\input{gl2.slide-header-beamer}% \errorcontextlines=99 %% Subtopic Number = '1.114.1' %% Title: 'Perform security administration tasks' %% Weight: 4 %% Description: %% Candidates should know how to review system configuration %% to ensure host security in accordance with local security policies. This %% objective includes how to configure TCP wrappers, find files with %% SUID/SGID bit set, verify packages, set or change user passwords and %% password aging information, update binaries as recommended by CERT, %% BUGTRAQ, and/or distribution's security alerts. Includes basic knowledge %% of ipchains and iptables. %% Key files, terms, and utilities include: %% /proc/net/ip_fwchains %% /proc/net/ip_fwnames %% /proc/net/ip_masquerade %% find %% ipchains %% passwd %% socket %% iptables \title{1.114.1\\Perform security administration tasks\\Weight 4} \date{2005 November} \author[Nick Urbanik]{Nick Urbanik \texttt{}\\ {\scriptsize This document Licensed under GPL---see section~\ref{sec:license}}}% \subtitle{Linux Professional Institute Certification --- 102}% \mode
{\chead{1.114.1}}% \begin{document} \maketitle \mode
{\thispagestyle{empty}} \mode* \begin{frame} \frametitle{Outline} \mode {% %\footnotesize \begin{multicols}{2} \tableofcontents \end{multicols} % You might wish to add the option [pausesections] }% \mode
{% \tableofcontents }% \end{frame} \section{Context} \label{sec:context} \begin{frame} \frametitle{Topic 114 Security [8]}% \framesubtitle{Where we are up to}% \begin{description} % \uline depends on \usepackage[normalem]{ulem}: \item[1.114.1] \textbf{\uline{Perform security administration tasks [4]}} \item[1.114.2] Setup host security [3] \item[1.114.3] Setup user level security [1] \end{description} \end{frame} \section{Objectives} \label{sec:objectives} \begin{frame} \frametitle{Description of Objective}% \framesubtitle{1.114.1\ \ Perform security administration tasks [4]}% \mode{\Large}% Candidates should know how to review system configuration to ensure host security in accordance with local security policies. This objective includes how to configure TCP wrappers, find files with SUID/SGID bit set, verify packages, set or change user passwords and password aging information, update binaries as recommended by CERT, BUGTRAQ, and/or distribution's security alerts. Includes basic knowledge of ipchains and iptables. 
\end{frame} \begin{frame}[fragile] \frametitle{Key files, terms, and utilities include:}% \framesubtitle{1.114.1\ \ Perform security administration tasks [4]}% \mode{\large}% \begin{description} \item[\texttt{/proc/net/ip\_fwchains}] --- Firewall chain linkage (2.2 kernel) \item[\texttt{/proc/net/ip\_fwnames}] --- Firewall chain names (2.2 kernel) \item[\texttt{/proc/net/ip\_masquerade}] --- Major masquerading table (2.2 kernel) \item[\texttt{find}] --- We see how to find SUID and SGID programs using \texttt{find} \item[\texttt{ipchains}] --- The tool to configure the firewall on a 2.2 kernel \item[\texttt{passwd}] --- Discuss how to use to set password aging information \item[socket] --- The end point of a network connection \item[\texttt{iptables}] --- The tool to configure the firewall on a 2.4, 2.6 kernel \end{description} \end{frame} \section{Configuring TCP Wrappers} \label{sec:tcp-wrappers} \subsection{Rules for \texttt{hosts.allow}, \texttt{hosts.deny}} \label{sec:rules-for-hosts-allow-deny} \begin{frame} \frametitle{Rules for \texttt{hosts.allow}, \texttt{hosts.deny}} \begin{itemize} \item Search stops at the first match \alert{in this sequence}: \item Access will be granted when a (daemon,client) pair matches an entry in the \red{\texttt{/etc/hosts.allow}} file. \item Otherwise, access will be denied when a (daemon,client) pair matches an entry in the \red{\texttt{/etc/hosts.deny}} file. \item Otherwise, access will be granted. \end{itemize} \end{frame} \begin{frame} \frametitle{More about how tcp\_wrappers rules applied} \begin{itemize} \item Because access rules in \texttt{hosts.allow} are applied first, they take precedence over rules specified in \texttt{hosts.deny}. \begin{itemize} \item Therefore, if access to a service is allowed in \texttt{hosts.allow}, a rule denying access to that same service in \texttt{hosts.deny} is ignored. 
\end{itemize} \item The rules in each file are read from the top down and the first matching rule for a given service is the only one applied. The \alert{order of the rules is extremely important}. \item If no rules for the service are found in either file, or if neither file exists, access to the service is \alert{granted}. \begin{itemize} \item So the default is \alert{allow}: for a default-deny policy, put \texttt{ALL: ALL} in \texttt{hosts.deny} and list only the permitted (daemon, client) pairs in \texttt{hosts.allow} \item TCP wrappers only controls services that consult it (through \texttt{libwrap} or \texttt{tcpd}); it is not a substitute for a packet filter \end{itemize} \item changes to \texttt{hosts.allow} or \texttt{hosts.deny} \alert{take effect immediately} without restarting network services. \end{itemize} \end{frame} \subsection{Format of rules in \texttt{hosts.\{allow,deny\}}} \label{sec:format-of-rules} \begin{frame} \frametitle{Format of rules in \texttt{hosts.\{allow,deny\}}} \begin{itemize} \item Each rule is of the form:\\ \noindent% {\mode{\small}% \mbox{\texttt{\meta{daemon list}: \meta{client list} [: \meta{option}: \meta{option}: \ldots]}}} \end{itemize} \begin{description} \item[\meta{daemon list}] A comma separated list of process names (\alert{not service names}) or the \texttt{ALL} wildcard --- see \S\,\ref{sec:wildcards}. The daemon list also accepts the \texttt{EXCEPT} operator to allow greater flexibility --- see \S\,\ref{sec:except-operator} \item[\meta{client list}] A comma separated list of hostnames, host IP addresses, special patterns --- see \S\,\ref{sec:patterns}, or special wildcards --- see \S\,\ref{sec:wildcards} --- which identify the hosts affected by the rule. You can also use the \texttt{EXCEPT} operator. \item[\meta{option}] An optional action or colon separated list of actions performed when the rule is triggered. Option fields support \%~expansions --- see \cmdbox{man 5 hosts\_access}, launch shell commands, allow or deny access, and \alert{alter logging behavior} --- see \S\,\ref{sec:option-fields} \end{description} \end{frame} \subsection{Example} \label{sec:example} \begin{frame} \frametitle{Example rule}% \texttt{vsftpd : .example.com} \begin{itemize} \item watch for connections to the FTP daemon (\texttt{vsftpd}) from any host in the \texttt{example.com} domain. 
\item If this rule appears in \texttt{hosts.allow}, the connection is accepted. \item If this rule appears in \texttt{hosts.deny}, the connection is rejected. \end{itemize} \end{frame} \subsection{Wildcards} \label{sec:wildcards} \begin{frame} \frametitle{Wildcards}% \label{sld:wildcards}% Wildcards allow TCP wrappers to more easily match groups of daemons or hosts. They are used most frequently in the client list field of access rules. \par The following wildcards may be used: \begin{description} \item[\texttt{ALL}] Matches everything. It can be used for both the daemon list and the client list. \item[\texttt{LOCAL}] Matches any host that does not contain a period (.), such as \texttt{localhost} \item[\texttt{KNOWN}] Matches any IP address which has a corresponding hostname; also matches usernames when the \emph{ident} service is available (which is usually not) \item[\texttt{UNKNOWN}] Matches any IP address which does \alert{not} have a corresponding hostname; also matches usernames when the \emph{ident} service \alert{not} available \item[\texttt{PARANOID}] Matches any host where a double reverse hostname/IP address lookup fails to match \end{description} \end{frame} A double-reverse lookup involves looking up the hostname that corresponds to an incoming IP connection, then looking up that hostname to verify that it has a matching IP address. This often fails because: \begin{itemize} \item machines can have more than one address \item IP addresses can resolve to more than one name. \end{itemize} Note about \texttt{portmap}: Use IP addresses, not hostnames, since the \texttt{portmap} does not look up hostnames with TCP wrappers, and \texttt{portmap} is important where NFS and some other protocols are used. \subsection{Patterns} \label{sec:patterns} \mode
\begin{frame} \frametitle{Patterns} \begin{itemize} \item Hostname beginning with a period (\texttt{.}) Putting a dot at the beginning of a hostname matches all hosts sharing the listed components of the name. This matches any host in the \texttt{example.com} domain: \par \texttt{ALL : .example.com} \item IP address ending with a period (.) Placing a period at the end of an IP address matches all hosts sharing the initial numeric groups of an IP address. This matches any host in the 192.168.x.x network: \par \texttt{ALL : 192.168.} \item IP address/netmask pair Netmask expressions can also be used as a pattern to control access to a particular group of IP addresses. This matches any host in the address range 192.168.0.0 \ldots\ 192.168.1.255: \par \texttt{ALL : 192.168.0.0/255.255.254.0} \begin{itemize} \item Note: a pattern of the form \texttt{192.168.0.0\red{/23}} \alert{will not work} \end{itemize} \item The asterisk (*) Asterisks can be used to match entire groups of hostnames or IP addresses, as long as they are not mixed in a client list containing other types of patterns. This matches any host in the \texttt{example.com} domain: \par \texttt{ALL : *.example.com} \begin{itemize} \item This asterisk notation is also used in \texttt{/etc/exports} but with hostnames only \item \alert{asterisks appear in IP addresses only here} as far as I know. \end{itemize} \end{itemize} \end{frame} \mode* \mode \begin{frame} \frametitle{Patterns} \begin{itemize} \item Hostname beginning with a period (\texttt{.}) This matches any host in the \texttt{example.com} domain: \par \texttt{ALL : .example.com} \item IP address ending with a period (.) 
This matches any host in the 192.168.x.x network: \par \texttt{ALL : 192.168.} \item IP address/netmask pair This matches any host in the address range 192.168.0.0 \ldots\ 192.168.1.255: \par \texttt{ALL : 192.168.0.0/255.255.254.0} \begin{itemize} \item Note: a pattern of the form \texttt{192.168.0.0\red{/23}} \alert{will not work} \end{itemize} \item The asterisk (*) Asterisks can match entire groups of hostnames or IP addresses. This matches any host in the \texttt{example.com} domain: \par \texttt{ALL : *.example.com} \begin{itemize} \item This asterisk notation is not used anywhere else as far as I know. \end{itemize} \end{itemize} \end{frame} \mode* \subsection{Option Fields: Logging} \label{sec:option-fields} \begin{frame} \frametitle{Option Fields: Logging with \texttt{severity}} \begin{itemize} \item See \cmdbox{man 5 hosts\_options} for details of other options; just look at \texttt{severity} directive for logging access \item Here, connections to the SSH daemon from any host in the \texttt{example.com} domain are logged to the default \texttt{authpriv} syslog facility (because no facility value is specified) with a level of \texttt{emerg}: \par \texttt{sshd : .example.com : severity emerg} \item specifying a facility: The following example logs any SSH connection attempts by hosts from the \texttt{example.com} domain to the \texttt{local0} facility with a level of \texttt{alert}: \par \texttt{sshd : .example.com : severity local0.alert} \end{itemize} \end{frame} \subsection{\texttt{EXCEPT} operator} \label{sec:except-operator} \begin{frame} \frametitle{\texttt{EXCEPT} operator} \begin{itemize} \item There is one operator: \texttt{EXCEPT}. \item can be used in both the daemon list and the client list of a rule. \item allows specific exceptions to broader matches within the same rule. 
\item Example:\\ \texttt{ALL: .example.com EXCEPT cracker.example.com} \item In another example from a \texttt{hosts.allow} file, clients from the 192.168.0.$x$ network can use all services except for FTP: \par \texttt{ALL EXCEPT vsftpd: 192.168.0.} \end{itemize} \end{frame} \subsection{How is TCP Wrappers enabled?} \label{sec:how-tcp_wrappers-enabled} \begin{frame}[fragile] \frametitle{How is TCP Wrappers enabled?} \begin{itemize} \item Recent systems use \texttt{libwrap}, part of the \texttt{tcp\_wrappers} package \item Red Hat suggest doing {\mode{\small} \cmdbox{strings -f \meta{binary-name} | grep hosts\_access}} to see if a program is compiled with \texttt{libwrap}. \item Most programs are dynamically linked against \path{/usr/lib/libwrap.so.0}, so you can check for that with \cmdbox{ldd \meta{binary-name}} (but do not run \texttt{ldd} on a binary you do not trust: some dynamic loaders execute the program to answer --- see \cmdbox{man ldd}) \item Example: {\mode{\footnotesize} \begin{semiverbatim} \cmd{ldd /usr/sbin/xinetd | grep libwrap} libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00320000) \end{semiverbatim} } \item Older systems used \path{/usr/sbin/tcpd} and entered this in \texttt{/etc/inetd.conf} instead of the binary name of the service, but this is no longer necessary \end{itemize} \end{frame} \section{Finding files with SUID/SGID bit set} \label{sec:find-suid-sgid-files} \subsection{Effect of SUID/SGID permissions} \label{sec:effect-of-SUID-SGID} \begin{frame} \frametitle{Effect of SUID/SGID permissions} \begin{itemize} \item A \alert{program} with Set User-ID (SUID) permission will execute with the process owned by the owner of the file instead of the user that executed the program. \item A \alert{program} with Set Group-ID (SGID) permission will execute with the group of the process the same as the group of the file instead of the group of the user that executed the program. \item A serious security risk: a flaw in a SUID-\texttt{root} program hands \texttt{root} to whoever runs it, so keep the set of such programs as small as possible and investigate any that appear unexpectedly. 
\end{itemize} \begin{block}{Some History} \begin{itemize} \item% A friend in UNSW in 1985 used to stay in the lab with me till 5\,AM many mornings; he had \texttt{root} access on the PDP-11, greatly upsetting the BOFH. \item% He told me that he gained this through a set user-ID executable owned by \texttt{root}. \end{itemize} \end{block} \end{frame} \subsection{Specifying Permissions to \texttt{find}} \label{sec:find-permissions} \begin{frame} \frametitle{Specifying Permissions to \texttt{find}} \begin{itemize} \item The \texttt{find} program finds files for which various conditions are true \item The \texttt{-perm \meta{mode}} condition can find files which match the permissions specified in \meta{mode} in various ways: \begin{itemize} \item if \meta{mode} starts with `\texttt{-}' then true if \alert{all} of the permissions in \meta{mode} are present. Any permissions not in \meta{mode} are ignored \item if \meta{mode} starts with `\texttt{+}' then true if \alert{any} of the permissions in \meta{mode} are present. Any permissions not in \meta{mode} are ignored (newer GNU \texttt{find} spells this `\texttt{/}', e.g.\ \texttt{-perm /6000}, and treats the `\texttt{+}' form as deprecated --- check \cmdbox{man find} on your system) \item if \meta{mode} starts with neither `\texttt{-}' nor `\texttt{+}' then true if permissions are exactly \meta{mode}. \end{itemize} \item \meta{mode} can be specified in octal or symbolically: e.g., you can specify \texttt{-perm~+6000} or \texttt{-perm~+ug=s} \begin{itemize} \item both are true if the file has either SUID or SGID permission set. \end{itemize} \end{itemize} \end{frame} \subsection{Finding SUID or SGID files} \label{sec:finding-suid-sgid-files} \begin{frame} \frametitle{\texttt{find}ing SUID or SGID files} \begin{itemize} \item Here we can search the entire file system for SUID or SGID files: \cmd{find / -perm +6000 -ls} \mode
\item We get a few error messages about files in \texttt{/proc} that do not exist \item Suppose we have some NFS mounted filesystems? \item We might like to skip \texttt{/proc} and some NFS file systems. \mode \end{itemize} \end{frame} \mode
\subsection{\texttt{find}: Ignoring some directories with \texttt{prune}} \label{sec:prune} \begin{frame} \frametitle{\texttt{find}: Ignoring some directories with \texttt{prune}} \begin{itemize} \item \texttt{find} combines conditions that are true and false by default with logical \emph{AND}, with logical \emph{OR} specified by `\texttt{-o}' \item The \texttt{-prune} action provides the way we skip some directories or files with \texttt{find} \item We can search the entire file system except \texttt{/proc} for SUID or SGID files with: \par% \cmd{sudo find / -path /proc -prune -o -perm +6000 -ls} \item If we want to skip \texttt{/nfs} as well, we do: \par% \sloppypar\cmd{sudo find / -path /proc -prune -o -path /nfs -prune -o -perm +6000 -ls} \item Keep the output from a known-good state and compare later runs against it: a SUID file that was not there before is what you are looking for \end{itemize} \end{frame} \mode* \section{Verify Packages} \label{sec:verify-packages} \subsection{Why Verify Software Packages?} \label{sec:why-verify} \begin{frame} \frametitle{Why Verify Software Packages?}% \framesubtitle{Main reasons:} \begin{itemize} \item As another tool to check whether trojan executables have been installed by a cracker, replacing the original binary \item As a check that software downloaded from the Internet is from a trusted source and has not been compromised \end{itemize} \end{frame} \subsection{Verify Package Files with \texttt{rpm}} \label{sec:verify-package-files-with-rpm} \begin{frame} \frametitle{Verify Package Files with \texttt{rpm}} \begin{itemize} \item Ensure you have the GPG key of the signer of the software packages, e.g., \cmdbox{sudo rpm -{}-import /media/cdrom/RPM-GPG-KEY*} \begin{itemize} \item Import keys only from a source you trust (installation media, or the vendor's published key), and compare the fingerprint with the one the vendor publishes: any package signed by a key you import will be accepted \end{itemize} \item Verify that each downloaded software package is signed before installing it: with \texttt{yum}, use the option \texttt{gpgcheck=1} \item If you have the RPM binary package file, you can check its signature with: \par% \cmdbox{rpm -K \meta{complete-package-file-name}} \item Example: \cmdbox{rpm -K httpd-2.0.54-10.2.i386.rpm}\linebreak \texttt{httpd-2.0.54-10.2.i386.rpm: (sha1) dsa sha1 md5 gpg OK} \item If \texttt{gpg} is missing from the \texttt{OK} line (no signature, or the signing key is not imported), or \texttt{rpm} reports \texttt{NOT OK}, do not install the package \end{itemize} 
\end{frame} \subsection{Verify Installed Packages with \texttt{rpm}} \label{sec:verify-installed-with-rpm} \begin{frame} \frametitle{Verify Installed Packages with \texttt{rpm}} \begin{itemize} \item Do \cmdbox{rpm -V \meta{package-name}} \item Ensure that no binary executables have changed; here is an example of an executable that does not match the original installed version: \cmdbox{rpm -V spamassassin}\\ \texttt{S.5....T\ \ \ /usr/bin/spamc} \item This indicates that the size, the MD5sum and the timestamp of this executable file have changed, and it could quite possibly be a trojan (a local rebuild or \texttt{prelink} can also cause this, so investigate before deciding) \item \texttt{rpm -V} compares files against the local RPM database, which an intruder with \texttt{root} can alter as well; for a stronger check verify against the original package file with \cmdbox{rpm -Vp \meta{package-file}}, and use \cmdbox{rpm -Va} to check every installed package \item There are eight characters; a dot indicates original value, a letter shows there is change: \end{itemize} \setlength{\extrarowheight}{0pt} \begin{tabular}[t]{@{}ll@{}} S & file \textbf{S}ize differs\\ M & \textbf{M}ode differs (includes permissions and file type)\\ 5 & MD\textbf{5} sum differs\\ D & \textbf{D}evice major/minor number mismatch\\ L & read\textbf{L}ink(2) path mismatch\\ U & \textbf{U}ser ownership differs\\ G & \textbf{G}roup ownership differs\\ T & m\textbf{T}ime differs\\ \end{tabular} \end{frame} \subsection{Verify Packages with \texttt{apt}/\texttt{dpkg}} \label{sec:verify-with-dpkg} \begin{frame} \frametitle{Verify Packages with \texttt{apt}/\texttt{dpkg}} \begin{itemize} \item One way: the \texttt{debsums} package checks installed files against the MD5 sums recorded by each package, e.g., \cmdbox{debsums -c} (like \texttt{rpm -V}, it trusts the local package database) \item \texttt{apt} checks the signature on each repository's \texttt{Release} file against the keys in its keyring; treat a signature warning at \texttt{apt-get update} time as a reason not to install \end{itemize} \end{frame} \section{Passwords and Aging Information} \label{sec:passwords} \begin{frame} \frametitle{Password Aging} \begin{itemize} \item Limiting the age of passwords can improve security, although users may ping-pong between two passwords \item Best not to force users to change more than once every few months (page~607, \cite{Gar2003}), else some will write them down \end{itemize} \end{frame} \begin{frame} \frametitle{Password Aging options to \texttt{passwd}} \begin{description} \item[\texttt{-d}] This is a quick way to disable a password for an account. It will set the named account passwordless. Available to root only. \alert{Caution:} an empty password may let anyone log in as that user, depending on the PAM configuration (e.g.\ \texttt{nullok}); to stop logins, lock the account with \cmdbox{passwd -l \meta{user}} instead. 
\item[\texttt{-n}] This will set the minimum password lifetime, in days, if the user's account supports password lifetimes. Available to root only. \item[\texttt{-x}] This will set the maximum password lifetime, in days, if the user's account supports password lifetimes. Available to root only. \item[\texttt{-w}] This will set the number of days in advance the user will begin receiving warnings that her password will expire, if the user's account supports password lifetimes. Available to root only. \item[\texttt{-i}] This will set the number of days which will pass before an expired password for this account will be taken to mean that the account is inactive and should be disabled, if the user's account supports password lifetimes. Available to root only. \end{description} \end{frame} \section{Update binaries with security alerts} \label{sec:update-with-security-alerts} \begin{frame} \frametitle{Finding out about security alerts} \begin{itemize} \item The \green{best way to get cracked} is to never apply security updates on a machine exposed to the Internet \item Subscribe to the mailing list for your distribution that announces security updates \item Subscribe to \url{http://lwn.net} and read their comprehensive security information, in particular from \url{http://lwn.net/security} \end{itemize} \end{frame} \begin{frame} \frametitle{Update binaries with security alerts} \begin{itemize} \item You can either apply updates automatically: with systems with \texttt{yum} installed, enable \texttt{yum} updates in \texttt{cron}. 
\item To update a system with \texttt{yum}: \cmdbox{sudo yum -y update} \item To update a system with \texttt{apt}: \cmdbox{sudo apt-get update} \cmdbox{sudo apt-get -y upgrade} \item An updated library or daemon only protects you once the affected services are restarted, and an updated kernel only after a reboot \item If the system is mission critical and especially if it has complex software installed, install updates on a test system first \end{itemize} \end{frame} \section{Basic intro to \texttt{iptables} and \texttt{ipchains}} \label{sec:intro-to-iptables} \begin{frame} \frametitle{What are \texttt{iptables} and \texttt{ipchains}?} \begin{itemize} \item Used to filter network packets coming into, out of and through the system \item Very useful for network security, Internet connection sharing \item \texttt{iptables} on 2.4, 2.6 kernels, \texttt{ipchains} on 2.2 kernels \item \texttt{iptables} is easier to use than \texttt{ipchains} \begin{itemize} \item Many more things must be considered before you can predict what will happen to a packet passing through an \texttt{ipchains} system, while \texttt{iptables} tends to have a packet dealt with in one spot only, causing less brain pain. \end{itemize} \item \texttt{iptables} has support for \emph{stateful inspection} which allows the system to remember which response is in answer to which packet \end{itemize} \end{frame} \begin{frame} \frametitle{Components of \texttt{iptables}} \begin{itemize} \item There are four main terms to consider with \texttt{iptables}: \begin{description} \item[table] --- a table holds a major category of set of rules. \item[chain] --- sets of rules within a table that affect traffic \item[rule] --- decides how to send a packet to a \alert{target}. If the packet does not match this rule, the next rule is tried. \item[target] --- the built-in targets are \texttt{ACCEPT}, \texttt{DROP}, \texttt{QUEUE}, and \texttt{RETURN}: a matched packet is accepted, dropped, handed to a userspace program, or returned to the chain that called the current one. A target can also be the name of a user-defined chain, or an extension target such as \texttt{REJECT}, \texttt{MASQUERADE} or \texttt{SNAT}. If no rule in a built-in chain matches, the chain's \alert{policy} decides. 
\end{description} \end{itemize} \end{frame} \subsection{\texttt{iptables} tables} \label{sec:tables} \begin{frame} \frametitle{\texttt{iptables} tables} \begin{itemize} \item There are three \alert{tables} used by \texttt{iptables}: \begin{description} \item[filter] --- default table for handling network packets \item[nat] --- used to alter packets that create a new connection and used for Network Address Translation (NAT). \item[mangle] --- for specific types of packet alteration, including time to live, type of service --- for special routing purposes \end{description} \end{itemize} \end{frame} \subsection{\texttt{iptables} chains} \label{sec:chains} \begin{frame} \frametitle{\texttt{iptables} \texttt{filter} chains} \begin{itemize} \item \texttt{iptables} \texttt{filter} table has three \alert{chains}: \begin{description} \item[INPUT] for packets coming into the system, destined for the system itself \item[OUTPUT] for packets originating from the system, destined for outside the system \item[FORWARD] for packets entering the system that are meant for other systems on the other side, where the system is working as a router \end{description} \end{itemize} \end{frame} \subsection{Examples of filtering} \label{sec:examples-of-filtering} \begin{frame} \frametitle{Examples of filtering} \begin{itemize} \item To drop all traffic to this machine from the source IP address 1.2.3.4, do: \par \cmdbox{sudo iptables -A~INPUT -s~1.2.3.4 -j~DROP} \item \texttt{-A} \alert{appends} the rule to the end of the chain, so an earlier \texttt{ACCEPT} rule in \texttt{INPUT} would still match first; use \texttt{-I~INPUT} to insert it at the top when it must win, and confirm with \texttt{iptables -L -n} \item You might do that if there is nuisance traffic from that remote machine. 
\end{itemize} \end{frame} % \begin{frame} % \frametitle{} % \begin{itemize} % \item % \end{itemize} % \end{frame} \begin{frame} \frametitle{\texttt{iptables} \texttt{nat} chains} \begin{itemize} \item The built-in chains for the \texttt{nat} table: \begin{description} \item[PREROUTING] --- Alters network packets when they arrive \par% \item[OUTPUT] --- Alters locally-generated network packets before they are sent out \item[POSTROUTING] --- Alters network packets before they are sent out \end{description} \end{itemize} \end{frame} \subsection{Viewing firewall rules} \label{sec:viewing-firewall-rules} \begin{frame} \frametitle{Viewing firewall rules} \begin{itemize} \item To see the firewall rules for the \texttt{filter} table, do: \cmdbox{iptables -L} \item To avoid the time to look up each IP address, do: \cmdbox{iptables -L -n} \item To see the counters of the number of packets for each rule: \cmdbox{iptables -L -n -v} \item To see the exact counters of the number of packets: \cmdbox{iptables -L -n -v -x} \item To view the rules for the \texttt{\red{nat}} table without the DNS lookup delay: \par% \cmdbox{iptables \red{-t nat} -L -n} \item To view the rules for the \texttt{\red{mangle}} table without the DNS lookup delay: \par% \cmdbox{iptables \red{-t mangle} -L -n} \end{itemize} \end{frame} % \begin{frame} % \frametitle{} % \begin{itemize} % \item % \end{itemize} % \end{frame} \begin{frame} \frametitle{Sharing an Internet connection in an internal network} \begin{itemize} \item Use masquerade where the external Internet address is changed by the ISP: \item \sloppypar\texttt{iptables -t nat -A POSTROUTING -s~192.168.0.0/24 -o~ppp0 -j~MASQUERADE} \item This is source Network Address Translation where the external address is changing. 
\item Where the Internet address is fixed, use the SNAT target: \item \sloppypar\texttt{iptables -t nat -A POSTROUTING -s~192.168.0.0/24 -o~ppp0 -j~SNAT -{}-to-source~220.233.65.75} \item Either rule only works if forwarding is enabled (\texttt{/proc/sys/net/ipv4/ip\_forward} set to 1) and the \texttt{FORWARD} chain lets the traffic through; enabling forwarding makes the machine a router, so filter the \texttt{FORWARD} chain rather than leaving it open \end{itemize} \end{frame} \subsection{Saving and restoring rules} \label{sec:saving-and-restoring-rules} \begin{frame} \frametitle{Saving and restoring rules} \begin{itemize} \item the \texttt{iptables-save} command writes the current rules to standard output; \item \texttt{iptables-restore} reads them back in from standard input. \begin{itemize} \item On Debian, redirect to/from a file of your choice, e.g., \texttt{iptables-save > /etc/iptables.rules} and restore it at boot \item Red Hat/Fedora systems store them in \path{/etc/sysconfig/iptables}, written by \cmdbox{service iptables save} and loaded by the \texttt{iptables} init script \end{itemize} \end{itemize} \end{frame} \section{References} \label{sec:references} \begin{frame}[allowframebreaks] \frametitle{Perform security administration tasks} \framesubtitle{Resources of interest} \begin{thebibliography}{5} % None of these affects how cite appears, only how the bibitem appears. % \beamertemplatebookbibitems makes little pictures of books in bib. % \beamertemplatebookbibitems % \beamertemplatearticlebibitems makes little pictures of text in bib. \beamertemplatearticlebibitems % \beamertemplatetextbibitems uses [1], [2] or [optional] in bib. 
% \beamertemplatetextbibitems % \beamertemplatearrowbibitems make little arrows (like ordinary items) % \beamertemplatearrowbibitems \bibitem{proc.txt}% \emph{The \texttt{/proc} Filesystem}% \newblock% in \path{Documentation/filesystems/proc.txt} with Linux Kernel source \bibitem{rhel4rgch17-18}% Red Hat, Inc.% \newblock% \emph{Red Hat Enterprise Linux 4: Reference Guide}% \newblock% Chapter 17: \emph{TCP Wrappers and \texttt{xinetd}} \newblock% \url{http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/ch-tcpwrappers.html}% \newblock% Chapter 18: \emph{\texttt{iptables}} \newblock% \url{http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/ref-guide/ch-iptables.html} \beamertemplatebookbibitems \bibitem[Gar2003]{Gar2003} Simson Garfinkel, Gene Spafford and Alan Schwartz.% \newblock% \emph{Practical Unix and Internet Security}% \newblock% O'Reilly 2003. \bibitem{Kir2000} Olaf Kirch and Terry Dawson. \newblock% \emph{Linux Network Administrator's Guide} \newblock% O'Reilly 2000. \newblock% \url{http://tldp.org/LDP/nag2/} \beamertemplatearticlebibitems \bibitem[findperms]{findperms} Info node: Find Permissions \newblock% \cmd{info '(find)Permissions'} \newblock \cmd{info '(find)File Permissions'} \bibitem[man-rpm]{man-rpm} rpm man page \newblock% \cmd{man rpm}% \newblock% and search for \texttt{VERIFY~OPTIONS} \bibitem[FoJ2005]{FoJ2005}% Eric Foster-Johnson. 
\newblock% \emph{RPM Guide}% \newblock% \url{http://fedora.redhat.com/docs/drafts/rpm-guide-en/} \end{thebibliography} \end{frame} \mode {% \begin{frame} \frametitle{Topics Covered} %\footnotesize %\begin{multicols}{2} \tableofcontents[pausesections,pausesubsections] %\end{multicols} % You might wish to add the option [pausesections] \end{frame} } \section{License Of This Document} \label{sec:license} \begin{frame} \frametitle{License Of This Document} \raggedright% Copyright \copyright\ 2005 Nick Urbanik \par You can redistribute modified or unmodified copies of this document provided that this copyright notice and this permission notice are preserved on all copies under the terms of the GNU General Public License as published by the Free Software Foundation---either version 2 of the License or (at your option) any later version. \end{frame} \end{document}