A Little Context
The Five Golden Principles of Security
Know your system
Principle of Least Privilege
Defense in Depth
Protection is key but detection is a must.
Know your enemy.
Avoid generic rules like this at the top of the policy rules:
iptables -A INPUT -p tcp --dport 22 -j DROP
Regulating by Time
Scenario: The backlash from your employees over denying access to Facebook causes you to relent (a little). You decide to allow access to facebook.com only at lunch time (1200 to 1300).
Tip: Use the time features of IPTables to open up the access.
iptables -A OUTPUT -p tcp -m multiport --dport http,https -i eth0 -o eth1 -m time --timestart 12:00 --timestop 13:00 -d 31.13.64.0/18 -j ACCEPT
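As an added example (not from the slides), the following script puts the two preceding tips into one ruleset: the SSH accept for an admin network is placed before the port-22 drop, so the generic drop cannot lock the administrator out, and the lunch-time Facebook rule is written against the FORWARD chain, because `-i` is only valid in INPUT, FORWARD and PREROUTING and a gateway sees employee traffic as forwarded packets. The admin subnet 192.0.2.0/24 and the interface names are assumptions; the Facebook range is the one on the slide. A small awk lint, `ssh_drop_precedes_accept`, checks any iptables-save style ruleset for the lock-out ordering the slide warns about.

```shell
#!/bin/sh
# Added example, not from the slides: build an iptables-restore ruleset in which
# the SSH ACCEPT precedes the catch-all port-22 DROP, plus the lunch-time rule.
# ADMIN_NET and the interface names are assumptions; FB_NET is the slide's range.

ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # assumed admin subnet (documentation range)
FB_NET="31.13.64.0/18"                   # range used on the slide
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-eth1}"

# Print the ruleset in iptables-save format (feed it to iptables-restore/iptables-apply).
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Keep existing sessions alive, including the admin's current SSH session
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Allow new SSH from the admin network BEFORE any generic drop for port 22
-A INPUT -p tcp --dport 22 -s ${ADMIN_NET} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
# Forwarded LAN traffic: web access to the Facebook range only during lunch
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -p tcp -m multiport --dports 80,443 -d ${FB_NET} -m time --timestart 12:00 --timestop 13:00 -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -p tcp -m multiport --dports 80,443 -d ${FB_NET} -j DROP
COMMIT
EOF
}

# Lint: read an iptables-save style ruleset on stdin and print 1 if a DROP for
# tcp/22 in the INPUT chain comes before the first ACCEPT for tcp/22 (or no
# ACCEPT exists at all), otherwise print 0.
ssh_drop_precedes_accept() {
    awk '
        /^-A INPUT / && /--dport 22( |$)/ && /-j ACCEPT/ { if (!seen_accept) seen_accept = NR }
        /^-A INPUT / && /--dport 22( |$)/ && /-j DROP/   { if (!seen_drop)   seen_drop   = NR }
        END {
            if (seen_drop && (!seen_accept || seen_drop < seen_accept)) print 1
            else print 0
        }'
}
```

Review the output with `build_ruleset > /tmp/rules.v4`, then load it with `iptables-apply /tmp/rules.v4`, which reverts the change automatically if you do not confirm it within the timeout (useful when working over SSH). Note that the `time` match compares against UTC unless `--kerneltz` is given, so on a host whose clock is not in UTC the lunch window should be expressed accordingly.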
Monitoring IPTables
Scenario: You would like to monitor what's going on with IPTables in real time, sort of like with top.
Tip #1: Issue this command as root (the pipeline is quoted so that grep filters the iptables output, not watch's screen; the pattern hides rules whose packet and byte counters are both zero):
watch --interval=5 'iptables -nvL | grep -v "^ *0 *0 "'
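The watch command above shows the raw counters; what an administrator usually wants to know is which rules are being hit between two looks. The following is an added example, not from the slides, that diffs two snapshots of `iptables -nvxL INPUT` and reports only the rules whose packet counter grew. The snapshot text in `demo_deltas` is constructed to look like real `iptables -nvxL` output; on a live system you would save two real snapshots a few seconds apart and pass those files instead.

```shell
#!/bin/sh
# Added example, not from the slides: report per-rule packet deltas between two
# snapshots of `iptables -nvxL <chain>` (-x gives exact, unabbreviated counters).

# rule_deltas BEFORE AFTER
# Prints "<rule_no> <pkt_delta> <target ...>" for every rule whose packet
# counter increased. Rules are matched by position, so both snapshots must be
# of the same chain with no rules added or removed in between.
rule_deltas() {
    awk '
        # Lines 1-2 of each snapshot are the chain header and column header.
        FNR > 2 && NR == FNR { before[FNR] = $1; next }
        FNR > 2 {
            d = $1 - before[FNR]
            if (d > 0) {
                $1 = ""; $2 = ""          # drop pkts/bytes, keep target and match text
                sub(/^ +/, "")
                print (FNR - 2) " " d " " $0
            }
        }' "$1" "$2"
}

# Constructed snapshots: the third rule (the port-22 DROP) went from 0 to 7
# packets between the two samples, which is the kind of change worth noticing.
demo_deltas() {
    tmp=$(mktemp -d)
    cat > "$tmp/before" <<'EOF'
Chain INPUT (policy DROP 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1034      98231 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       3        180 ACCEPT     tcp  --  *      *       192.0.2.0/24         0.0.0.0/0            tcp dpt:22
       0          0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
EOF
    cat > "$tmp/after" <<'EOF'
Chain INPUT (policy DROP 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1084     102431 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       3        180 ACCEPT     tcp  --  *      *       192.0.2.0/24         0.0.0.0/0            tcp dpt:22
       7        420 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
EOF
    rule_deltas "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}
```

On a live gateway: `iptables -nvxL INPUT > /tmp/a; sleep 5; iptables -nvxL INPUT > /tmp/b; rule_deltas /tmp/a /tmp/b`. A DROP rule whose counter climbs quickly is the first thing to look at in the log.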
Reporting on IPTables
Scenario: You (Your boss) think(s) this dynamic stuff is just great, but a daily activity report would also be great.
Tip: Use FWReport (http://fwreport.sourceforge.net/).
FWReport is a log parser and reporting tool for IPTables. It generates daily and monthly summaries of the log files, allowing the security administrator to free up substantial time, maintain better control over security of the network, and reduce unnoticed attacks.
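To show what such a daily summary is built from, here is an added example (not FWReport's code and not from the slides) that reduces kernel LOG lines to the two tables a daily report usually leads with: dropped packets per source address and per protocol/destination port. The log lines are constructed, the `IPT-DROP:` prefix is an assumed `--log-prefix`, and the addresses come from the documentation ranges.

```shell
#!/bin/sh
# Added example, not from the slides or FWReport: a minimal daily summary over
# iptables LOG lines. SAMPLE_LOG is constructed; "IPT-DROP:" is an assumed
# --log-prefix value. Real input would be /var/log/kern.log or journalctl -k.

SAMPLE_LOG='Nov 10 09:12:01 gw kernel: IPT-DROP: IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 PROTO=TCP SPT=44321 DPT=22 SYN
Nov 10 09:12:05 gw kernel: IPT-DROP: IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 PROTO=TCP SPT=44322 DPT=22 SYN
Nov 10 10:40:17 gw kernel: IPT-DROP: IN=eth1 OUT= SRC=198.51.100.23 DST=203.0.113.2 LEN=60 PROTO=TCP SPT=51000 DPT=445 SYN
Nov 10 11:02:44 gw kernel: IPT-DROP: IN=eth1 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=60 PROTO=TCP SPT=44323 DPT=3389 SYN
Nov 11 00:00:09 gw kernel: IPT-DROP: IN=eth1 OUT= SRC=198.51.100.42 DST=203.0.113.2 LEN=40 PROTO=UDP SPT=5353 DPT=5353
Nov 10 12:15:00 gw kernel: unrelated kernel message without the log prefix'

# drop_count "Mon DD": number of logged drops on that day (stdin).
drop_count() {
    awk -v day="$1" '($1 " " $2) == day && /IPT-DROP:/ { c++ } END { print c + 0 }'
}

# top_sources "Mon DD": "count src" per source address, most frequent first.
top_sources() {
    awk -v day="$1" '
        ($1 " " $2) == day && /IPT-DROP:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) n[substr($i, 5)]++
        }
        END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# top_ports "Mon DD": "count PROTO/dport" per destination port, most frequent first.
top_ports() {
    awk -v day="$1" '
        ($1 " " $2) == day && /IPT-DROP:/ {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (proto != "" && dpt != "") n[proto "/" dpt]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }' | sort -rn
}

# daily_report "Mon DD" FILE: the three tables for one day, report-style.
daily_report() {
    day="$1"; file="$2"
    echo "Dropped packets on $day: $(drop_count "$day" < "$file")"
    echo "Top sources:";            top_sources "$day" < "$file"
    echo "Top protocol/ports:";     top_ports   "$day" < "$file"
}
```

Run it against the constructed data with `printf '%s\n' "$SAMPLE_LOG" > /tmp/kern.sample; daily_report "Nov 10" /tmp/kern.sample`. Note that syslog pads single-digit days with a space ("Nov  3"), which awk's default field splitting absorbs, so the day argument is always written with a single space.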
In Conclusion
We've covered many facets of IPTables; all the way from making sure you don't lock yourself out when working with IPTables to monitoring IPTables to visualizing the activity of an IPTables firewall.
These are just some of the tips and tricks that exist for IPTables.
These will get you started down the path to realizing even more IPTables tips and tricks.
There REALLY is more to IPTables than just ACCEPT and DROP.
References
Convert an address range to CIDR - www.ipaddressguide.com/cidr
Real-time IPTables Monitor - www.perlmonks.org/?node_id=513732
FWReport - http://fwreport.sourceforge.net
Using Afterglow to Visualize IPTables Logs - http://lintut.com/use-afterglow-to-visualize-IPTables-logson-centos-rhel-fedora/
IPTables - http://www.netfilter.org/
Questions?
Gary Smith
Information System Security Officer, Molecular
Science Computing, Pacific Northwest National
Laboratory
Richland, WA
gary.smith@pnnl.gov