Step 6
Adding additional walls to keep the uninvited out:
Firewalls are software that you use to build added protection against unauthorized access to your machine. Two
of the most popular methods of building a firewall on your linux box are ipchains (supported under 2.2.x kernels)
and iptables (supported under 2.4.x kernels). Here I will give you some very basic examples of both with links to
more information.
IP CHAINS:
Here are some examples on how to block ports using ipchains.
ipchains -A INPUT -p all -s 0/0 -d 207.18.130.11 21 -j DENY
ipchains -A INPUT -p all -s 0/0 -d 207.18.130.11 53 -j DENY
ipchains -A INPUT -p all -s 0/0 -d 207.18.130.11 110 -j DENY
Now lets examine these:
- ipchains is the program we use to manage these rules in our system
- -A is telling it to add the rule
- INPUT is to make this apply to incoming packets to our system
- -p all is to set this rule to all supported protocols, other options would be TCP,UDP,ICMP if you wish to only do certain protocols
- -s 0/0 is setting it to everything, if for some reason you wanted to specify a specific ip or network you could do so here
- -d 207.18.130.11 is setting the rule for any packets with a destination of 207.18.130.11 are to be judged by this rule, this of
course would be the ip address of your machine
- 23, 53, 110 are the ports these rules apply to
- -j DENY sets what is to be done with packets that meet this rule, other options are REJECT, and FORWARD
Remember that this is a simple example of ipchains and by no means all you should know about them. One good resource is
http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
IP TABLES:
Here are some examples on how to block ports using iptables.
iptables -A INPUT -p TCP -s 0/0 -d 207.18.130.11 --dport 21 -j DROP
iptables -A INPUT -p UDP -s 0/0 -d 207.18.130.11 --dport 21 -j DROP
- iptables is the program we use to manage these rules in our system
- -A is telling us to append this rule to the rest
- INPUT is to make this apply to incoming packets to our system
- -p TCP or -p UDP is setting the protocol type for this rule, I have found that -p all doesn't seem to work in iptables
- -s 0/0 is setting it to everything
- -d 207.18.130.11 is setting the rule for any packets with a destination of 207.18.130 are to be judged by this rule,
this of course would be the ip address of your machine
- --dport is setting the port of the rule for 21
- -j DROP set what is to be done with packets the meet this rule
Remember that this is a simple example of iptables and by no means all you should know about them. One good resource is
http://netfilter.samba.org/documentation/index.html#HOWTO
|
