Linux IP Tables - a Pathway to Success
Novell Cool Solutions: Trench
By Joe Doupnik
Posted: 9 Apr 2004
Have you thought about the quality of the IP filter protecting your Linux server? Good. How about knowing just what it does, and maybe does not do unexpectedly? Right, you have much company there; the subject is rather complicated (a politically correct term this month).
I faced these issues last summer, became confused and annoyed, and decided to dig into the iptables affair in some depth. I came away with a really nice, short, highly effective IP filter which I knew worked and had no back doors to cause trouble. I also created design rules which help us analyze our situation and create such simple effective rules by starting with plain English (insert natural language of choice) descriptions of what we need.
Curiously, as I worked on the problem and looked at filters written by many people and several major vendors, I discovered that most folks were in the same situation as I was: willing but slightly befuddled. The iptables folks are not helping much with their obscure documentation; I had to read kernel source code for some aspects. Thus we can waste a lot of time and effort trying to copy items which are inherently confusing or mysterious to us, and our faith in the results is minimal. My servers deserved better.
One rule I created was to place all the IP filtering rules in one place, one file, and keep it as simple as possible. Then even I had a chance of comprehending the whole thing, and I could place faith in what I could check carefully. By way of contrast, the vendor-supplied filtering material is spread over many, many files, is tied to configuration programs, has nearly invisible ways of adding yet more openings to the filter, and, worse, is nearly impossible for me to read.
Another rule was that whatever filter I wrote had to survive patches and upgrades to the main operating system. I could not be expected to remember to tweak an obscure file in an obscure way, only to have it replaced with new magic in the next release. A corollary was that I would not damage files created by the vendor. I did find a simple, useful way, and it works on a variety of Linux distributions. In fact, the same set of filter rules also works on each of those distributions.
A third rule was to segregate regions of trust. There is the world, then my large site, then my server farm, each a separate zone. Each has a different degree of trust and can be offered different services. I found ways of expressing these conditions compactly and clearly and was able to maintain them later. From the world's perspective my servers are truly invisible, except for the particular services I choose to expose. Yet I am able to reach outward from them and do all manner of system admin chores touching the world.
That should be enough to get you thinking about the subject. Each site is different, each machine may have different degrees of exposure and offerings. One size does not fit all.
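To make the three rules concrete, here is an added example of a single-file filter built along those lines. It is my illustration, not the filter from the author's course material. Everything site-specific in it is an assumption: eth0 faces the world and eth1 faces the inside; the site and the server farm use the documentation ranges 192.0.2.0/24 and 198.51.100.0/24; the exposed services are SSH and ping from the site, HTTP and HTTPS from the world, and anything from the farm. The script prints the policy as plain iptables commands by default and only applies them when asked, so the whole rule set can be read and checked before it touches the kernel.

```shell
#!/bin/sh
# Added example, not the article's own filter: one file, three trust zones,
# default-deny inbound, free outbound. Interface names, networks and the
# exposed services below are assumptions chosen for illustration.
IPT=${IPT:-iptables}
WORLD_IF=${WORLD_IF:-eth0}          # assumed: faces the world
INSIDE_IF=${INSIDE_IF:-eth1}        # assumed: faces site and server farm
SITE_NET=${SITE_NET:-192.0.2.0/24}  # assumed site range (documentation prefix)
FARM_NET=${FARM_NET:-198.51.100.0/24}  # assumed farm range (documentation prefix)

# Print the whole policy as plain commands so it can be read and diffed.
emit_rules() {
    cat <<EOF
$IPT -F
$IPT -X
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# Replies to anything we started outbound come back through this one rule.
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m state --state INVALID -j DROP
# Inside addresses arriving on the world interface are spoofed: drop them.
$IPT -A INPUT -i $WORLD_IF -s $SITE_NET -j DROP
$IPT -A INPUT -i $WORLD_IF -s $FARM_NET -j DROP
# Server farm: fully trusted, but only on the inside interface.
$IPT -A INPUT -i $INSIDE_IF -s $FARM_NET -j ACCEPT
# Site: administration and ping only.
$IPT -A INPUT -i $INSIDE_IF -s $SITE_NET -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i $INSIDE_IF -s $SITE_NET -p icmp --icmp-type echo-request -j ACCEPT
# World: the published services and nothing else.
$IPT -A INPUT -i $WORLD_IF -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -i $WORLD_IF -p tcp --dport 443 -j ACCEPT
# Everything else falls through to the DROP policy; log a sample of it.
$IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "ipt-drop: "
EOF
}

# Self-check: the stateful accept must precede every per-service opening,
# so outbound admin sessions keep working no matter how the service rules
# below it are edited later.
check_order() {
    rules=$(emit_rules)
    st=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED' | head -n 1 | cut -d: -f1)
    first_new=$(printf '%s\n' "$rules" | grep -n -e '--dport' | head -n 1 | cut -d: -f1)
    [ -n "$st" ] && [ -n "$first_new" ] && [ "$st" -lt "$first_new" ]
}

# How many TCP ports the world can reach: the number you should be able to
# recite from memory for each server.
world_ports() {
    emit_rules | grep -e "-i $WORLD_IF" | grep -e '--dport' | grep -c ACCEPT
}

# Apply the policy (needs root); refuse if the self-check fails.
apply_rules() {
    check_order || { echo "policy check failed, not applied" >&2; return 1; }
    emit_rules | sh
}

case "${1:-show}" in
    show)  emit_rules ;;
    apply) apply_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it with no argument to review the rule set, and with `apply` as root to load it. Keeping the script outside the vendor's configuration tree and calling it from a boot-time hook of your distribution is what lets it survive upgrades without touching any vendor file.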
At BrainShare/US this year Gary Porter and I did a joint presentation on Linux security, as TUT303 (look it up in the BrainShare Session catalog). I had to explain to the audience that the nitty-gritty of all this was in my commercial course presentations on Linux, but I would outline the concepts for them. That sort of worked. Then the light dawned. Why not make a CD with the material, at reasonable cost, and help many more folks than I could by visiting sites? I'm a slow learner, but I get there.
We have just put the finishing touches on such a CD-ROM and are offering it through MindWorks Inc Ltd in the UK. Check here for details.
Enjoy your copy of SUSE Linux. It's a good starting point.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com