
Firewall Rule Specifications


In this section, you’ll take a deep dive into Linux security. You’ll build your knowledge and skills through a comprehensive overview of the key areas that you need to know to secure Linux systems.

You’ll begin with Linux security in general before moving on to physical security and the countermeasures you can employ to protect your hardware. From there, you’ll explore authentication systems and the various account types on a Linux system, and how to secure each one. You'll also learn how to enforce strong passwords and manage account and password expirations.

In the networking section, you'll learn how to secure network services that run on Linux systems. You'll also learn how the local firewall works in Linux and how to configure it. You’ll learn about file system security and how permissions work in detail, including special modes, file attributes, and ACLs. You'll also discover what rootkits are, how to detect them, and how to remove them.

You’ll also find several security resources you can use to continue your security education and stay on top of the latest security issues for Linux distributions.

There are several knowledge checks as you go through these resources. These will help you identify any areas that you might need or want to review. At the end you’ll find a final exam, where you can test yourself on what you’ve learnt.

Learning Objectives

  • Get a general view of Linux security including roles, network services, encryption, accounts, and multifactor authentication
  • Learn specific strategies for mitigating physical security risks and protecting your Linux systems against the most common physical attacks
  • Learn about data encryption and how to implement it on new Linux systems, as well as those that are already in service
  • Understand the different types of accounts you'll find on a Linux system and the special precautions you need to take with each account type
  • Learn how to enforce good password security practices on your Linux systems
  • Learn about multi-factor authentication and how it can be implemented in Linux
  • Learn techniques and strategies to secure network services
  • Learn how to secure your files and directories on Linux through permissions, data sharing, special modes, file attributes, and ACLs, and learn what rootkits are and how to detect and remove them

I'm going to go over some commonly used rule specification options. For a full list, see the iptables man page.

To match a packet by source, use -s followed by the source, which can be an IP address, a network specification, or a host name. If you use a host name, be aware that it is resolved once, when the rule is added, and the IP address it resolved to at that moment is what the rule uses. It's best to use an IP address or a network specification. You can use classless inter-domain routing (CIDR) notation, sometimes referred to as slash notation, or you can specify the network address and a subnet mask. To specify a destination, use the -d option; again, you can give an IP address, a network, or a name.

To match a packet by protocol, use the -p option followed by the network protocol. For example, to match only TCP packets, use -p tcp.

The -m option enables extended packet matching modules. Follow -m with the name of the module, which makes that module's additional command line options available, and then use those options on the command line. You can use multiple extended match modules in a single rule if you need to. For a list of these modules and their options, see the iptables-extensions man page.

To specify a destination port, first specify the protocol with -p, then enable the extended module with -m followed by the protocol, and then use the --dport option followed by the port. For example, to match all TCP packets destined for port 80, use -p tcp -m tcp --dport 80. There is a built-in shortcut, however: when you use -p tcp, all the options of the tcp module become available, so you don't have to explicitly use -m tcp. The shorthand version of the previous example is -p tcp --dport 80. The same holds true for UDP: when you use UDP as the protocol, the udp module options become available by default. You can do the same thing for source ports with the --sport option followed by the port.

To match on the ICMP protocol, use -p icmp. Just like TCP and UDP, specifying the ICMP protocol enables the icmp module and its additional options. You can specify the ICMP type with --icmp-type followed by the name or number of the type. To get a full list of types, run iptables -p icmp -h. To match pings, use echo-request; to match pongs, use echo-reply.

The limit module matches packets based on rate. For example, you could match all packets that do not exceed a given rate. You can use this module to control how often log entries are written, or to limit the effects of a denial of service attack. The --limit option sets an average rate and the --limit-burst option sets an initial burst. With --limit 5/m --limit-burst 10, the first 10 consecutive packets are matched, and from then on only five packets per minute are matched. The limit-burst count is reset every time the limit rate is not broken. If you don't specify a limit, it defaults to three per hour; if you don't specify a limit burst, it defaults to five. You can also use the exclamation mark to invert the match: with ! --limit 5/s, a match occurs once the limit of five packets per second is broken.

That takes care of the matching section of a rule. The other section, the target, is pretty simple: you specify the target with -j followed by the target name. This can be a built-in target like ACCEPT or DROP, or the name of a custom chain that you created. You can think of these targets as jumps: when -j is encountered, the matching packet jumps to the specified target.
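The following script is an added example, not part of the course material, that puts the options above together into a small INPUT-chain ruleset: a CIDR source match, the -p tcp shorthand for --dport, an ICMP type match, rate-limited logging with the limit module, and built-in targets. The ipt wrapper, build_ruleset and the other function names are the example's own; the 192.0.2.0/24 admin network and port numbers are constructed placeholders. It prints the iptables commands unless APPLY=1 is set and it runs as root, so the ruleset can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example: compose iptables INPUT rules from the rule-specification
# options discussed above. Prints the commands by default; executes them
# only when APPLY=1 and the script runs as root.

ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # assumed admin subnet (placeholder, documentation range)
WEB_PORT="${WEB_PORT:-80}"               # assumed web service port (placeholder)

# ipt: print the full iptables command line, or run it in apply mode as root.
ipt() {
    if [ "${APPLY:-0}" = "1" ] && [ "$(id -u)" = "0" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Allow SSH only from the admin network. -s takes CIDR notation; an address
# is preferred over a host name because a name is resolved once, at add time.
rule_ssh_from_admin() {
    ipt -A INPUT -s "$ADMIN_NET" -p tcp --dport 22 -j ACCEPT
}

# Allow the web port from anywhere. -p tcp loads the tcp match module
# implicitly, so --dport works without an explicit -m tcp.
rule_web() {
    ipt -A INPUT -p tcp --dport "$WEB_PORT" -j ACCEPT
}

# Accept echo-request at an average of 5 per minute after an initial burst
# of 10; pings above that rate do not match here and reach the final DROP.
rule_ping_limited() {
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/m --limit-burst 10 -j ACCEPT
}

# Log what is about to be dropped, rate-limited so a flood cannot fill the
# log, then drop everything that no earlier rule accepted.
rule_log_dropped() {
    ipt -A INPUT -m limit --limit 3/m --limit-burst 5 -j LOG --log-prefix "INPUT-DROP:"
    ipt -A INPUT -j DROP
}

# build_ruleset: emit (or apply) the rules in order; order matters because
# the first matching rule's target decides the packet's fate.
build_ruleset() {
    rule_ssh_from_admin
    rule_web
    rule_ping_limited
    rule_log_dropped
}

build_ruleset
```

Run it as-is to review the generated commands; run it with APPLY=1 as root to load them. The log rule is placed immediately before the DROP so that only traffic no accept rule claimed gets logged, and the limit keeps the log volume bounded even under a flood.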
