70


Chapter 7. Firewalls


The rules will be stored in the file


/etc/sysconfig/iptables


and will be applied whenever the


service is started, restarted, or the machine rebooted.


7.1.3.


INPUT


Filtering


Keeping remote attackers out of a LAN is an important aspect of network security, if not the most


important. The integrity of a LAN should be protected from malicious remote users through the


use of stringent firewall rules. In the following example, The LAN (which uses a private class C


192.168.1.0/24 IP range) rejects telnet access from the outside. The rule for this looks like the follow 


ing:


iptables  A INPUT  p tcp   sport telnet  j REJECT


The rule rejects all outside tcp connections using the telnet protocol (typically port 23) with a


con 


nection refused


error message. Rules using the


  sport


or


  dport


options can use either port


numbers or common service names. So, using both


  sport telnet


and


  sport 23


are accept 


able.


Note


There is a distinction between the REJECT and DROP target actions. The REJECT target denies access


and returns a connection refused error to users who attempt to telnet users. The DROP, as the


name implies, simply drops the packet without any warning to telnet users. Administrators can use


their own discretion when using these targets; however, to avoid user confusion and attempts to


continue connecting, the REJECT target is recommended.


There may be times when certain users require remote access to the LAN from the road or from a


field office. Secure services, such as SSH and CIPE, can be used for encrypted remote connection


to LAN services. For administrators with PPP based resources (such as modem banks or bulk ISP


accounts), dialup access can be used to circumvent firewall barriers securely, as modem connections


are typically behind a firewall/gateway because they are direct connections. However, for remote users


with broadband connections, special cases can be made. You can set


iptables INPUT


to accept


connections from remote SSH and CIPE clients. For example, to allow remote SSH access to the


LAN, the following may be used:


iptables  A INPUT  p tcp   sport 22  j ACCEPT


CIPE connection requests from the outside can be accepted with the following command:


iptables  A INPUT  p udp  i cipcb0


 j ACCEPT


Since CIPE uses its own virtual device which transmits datagram (UDP) packets, the rule allows the


cipcb0 interface for incoming connections, instead of source or destination ports (though they can


be used in place of device options). For information about using CIPE, refer to Chapter 6.


There are other services for which you may need to define


INPUT


rules. Refer to the Official Red Hat


Linux Reference Guide for comprehensive information on


iptables


and its various options.


7.1.4.


OUTPUT


Filtering


There may be instances when an administrator must block certain users on the internal network from


making outbound connections. Perhaps the administrator intends to curtail malicious trojans from


contacting their intended hosts or wants to keep an employee from misusing network resources for








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      web hosting comparison

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved