Posted by markiemark on Fri 23 Sep 2005 at 16:37
While iptables offers a viable means of limiting network intrusion from outside a local area network, as well as confining users to an environment defined by the administrator, a lot can also be had from the kernel's own "flags", if you will: files that tell the kernel what to do and what not to do with certain specific protocols.
Upon further inspection of /proc/sys/net/ipv4 (or ipv6, depending on your preference and use) one quickly sees a whole slew of files. As you get further into the listing you'll notice that most files simply contain a 1 (for enable) or a 0 (for disable), and some hold other integer values.
Setting an entry can be done by running a command like this:
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
The first of course enables, and the second disables.
An explanation of some of the rather interesting ones:
If you're not forwarding traffic between interfaces, or if you have only a single interface, it's usually a good idea to disable forwarding:
echo 0 > /proc/sys/net/ipv4/ip_forward
rp_filter can reject incoming packets whose source address does not match the network of the interface they arrive on. This is a good way to prevent IP spoofing (though usually not a good idea if you have several IP addresses on different interfaces, or if a single interface has multiple IP addresses).
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
If your kernel has been compiled with CONFIG_SYN_COOKIES then you have the option of enabling protection against SYN floods:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
Some port scanners send ICMP ECHO requests to see which hosts are up. This is easily circumvented, although enabling it will also break pings from legitimate machines:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
And finally, if your host is compromised via a user account that was brute forced or hacked into, you can ignore broadcast pings to avoid becoming an unwilling participant in smurf attacks:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
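As an added example (not part of the original article), here is a POSIX shell script that audits the entries above against the recommended values, applies them in one pass, and prints the equivalent /etc/sysctl.conf lines so they survive a reboot. The function names and the optional ROOT argument are this example's own; ROOT defaults to /proc/sys, and pointing it at a scratch directory lets you exercise the script without root.

```shell
#!/bin/sh
# Audit/apply the /proc/sys/net/ipv4 settings from the article.
# Constructed example: WANTED, the function names and the ROOT argument
# are this script's own.  ROOT defaults to /proc/sys; any other directory
# with a net/ipv4 subtree (e.g. a test tree) works without privileges.

# Recommended values, one "path=value" per entry, relative to ROOT/net/ipv4.
WANTED="ip_forward=0
conf/all/rp_filter=1
tcp_syncookies=1
icmp_echo_ignore_all=1
icmp_echo_ignore_broadcasts=1"

# ipv4_flag_mismatches [ROOT]: one line per entry whose current value
# differs from the recommended one, or whose file is absent (typically a
# kernel built without that option, e.g. CONFIG_SYN_COOKIES).
ipv4_flag_mismatches() {
    root="${1:-/proc/sys}"
    for pair in $WANTED; do
        key="${pair%%=*}"; want="${pair#*=}"
        file="$root/net/ipv4/$key"
        if [ ! -r "$file" ]; then
            echo "MISSING  $key"
        elif [ "$(cat "$file")" != "$want" ]; then
            echo "MISMATCH $key=$(cat "$file") recommended=$want"
        fi
    done
}

# ipv4_flag_mismatch_count [ROOT]: number of problems the audit reports.
ipv4_flag_mismatch_count() {
    ipv4_flag_mismatches "$1" | awk 'END { print NR }'
}

# ipv4_flags_apply [ROOT]: the "echo 1 > /proc/sys/..." commands above,
# done in one pass.  Needs root when ROOT is the real /proc/sys.
ipv4_flags_apply() {
    root="${1:-/proc/sys}"
    for pair in $WANTED; do
        key="${pair%%=*}"; want="${pair#*=}"
        echo "$want" > "$root/net/ipv4/$key"
    done
}

# ipv4_flags_sysctl_conf: the same settings in /etc/sysctl.conf syntax,
# which Debian reapplies at boot (a plain echo into /proc does not persist).
ipv4_flags_sysctl_conf() {
    for pair in $WANTED; do
        key="${pair%%=*}"; want="${pair#*=}"
        echo "net.ipv4.$(echo "$key" | tr / .) = $want"
    done
}

case "${1:-}" in audit) ipv4_flag_mismatches "$2" ;; esac
```

Run it as `sh script.sh audit` to see which live settings differ; an empty report means every entry already matches.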
Generally, a lot can be had from the kernel's ability to handle various network tasks for the respective protocols, provided root sets them so.
Of course these entries depend on how your network is configured: for instance, whether you need to be able to ping other hosts, or whether you run a lot of IPs on a single interface, etc. Any change made to a file can be reversed easily.
This article can be found online at the Debian Administration website at the following bookmarkable URL:
This article is copyright 2005 markiemark - please ask for permission to republish or translate.