Secure Networking within kernel

Posted by markiemark on Fri 23 Sep 2005 at 16:37

While iptables offers a viable means of limiting network intrusion from outside a local area network, and of confining users to the environment the administrator defines, a lot can also be had from the kernel's own "flags", if you will: files that tell the kernel what to do and what not to do with certain specific protocols.

Upon further inspection of /proc/sys/net/ipv4 (or ipv6, depending on your preference and what you use) you will quickly see a whole slew of files. As you get further into the listing you'll notice that most files simply contain a 1 (enabled) or a 0 (disabled), and some hold integer values of their own.

Setting an entry can be done by running a command like this:

# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all 
# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all 

The 1st of course is enable, and the 2nd is disable.

An explanation of some of the rather interesting ones:

If you're not forwarding traffic between interfaces, or if you have only a single interface, it's usually a good idea to disable forwarding:

echo 0 > /proc/sys/net/ipv4/ip_forward

rp_filter can reject incoming packets whose source address is not reachable through the interface they arrived on. This is a good way to prevent IP spoofing (though usually not a good idea if you have several IP addresses on different interfaces, or if a single interface has multiple IP addresses).

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

If your kernel has been compiled with CONFIG_SYN_COOKIES then you can enable protection against SYN floods:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Some port scanners send ICMP ECHO requests to see which hosts are up. This is easily circumvented, although enabling this will break pings from legitimate machines as well:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

And finally, if your host is penetrated through a user account that was brute-forced or otherwise hacked into, you can ignore broadcast pings so that you are not an unwilling participant in smurf attacks:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Generally, a lot can be had from the kernel's ability to handle various network tasks for the respective protocols, provided root sets them up that way.

Of course these entries depend on how your network is configured: say, for instance, you need the ability to ping different hosts, or you run a lot of IPs on a single interface, etc. Any change made to a file can be reversed just as easily.
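As an added example (not code from the original post), here is a small POSIX shell script that audits the tunables listed above against the values the post recommends and reports which ones have drifted or are missing. The function names, the HARDENING_POLICY list and the idea of passing the base directory as a parameter are choices of this example; icmp_echo_ignore_all is deliberately left out because the post itself notes it breaks legitimate pings.

```shell
#!/bin/sh
# Audit the IPv4 hardening tunables discussed above against expected values.
# The base directory is a parameter so the same function can be pointed at the
# real /proc/sys or at a constructed copy of it (handy for a dry run or a test).

# Expected values, one "key value" pair per line; keys are relative to the base.
# icmp_echo_ignore_all is left out on purpose: the post notes it breaks legitimate pings.
HARDENING_POLICY='
net/ipv4/ip_forward 0
net/ipv4/conf/all/rp_filter 1
net/ipv4/tcp_syncookies 1
net/ipv4/icmp_echo_ignore_broadcasts 1
'

# read_tunable BASE KEY: print the current value, or "missing" if the file is absent
read_tunable() {
    if [ -r "$1/$2" ]; then
        cat "$1/$2"
    else
        echo missing
    fi
}

# audit_tunables BASE: print OK/DRIFT/MISSING per key; exit status is the count of keys not OK
audit_tunables() {
    base=$1
    bad=0
    # here-document instead of a pipe so "bad" is updated in this shell, not a subshell
    while read -r key expected; do
        [ -z "$key" ] && continue
        actual=$(read_tunable "$base" "$key")
        if [ "$actual" = missing ]; then
            echo "MISSING $key"
            bad=$((bad + 1))
        elif [ "$actual" = "$expected" ]; then
            echo "OK      $key=$actual"
        else
            echo "DRIFT   $key=$actual (expected $expected)"
            bad=$((bad + 1))
        fi
    done <<EOF
$HARDENING_POLICY
EOF
    return $bad
}

# Usage: sh audit.sh /proc/sys   (with no argument the script only defines the functions)
if [ $# -gt 0 ]; then
    audit_tunables "$1"
fi
```

A non-zero exit status means at least one tunable is not at its expected value, which makes the script easy to drop into a cron job or a post-boot check; the printed lines tell you which file to echo into to fix it.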


Posted by Steve (82.41.xx.xx) on Fri 23 Sep 2005 at 16:41

It is worth noting that you can setup a lot of these parameters in the file /etc/sysctl.conf.

For example to ignore broadcasts you can set:

net/ipv4/icmp_echo_ignore_broadcasts=1

This flag will then take effect the next time you reboot, or if you run:

sysctl

(Running either "man sysctl", or "man sysctl.conf" will give more details).

Steve
--


Posted by markiemark (67.184.xx.xx) on Fri 23 Sep 2005 at 16:45
That's very true, the same configurations can be made using sysctl, but it's a nice "on the fly" solution hehe :)


Posted by El_Cubano (66.93.xx.xx) on Fri 23 Sep 2005 at 23:55

That's awesome. I had always resorted to rebooting when updating something in /etc/sysctl.conf.


--
Roberto C. Sanchez
http://familiasanchez.net/~roberto/


Posted by Anonymous (24.58.xx.xx) on Fri 23 Sep 2005 at 17:23
Also of note, a few of these options (spoofprotect, syncookies, ip_forward) can be set in /etc/network/options, which is handled by /etc/init.d/networking (from the netbase package) at boot time.


Posted by dkg (216.254.xx.xx) on Sat 8 Oct 2005 at 02:27
It's probably a bad idea to get in the habit of using /etc/network/options. Apparently that config file is officially deprecated as of Debian's netbase package version 4.22, which just propagated into testing recently.

bug #322548 appears to have a decent summary of the rationale for this decision.


Posted by Anonymous (82.157.xx.xx) on Fri 23 Sep 2005 at 21:48
Don't forget IPv6!


Posted by Anonymous (81.57.xx.xx) on Tue 27 Sep 2005 at 16:19
Some others that might be of interest for this topic:
/proc/sys/net/ipv4/icmp_ratelimit
/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/proc/sys/net/ipv4/conf/*/log_martians
/proc/sys/net/ipv4/conf/*/accept_redirects
/proc/sys/net/ipv4/conf/*/accept_source_route

For a complete reference of kernel IP tunable sysctls, see /usr/src/linux-2.6.11.12/Documentation/networking/ip-sysctl.txt

To reply to another comment: you don't need to reboot in order to apply /etc/sysctl.conf modifications on the fly:

sysctl -p /etc/sysctl.conf # is enough

By the way, setting all those params in /etc/sysctl.conf is imho the proper way to do it. One should never try to override (or be overridden by? are your scripts started before procps? take care!) a standard config file.

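Tying Steve's /etc/sysctl.conf suggestion to the extra tunables listed in this last comment, here is an added example that is not code from any of the posters: a POSIX shell helper that converts /proc/sys paths into dotted sysctl keys and renders them as /etc/sysctl.conf lines, expanding the conf/*/ wildcard to both conf/all and conf/default. The function names, the THREAD_TUNABLES list and the values chosen for the last four entries (1 for icmp_ignore_bogus_error_responses and log_martians, 0 for accept_redirects and accept_source_route) are assumptions of this example, not something the thread states.

```shell
#!/bin/sh
# Render the /proc/sys paths discussed in this thread as /etc/sysctl.conf lines.

# Constructed list: "PATH VALUE" per line. The values for the last four entries are
# this example's own hardening choices; the thread only names the files.
THREAD_TUNABLES='
/proc/sys/net/ipv4/ip_forward 0
/proc/sys/net/ipv4/conf/all/rp_filter 1
/proc/sys/net/ipv4/tcp_syncookies 1
/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
/proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
/proc/sys/net/ipv4/conf/*/log_martians 1
/proc/sys/net/ipv4/conf/*/accept_redirects 0
/proc/sys/net/ipv4/conf/*/accept_source_route 0
'

# proc_to_key PATH: strip a leading /proc/sys/ and turn the remaining slashes into dots
proc_to_key() {
    printf '%s\n' "${1#/proc/sys/}" | tr '/' '.'
}

# render_sysctl_conf: read "PATH VALUE" lines on stdin and print "key = value" lines.
# A path containing conf/*/ is written out twice, for conf/all/ and conf/default/,
# so the setting covers both existing and future interfaces.
render_sysctl_conf() {
    while read -r path value; do
        [ -z "$path" ] && continue
        case "$path" in
            *'/conf/*/'*)
                for scope in all default; do
                    expanded=$(printf '%s\n' "$path" | sed "s#/conf/\*/#/conf/$scope/#")
                    printf '%s = %s\n' "$(proc_to_key "$expanded")" "$value"
                done ;;
            *)
                printf '%s = %s\n' "$(proc_to_key "$path")" "$value" ;;
        esac
    done
}

# render_thread_conf: render the constructed list above
render_thread_conf() {
    printf '%s\n' "$THREAD_TUNABLES" | render_sysctl_conf
}

render_thread_conf
```

Review the printed lines, append them to /etc/sysctl.conf, and apply them with `sysctl -p` as the comment above describes; keeping them in that one file avoids the ordering question the comment raises about scripts racing the procps init script.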
