How to securely network a Fedora Linux system
Securely put a Fedora Linux system on the Internet
In order to put a Fedora 4 Linux system online with minimal exposure to attacks, several networking files should be edited. The paths to each are as follows:
A description of each file is given below.
The hosts file:
Typically the hosts file maps certain hostnames to IPs statically. The file is consulted when no DNS servers are specified in the /etc/resolv.conf file. Your hosts file should always contain the local loopback address:
Any other entry in this file must have a format similar to:
A typical hosts file has the following format:
|# Do not remove the following line, or various programs|
|# that require network functionality will fail.|
TCP wrappers can be used to control access to your system. TCP wrappers reference two files: hosts.allow and hosts.deny. Access is controlled in the following way: access is granted when a daemon-client pair matches an entry in the /etc/hosts.allow file; access is denied when a daemon-client pair matches an entry in the /etc/hosts.deny file; otherwise, access is granted.
The hosts.allow file:
A typical hosts.allow file has the following format:
|# hosts.allow This file describes the names of the hosts which are|
|# allowed to use the local INET services, as decided|
|# by the '/usr/sbin/tcpd' server.|
|sshd: 192.168.1.1, 192.168.1.2|
Note the daemon-client pairs. For example, if a machine with IP address 192.168.1.2 tries to ssh into a system with this hosts.allow file, it will be allowed in. The sendmail daemon and the client localhost.localdomain appear in the hosts.allow file so that the system can send email to users on this particular machine.
The hosts.deny file:
With this file we will deny the entry to anyone who we don’t specify in the hosts.allow file. To do this we just edit the hosts.deny file to look like:
|# hosts.deny This file describes the names of the hosts which are|
|# *not* allowed to use the local INET services, as decided|
|# by the '/usr/sbin/tcpd' server.|
|# The portmap line is redundant, but it is left to remind you that|
|# the new secure portmap uses hosts.deny and hosts.allow. In particular|
|# you should know that NFS uses portmap!|
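The evaluation order described above (a hosts.allow match grants access, a hosts.deny match denies it, anything else is granted), modelled in Python as an added example; this is not code from the original page. The hosts.deny contents, including the ALL: ALL line, are constructed, and the matcher supports only the "daemon: client, client" syntax used on this page plus the ALL wildcard and trailing-dot address prefixes from hosts_access(5).

```python
# Added example, not from the original page: a model of the TCP wrappers decision
# described above, run over constructed hosts.allow / hosts.deny contents.  It
# supports the "daemon: client, client" syntax used on this page, comments, the
# ALL wildcard and trailing-dot address prefixes ("192.168.1." matches the /24).

# Constructed sample files: the page's hosts.allow, and a hosts.deny that turns
# away every daemon-client pair not listed in hosts.allow.
HOSTS_ALLOW = """
# hosts.allow  This file describes the names of the hosts which are
# allowed to use the local INET services
sshd: 192.168.1.1, 192.168.1.2
sendmail: localhost.localdomain
"""
HOSTS_DENY = """
# hosts.deny  *not* allowed to use the local INET services
ALL: ALL
"""

def parse_access_file(text):
    """Return [(daemon, [client patterns])], skipping blank and comment lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemon, clients = line.split(":", 1)
        rules.append((daemon.strip(), [c.strip() for c in clients.split(",") if c.strip()]))
    return rules

def client_matches(pattern, client):
    """Match one client pattern from hosts.allow/hosts.deny against a client."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # address prefix: "192.168.1." matches 192.168.1.x
        return client.startswith(pattern)
    return pattern == client

def pair_matches(rules, daemon, client):
    """True when any (daemon, clients) entry covers this daemon-client pair."""
    return any(d in ("ALL", daemon) and any(client_matches(p, client) for p in pats)
               for d, pats in rules)

def tcp_wrappers_decision(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow match -> ALLOW; else hosts.deny match -> DENY; else ALLOW."""
    if pair_matches(parse_access_file(allow), daemon, client):
        return "ALLOW"
    if pair_matches(parse_access_file(deny), daemon, client):
        return "DENY"
    return "ALLOW"
```

Passing an empty string as the deny file shows the default: with no hosts.deny match, everything not covered by hosts.allow is still admitted.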
The resolv.conf file:
The resolv.conf file defines which name servers to use. DNS clients use the resolv.conf file to determine both the location of their DNS server and the domains to which the clients belong. The file generally has two columns; the first contains a keyword, and the second contains the desired values separated by commas. Here is an example:
It is generally a good idea to use a local DNS server when installing a system in the field.
The network file:
This file is used to specify information about the desired network configuration on your system. A typical Fedora 4 network file will need the following settings:
|NETWORKING=yes|
|HOSTNAME=jackel|
|GATEWAY=123.456.789.012|
|GATEWAYDEV=eth0|
The ifcfg-eth0 file:
There is usually an ifcfg-ethX file for every ethernet port on your system. For example, if you have two ethernet jacks, you should have the files ifcfg-eth0 and ifcfg-eth1. If you need to configure your ethernet port manually, you may need to create this file yourself. Here is an example of such a file:
|DEVICE=eth0|
|BOOTPROTO=static|
|BROADCAST=100.101.102.255|
|HWADDR=00:01:C6:35:GG:4C|
|IPADDR=100.101.102.103|
|NETMASK=255.255.255.0|
|NETWORK=100.101.102.0|
|ONBOOT=yes|
|TYPE=Ethernet|
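An added example (not from the original page) that checks an ifcfg-ethX file of the kind shown above: the network and ifcfg files are sourced by shell scripts, so every line must be KEY=VALUE with no spaces around the equals sign, and the NETWORK and BROADCAST values must agree with IPADDR and NETMASK. The sample file below reuses the page's address layout; its MAC address is constructed.

```python
# Added example, not from the original page: a consistency check for an ifcfg-ethX
# file of the kind shown above.  It parses KEY=VALUE lines the way the init scripts
# do (the file is sourced by the shell, so spaces around "=" are an error) and
# verifies that NETWORK/BROADCAST agree with IPADDR/NETMASK and HWADDR is a MAC.
import ipaddress
import re

# Constructed sample with the page's address layout and a made-up MAC address.
SAMPLE_IFCFG = """\
DEVICE=eth0
BOOTPROTO=static
BROADCAST=100.101.102.255
HWADDR=00:01:C6:35:AA:4C
IPADDR=100.101.102.103
NETMASK=255.255.255.0
NETWORK=100.101.102.0
ONBOOT=yes
TYPE=Ethernet
"""

_MAC = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def parse_ifcfg(text):
    """Return {KEY: value}; raise ValueError on lines the shell would choke on."""
    cfg = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Z_][A-Z0-9_]*)=(\S*)$", line)
        if not m:
            raise ValueError(f"line {n}: expected KEY=VALUE without spaces: {line!r}")
        cfg[m.group(1)] = m.group(2)
    return cfg

def check_ifcfg(text):
    """Return a list of problems (empty when the file is consistent)."""
    cfg, problems = parse_ifcfg(text), []
    if cfg.get("BOOTPROTO") == "static" and "IPADDR" in cfg and "NETMASK" in cfg:
        net = ipaddress.ip_interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}").network
        if cfg.get("NETWORK") != str(net.network_address):
            problems.append(f"NETWORK should be {net.network_address}")
        if cfg.get("BROADCAST") != str(net.broadcast_address):
            problems.append(f"BROADCAST should be {net.broadcast_address}")
    elif cfg.get("BOOTPROTO") == "static":
        problems.append("static configuration needs both IPADDR and NETMASK")
    if "HWADDR" in cfg and not _MAC.match(cfg["HWADDR"]):
        problems.append(f"HWADDR {cfg['HWADDR']} is not a valid MAC address")
    return problems
```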
The iptables file:
The Linux kernel has the built-in ability to filter packets. This allows some packets to be received by the system or to pass through the system while others are stopped. The kernel's netfilter has three built-in tables; the only one discussed here is the filter table, which is used for handling network packets. The filter table has built-in chains that correspond to the path a packet takes through the system. The built-in chains of the filter table are:
INPUT - applies to network packets that are targeted to the system.
OUTPUT - applies to locally-generated network packets.
FORWARD - applies to network packets passing through the system.
Filter the packets targeted to your system by following these three steps:
create the file /etc/sysconfig/iptables.
restart the iptables service to apply any changes in the file above.
check that iptables is working properly by running the following command:
|[root@hostname]# iptables -L|
To get you started, here is a basic packet-filtering iptables file:
|*filter|
|:INPUT DROP [0:0]|
|:FORWARD DROP [0:0]|
|:OUTPUT ACCEPT [0:0]|
|# allow all from loopback device|
|-A INPUT -i lo -j ACCEPT|
|-A INPUT -i lo -s 127.0.0.1 -j ACCEPT|
|# allow everything arriving on the second ethernet port (eth1)|
|-A INPUT -i eth1 -j ACCEPT|
|# allow established and related packets through, drop all invalid packets|
|-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT|
|-A INPUT -i eth0 -m state --state INVALID -j DROP|
|# allow ssh connections from local networks|
|-A INPUT -p tcp -m tcp -m state --state NEW --syn -s 192.168.1.0/24 --dport 22 -j ACCEPT|
|COMMIT|
You can alter the file above to your specifications. For example, if your system doesn't have an eth1 ethernet jack, you can leave the line "-A INPUT -i eth1 -j ACCEPT" out of the file. You can also add more lines like the last INPUT line with different IP addresses in order to give clients access to your system. Run man iptables to learn more about this file.
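As an added example (not from the original page), a small first-match simulator for the INPUT chain of the file above: give it a packet description and it returns the verdict the ruleset would give, with the chain policy applying when no rule matches. The INPUT rules are taken from the file above, the packets fed to it are constructed, and TCP flag matching (--syn) is not modelled.

```python
# Added example, not from the original page: a first-match simulator for the INPUT
# chain of the iptables file shown above, run against constructed packets.  It knows
# only the options that file uses (-i, -s, -p, --dport, --state, -j, ":CHAIN POLICY").
import ipaddress
import shlex

RULESET = """
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp -m state --state NEW --syn -s 192.168.1.0/24 --dport 22 -j ACCEPT
COMMIT
"""

def parse_chain(text, chain="INPUT"):
    """Return (policy, rules) for one chain; a rule is a dict of option -> value."""
    policy, rules = "ACCEPT", []
    for tok in (shlex.split(line) for line in text.splitlines()):
        if tok and tok[0] == ":" + chain:
            policy = tok[1]
        elif tok[:2] == ["-A", chain]:
            rule, i = {}, 2
            while i < len(tok):
                if tok[i] == "--syn":          # flag with no value; TCP flags not modelled
                    i += 1
                elif tok[i] == "-m":           # match-module loader: nothing to compare
                    i += 2
                else:
                    rule[tok[i]] = tok[i + 1]
                    i += 2
            rules.append(rule)
    return policy, rules

def rule_matches(rule, pkt):
    """pkt: dict with iface, src, proto, state and (for tcp/udp) dport."""
    return (("-i" not in rule or pkt["iface"] == rule["-i"])
            and ("-s" not in rule or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["-s"]))
            and ("-p" not in rule or pkt["proto"] == rule["-p"])
            and ("--dport" not in rule or pkt.get("dport") == int(rule["--dport"]))
            and ("--state" not in rule or pkt["state"] in rule["--state"].split(",")))

def input_verdict(pkt, ruleset=RULESET):
    """First matching rule decides; the chain policy applies when none matches."""
    policy, rules = parse_chain(ruleset)
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["-j"]
    return policy
```

Because the INVALID drop precedes the ssh rule, a connection attempt from 192.168.1.0/24 that conntrack marks INVALID is dropped even though the last rule would otherwise admit it; rule order, not just rule content, decides the verdict.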