Let's take a closer look at the building blocks that make up a complete Linux security system and see how all the pieces fit together to secure the enterprise network.
NETWORK-LAYER FILTERING
While a good perimeter defense system spans multiple layers, the Network (IP) layer often remains the most vulnerable. From its inception, the Linux kernel was implemented to support filtering of both incoming and outgoing IP packets, based on a user-specified set of access-control rules.
The ipchains utility lets the Linux system administrator interact with the kernel to specify these rules. The name "chains" refers to the sequential nature in which the kernel consults rules belonging to the same chain. The ipchains syntax is succinct and intuitive. For example, if you want to accept all outbound traffic while restricting inbound traffic to SMTP only, you would use the following statements:
% ipchains -A output -s 132.23.44.0/24 -i eth0 -j ACCEPT
% ipchains -A input -p TCP --dport 25 -i eth0 -j ACCEPT
% ipchains -A output -i eth0 -j DENY
% ipchains -A input -i eth0 -j DENY
The first line appends a rule to the output chain that accepts packets whose source addresses are in the 132.23.44.0 network block (the local network) and that leave through the first Ethernet interface (eth0). Conversely, the second line instructs the kernel to accept incoming traffic from any source (no -s switch is present), as long as the destination TCP port number (--dport) is the one that corresponds to SMTP (25). The third and fourth lines simply declare a deny-all stance, where the default action is to block all traffic on all chains unless otherwise permitted by a previous rule. Because the kernel stops at the first matching rule, the DENY rules must come last in each chain. I strongly recommend that you adopt a similar strategy.
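As an added example (not code from the article), the following script generates the same deny-all rule set for an arbitrary local network block, interface and list of permitted inbound TCP ports, and checks that no ACCEPT rule is placed after a chain's DENY rule, where it would never be reached. The network, interface and port values are constructed samples; nothing is applied to the kernel.

```shell
#!/bin/sh
# Added example, not from the article. Emits ipchains commands in the
# article's order: flush, ACCEPT rules, then the deny-all rules last.
# Arguments: local network block, interface, permitted inbound TCP ports.
gen_rules() {
    net="$1"; iface="$2"; shift 2
    # Start from empty chains so stale rules cannot shadow the new ones.
    echo "ipchains -F input"
    echo "ipchains -F output"
    # Outbound: only packets sourced from our own block may leave via the interface.
    echo "ipchains -A output -s $net -i $iface -j ACCEPT"
    # Inbound: one ACCEPT per permitted TCP service port (no -s: any source).
    for port in "$@"; do
        echo "ipchains -A input -p TCP --dport $port -i $iface -j ACCEPT"
    done
    # Deny-all last: the kernel walks a chain top to bottom and stops at the first match.
    echo "ipchains -A output -i $iface -j DENY"
    echo "ipchains -A input -i $iface -j DENY"
}

# Reads a rule list on stdin; exits 0 if no ACCEPT follows its chain's DENY,
# 1 if an ACCEPT is shadowed (a late ACCEPT after DENY is never consulted).
check_order() {
    awk '
        /-A input .* -j DENY/            { deny_in = 1 }
        /-A output .* -j DENY/           { deny_out = 1 }
        /-A input .* -j ACCEPT/ && deny_in   { bad = 1 }
        /-A output .* -j ACCEPT/ && deny_out { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Sample run with constructed values: the article's network, eth0, SMTP only.
gen_rules 132.23.44.0/24 eth0 25
```

Review the printed commands before piping them to a shell on the firewall host. Note that ipchains filters statelessly, so replies to connections opened from the inside must also be permitted explicitly if outbound access is expected to work.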