Archive for September, 2007

628 Part IV: Implementing Network Services in SUSE Linux

Sunday, September 30th, 2007

628 Part IV: Implementing Network Services in SUSE Linux

Logging Dropped Packets

When your firewall has been configured to your liking, you will want to log any traffic that has not been explicitly sanctioned by you. To do this, you need a final rule, placed before the packet hits the default policy for the chain, that uses a target of LOG. The LOG target interprets the TCP/IP packet and logs it via the syslog facility for you to monitor unauthorized traffic. Just logging raw, unauthorized traffic is quite difficult to manage, and thankfully the LOG target enables you to specify a log prefix to distinguish the entry based on the chain it originated from:

bible:~ # iptables -A INPUT -j LOG --log-prefix=INPUT:
bible:~ # iptables -A OUTPUT -j LOG --log-prefix=OUTPUT:
bible:~ # iptables -A FORWARD -j LOG --log-prefix=FORWARD:

In this example, for each chain that a packet traverses, you have appended a rule that will send all packets to the LOG target (-j LOG). The --log-prefix parameter will make sure each packet that is logged is prefixed by INPUT:, OUTPUT:, or FORWARD: (depending on the chain the rule has been appended to). Any traffic that does not get triggered by a rule will be logged using the LOG target before hitting the default policy. For each chain, you are logging the packet details, with a prefix relating to the chain it originated from.

Caution: The location of the LOG rules is of paramount importance. If the LOG target were inserted at the beginning of the chain, all traffic, whether it is allowed or not, would be logged. You will find your logs filling up very quickly if you make this mistake.

Using SuSEfirewall2

SUSE includes its own sysconfig-based firewall script called SuSEfirewall2. The SuSEfirewall script has come a long way since its conception many years ago and provides a robust feature set that can be configured through YaST. For new users who need to set up a quick firewall, this is the perfect option. We would have suggested in years gone by that you should write your own firewall script, but if you do not feel the need to control your rules explicitly, SuSEfirewall produces a robust, secure firewall for most environments.
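The LOG target writes one kernel message per packet: the prefix you set above, followed by IN=, OUT=, SRC=, DST=, PROTO= and (for TCP/UDP) DPT= fields. The following shell script is an added example and not part of the book; it reads such lines as they appear in syslog output, separates them by chain using the INPUT:, OUTPUT: and FORWARD: prefixes, and flags sources that probed several different ports on the INPUT chain. The lines in SAMPLE_LOG are constructed for this example; the addresses, ports and timestamps are invented.

```shell
#!/bin/sh
# Summarise packets logged by the iptables LOG target. Added example, not the
# book's code. Assumes syslog stores kernel messages in the usual
# "<timestamp> <host> kernel: <prefix> IN=... SRC=... DPT=..." layout.

# Constructed sample: the field layout is what the LOG target emits; the
# addresses, ports and times are invented. The last line shows that unrelated
# kernel messages are ignored.
SAMPLE_LOG='Sep 30 10:01:02 bible kernel: INPUT: IN=eth1 OUT= SRC=203.0.113.9 DST=217.41.132.74 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41122 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 30 10:01:05 bible kernel: INPUT: IN=eth1 OUT= SRC=203.0.113.9 DST=217.41.132.74 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41123 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 30 10:02:11 bible kernel: FORWARD: IN=eth0 OUT=eth1 SRC=192.168.1.3 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=100 DF PROTO=TCP SPT=51000 DPT=6667 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 30 10:03:40 bible kernel: OUTPUT: IN= OUT=eth1 SRC=217.41.132.74 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Sep 30 10:04:00 bible kernel: something unrelated from the kernel'

# Read syslog lines on stdin and print one "CHAIN SRC DST PROTO DPT" record per
# LOG entry. The --log-prefix value names the chain; DPT is "-" for ICMP.
parse_log_records() {
    awk '
    /kernel: (INPUT|OUTPUT|FORWARD): / {
        chain = ""; src = ""; dst = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "kernel:")       { chain = $(i + 1); sub(/:$/, "", chain) }
            else if ($i ~ /^SRC=/)   { src = substr($i, 5) }
            else if ($i ~ /^DST=/)   { dst = substr($i, 5) }
            else if ($i ~ /^PROTO=/) { proto = substr($i, 7) }
            else if ($i ~ /^DPT=/)   { dpt = substr($i, 5) }
        }
        if (chain != "") print chain, src, dst, proto, dpt
    }'
}

# Count logged packets per chain and source address, most frequent first.
count_per_chain_source() {
    parse_log_records | awk '{ n[$1 " " $2]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# Sources that hit at least THRESHOLD distinct destination ports on the INPUT
# chain: a crude scan indicator built only from the dropped-packet log.
flag_input_scanners() {
    threshold=$1
    parse_log_records | awk -v t="$threshold" '
    $1 == "INPUT" && $5 != "-" { seen[$2 " " $5] = 1 }
    END {
        for (k in seen) { split(k, p, " "); ports[p[1]]++ }
        for (s in ports) if (ports[s] >= t) print s, ports[s]
    }' | sort
}

# Stand-alone usage; on a real host feed e.g. grep "kernel: " /var/log/messages.
printf '%s\n' "$SAMPLE_LOG" | count_per_chain_source
printf '%s\n' "$SAMPLE_LOG" | flag_input_scanners 2
```

The per-chain prefixes are what make the split cheap: without them every dropped packet looks alike in the log, and distinguishing a blocked inbound probe from a blocked outbound connection from the LAN (the FORWARD line above) would need the IN=/OUT= fields to be interpreted for every entry.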

Chapter 24: Implementing Firewalls in SUSE Linux

Sunday, September 30th, 2007

Chapter 24: Implementing Firewalls in SUSE Linux (page 627)

Internet Control Message Protocol (ICMP) is integral to the working of the Internet. ICMP is used to send status and error messages about the state of the network to interested parties. For example, when you ping a machine, the ping packet and its echo are sent over ICMP. If you cannot access a machine because its network connectivity is not working, you are told this over ICMP, which your application interprets and reports to you as Destination Unreachable.

One traditional cracker attempt to subvert your network is by issuing an ICMP redirect message. This tells a server that a route is unavailable and that traffic for that destination should be routed through another destination. As a minimum, you should allow destination unreachable, source quench (when you need to send smaller packets), and Time to Live (TTL) errors, which occur when the packet has traveled through too many routers without reaching its destination. It is up to you whether you want to allow ping requests or not. Traditionally, you do not enable these, as it gives malicious users another tool during initial investigation for an attack.

To allow these types of ICMP traffic, you need to allow inbound ICMP and some outbound ICMP packets:

bible:~ # iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
bible:~ # iptables -I INPUT -p icmp --icmp-type source-quench -j ACCEPT
bible:~ # iptables -I INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

For each ICMP protocol type you have allowed, you are accepting incoming (that is, destined for the firewall) ICMP traffic that reports destination unreachable, source quench, and TTL exceeded.

Allowing Loopback

It is advisable that you allow loopback traffic on your firewall because many services that you usually assume can communicate internally with each other will fail if you don't. To do this, you can specify that the loopback device should not be restricted:

bible:~ # iptables -A INPUT -i lo -j ACCEPT
bible:~ # iptables -A OUTPUT -o lo -j ACCEPT

In this example, by appending to the INPUT and OUTPUT chains you accept any type of traffic that comes in on (-i) or goes out of (-o) the loopback (lo) device. As the loopback device is not capable of forwarding packets, you do not need to enable traffic through the FORWARD chain.

626 Part IV: Implementing Network Services in SUSE Linux

Saturday, September 29th, 2007

626 Part IV: Implementing Network Services in SUSE Linux

Here, iptables will append to the FORWARD chain, allowing through any TCP traffic that is destined for the SMTP port on 192.168.1.3, entering the firewall on eth1 and leaving on eth0. When set, all traffic destined for port 25 on the firewall's public interface is successfully forwarded to 192.168.1.3.

Redirecting Traffic

What if you want to redirect traffic to a different port on the firewall? This is very common when you are setting up a transparent HTTP proxy with something like Squid or another content proxy. A redirection rule does not redirect to an IP, only to a port. This makes it a local rule to the firewall only. With this in mind, any redirect rules must have a matching INPUT rule allowing the traffic to be accepted on the redirected port.

bible:~ # iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -s 192.168.1.0/24 -j REDIRECT --to-ports 3128
bible:~ # iptables -A INPUT -p tcp --dport 3128 -s 192.168.1.0/24 -j ACCEPT

In the first instance, we have told iptables to append to the PREROUTING chain in the NAT table. Any traffic that is TCP-based, destined for port 80 (HTTP), entering the firewall on eth0 from 192.168.1.0/24 should be redirected to port 3128 on the firewall itself. In the second instance, we have appended to the INPUT chain (traffic destined for the firewall itself), allowing TCP traffic destined for port 3128 (the standard Squid proxy port number) from the 192.168.1.0/24 network. So, any outbound traffic (to the Internet) that is for port 80 (HTTP) will be redirected to port 3128. Assuming that you have Squid running and properly configured as a transparent proxy, all of your web traffic will be automatically cached.

Cross-Reference: For more information on Squid, see Chapter 26.

Allowing ICMP Traffic

It is all well and good having a secure firewall, but you still need to be able to receive ICMP traffic so that your users, you, and other Internet users are aware if there is a problem.

Chapter 24: Implementing Firewalls in SUSE Linux

Saturday, September 29th, 2007

Chapter 24: Implementing Firewalls in SUSE Linux (page 625)

few DROP rules in the FORWARD chain, or do the right thing and deny everything and allow only essential traffic (maybe only HTTP).

Destination NAT

Destination NAT (DNAT) is a nice feature when building netfilter firewalls. It does the exact opposite of the SNAT function by translating the destination address of a network packet into another address. Imagine in the example in Figure 24-2 that you had a mail server on your desktop machine. If you want to give Internet users access to that machine, you can't just tell the firewall that you want everyone to access the IP 192.168.1.3 over port 25; because this is a non-routable address, Internet users would never be able to reach it. To combat this, you can tell netfilter that any traffic destined for port 25 on the public firewall address should be redirected to the machine 192.168.1.3. Any return traffic to the initiating machine will have the source address of the firewall, making the connection routable. And as far as the initiating machine is concerned, it has no idea that the machine it is actually talking to is hidden behind a firewall and is on a non-routable address.

To create the illusion, you need to add a DNAT rule to the NAT table for the Simple Mail Transport Protocol (SMTP) service.

bible:~ # iptables -t nat -A PREROUTING -p tcp --dport smtp -i eth1 -j DNAT --to-destination 192.168.1.3

Here, iptables has been told to work on the NAT table (-t nat) by appending to the PREROUTING chain. You have stated that any traffic that is TCP (-p tcp) based, with a destination port of SMTP (25), and entering the firewall on eth1 should be destination NAT'd to 192.168.1.3. In this case, all traffic for port 25 (SMTP) on the public network interface of the firewall will have its destination address changed to 192.168.1.3. The destination port of 25 will be untouched (we will come to this later).

Note: When enabling DNAT, you have to insert the rules into the PREROUTING chain because a routing decision has to be made on the final destination of the packet. At this point in the netfilter processing, in the PREROUTING chain, the final destination address has not yet been inserted into the packet, so the routing decision needed for successful delivery is still to be made after this.

In the same regard as SNAT, you still need to allow traffic destined for port 25 on 192.168.1.3 to be forwarded through the firewall.

bible:~ # iptables -A FORWARD -p tcp --dport 25 -d 192.168.1.3 -i eth1 -o eth0 -j ACCEPT

624 Part IV: Implementing Network Services in SUSE Linux

Friday, September 28th, 2007

624 Part IV: Implementing Network Services in SUSE Linux

work (-s) and destined to leave the firewall through eth1 (-o) should be source address NAT'd to 217.41.132.74.

In the example, note that we have tried to be as descriptive as possible concerning what traffic should be subject to the SNAT, detailing the source IP address (specifying the network address with netmask) and the network adaptor that the traffic will leave on. You know that the traffic you need to be SNAT'd will leave the eth1 interface because you want to SNAT only traffic that is heading out to the Internet. This can be through the eth1 interface only. Any traffic that is sent back to the machines behind the firewall (for example, during the three-way handshake) will be translated back by the firewall (it remembers connection states) and the destination address will automatically be set to the address of the machine on the private network that initiated the connection.

Allowing the Packets to Be Forwarded

It is all well and good setting up SNAT, but the astute among you will probably realize that you have already told netfilter not to allow any forwarded traffic through the firewall (the default FORWARD policy is DROP). To correct this, you need to allow the firewall to forward these packets before they can be manipulated by the SNAT rule. To do this, you need to enable forwarding for traffic from the private network to the Internet:

bible:~ # iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -o eth1 -j ACCEPT

Here, iptables is being used to append (-A) to the FORWARD chain (any traffic that enters and then leaves the firewall on separate interfaces). Any traffic from the 192.168.1.0/24 network entering the firewall on interface eth0 and leaving on interface eth1 will be allowed through. Again, we are relying on the fact that any traffic coming in on eth0 and leaving on eth1 that is from 192.168.1.0/24 will be traffic we want to go out to the Internet.

Tip: In this example, we have been quite liberal in what we are allowing our users to access on the Internet. It is usually the policy of most companies that IM clients, P2P, and IRC should not be allowed from the corporate network. As it stands, users can access anything on the Internet as if they were directly connected. For the home network example, this is fine because the users are trusted. However, if you are implementing a corporate firewall, you will probably need to have quite a

Chapter 24: Implementing Firewalls in SUSE Linux

Friday, September 28th, 2007

Chapter 24: Implementing Firewalls in SUSE Linux (page 623)

Figure 24-2: Network using a netfilter firewall. (Figure labels: Internet; eth1 217.41.132.74; Linux Firewall / SUSE Linux; eth0 192.168.1.1; 192.168.1.0/24 DHCP; AirPort; OS X; 192.168.1.3.)

Note: ECN is short for Enhanced Congestion Notification. This is a new feature of TCP/IP that allows machines to notify you that a network route is congested. It is a great feature, but unfortunately it is not in widespread circulation and can stop your network traffic from traversing the Internet correctly if it goes through a router that does not support ECN.

Tip: We have been on customer sites where their networks just stopped working for certain sites for no reason. Turning off ECN fixed this.

When IP forwarding has been enabled, you can insert the SNAT rule into the POSTROUTING chain. In the home network, you need to source NAT all the internal traffic (192.168.1.0/24) to the firewall public address of 217.41.132.74. To do this, you need to insert a SNAT rule into the NAT table. The NAT table is used specifically for address translation rules. This includes source and destination address translation.

bible:~ # iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j SNAT --to-source 217.41.132.74

Here, we have told iptables to edit the nat table (-t nat) by appending a rule to the POSTROUTING chain. We have stated that any traffic from the 192.168.1.0/24 net-

622 Part IV: Implementing Network Services in SUSE Linux

Thursday, September 27th, 2007

622 Part IV: Implementing Network Services in SUSE Linux

Network Address Translation

While one of the main uses of netfilter is its packet filtering functions, another very important aspect of netfilter is its NAT functions. Network Address Translation (NAT) is the process whereby the source or destination IP address of a packet is seamlessly changed when it passes through the firewall.

Cross-Reference: Chapter 6 contains more information about NAT.

Source NAT

Source NAT (SNAT) works on packets forwarded through the firewall before a packet leaves for the outbound network. For this to work, you must deal with the packets before any routing decisions have been made, and the POSTROUTING chain must be used to implement Source NAT. The main purpose of SNAT is to hide private networks behind a firewall with a public IP address. This drastically reduces the cost of acquiring public IP addresses and allows you to use non-routable addresses in your internal network.

The POSTROUTING chain deals with any packets that are about to be sent out to the network card. This includes any packets that are routed on to other destinations. In the case of SNAT, this is the only chain that you want to use because, for example, it makes no sense to source NAT traffic coming into the firewall on the INPUT chain.

Figure 24-2 details a home network that uses netfilter to SNAT our internal network. In this scenario, all of the machines are behind a netfilter firewall that not only protects the machines, but also provides SNAT for outgoing connections.

For SNAT to work, IP forwarding must be enabled. To do this, enter a 1 into /proc/sys/net/ipv4/ip_forward.

bible:~ # echo 1 > /proc/sys/net/ipv4/ip_forward

This will immediately enable IP forwarding on your Linux machine. This is a volatile operation, and once your machine has been rebooted, IP forwarding will be turned off by default.

Note: To set IP forwarding on by default, edit the file /etc/sysconfig/sysctl, change IP_FORWARD from no to yes, and re-run SuSEconfig. While editing the sysctl file, make sure that DISABLE_ECN is set to yes.
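The SNAT, DNAT and REDIRECT rules of this chapter each depend on a filter rule that is easy to forget: the FORWARD rule that lets SNAT'd traffic out, the FORWARD rule that lets DNAT'd traffic reach the internal host, and the INPUT rule that accepts REDIRECTed traffic on the proxy port. The following shell script is an added example (not the book's script and not SuSEfirewall2) that writes the home-network rule set in iptables-restore format and checks that every DNAT has a matching FORWARD rule and every REDIRECT a matching INPUT rule. Interface names, addresses and the Squid port are those used in the chapter; nothing is loaded into the kernel, the rules are only printed.

```shell
#!/bin/sh
# Generate the chapter's NAT and forwarding rules as an iptables-restore file
# and check that every translation has the filter rule it depends on.
# Added example, not the book's code. Nothing here touches the running kernel.

LAN_NET=192.168.1.0/24   # private network behind the firewall (chapter's value)
LAN_IF=eth0              # internal interface, 192.168.1.1
WAN_IF=eth1              # public interface, 217.41.132.74
PUBLIC_IP=217.41.132.74
MAIL_HOST=192.168.1.3    # internal host receiving DNAT'd SMTP
PROXY_PORT=3128          # Squid port for the REDIRECT rule

nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# SNAT: hide the LAN behind the public address on the way out (POSTROUTING)
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP
# DNAT: inbound SMTP on the public interface goes to the internal mail host
-A PREROUTING -p tcp --dport 25 -i $WAN_IF -j DNAT --to-destination $MAIL_HOST
# REDIRECT: LAN web traffic is diverted to the transparent proxy on the firewall
-A PREROUTING -p tcp --dport 80 -i $LAN_IF -s $LAN_NET -j REDIRECT --to-ports $PROXY_PORT
COMMIT
EOF
}

filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# needed by SNAT: LAN -> Internet may be forwarded
-A FORWARD -s $LAN_NET -i $LAN_IF -o $WAN_IF -j ACCEPT
# needed by DNAT: Internet -> mail host, port 25 only
-A FORWARD -p tcp --dport 25 -d $MAIL_HOST -i $WAN_IF -o $LAN_IF -j ACCEPT
# needed by REDIRECT: the proxy port lives on the firewall itself
-A INPUT -p tcp --dport $PROXY_PORT -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

ruleset() { nat_rules; filter_rules; }

# Read a rule set on stdin. Each DNAT needs a FORWARD ACCEPT for its target
# host and port; each REDIRECT needs an INPUT ACCEPT for its port. Prints
# what is missing and exits 1, or prints "ok".
check_ruleset() {
    awk '
    function opt(name,   i) { for (i = 1; i <= NF; i++) if ($i == name) return $(i + 1); return "" }
    $1 == "-A" && $2 == "PREROUTING" && /-j DNAT/     { need_fwd[opt("--to-destination") " " opt("--dport")] = 1 }
    $1 == "-A" && $2 == "PREROUTING" && /-j REDIRECT/ { need_in[opt("--to-ports")] = 1 }
    $1 == "-A" && $2 == "FORWARD" && /-j ACCEPT/      { have_fwd[opt("-d") " " opt("--dport")] = 1 }
    $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/        { have_in[opt("--dport")] = 1 }
    END {
        bad = 0
        for (k in need_fwd) if (!(k in have_fwd)) { print "missing FORWARD rule for DNAT to " k; bad = 1 }
        for (k in need_in)  if (!(k in have_in))  { print "missing INPUT rule for REDIRECT to port " k; bad = 1 }
        if (!bad) print "ok"
        exit bad
    }'
}

# Stand-alone usage: print the rule set, then verify it.
ruleset
ruleset | check_ruleset
```

On the firewall itself the printed file would be loaded with iptables-restore after IP forwarding has been enabled as described above; the check is cheap enough to run before every load, and feeding it only the nat table (nat_rules | check_ruleset) shows the two complaints it raises when the filter side has been forgotten.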

Chapter 24: Implementing Firewalls in SUSE Linux

Thursday, September 27th, 2007

Chapter 24: Implementing Firewalls in SUSE Linux (page 621)

When setting up a rule for connections, you really need to know how the protocol works. In the case of SSH, it is well known that it is a TCP protocol, running on port 22. With this in mind, it is relatively easy to write a rule for it. It is up to you how you want to write the rule regarding the state of the connection, but because the initial INPUT state rule has already allowed all ESTABLISHED and RELATED connections, you do not need to explicitly set the state to NEW: by not setting a state at all, you have effectively allowed all connection types for SSH.

Caution: When you do not specify something explicitly with an iptables rule, it is assumed that you want the default setting. For example, if you did not set the interface for the incoming connection, netfilter would have allowed an SSH connection on all network interfaces. This is indeed the same for the protocol type and the destination port. Be very careful how you write your rules, and make sure you explicitly set everything you want to control; otherwise you will probably let in more than you think.

For any incoming connections you want to have on a firewall, you can append a rule in the same way you did with the SSH connection.

The Order of Rules

You must be very conscious of the order you set rules in a chain because netfilter passes the TCP/IP packet through the rules in the order they are inserted into the kernel. If you want to insert a rule at the top of the list (that is, making it the first rule that is executed), you can use the -I (insert) parameter to iptables. For example, if you are allowing SSH into your firewall from the Internet, but you know that you do not want a certain IP address to have access to SSH, you have to insert the REJECT/DROP rule before the general SSH rule:

iptables -A INPUT -p tcp --dport ssh -i eth0 -j ACCEPT
iptables -I INPUT -p tcp --dport ssh -i eth0 -s 10.32.1.4 -j DROP

In this example, using the -s option to specify a source IP address, we have inserted the DROP rule before the general SSH acceptance rule. When a TCP/IP packet enters a chain, it is checked against each rule in order. If one of the rules matches the TCP/IP packet, it is immediately sent to the target specified (ACCEPT, DROP, REJECT). In the case of our inserted SSH DROP rule, it fires off packets from that address destined for the SSH port to the DROP target before they get to the ACCEPT SSH rule. In essence, all the TCP/IP packets go sequentially through every rule in the chain until they are directed to a target. If none of the rules fires off a packet to a target, that packet is dealt with by the default policy, which is to drop the packet in this case.

620 Part IV: Implementing Network Services in SUSE Linux

Wednesday, September 26th, 2007

620 Part IV: Implementing Network Services in SUSE Linux

This may seem like quite a big security hole, but bear in mind that it will allow only a connection that has been established, not a new connection. For the stateful rules to kick in, you would already have had to allow a new connection through the chain. Depending on how paranoid you are about security, you may not want to allow all new connections from the firewall itself. However, if you want to use the firewall machine as a server, or want to be able to bounce from the machine to other hosts without the burden of setting up new rules for every protocol or TCP port you want to connect to, it is quite useful.

At this point, your firewall is locked down with the exception of allowing outgoing connections. Now, suppose you want to allow an incoming SSH connection to the firewall.

Adding a Rule

When you add a rule proper, you need to specify as much information as possible to have full control over the TCP/IP packets you are allowing into the trusted network. At a minimum, you need the chain, protocol, and destination port. With just this information, you do not have a very good rule, because it does not specify the interface you are allowing the SSH connection on. Another option that can be set is the connection type:

- NEW: This is a new connection; no other traffic is associated with this packet.
- ESTABLISHED: This packet is from a machine you already have a connection to (remember, you both send and receive data when a connection exists).
- RELATED: This packet is related to an existing connection. The FTP protocol, for example, makes a connection to the FTP server, and the FTP server actually makes a separate connection back to the client. This separate connection from the server to the client is a RELATED connection.

iptables -A INPUT -p tcp --dport ssh -i eth0 -j ACCEPT

In this example, you have told netfilter that you want to append (-A) a rule to the INPUT chain, specifying the TCP protocol (-p tcp), with a destination port (--dport) of ssh (port 22), incoming (-i) on the eth0 interface, and finally that you want to ACCEPT the packet (-j ACCEPT). The -j parameter means jump to a target. Remember that netfilter rules are in a chain, so you are saying, "Stop processing this chain because you have a match and jump to the target," in this case ACCEPT.

Note: The --dport parameter can take either a numerical port number or a service name that is specified in /etc/services.

Chapter 24: Implementing Firewalls in SUSE Linux

Wednesday, September 26th, 2007

Chapter 24: Implementing Firewalls in SUSE Linux (page 619)

For example, previously, if you wanted to allow an incoming connection to SSH on the firewall, you had to first allow the incoming connection and also the return traffic from the SSH server to the client. With stateful firewalls, you can tell the firewall to manage the subsequent outgoing connection automatically because it is aware that an incoming connection to the machine will produce traffic in the opposite direction. It does this by storing the state of a connection and acting upon it with connection tracking. To enable stateful connection tracking, you need to enable states in the firewall. We discuss this in a small firewall script later in the chapter.

Setting Your First Rules

Before you touch upon setting more specific rules, you need to set the default policy for the firewall and enable some state rules (see Listing 24-2).

Listing 24-2: Setting Initial Firewall Rules

bible:~ # iptables -P INPUT DROP
bible:~ # iptables -P OUTPUT DROP
bible:~ # iptables -P FORWARD DROP
bible:~ # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
bible:~ # iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
bible:~ # iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Here, you have set the default policy for all chains to drop the packets. At this moment in time, all network connections, regardless of their originating address, will be dropped. To set or change the policy of a chain, you need to specify that this is a policy edit (-P), the chain (INPUT, OUTPUT, or FORWARD), and also what to do with the packet.

It's a secure feeling knowing that any connection from the Internet that you do not need is dropped and the sender has to wait for a timeout before being notified. Imagine someone running a port scan of all 64,000 available ports on a TCP/IP machine. If they have to wait for a timeout on each port, it will take them quite a few hours to complete the full scan. It provides a kind of tar pit for any malicious users. This is also true for internal connections. If your users are interested in what they can and cannot connect to, without reading the network rules, then making them wait will, one hopes, deter them from pushing the network too hard.

You have also configured the stateful firewall with the -m state declaration. This tells the firewall that you will allow any established or related connections on the INPUT chain.
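To make the first-match behaviour concrete, here is an added shell example (not from the book) that writes the chapter's filter rules in the order the text prescribes (DROP policies, state rules, loopback, ICMP, the per-address SSH DROP ahead of the general SSH ACCEPT, and the LOG rules last) and then evaluates constructed packets against them the way netfilter would: rules are tried in order, the first terminating match decides, LOG matches but does not terminate, and an unmatched packet falls through to the chain policy. It also checks for the mistake the Caution on logging warns about, a rule placed after the LOG rule. The blocked address 10.32.1.4 and the interface names are the chapter's; the sample packets and the 203.0.113.5 address are constructed.

```shell
#!/bin/sh
# Build the chapter's filter rules in the prescribed order and walk packets
# through them with the same first-match semantics netfilter uses.
# Added example, not the book's script; nothing is loaded into the kernel.

filter_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type source-quench -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p tcp --dport 22 -i eth0 -s 10.32.1.4 -j DROP
-A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT: "
-A OUTPUT -j LOG --log-prefix "OUTPUT: "
-A FORWARD -j LOG --log-prefix "FORWARD: "
COMMIT
EOF
}

# verdict CHAIN IFACE PROTO DPORT SRC STATE ICMPTYPE  (use "-" for unused)
# Reads the rule set on stdin; prints "<target> LOG" or "<target> -" depending
# on whether the packet also hit the LOG rule before its final target.
verdict() {
    awk -v chain="$1" -v iface="$2" -v proto="$3" -v dport="$4" -v src="$5" -v state="$6" -v icmptype="$7" '
    function ip2int(a,   p) { split(a, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
    # "a.b.c.d" must be equal; "a.b.c.d/bits" compares network prefixes.
    function addr_match(spec, ip,   q) {
        if (index(spec, "/") == 0) return spec == ip
        split(spec, q, "/")
        return int(ip2int(q[1]) / 2 ^ (32 - q[2])) == int(ip2int(ip) / 2 ^ (32 - q[2]))
    }
    # Value following an option such as "--dport", or "" when the rule omits it
    # (an omitted match means "any", which is the Caution in the chapter).
    function opt(name,   i) { for (i = 1; i <= NF; i++) if ($i == name) return $(i + 1); return "" }
    BEGIN { policy_line = ":" chain; logged = "-"; result = "" }
    $1 == policy_line { policy = $2 }
    result == "" && $1 == "-A" && $2 == chain {
        v = opt("-p");          if (v != "" && v != proto) next
        v = opt("--dport");     if (v != "" && v != dport) next
        v = opt("-i");          if (v != "" && v != iface) next
        v = opt("-o");          if (v != "" && v != iface) next
        v = opt("-s");          if (v != "" && !addr_match(v, src)) next
        v = opt("--icmp-type"); if (v != "" && v != icmptype) next
        v = opt("--state");     if (v != "" && index("," v ",", "," state ",") == 0) next
        target = opt("-j")
        if (target == "LOG") { logged = "LOG"; next }   # LOG never ends the chain walk
        result = target
    }
    END { out = (result == "" ? policy : result); print out, logged }'
}

# Reads a rule set on stdin and reports any rule appended after a chain's LOG
# rule: such a rule is still reachable, but everything it accepts gets logged.
check_log_last() {
    awk '
    BEGIN { bad = 0 }
    $1 == "-A" {
        c = $2
        if (seen_log[c] && $0 !~ /-j LOG/) { print "rule after LOG in " c ": " $0; bad = 1 }
        if ($0 ~ /-j LOG/) seen_log[c] = 1
    }
    END { if (!bad) print "ok"; exit bad }'
}

# Stand-alone usage: order check, then a few constructed packets.
filter_ruleset | check_log_last
for pkt in "INPUT eth0 tcp 22 10.32.1.4 NEW -" "INPUT eth0 tcp 22 203.0.113.5 NEW -" \
           "INPUT eth1 tcp 23 203.0.113.5 NEW -" "INPUT eth1 icmp - 203.0.113.5 NEW time-exceeded"; do
    echo "$pkt -> $(filter_ruleset | verdict $pkt)"
done
```

The two SSH packets show why -I was needed in the chapter: the packet from 10.32.1.4 meets the DROP rule first and never reaches the ACCEPT, while the same packet from another address passes the DROP rule (its -s does not match) and is accepted. The telnet packet on eth1 matches nothing terminating, is logged, and then takes the INPUT policy of DROP; moving the LOG rule above the ACCEPTs would make check_log_last complain and would log the accepted SSH session as well.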