authorHolger Dengler <dengler@linutronix.de>2013-05-14 09:06:13 +0200
committerHolger Dengler <dengler@linutronix.de>2015-02-20 16:32:50 +0100
commite78d50f68cb76b84a47f7ad4c1f3f4028ecaee6d (patch)
treeb8c9e6e9dcabd700b188f1dfa4b369342abb6b38 /security
parent882f09c733255f7697221717712b41ffad031e3f (diff)
security: Add firewall example
Signed-off-by: Holger Dengler <dengler@linutronix.de>
Diffstat (limited to 'security')
-rw-r--r--security/examples/Makefile9
-rw-r--r--security/examples/pres_ex_firewall.tex320
2 files changed, 329 insertions, 0 deletions
diff --git a/security/examples/Makefile b/security/examples/Makefile
new file mode 100644
index 0000000..257d70d
--- /dev/null
+++ b/security/examples/Makefile
@@ -0,0 +1,9 @@
+all:
+ for pdf in `ls -1 handout_*.tex pres_*.tex 2> /dev/null` ; do \
+ TEXINPUTS=`pwd`/../..:.:..:$(TEXINPUTS) pdflatex $$pdf; \
+ TEXINPUTS=`pwd`/../..:.:..:$(TEXINPUTS) pdflatex $$pdf; \
+ done
+
+clean:
+ rm -f *.aux *.log *.pdf *.log *.snm *.toc *.vrb *.nav *.out
+
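Review bot: The `clean` target lists `*.log` twice in `rm -f *.aux *.log *.pdf *.log *.snm ...`; one of them can go. The `all` loop walks the output of `ls -1 handout_*.tex pres_*.tex 2> /dev/null`, which is fragile on odd filenames and spawns a subshell only to tolerate a missing pattern; the same effect is had at make level with `for pdf in $(wildcard handout_*.tex pres_*.tex); do \`, which expands to nothing when neither pattern matches. Running `pdflatex` twice per file without `-interaction=nonstopmode` will also hang the build on the first TeX error, which is presumably unintended for a batch `all` target.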
diff --git a/security/examples/pres_ex_firewall.tex b/security/examples/pres_ex_firewall.tex
new file mode 100644
index 0000000..84e384a
--- /dev/null
+++ b/security/examples/pres_ex_firewall.tex
@@ -0,0 +1,320 @@
+\def\lximg{/usr/share/lx/icons/fueller.png}
+
+\input{configpres}
+
+\subsection{Firewall Examples}
+
+\title{Example Firewall}
+\maketitle
+
+\def\lximg{none}
+
+\begin{frame}
+\frametitle{Contents}
+\tableofcontents
+\end{frame}
+
+% ----------------------------
+\subsubsection{Initialization}
+
+\begin{frame}[fragile]
+\frametitle{iptables config}
+\begin{itemize}
+\item Create and change to new directory ex\_ipt
+\item Get root (su)
+\item Print current iptables configuration (iptables)
+\item Save current configuration (iptables-save)
+\item Reset iptables configuration (iptables)
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{tiny}
+\begin{verbatim}
+mkdir ex_ipt
+cd ex_ipt
+su
+iptables -L
+iptables-save > start.conf
+iptables -X
+iptables -F
+iptables -Z
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Policy}
+
+\begin{frame}[fragile]
+\frametitle{Default Policy}
+\begin{itemize}
+\item Drop all incoming, outgoing and forwarding traffic
+\item Save this default policies to file
+\item Reset iptables and restore saved config
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{tiny}
+\begin{verbatim}
+iptables -P INPUT DROP
+iptables -P OUTPUT DROP
+iptables -P FORWARD DROP
+iptables-save > step1
+iptables -F
+iptables-restore < step1
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{User-defined Chains}
+
+\begin{frame}[fragile]
+\frametitle{LOGDROP}
+\begin{itemize}
+\item From now on, edit stepX file and load with iptables-restore
+\item Create new Chain LOGDROP
+\item Log and drop INPUT and OUTPUT traffic with new chain
+\item Check with ping
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{tiny}
+\begin{verbatim}
+# New chain
+:LOGDROP - [0:0]
+-A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "LOGDROP: "
+-A LOGDROP -j DROP
+
+# Catch all falling through
+-A INPUT -i eth0 -j LOGDROP
+-A OUTPUT -o eth0 -j LOGDROP
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Traffic Filter}
+
+\begin{frame}[fragile]
+\frametitle{Allow loopback traffic}
+\begin{itemize}
+\item Allow INPUT and OUTPUT traffic on interface lo
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{tiny}
+\begin{verbatim}
+# loopback
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{DNS}
+\begin{itemize}
+\item Allow DNS requests from this machine (UDP, Port 53)
+\item Allow DNS responses
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{tiny}
+\begin{verbatim}
+# DNS
+-A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+-A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{ICMP}
+\begin{itemize}
+\item Allow simple ping requests (icmp-type 0 and 8)
+\item Limit to 2 requests per second
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{tiny}
+\begin{verbatim}
+# PING limited accept
+-A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
+-A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
+-A INPUT -p icmp -j DROP
+# Limit outgoing PING as well
+-A OUTPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
+-A OUTPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
+-A OUTPUT -p icmp -j DROP
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Established Connections}
+\begin{itemize}
+\item Allow INPUT and OUTPUT traffic for all ESTABLISHed connections
+\item Remove obsolete rules (DNS)
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{tiny}
+\begin{verbatim}
+# Allow established connections in and out
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
+[...]
+# DNS
+-A OUTPUT -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
+# -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Log new connections}
+\begin{itemize}
+\item Create new Chain LOGNEW\_ACCEPT
+\item New Connections should be logged with prefix ''New: ''
+\item Traffic should be accepted
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{tiny}
+\begin{verbatim}
+# LOGNEW_ACCEPT Chain
+:LOGNEW_ACCEPT - [0:0]
+-A LOGNEW_ACCEPT -m state --state NEW -j LOG --log-prefix "New: "
+-A LOGNEW_ACCEPT -j ACCEPT
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Log new DNS connections}
+\begin{itemize}
+\item Log new DNS connection with rule LOGNEW\_ACCEPT
+\end{itemize}
+
+\pause
+
+\begin{beamerboxesrounded}[shadow=true]{Solution:}
+\begin{tiny}
+\begin{verbatim}
+# DNS
+-A OUTPUT -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED \
+ -j LOGNEW_ACCEPT
+\end{verbatim}
+\end{tiny}
+\end{beamerboxesrounded}
+\end{frame}
+
+% ----------------------------
+\subsubsection{Summary}
+
+\begin{frame}[fragile]
+\frametitle{Full example with Ping, DNS, and SSH}
+\begin{tiny}
+\begin{verbatim}
+# Generated by iptables-save v1.4.14 on Sat Apr 6 19:47:41 2013
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+
+# New chain
+:LOGDROP - [0:0]
+-A LOGDROP -m limit --limit 2/min -j LOG --log-prefix "LOGDROP: "
+-A LOGDROP -j DROP
+
+# DNS Chain
+:LOGNEW_ACCEPT - [0:0]
+-A LOGNEW_ACCEPT -m state --state NEW -j LOG --log-prefix "New: "
+-A LOGNEW_ACCEPT -j ACCEPT
+\end{verbatim}
+\end{tiny}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Full example with Ping, DNS, and SSH}
+\begin{tiny}
+\begin{verbatim}
+# loopback
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+
+# PING limited accept
+-A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
+-A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
+-A INPUT -p icmp -j LOGDROP
+-A OUTPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
+-A OUTPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
+-A OUTPUT -p icmp -j LOGDROP
+
+# Allow established connections in and out
+-A INPUT -m state --state ESTABLISHED -j ACCEPT
+-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
+\end{verbatim}
+\end{tiny}
+\end{frame}
+
+% ----------------------------
+\begin{frame}[fragile]
+\frametitle{Full example with Ping, DNS, and SSH}
+\begin{tiny}
+\begin{verbatim}
+# DNS
+-A OUTPUT -p udp --dport 53 --sport 1024:65535 -m state --state NEW,ESTABLISHED \
+ -j LOGNEW_ACCEPT
+
+# Outgoing SSH
+-A OUTPUT -p tcp --dport ssh --sport 1024:65535 -m state --state NEW,ESTABLISHED \
+ -j LOGNEW_ACCEPT
+
+# Incoming SSH
+-A INPUT -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j LOGNEW_ACCEPT
+
+# Catch all falling through
+-A INPUT -i eth0 -j LOGDROP
+-A OUTPUT -o eth0 -j LOGDROP
+
+COMMIT
+# Completed on Sat Apr 6 19:47:41 2013
+\end{verbatim}
+\end{tiny}
+\end{frame}
+
+% ----------------------------
+\subsection{}
+\input{tailpres}
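Review bot: The incoming SSH rule in the summary listing, `-A INPUT -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j LOGNEW_ACCEPT`, accepts new connections to port 22 from any source with no throttling, so the "full example" exposes SSH to the whole network and leaves password guessing unbounded; for a teaching slide that may be deliberate, but a sentence saying so, plus a `-s <admin-net>` restriction or an `-m recent`/`hashlimit` throttle, would be worth adding. Because `--state NEW` also matches a stray non-SYN TCP segment, the usual guard `-A INPUT -p tcp ! --syn -m state --state NEW -j LOGDROP` placed before the SSH rule would be a useful addition to the example. Separately, the two catch-all accept rules use `--state ESTABLISHED` without `RELATED`, and all remaining ICMP is sent to LOGDROP earlier in INPUT, so ICMP errors for the host's own connections (destination-unreachable, fragmentation-needed) are dropped and path MTU discovery breaks; `-m state --state ESTABLISHED,RELATED` on those two rules fixes that. The DNS rule only permits UDP, so truncated responses that fall back to TCP 53 will hit LOGDROP, which is worth a one-line caveat on the DNS slide. Finally, the policy slide sets `iptables -P INPUT DROP` interactively before any ACCEPT rule exists, which locks out a remote session; a note that this is meant for a console/VM, or that the whole set should be loaded atomically via `iptables-restore`, would help students.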