Day23-IPtables-SELinux

Uploaded by

Douglas Kamga

Firewall

• A firewall is a gateway device which sits between different networks.

• It is an appliance or software running on a computer, which inspects network traffic passing through it.

• It denies or permits the traffic based on a set of predefined rules.

• The rules are generally based on:

– IP Address

– Services

Firewall

[Figure: network diagram showing the Internet cloud, WAN router, firewall, DMZ switch and LAN switch]

Firewall

• Hardware Firewall
– NetASQ, Multicom, Cisco Pix, etc.

• Software Firewall
– Clavister, Iptables, ISA, Checkpoint, etc.

IPTables Configuration

IPtables configuration syntax

[root@server ~]# iptables <command> <chain> -p <protocol> <match> -j <action>

• Command

– -I Insert

– -A Append

– -R Replace

– -D Delete

• Chain

– INPUT, OUTPUT, FORWARD

• Protocol (-p)

– tcp, udp, icmp

• Match

– -s Source IP

– -d Destination IP

– --sport Source port

– --dport Destination port

• Action (-j)

– ACCEPT, REJECT, DROP

Chains

• Input

– This chain is configured to filter traffic coming to the server on which IPTables is configured.

• Output

– This chain is configured for traffic originating from the server on which IPTables is configured.

• Forward

– This chain is configured for traffic passing through the server on which IPTables is configured.

Action To Perform

• Accept
– The traffic is allowed.

• Reject
– The traffic is blocked and a message is sent to the end user.

• Drop
– The traffic is blocked and no message is sent to the end user.

IPTables Configuration - Examples

To block web browsing from the server

[root@server ~]# iptables -I OUTPUT -p tcp --dport 80 -j REJECT

To block a particular system from accessing ftp services on the server

[root@server ~]# iptables -I INPUT -p tcp --dport ftp -s 192.168.0.252 -j DROP

IPTables Configuration - Examples

To view the rules created

[root@server ~]# iptables -L --line-numbers

To delete a rule

[root@server ~]# iptables -D <chain> <rule number>

Disadvantages of IPTables

• It does not provide stateful inspection.

• It decreases the network performance.

• It decreases the reliability of a network by presenting a single point of failure.

• It can only prevent attacks that it can detect (no Intrusion Prevention System).

SELinux

• SELinux stands for Security Enhanced Linux.

• It was developed by the National Security Agency (NSA) and Secure Computing Corporation (SCC) to promote Mandatory Access Control (MAC).

• SELinux provides security from hacking, cracking, exploits and running programs as owner or with the uid of root.

• It compartmentalizes the operating system so that attacks are localized to the particular application files only.

SELinux

• SELinux can be configured in three ways

– Enforcing - SELinux security policies are applied and security objects will be restricted.

– Permissive - SELinux prints warning messages instead of restricting.

– Disabled - SELinux is fully disabled.

• The main SELinux configuration file

– /etc/selinux/config

SELinux Configuration

Edit the configuration file


[root@server ~]# vi /etc/selinux/config

Change the following lines


SELINUX=enforcing
SELINUXTYPE=targeted

Reboot the system


SELinux Configuration

To enable or disable SELinux at boot


While booting in the kernel line pass the parameter
selinux=0 -- to disable
selinux=1 -- to enable

Changing from enforcing to permissive

setenforce 0

Changing from permissive to enforcing

setenforce 1

SELinux Configuration

To check the status


[root@server ~]# sestatus
[root@server ~]# getenforce

Checking the logs of denied programs


[root@server ~]# sealert -b
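
The slides set the SELinux mode in three places: /etc/selinux/config, the selinux= kernel parameter, and setenforce at runtime. The script below is an added example, not part of the original slides, that compares all three and reports where enforcement is weakened. The function names, finding labels and sample input are constructed for illustration, and it assumes the first uncommented SELINUX= line is the effective one.

```shell
#!/bin/sh
# Added example (not from the original slides): audit the SELinux mode in the
# three places the slides configure it. Inputs are arguments so it runs offline.

# Print the mode from the first uncommented SELINUX= line, lower-cased.
# Assumption: the first such line is the effective one.
selinux_config_mode() {
    sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" \
        | head -n 1 | tr '[:upper:]' '[:lower:]'
}

# audit_selinux CONFIG_FILE KERNEL_CMDLINE GETENFORCE_OUTPUT
# Prints one finding per line; returns 0 only if nothing weakens enforcement.
audit_selinux() {
    _cfg=$(selinux_config_mode "$1")
    _run=$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')
    _rc=0
    case " $2 " in
        *" selinux=0 "*)
            echo "BOOT: selinux=0 on the kernel line disables SELinux"; _rc=1 ;;
    esac
    if [ "$_cfg" != enforcing ]; then
        echo "CONFIG: SELINUX=${_cfg:-unset} in $1"; _rc=1
    fi
    if [ "$_run" != enforcing ]; then
        echo "RUNTIME: getenforce reports ${_run:-unknown}"; _rc=1
    fi
    # setenforce 0 changes only the running mode, so config and runtime can differ.
    if [ "$_cfg" = enforcing ] && [ "$_run" = permissive ]; then
        echo "DRIFT: config is enforcing but the running mode is permissive"
    fi
    return "$_rc"
}

# Constructed sample: config is enforcing, but setenforce 0 was run afterwards.
demo_cfg=$(mktemp)
printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$demo_cfg"
audit_selinux "$demo_cfg" "ro quiet" "Permissive" || true
rm -f "$demo_cfg"

# On a live host:
# audit_selinux /etc/selinux/config "$(cat /proc/cmdline)" "$(getenforce)"
```

A DRIFT finding means the next reboot will return the host to enforcing, so any denials hidden by permissive mode should be reviewed before then.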

SELinux Configuration

Setting the boolean value of objects to enable/disable protection


[root@server ~]# getsebool
[root@server ~]# setsebool

Checking the status of the current policy


[root@server ~]# seinfo

Managing SELinux graphically


[root@server ~]# system-config-selinux &
