Manualshelf

User guide

ManualsBrandsRed Hat ManualsOtherENTERPRISE LINUX 4 - SELINUX GUIDE
81828384858687888990
Malicious Software and Spoofed IP Addresses
79
With this command, all HTTP connections to port 80 from outside of the LAN are routed to the HTTP
server on a network separate from the rest of the internal network. This form of network segmentation
can prove safer than allowing HTTP connections to a machine on the network.
If the HTTP server is configured to accept secure connections, then port 443 must be forwarded as
well.
2.5.6. Malicious Software and Spoofed IP Addresses
More elaborate rules can be created that control access to specific subnets, or even specific nodes,
within a LAN. You can also restrict certain dubious applications or programs such as trojans, worms,
and other client/server viruses from contacting their server.
For example, some trojans scan networks for services on ports from 31337 to 31340 (called the elite
ports in cracking terminology).
Since there are no legitimate services that communicate via these non-standard ports, blocking them
can effectively diminish the chances that potentially infected nodes on your network independently
communicate with their remote master servers.
The following rules drop all TCP traffic that attempts to use port 31337:
[root@myServer ~ ] # iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
[root@myServer ~ ] # iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
You can also block outside connections that attempt to spoof private IP address ranges to infiltrate
your LAN.
For example, if your LAN uses the 192.168.1.0/24 range, you can design a rule that instructs the
Internet-facing network device (for example, eth0) to drop any packets to that device with an address
in your LAN IP range.
Because it is recommended to reject forwarded packets as a default policy, any other spoofed IP
address to the external-facing device (eth0) is rejected automatically.
[root@myServer ~ ] # iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP
Note
There is a distinction between the DROP and REJECT targets when dealing with appended rules.
The REJECT target denies access and returns a connection refused error to users who
attempt to connect to the service. The DROP target, as the name implies, drops the packet without
any warning.
Administrators can use their own discretion when using these targets. However, to avoid user
confusion and attempts to continue connecting, the REJECT target is recommended.
2.5.7. IPTables and Connection Tracking
You can inspect and restrict connections to services based on their connection state. A module within
iptables uses a method called connection tracking to store information about incoming connections.
You can allow or deny access based on the following connection states:
NEW — A packet requesting a new connection, such as an HTTP request.