RHCSA Study Guide – Objective 9 : Network Security

############################
Everything below is my raw notes that I took while attending an unofficial RHCSA training session.  I am posting them here in hopes they will assist others who may be preparing to take this exam.

My notes are my own interpretation of the lectures, and are certainly not a replacement for classroom training either through your company, or by taking the official RHCSA classes offered through Red Hat.  If you are new to the Red Hat world, I strongly suggest looking into their training courses over at Red Hat.
############################

TCP Wrappers

TCP wrappers were originally written to provide host-based access controls, roughly 30 years ago. They can be thought of as the first firewall of sorts. So assuming the service you're looking to protect supports tcpwrappers, and tcpwrappers are turned on, then you can enable wrappers for it.

To see if the application has tcpwrappers built in, you can do the following:

[root@web01 ~]# which sshd
/usr/sbin/sshd
[root@web01 ~]# ldd /usr/sbin/sshd | grep wrap # If you see libwrap.so.0, it has support.

The 2 configuration files are below:

/etc/hosts.allow
/etc/hosts.deny

They are parsed in the following order:

1.  /etc/hosts.allow is consulted first.  If the configuration permits the requested connection, it's allowed.
2.  /etc/hosts.deny is consulted next.  If the configuration doesn't permit the connection, it's denied.

If the connection is not specifically accepted or rejected in either file, it's denied.

The syntax in both of these files is as follows (using sshd as the example):

[root@web01 ~]# vi /etc/hosts.deny
# Deny ssh connections from 192.168.2.223
sshd: 192.168.2.223
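To make the two-file lookup order concrete, here is an added Python example (not from the notes or from the tcp_wrappers project) that parses constructed hosts.allow / hosts.deny contents in the `daemon: client` form shown above and walks them in the order described: allow first, then deny. The fallback for a connection matched by neither file is an explicit parameter, because hosts_access(5) documents that case as access granted, which is the fail-open condition a practitioner wants to check for on a real host. The client patterns handled (ALL, an exact address, a trailing-dot prefix, net/mask) are the address forms hosts_access(5) describes; hostname patterns are not implemented.

```python
import ipaddress

# Constructed sample file contents, not taken from a real host.
HOSTS_ALLOW = """
# allow ssh from the classroom network (trailing-dot prefix form)
sshd: 192.168.1.
"""
HOSTS_DENY = """
# Deny ssh connections from 192.168.2.223
sshd: 192.168.2.223
vsftpd: ALL
"""


def parse_access_file(text):
    """Return a list of (daemon_list, client_list) pairs.

    Only the 'daemon_list : client_list' line form is handled; comments
    and blank lines are skipped, and lists are comma separated.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, ip):
    """Address patterns: ALL, exact IP, trailing-dot prefix, net/netmask."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # e.g. "192.168.1." matches 192.168.1.x
        return ip.startswith(pattern)
    if "/" in pattern:                   # e.g. "192.168.1.0/255.255.255.0"
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ip == pattern


def file_matches(rules, daemon, ip):
    """True if any rule names this daemon (or ALL) and any client pattern matches."""
    return any((daemon in ds or "ALL" in ds) and any(client_matches(c, ip) for c in cs)
               for ds, cs in rules)


def wrappers_decision(allow_text, deny_text, daemon, ip, default="allow"):
    """hosts.allow is consulted first, then hosts.deny, then the fallback.

    hosts_access(5) grants access when neither file matches, so the
    default here is 'allow'; pass default='deny' to model a host that
    ends hosts.deny with 'ALL: ALL'.
    """
    if file_matches(parse_access_file(allow_text), daemon, ip):
        return "allow"
    if file_matches(parse_access_file(deny_text), daemon, ip):
        return "deny"
    return default


if __name__ == "__main__":
    for daemon, ip in [("sshd", "192.168.1.50"), ("sshd", "192.168.2.223"),
                       ("vsftpd", "10.0.0.1"), ("sshd", "10.0.0.1")]:
        print(f"{daemon:7} from {ip:15} -> {wrappers_decision(HOSTS_ALLOW, HOSTS_DENY, daemon, ip)}")
```

The last line of the sample run is the one worth noticing: sshd from 10.0.0.1 matches neither file and is allowed unless a catch-all deny line is present.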

iptables

Iptables operates at the kernel level, which allows for:

- Flexible layer 2 filtering engine
- NAT support
- Port forwarding
- And a ton more

The configuration is parsed top to bottom. First match wins. If there is no specific match, the chain policy will apply.

Tools:

[root@web01 ~]# iptables # view/modify current firewall rules
[root@web01 ~]# iptables-save # Script to save current firewall rules for use with iptables-restore
[root@web01 ~]# iptables-restore # Restores iptables-save format firewall rules - useful to setup firewalls at boot.

Personally, I like doing this stuff myself by directly editing:

/etc/sysconfig/iptables

When creating rules, considerations include:

1.  What chain should the rule apply to?  Note:  A chain is just a collection of rules.
  a.  INPUT - Any traffic coming inbound
  b.  OUTPUT - Egress filtering (outbound filtering)
  c.  FORWARD - Responsible for filtering traffic between different interfaces

2.  What traffic pattern to look for
The most common flags for the exam are posted below:
  a.  -i incoming interface
  b.  -p protocol (udp/tcp)
  c.  -s source ip address
  d.  -d destination ip address
  e.  --dport destination port

3.  What should happen with the traffic.
  a.  DROP : Do not deliver, do not respond
  b.  REJECT : Do not deliver, send reject notice
  c.  ACCEPT : Deliver
  d.  LOG : Just log the packet.

EXAM NOTE: You will probably only see INPUT chain rules.

Summary of iptables:
 iptables

What chain should the rule apply to?
 -A INPUT

What is the traffic pattern to look for?
 -s 192.168.222.2

What should happen with the traffic?
 -j REJECT

Lab

1.  Using iptables, configure your web server to NOT accept connections from the 192.168.1.0/24 network, EXCEPT for the IP address of whoever is sitting next to you.  Work together to test firewall settings, and remember, WEB server.

[root@web01 ~]# vi /etc/sysconfig/iptables
...
-A INPUT -s 192.168.1.4 -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m tcp -p tcp --dport 80 -j REJECT
...

2.  Browse through the man page for iptables.
[root@web01 ~]# man iptables

3.  Use iptables to allow ssh from the classroom network only.
[root@web01 ~]# vi /etc/sysconfig/iptables
...
-A INPUT ! -s 192.168.1.0/24 -m tcp -p tcp --dport 22 -j REJECT
...
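The lab rules only work because of the "parsed top to bottom, first match wins, otherwise the chain policy applies" rule stated earlier. The following added Python example (not from the notes, and not a substitute for the real iptables) parses a constructed /etc/sysconfig/iptables style ruleset built from the two lab exercises and evaluates sample packets against the INPUT chain with exactly that logic. It also evaluates a copy with the two web rules swapped, to show that the neighbour's ACCEPT must sit above the /24 REJECT. Only the options used in these notes (-A, -s and ! -s, -p, -m tcp, --dport, -i, -j) are understood; anything else raises an error rather than being silently ignored.

```python
import ipaddress
import shlex

# Constructed ruleset in iptables-save format, combining lab 1 and lab 3.
LAB_RULES = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.4 -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m tcp -p tcp --dport 80 -j REJECT
-A INPUT ! -s 192.168.1.0/24 -m tcp -p tcp --dport 22 -j REJECT
COMMIT
"""

# Same web rules in the wrong order: the /24 REJECT now shadows the neighbour's ACCEPT.
SWAPPED_RULES = """
:INPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.0/24 -m tcp -p tcp --dport 80 -j REJECT
-A INPUT -s 192.168.1.4 -m tcp -p tcp --dport 80 -j ACCEPT
COMMIT
"""


def parse_ruleset(text):
    """Return (chain policies, ordered rule list) from iptables-save style text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("*", "#", "COMMIT")):
            continue
        if line.startswith(":"):                 # ":INPUT ACCEPT [0:0]" -> default policy
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        toks = shlex.split(line)
        rule = {"negate_src": False}
        i = 0
        while i < len(toks):
            t = toks[i]
            if t == "!":                         # only the "! -s" form is supported here
                if toks[i + 1] != "-s":
                    raise ValueError("negation is only supported for -s in this example")
                rule["negate_src"] = True
                i += 1
                continue
            if t == "-A":
                rule["chain"] = toks[i + 1]
            elif t == "-s":
                rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
            elif t == "-p":
                rule["proto"] = toks[i + 1]
            elif t == "--dport":
                rule["dport"] = int(toks[i + 1])
            elif t == "-i":
                rule["iface"] = toks[i + 1]
            elif t == "-j":
                rule["target"] = toks[i + 1]
            elif t == "-m":
                pass                             # match module name carries no test of its own
            else:
                raise ValueError(f"unsupported option {t!r}")
            i += 2
        rules.append(rule)
    return policies, rules


def rule_matches(rule, pkt):
    """Every present criterion must hold; '! -s' inverts the source test."""
    if "src" in rule:
        in_net = ipaddress.ip_address(pkt["src"]) in rule["src"]
        if in_net == rule["negate_src"]:
            return False
    if "proto" in rule and rule["proto"] != pkt.get("proto"):
        return False
    if "dport" in rule and rule["dport"] != pkt.get("dport"):
        return False
    if "iface" in rule and rule["iface"] != pkt.get("iface"):
        return False
    return True


def verdict(ruleset_text, chain, pkt):
    """Walk the chain top to bottom; first match wins; otherwise the chain policy."""
    policies, rules = parse_ruleset(ruleset_text)
    for rule in rules:
        if rule["chain"] == chain and rule_matches(rule, pkt):
            return rule["target"]
    return policies.get(chain, "ACCEPT")


if __name__ == "__main__":
    samples = [("192.168.1.4", 80), ("192.168.1.9", 80), ("10.0.0.5", 80),
               ("10.0.0.5", 22), ("192.168.1.9", 22)]
    for src, port in samples:
        pkt = {"src": src, "proto": "tcp", "dport": port}
        print(f"{src:13} tcp/{port:<3} lab: {verdict(LAB_RULES, 'INPUT', pkt):7}"
              f" swapped: {verdict(SWAPPED_RULES, 'INPUT', pkt)}")
```

Note that 10.0.0.5 reaching port 80 is accepted by the lab ruleset: nothing matches, so the INPUT policy of ACCEPT applies, which is why a real exam answer should also be checked for what the chain policy is, not just for the explicit rules.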