocol on this device, promisc/-promisc to enable or disable promiscuous mode on this interface, or allmulti/-allmulti to enable or disable multicast mode on this device. Additionally, you can change the MTU parameter, change the destination IP address if the device is a ppp, change the netmask, and change the device's IP address.
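As an added example (not code from the book), the following Python script decodes the interface flag word that Linux exposes in /sys/class/net/<dev>/flags into the ifconfig-style names used above (arp/-arp, promisc, allmulti) and lists every interface currently in promiscuous mode, a state worth auditing because it is what a packet sniffer on the host needs. It assumes a Linux host with that sysfs layout; the flag bit values are the IFF_* constants from the kernel's if.h header.

```python
import glob
import os

# Interface flag bits as defined in the Linux <linux/if.h> header (IFF_* constants).
IFF_UP, IFF_LOOPBACK, IFF_RUNNING = 0x1, 0x8, 0x40
IFF_NOARP, IFF_PROMISC, IFF_ALLMULTI, IFF_MULTICAST = 0x80, 0x100, 0x200, 0x1000


def decode_flags(word):
    """Turn a sysfs flags word such as '0x1103' into ifconfig-style flag names."""
    flags = int(word, 16)
    names = ["UP" if flags & IFF_UP else "DOWN"]
    if flags & IFF_LOOPBACK:
        names.append("LOOPBACK")
    if flags & IFF_RUNNING:
        names.append("RUNNING")
    names.append("NOARP" if flags & IFF_NOARP else "ARP")  # ifconfig's arp / -arp
    if flags & IFF_PROMISC:
        names.append("PROMISC")  # promisc: the card passes up every frame it sees
    if flags & IFF_ALLMULTI:
        names.append("ALLMULTI")  # allmulti: receive every multicast frame
    if flags & IFF_MULTICAST:
        names.append("MULTICAST")
    return names


def promiscuous_interfaces(sysfs="/sys/class/net"):
    """Return the names of all interfaces whose flag word has IFF_PROMISC set."""
    found = []
    for path in sorted(glob.glob(os.path.join(sysfs, "*", "flags"))):
        with open(path) as fh:
            if int(fh.read().strip(), 16) & IFF_PROMISC:
                found.append(os.path.basename(os.path.dirname(path)))
    return found


if __name__ == "__main__":
    # Print every interface's decoded flags, then the promiscuous ones (if any).
    for path in sorted(glob.glob("/sys/class/net/*/flags")):
        dev = os.path.basename(os.path.dirname(path))
        with open(path) as fh:
            print(dev, " ".join(decode_flags(fh.read().strip())))
    print("promiscuous:", promiscuous_interfaces() or "none")
```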
Neither route nor ifconfig is necessary because ip can accomplish all these tasks. However, both route and ifconfig continue to be available in current versions of Linux. You might find them easier to use than the rather complicated ip, but eventually these instructions might be deprecated, so it is best to learn ip now.
We have already discussed ping and traceroute in Chapter 5. As a system administrator, you might find these commands useful in testing your network access and the availability of other devices that you are in charge of. However, both commands can lead to security holes in your network, as others might try to investigate your local area network through these programs. Through ping or traceroute, a clever hacker could accumulate the valid IP addresses of your network. This is known as a reconnaissance attack. With such IP addresses, the hacker could exploit this information using other forms of attack such as denial of service, intrusion, and IP spoofing. You can configure your firewall to prevent incoming messages from ping or traceroute.
Netstat, like ifconfig and route, is an older program available to obtain network connection and routing table information as well as interface statistics and multicast memberships. The netstat command will dump all available statistics if not provided any options. The options -t (or --tcp) and -u (or --udp) provide information on TCP and UDP communication, respectively. The -r (or --route) option provides the same output as the route command. The option -i (or --interfaces) followed by an interface name provides information about that interface.
The netstat command has now been superseded by the command ss. The ss command is a utility to investigate network sockets; in essence, this program dumps socket statistics. It permits many of the same options as netstat, for instance, -t (--tcp), -u (--udp), and -r. We also have nstat and rtacct to monitor the kernel's SNMP counters and report statistics on network and interface usage.
12.6 THE LINUX FIREWALL
A firewall is a program that examines incoming and outgoing network messages and decides which messages are permitted to pass through the firewall. The firewall itself uses a collection of rules that define attributes of messages that should or should not be allowed through. Rules can pertain to incoming messages only, outgoing messages only, or possibly both. The criteria tested by the rules can include matching any source or destination IP addresses, ports, protocols, size, and/or interface to specific values.
A stateful firewall is able to make decisions on groups of messages that make up a single network connection. This is useful when a message is a part of a group of messages that make up an established session between two machines. The firewall is an essential tool in today's computing to prevent or reduce external attacks. However, as we will see, a firewall is only as good as the rules defined.
A firewall can be set up to protect a single computer or an entire network. Typically, an organization will employ multiple firewalls, one at the Internet point of presence, perhaps as a proxy server (or in addition to a proxy server), and one for every computer. Figure 12.5 illustrates the concept of a firewall protecting a single computer. In the figure, we see two of five incoming messages are accepted and the other three are not, while both outgoing messages are permitted to leave the firewall.
The Linux firewall can be configured through the GUI (as covered in Chapter 11) or by modifying the iptables (and ip6tables) file that contains the firewall rules, and the iptables-config (and ip6tables-config) file that contains the configuration directives. These files are stored in /etc/sysconfig. Here, we will concentrate on configuring the firewall through these files rather than the GUI. We will only consider using the IPv4 portion of the firewall (iptables and iptables-config) as it is more critical that you set up your firewall for IPv4 than IPv6. You would find the ip6tables/ip6tables-config to be similar.
12.6.1 The iptables-config File
The iptables-config file contains a handful of directives pertaining to your firewall. This file controls general aspects of the firewall. Table 12.5 provides the directives for this file along with their meaning and default value. Aside from the first directive (IPTABLES_MODULES), the values are either "yes" or "no."
Many of the directives from Table 12.5 impact information displayed in response to issuing the status command to the iptables controlling script (i.e., in response to /sbin/service iptables status). The iptables service's status information differs from the status information obtained from most other services, which usually just respond with a message that the service is running or stopped. With iptables, you obtain detailed information of the firewall's rules. Figure 12.6 demonstrates the response from a status request. The iptables-config file, in this case, has directives of IPTABLES_STATUS_VERBOSE=yes and IPTABLES_STATUS_LINENUMBERS=yes.
12.6.2 Rules for the iptables File
The iptables file contains the rules for your firewall. The rules specify how incoming (INPUT) messages will be handled, how outgoing (OUTPUT) messages will be handled, and how forwarded (FORWARD) messages will be handled. The most critical of the rules are the incoming message rules. With improper (or no) INPUT rules, your computer is open to receiving messages of any type. You want to ensure that only specific types of messages are permitted into your computer. Although OUTPUT rules are less common, you might wish to use some rules to control outgoing messages as well, for instance, to prevent users from accessing particular websites.
FIGURE 12.5 A computer's firewall. (Figure labels: Internet, Internet connection, Firewall, Computer; incoming messages, outgoing messages.)
The iptables service works by using chains of rules. For any incoming packet, the packet is compared to a chain of input rules. The firewall continues to compare the message to the rules of the given chain until either it reaches the end of the chain, in which case a default rule is applied, or a rule with a target value matches the message, in which case the rule triggers and the target is followed. Rules have the following format:
-A chain [options] [-j target]
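As an added example (not the book's code), the following Python script models the chain walk just described. It parses a constructed rule set written in the iptables-save format that /etc/sysconfig/iptables uses, containing a stateful ESTABLISHED,RELATED rule and rules that drop incoming ping echo-requests and traceroute UDP probes (the firewall measure suggested earlier for ping and traceroute), and then reports the target, or the default policy when the end of the chain is reached, that a sample packet would receive. The packet dictionary fields and the subset of options handled (-i, -p, --dport, --icmp-type, -m state --state, -j) are this example's own simplifications.

```python
# A constructed rule set in the iptables-save format that /etc/sysconfig/iptables uses.
RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p udp --dport 33434:33523 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Collect each chain's default policy (':CHAIN POLICY') and its '-A chain ...' rules."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain], chains[chain] = policy, []
        elif line.startswith("-A "):
            toks, rule = line.split(), {}
            for key, val in zip(toks[2::2], toks[3::2]):  # options are key/value pairs
                if key == "--state":
                    rule["state"] = set(val.split(","))
                elif key != "-m":  # '-m state' only loads the match module; nothing to keep
                    rule[key] = val
            chains[toks[1]].append(rule)
    return policies, chains

def rule_matches(rule, pkt):
    """Every option in the rule must match the packet; an absent option matches anything."""
    if "-i" in rule and pkt.get("iface") != rule["-i"]:
        return False
    if "-p" in rule and pkt.get("proto") != rule["-p"]:
        return False
    if "--icmp-type" in rule and pkt.get("icmp_type") != rule["--icmp-type"]:
        return False
    if "--dport" in rule:  # a single port or a low:high range
        lo, _, hi = rule["--dport"].partition(":")
        if not int(lo) <= pkt.get("dport", -1) <= int(hi or lo):
            return False
    return "state" not in rule or pkt.get("state") in rule["state"]

def verdict(pkt, chain="INPUT", text=RULES):
    """Walk the chain top to bottom: the first matching rule's target wins, else the policy."""
    policies, chains = parse_rules(text)
    for rule in chains[chain]:
        if rule_matches(rule, pkt):
            return rule["-j"]
    return policies[chain]  # end of chain reached: the default policy applies
```

Note that the stateful rule placed second means replies to the host's own pings (ICMP with state ESTABLISHED) are still accepted, while unsolicited echo-requests fall through to the DROP rule and anything not listed hits the chain's DROP policy.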
TABLE 12.5 Iptables-config Directives