search

Red Hat NETSCAPE MANAGEMENT SYSTEM 6.2 - COMMAND-LINE Guida di Installazione Pagina 26

  • Scaricare
  • Aggiungi ai miei manuali
  • Stampa
  • Pagina
    / 82
  • Indice
  • SEGNALIBRI
    • Valutato. / 5. Basato su recensioni clienti
Vedere la pagina 25
−d <IP address> [port]: This rule only applies to the destination address as specified.
Also, it may include port or port range.
−l : Any packet that hits a rule with this option is logged (lower case "L").
−j ACCEPT: Jumps to the "ACCEPT" "target". This effectively terminates this chain and
decides the ultimate fate for this particular packet, which in this example is to "ACCEPT" it.
The same is true for other −j targets like DENY.
By and large, the order in which command line options are specified is not significant. The chain name (e.g.
input) must come first though.
Remember in Step 1 when we ran netstat, we had both X and print servers running among other things. We
don't want these exposed to the Internet, even in a limited way. These are still happily running on bigcat, but
are now safe and sound behind our ipchains based firewall. You probably have other services that fall in this
category as well.
The above example is a simplistic all or none approach. We allow all our own outbound traffic (not
necessarily a good idea), and block all inbound connection attempts from outside. It is only protecting one
interface, and really just the inbound side of that interface. It would more than likely require a bit of fine
tuning to make it work for you. For a more advanced set of rules, see the Appendix. And you might want to
read http://tldp.org/HOWTO/IPCHAINS−HOWTO.html.
Whenever you have made changes to your firewall, you should verify its integrity. One step to make sure
your rules seem to be doing what you intended, is to see how ipchains has interpreted your script. You can do
this by opening your xterm very wide, and issuing the following command:
# ipchains −L −n −v | less
The output is grouped according to chain. You should also find a way to scan yourself (see the Verifying
section below). And then keep an eye on your logs to make sure you are blocking what is intended.
5.2.2. iptables
iptables is the next generation packet filter for Linux, and requires a 2.4 kernel. It can do everything
ipchains can, but has a number of noteworthy enhancements. The syntax is similar to ipchains in many
respects. See the man page for details.
The most noteworthy enhancement is "connection tracking", also known as "stateful inspection". This gives
iptables more knowledge of the state of each packet. Not only does it know if the packet is a TCP or UDP
packet, or whether it has the SYN or ACK flags set, but also if it is part of an existing connection, or related
somehow to an existing connection. The implications for firewalling should be obvious.
The bottom line is that it is easier to get a tight firewall with iptables, than with ipchains. So this is the
recommended way to go.
Here is the same script as above, revised for iptables:
Security Quick−Start HOWTO for Red Hat Linux
5.2.2. iptables 23
Vedere la pagina 25
1 2 ... 21 22 23 24 25 26 27 28 29 30 31 ... 81 82

Commenti su questo manuale

Nessun commento
  • Exceleram Netcom Runco Elicom Arctic
  • JVC Radio-CD Frigidaire Frigoriferi Cirago Docking station per HDD/SSD Alpine Amplificatore per strumenti musicali Ninja Kit per auto
  • Safco 3391BV LG ST600 American DJ Revo 4 Acer CB281HK Samsung GT-C5220
  • Electrolux EWS1052NDU Manuale Utente Hunter 83002 Manuale delle Istruzioni Samsung ME32C Manuale Utente Lg MR6549DRL Manuale Utente Samsung T200 Manuale Utente