Frame/Packet Filtering
A Very Brief Introduction
Prof. David Bernstein
Computer Science Department
bernstdh@jmu.edu
iptables
The rules below are added to the filter table (iptables -t filter, which is the default table when -t is omitted):
An Example
#---------------------------------------------------------------
# If a packet doesn't match one of the built-in chains, then
# the policy should be to drop it
#---------------------------------------------------------------
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP

#---------------------------------------------------------------
# The loopback interface should accept all traffic necessary for
# X-Windows and other socket based services (both directions,
# since the INPUT policy above would otherwise drop the replies)
#---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#---------------------------------------------------------------
# We'll allow incoming icmp (ping) messages for now although we
# might want to disable this later
#---------------------------------------------------------------
iptables -A INPUT -p icmp -j ACCEPT

#---------------------------------------------------------------
# Allow DNS traffic
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT

#---------------------------------------------------------------
# Log and reject non-local access to MySQL
# (LOG is non-terminating, so the packet continues to the REJECT rule)
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 3306 -j LOG
iptables -A INPUT -p tcp --dport 3306 -j REJECT
iptables -A INPUT -p udp --dport 3306 -j LOG
iptables -A INPUT -p udp --dport 3306 -j REJECT

#---------------------------------------------------------------
# Disallow access to low ports with SYN bit set: only packets that
# are NOT new connection attempts are accepted on ports 0-1023
# Note: ! is used for negation
#---------------------------------------------------------------
iptables -A INPUT -p tcp ! --syn --dport :1023 -j ACCEPT

#---------------------------------------------------------------
# Open up access to high ports (necessary for web browsing)
# Note: the jump option is lowercase -j
#---------------------------------------------------------------
iptables -A INPUT -p tcp --dport 1024: -j ACCEPT
iptables -A INPUT -p udp --dport 1024: -j ACCEPT
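As an added example (not part of the slides), the following Python model walks the INPUT chain of the script above the way netfilter does: rules are tried in the order they were appended, the first terminating target (ACCEPT, DROP, REJECT) decides, LOG records a line and lets the walk continue, and a packet that matches nothing gets the chain policy. The Packet and Rule classes and the sample packets are constructed here; the OUTPUT chain is not modelled.

```python
# Added example: a toy first-match evaluator for the example's INPUT chain.
# It models rule order, the DROP policy, and LOG being non-terminating.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0       # destination port (0 for icmp)
    syn: bool = False    # True for a TCP segment that starts a connection


@dataclass
class Rule:
    target: str                                 # ACCEPT, DROP, REJECT or LOG
    proto: Optional[str] = None                 # -p
    dport: Optional[Tuple[int, int]] = None     # --dport lo:hi (inclusive)
    syn: Optional[bool] = None                  # --syn (True) or ! --syn (False)

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        if self.syn is not None and pkt.syn != self.syn:
            return False
        return True


# The INPUT chain from the example, in the order the rules were appended (-A).
INPUT_CHAIN: List[Rule] = [
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", proto="tcp", dport=(53, 53)),
    Rule("ACCEPT", proto="udp", dport=(53, 53)),
    Rule("LOG",    proto="tcp", dport=(3306, 3306)),
    Rule("REJECT", proto="tcp", dport=(3306, 3306)),
    Rule("LOG",    proto="udp", dport=(3306, 3306)),
    Rule("REJECT", proto="udp", dport=(3306, 3306)),
    Rule("ACCEPT", proto="tcp", dport=(0, 1023), syn=False),   # ! --syn --dport :1023
    Rule("ACCEPT", proto="tcp", dport=(1024, 65535)),          # --dport 1024:
    Rule("ACCEPT", proto="udp", dport=(1024, 65535)),
]


def walk_chain(pkt: Packet, chain: List[Rule] = INPUT_CHAIN,
               policy: str = "DROP") -> Tuple[str, List[str]]:
    """Return (verdict, log_lines): first terminating match wins, else the policy."""
    logs: List[str] = []
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":     # non-terminating: record it and keep walking
            logs.append(f"PROTO={pkt.proto.upper()} DPT={pkt.dport}")
            continue
        return rule.target, logs
    return policy, logs
```

A SYN to port 22 falls through every rule and is dropped by the policy, while a non-SYN segment to the same port is accepted; a SYN to 3306 produces one log line and then a REJECT.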
hosts.allow and hosts.deny
These files include lists of services and who can/can't use them.