On Tue, 3 Feb 2009, in the Usenet newsgroup comp.os.linux.misc, in article
Post by RahulBut again, this ONLY applies to stuff compiled to use libwrap.
Oh! So, what is the best way of opening / blocking ports selectively?
iptables? Or are there other options?
Normally, I answer a "what is the best" question with "I like chocolate
ice-cream" (or similar). That's asking an opinion, and opinions are as
varied as the people involved.
"firewall" - whether iptables (which is actually the application that
interfaces with the built-in firewall code in the kernel), the older
IPCHAINS or ipfwadm (not applicable to 2.6 kernels), or an external
appliance of some kind. These have the finest / most versatile
control. You can specify source/destination ports, addresses, as well
as flags within the packet headers.
"tcp_wrappers" (and the associated libwrap) - a simpler mechanism where
you can specify remote address and local ports. It's essentially
unmaintained now - the last release was 7.6 in March 1997.
"routing" which covers a multitude of sins - such things as forwarding
(or _not_ forwarding) packets through a router/modem/what-ever. Another
technique is mucking with the routing tables using 'Reject' routes
(a technique that is NOT recommended, but is used by some protective
tools like BlockHosts or PortSentry) or routing via the loopback
interface (a common technique used by ad blockers, etc.).
Individual applications may also have their own access control rules.
An example would be Apache.
As to which one I'd recommend - strawberry is pretty good...
There is a web site http://www.netfilter.org/documentation/HOWTO/ (also
reachable via http://www.iptables.org/documentation/HOWTO/) that has
seven HOWTOs that are quite useful.
"tcp_wrappers" has some documentation, but some of the tools (such as
tcpdchk) don't work on "modern" installations (specifically, those
using 'xinetd' instead of the older 'inetd').
As for routing - mixed results. Done manually, such as forwarding or
not forwarding packets based on destination port numbers - is usually
a good technique. A packet not forwarded can't be used to exploit
something it can't reach. There are automatic tools, such as
BlockHosts (http://www.aczoom.com/cms/blockhosts), DenyHosts
(http://denyhosts.sourceforge.net), fail2ban (http://www.fail2ban.org)
or the ancient (unsupported) PortSentry that can alter routing in an
effort to block ``attacks'' (usually identified by log-reading). A
real problem with automatic tools is that they can easily be configured
to automatically shoot yourself in the wobbly bits. Some one can spoof
an attack from the IP of your name server - you automatically block
that IP address, and then wonder why new connections have stopped
working. While I include URLs here, I hesitate to recommend such
automatic tools because they are intolerant of configuration mistakes,
and may encourage a sloppy or unreliable setup.
On the OTHER hand, I do recommend you looking at where you expect or
desire connections from. For example, if you have no expectation of
anyone in 'Burkina Faso' (a country in Western Africa - 2W/12N) for
example, you could block the 8 IP ranges registered there. Two problems
with this concept is that IP addresses may be registered in one country
and used elsewhere, and IP address ranges are not conveniently arranged
for ease of use (those 8 ranges in Burkina Faso need 7 rules to
describe them - a /19, 3 /20s a /22, /23 and /24) and you can't depend
on a rDNS (lookup may fail, and .com is used in every country). A
somewhat simpler concept is to ALLOW connections from ranges you want,
and default block the rest. Where that gets hairy is that there are
over 93000 networks around the world.
Hope this gives you something to look at, and some things to think
about. ;-)
Old guy