# Anything that belongs to, or is related to, a connection already in the
# connection-tracking table is let in (replies to connections we opened).
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections are accepted only if they do NOT arrive on the WAN interface
# (the original used the older "-i ! $WAN_IFACE" spelling of this negation).
$IPTABLES -A INPUT -m state --state NEW ! -i $WAN_IFACE -j ACCEPT
# Everything else is logged (rate-limited, with a prefix to grep for) before
# it falls through to the chain's DROP policy.
$IPTABLES -A INPUT -j LOG -m limit --limit 30/minute --log-prefix "Dropping: "
echo "Iptables firewall is up `date`."
##-- eof iptables.sh
The same script logic is used here, so this does essentially what the ipchains script in the previous section
does. There are some subtle differences in syntax. Note the case difference in the chain names, for one
(INPUT vs input). Logging is handled differently too: it now has its own "target" (-j LOG), and is much
more flexible. Here it is rate-limited with -m limit so a flood of unwanted packets cannot fill the logs, and
given a prefix so the entries are easy to find.
There are some very fundamental differences as well, which might not be so obvious. Recall this section
from the ipchains script:
# Accept non-SYN TCP, and UDP connections to LOCAL_PORTS. These are the high,
# unprivileged ports (1024 to 4999 by default). This will allow return
# connection traffic for connections that we initiate to outside sources.
# TCP connections are opened with 'SYN' packets. We have already opened
# those services that need to accept SYNs for, so other SYNs are excluded here
# for everything else.
$IPCHAINS -A input -p tcp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS ! -y -j ACCEPT
# We can't be so selective with UDP since that protocol does not know
# about SYNs.
$IPCHAINS -A input -p udp -s $ANYWHERE -d $WAN_IP $LOCAL_PORTS -j ACCEPT
We jumped through hoops here with ipchains so that we could restrict unwanted incoming connections as
much as possible. A bit of a kludge, actually: the "! -y" rule accepts any TCP packet without the SYN flag
that is aimed at a high port, whether or not we ever opened that connection, so an unsolicited ACK or FIN
probe to those ports gets through. UDP gets no protection at all on those ports.
That section is missing from the iptables version. It is not needed, because connection tracking handles
this quite nicely, and then some. This is the "statefulness" of iptables. It knows more about each packet
than ipchains does. For instance, it knows whether the packet opens a "new" connection, belongs to an
"established" connection, or is "related" to one (an FTP data connection or an ICMP error message, for
example). This is the so-called "stateful inspection" of connection tracking. A packet that matches no
tracked connection is not ESTABLISHED, so in the script above it falls through to the LOG rule and is
dropped, regardless of which flags it carries or which port it is aimed at.
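To make that difference concrete, here is an added illustration, written for this edit and not code from the HOWTO. It does not call ipchains or iptables; it re-implements the decision logic of the two quoted rule sets in Python and feeds both the same constructed packets, so the packets the stateless "! -y" rule lets through and the stateful rule rejects can be seen without a root shell. The addresses, the interface name and the set of deliberately opened service ports are assumptions, and the DROP policy the script sets earlier (not shown on this page) is assumed too; RELATED tracking is not modelled.

```python
"""Stateless (ipchains '! -y') versus stateful (iptables --state) filtering.

Added illustration, not code from the HOWTO.  Only the decision logic of the
two quoted rule sets is modelled; no packets are sent and no kernel is touched.
"""
from dataclasses import dataclass

WAN_IP = "203.0.113.10"          # assumed: the firewall's outside address
WAN_IFACE = "eth1"               # assumed: $WAN_IFACE
LOCAL_PORTS = range(1024, 5000)  # the HOWTO's $LOCAL_PORTS (1024:4999)
SERVICES = {22}                  # assumed: ports the full script opens to SYNs


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset             # subset of {"SYN", "ACK", "FIN", "RST"}
    iface: str = WAN_IFACE       # interface the packet arrives on


def is_syn_only(pkt):
    """ipchains' -y: SYN set, ACK and FIN clear, i.e. a connection-opening packet."""
    return "SYN" in pkt.flags and not pkt.flags & {"ACK", "FIN"}


def ipchains_input(pkt):
    """Decision logic of the quoted ipchains rules (no state at all)."""
    if pkt.dst != WAN_IP:
        return "DENY"
    if is_syn_only(pkt):
        return "ACCEPT" if pkt.dport in SERVICES else "DENY"
    # The '! -y' rule: any non-SYN packet to a high port is assumed to be return
    # traffic.  Nothing checks whether this host ever started the connection.
    return "ACCEPT" if pkt.dport in LOCAL_PORTS else "DENY"


class Conntrack:
    """Minimal stand-in for Netfilter connection tracking (RELATED not modelled).

    Flows enter the table only when this host sends a packet out, or when the
    rules accept an inbound NEW packet, so an inbound packet is ESTABLISHED
    only if it matches a flow that is already known.
    """

    def __init__(self):
        self.flows = set()       # (local_ip, local_port, remote_ip, remote_port)

    def outbound(self, pkt):
        """Record a packet we send out; its replies will match as ESTABLISHED."""
        self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def state(self, pkt):
        """Classify an inbound packet the way '-m state --state' sees it."""
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ESTABLISHED"
        if is_syn_only(pkt):
            return "NEW"
        return "INVALID"         # mid-stream packet with no known connection


def iptables_input(pkt, ct):
    """Decision logic of the iptables rules above, plus the service ports the
    full script opens earlier (modelled here as SERVICES)."""
    state = ct.state(pkt)
    if state == "ESTABLISHED":                     # --state ESTABLISHED,RELATED
        return "ACCEPT"
    if state == "NEW" and (pkt.iface != WAN_IFACE or pkt.dport in SERVICES):
        ct.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return "ACCEPT"
    return "DROP"                                  # LOG rule, then the DROP policy


def run_demo():
    """Feed the same constructed packets to both filters; return the verdicts."""
    ct = Conntrack()
    # We open a web connection from high port 3000; conntrack remembers it.
    ct.outbound(Packet(WAN_IP, 3000, "198.51.100.5", 80, frozenset({"SYN"})))
    cases = {
        "reply to our connection": Packet("198.51.100.5", 80, WAN_IP, 3000, frozenset({"SYN", "ACK"})),
        "unsolicited ACK probe": Packet("198.51.100.9", 44444, WAN_IP, 3000, frozenset({"ACK"})),
        "unsolicited FIN probe": Packet("198.51.100.9", 44445, WAN_IP, 4000, frozenset({"FIN"})),
        "SYN to open service": Packet("198.51.100.9", 50000, WAN_IP, 22, frozenset({"SYN"})),
        "SYN to high port": Packet("198.51.100.9", 50001, WAN_IP, 3000, frozenset({"SYN"})),
    }
    return {name: (ipchains_input(p), iptables_input(p, ct)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (chains, tables) in run_demo().items():
        print(f"{name:25} ipchains={chains:7} iptables={tables}")
```

The two filters agree on the genuine reply and on the SYNs; they disagree on the ACK and FIN probes, which is exactly what an ACK or FIN port scan sends. The stateless rule must accept them because it cannot tell a reply from a probe, while connection tracking sees no matching flow, classifies them as INVALID and drops them.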
There are many, many features of iptables that are not touched on here. For more reading on the Netfilter
project and iptables, see http://netfilter.samba.org. And for a more advanced set of rules, see the Appendix.
5.2.3. Red Hat Firewall Configuration Tools
Red Hat did not include firewall configuration tools until 7.1, when the GUI utility gnome-lokkit started
being bundled. gnome-lokkit generates a minimalist set of rules for ipchains only. Explicit support for
iptables configuration is not an option, even though the default kernel is 2.4.
gnome-lokkit is an option on non-upgrade installs, and can also be run as a stand-alone app at any time after
installation. It will ask a few simple questions, and dump the resulting rule-set into
Security Quick−Start HOWTO for Red Hat Linux
5.2.3. Red Hat Firewall Configuration Tools 25