What is SELinux and what is iptables? What is the difference between the two?
SELinux
NSA Security-Enhanced Linux (SELinux) is an implementation of flexible mandatory
access control architecture in the Linux operating system. The SELinux architecture
provides general support for the enforcement of many kinds of mandatory access
control policies, including those based on the concepts of Type Enforcement, Role-Based
Access Control, and Multi-Level Security. Background information and technical
documentation about SELinux can be found at http://www.nsa.gov/research/selinux.
The /etc/selinux/config configuration file controls whether SELinux is enabled or
disabled, and if enabled, whether SELinux operates in permissive mode or enforcing
mode. The SELINUX variable may be set to any one of disabled, permissive, or
enforcing to select one of these options. The disabled option completely disables the
SELinux kernel and application code, leaving the system running without any SELinux
protection. The permissive option enables the SELinux code, but causes it to operate
in a mode where accesses that would be denied by policy are permitted but audited.
The enforcing option enables the SELinux code and causes it to enforce access denials
as well as auditing them. Permissive mode may yield a different set of denials than
enforcing mode, both because enforcing mode will prevent an operation from
proceeding past the first denial and because some application code will fall back to a
less privileged mode of operation if denied access.
The /etc/selinux/config configuration file also controls what policy is active on the
system. SELinux allows for multiple policies to be installed on the system, but only one
policy may be active at any given time. At present several kinds of SELinux policy
exist, for example targeted and mls. The targeted policy is designed as a policy where
most user processes operate without restrictions, and only specific services are placed
into distinct security domains that are confined by the policy. For example, the user
would run in a completely unconfined domain while the named daemon or apache
daemon would run in a specific domain tailored to its operation. The MLS (Multi-Level
Security) policy is designed as a policy where all processes are partitioned into
fine-grained security domains and confined by policy. MLS also supports the
Bell-LaPadula model, where processes are not only confined by the type but also by
the level of the data.
You can define which policy you will run by setting the SELINUXTYPE variable within
/etc/selinux/config (it is a setting in that file, not an environment variable). You must
reboot, and possibly relabel the filesystem (touch /.autorelabel before rebooting), if
you change the policy type, for it to take effect on the system. The corresponding
policy configuration for each such policy must be installed in the
/etc/selinux/{SELINUXTYPE}/ directories.
Many domains that are protected by SELinux also include SELinux man pages
explaining how to customize their policy.
iptables
Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in
the Linux kernel. Several different tables may be defined. Each table contains a
number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what
to do with a packet that matches. This is called a target, which may be a jump to a
user-defined chain in the same table.
Differences
SELinux is a security enhancement to Linux that gives administrators control over
which users and applications can access which resources, such as files. Standard Linux
access controls, such as file modes (-rwxr-xr-x), are discretionary: they can be changed
by the owning user and by any application that user runs. SELinux access controls are
mandatory: they are determined by the policy loaded on the system and cannot be
changed by careless users or misbehaving applications.
iptables, by contrast, is a packet filter. It sets up, maintains, and inspects the tables
of IP packet filter rules in the Linux kernel and decides which network packets are
accepted, dropped, rejected, or rewritten (NAT). It says nothing about what a process
may do once a packet has been delivered to it. The two are complementary: iptables
limits which network traffic reaches a service, and SELinux limits what that service
may touch on the host, for example which ports it may bind and which files it may read.
What does sealert do, and what does semanage do? Explain the usage of both.
Sealert is the user interface component (either GUI or command line) to the
setroubleshoot system. setroubleshoot is used to diagnose SELinux denials and
attempts to provide user friendly explanations for a SELinux denial (e.g. AVC) and
recommendations for how one might adjust the system to prevent the denial in the
future.
In a standard configuration setroubleshoot is composed of two components,
setroubleshootd and sealert.
sealert can be run in either a GUI mode or a command line mode. In both cases sealert
runs as a user process with the privileges of the invoking user. In GUI mode it attaches
to a setroubleshootd server instance and listens for notifications of new alerts. When a
new alert arrives it notifies the desktop user via a notification in the status icon area;
the user can then click the notification to open an alert browser. In addition to the
current alert, sealert communicates with the setroubleshootd daemon to access all prior
alerts stored in the setroubleshoot database. From the command line,
sealert -a /var/log/audit/audit.log analyzes the AVC denials in the audit log and prints
the explanation and suggested fix for each, and sealert -l <id> shows a single alert by
the id that setroubleshoot writes to /var/log/messages.
semanage is used to configure certain elements of SELinux policy without modifying or
recompiling the policy sources. This includes the mapping from Linux usernames to
SELinux user identities (which controls the initial security context assigned to Linux
users when they log in and bounds their authorized role set), the security context
mappings for various kinds of objects, such as network ports (semanage port),
interfaces (semanage interface) and nodes, i.e. hosts (semanage node), the file context
mapping (semanage fcontext), and policy booleans (semanage boolean). Note that the
semanage login command deals with the mapping from Linux usernames (logins) to
SELinux user identities, while the semanage user command deals with the mapping from
SELinux user identities to authorized role sets. In most cases only the former mapping
needs to be adjusted by the administrator; the latter is principally defined by the base
policy and usually does not require modification. Changes made with semanage are
stored in the policy store and survive reboots, which is what distinguishes them from a
one-off chcon or a setsebool without -P.
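As an added example (not from the original page or from the semanage documentation), the following script shows the two semanage operations an administrator most often needs, port labeling and file-context mapping, together with the check that decides between semanage port -a and semanage port -m: -a fails with "already defined" when the port already belongs to another type, which is exactly the case for 8080 (http_cache_port_t) when httpd is to listen on it. The port listing embedded in the script is a constructed excerpt in the format of semanage port -l; the directory /srv/www and the port numbers are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: pick the right semanage port
# subcommand and relabel a web root.  SAMPLE_PORT_LIST is a constructed
# excerpt in the format of "semanage port -l"; replace it with real output
# on a live host.  Port numbers and /srv/www are illustrative assumptions.
SAMPLE_PORT_LIST='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22'

# port_type_for PROTO PORT [LISTING]: print the SELinux type that owns
# PORT/PROTO, or nothing if the port is unlabeled.  Understands "a-b" ranges.
port_type_for() {
  proto=$1; port=$2; listing=${3:-$SAMPLE_PORT_LIST}
  printf '%s\n' "$listing" | awk -v proto="$proto" -v port="$port" '
    NR > 1 && $2 == proto {
      for (i = 3; i <= NF; i++) {
        p = $i; sub(/,$/, "", p)
        if (split(p, r, "-") == 2) {
          if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) { print $1; exit }
        } else if (p == port) { print $1; exit }
      }
    }'
}

# semanage_port_cmd TYPE PROTO PORT [LISTING]: print the command that labels
# PORT as TYPE.  "semanage port -a" fails with "already defined" when the
# port belongs to another type, in which case "-m" (modify) is required.
semanage_port_cmd() {
  stype=$1; proto=$2; port=$3; listing=${4:-$SAMPLE_PORT_LIST}
  owner=$(port_type_for "$proto" "$port" "$listing")
  if [ -z "$owner" ]; then
    printf 'semanage port -a -t %s -p %s %s\n' "$stype" "$proto" "$port"
  elif [ "$owner" = "$stype" ]; then
    printf '# %s/%s is already %s; nothing to do\n' "$proto" "$port" "$stype"
  else
    printf 'semanage port -m -t %s -p %s %s\n' "$stype" "$proto" "$port"
  fi
}

# label_web_root DIR: add a persistent file-context rule and apply it.
# "semanage fcontext" only records the mapping; restorecon rewrites labels.
label_web_root() {
  dir=$1
  semanage fcontext -a -t httpd_sys_content_t "${dir}(/.*)?"
  restorecon -Rv "$dir"
}

# Demo against the constructed listing (needs neither root nor SELinux).
semanage_port_cmd http_port_t tcp 8080   # -m: 8080 belongs to http_cache_port_t
semanage_port_cmd http_port_t tcp 8081   # -a: unlabeled
semanage_port_cmd http_port_t tcp 443    # already http_port_t
```

On a live system feed the real listing in, for example semanage_port_cmd http_port_t tcp 8080 "$(semanage port -l)" | sh. semanage fcontext only records the mapping in the policy store; nothing on disk changes until restorecon (or a full relabel) applies it, which is the step most often forgotten.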
I'm using ftp and I'm not able to see/access user home directories. How will I
fix this ?
setsebool -P ftp_home_dir on
The -P flag makes the change persistent across reboots; without it the boolean reverts
the next time policy is loaded. Check the current value with getsebool ftp_home_dir. The
home directories must also carry their normal labels (user_home_dir_t); if they were
copied or created in a way that left them mislabeled, run restorecon -R /home.
In FTP, I'm not able to write as anonymous user. How will I fix this ?
setsebool -P allow_ftpd_anon_write on
setsebool needs a value (on/off or 1/0). On newer policies (RHEL 7 and later) the
boolean is named ftpd_anon_write. The boolean alone is not enough: the directory that
anonymous users upload to must also be labeled public_content_rw_t, e.g.
semanage fcontext -a -t public_content_rw_t "/var/ftp/pub/upload(/.*)?"
restorecon -Rv /var/ftp/pub/upload
What are chains that are available in IPTABLES? Where is the config file of
IPTABLES located?
The built-in chains depend on the table. The default filter table has INPUT, FORWARD
and OUTPUT; the nat table has PREROUTING, OUTPUT and POSTROUTING (newer kernels
also have an INPUT chain in nat); the mangle table has all five (PREROUTING, INPUT,
FORWARD, OUTPUT, POSTROUTING); and the raw table has PREROUTING and OUTPUT.
User-defined chains can be added to any table with iptables -N.
On Red Hat-style systems the saved rule set that the iptables service loads lives in
/etc/sysconfig/iptables (written by service iptables save, or by iptables-save), while
/etc/sysconfig/iptables-config holds the service's own settings, such as which modules
to load and whether to save the rules on stop or restart. The rules currently in the
kernel are listed with iptables -L -n -v (add -t nat for another table).
Write a rule to allow all communication to anywhere from the Linux machine
Outbound traffic leaves through the OUTPUT chain, so accepting everything there allows
the machine to talk to anywhere:
iptables -P OUTPUT ACCEPT
The replies must be allowed back in as well; rather than one rule per protocol, let the
connection tracker admit them:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The following pair is a much narrower version of the same idea and only allows the
machine to ping out and receive the echo replies:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
Write a rule to NAT internal IP address to public IP address when going out
to internet
Source NAT happens in the nat table's POSTROUTING chain; a FORWARD rule only lets the
packets through, it does not translate them. Assuming eth0 faces the internet and eth1
the internal network, and that IP forwarding is enabled (net.ipv4.ip_forward = 1):
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
If the public address is static, use -j SNAT --to-source <public IP> instead of
MASQUERADE.
I misconfigured the iptables rules: I wrote a rule to reject traffic which was
supposed to be the last rule. Now the machine is not getting any traffic. How will
you fix it?
The rule set in the kernel is what is blocking traffic, so first make the machine
reachable again, then fix the saved rules so the problem does not come back at the next
start. On a Red Hat-style system:
# service iptables stop
stops the service, which flushes all rules and sets the built-in chain policies to
ACCEPT. Without the init script, iptables -F (flush) removes the rules in the same way;
note that the option is -F, there is no "flush" subcommand. Do not run
service iptables save at this point: save writes the rules currently in the kernel,
which are now empty, over /etc/sysconfig/iptables and discards the rule set you wanted
to repair.
Next edit /etc/sysconfig/iptables so that the REJECT rule is the last rule in its chain,
then
# service iptables start
loads the corrected file. If you restart the service without editing the file, the same
wrong order is loaded again.
How to add a rule in specific location of IPTABLES rules and How to delete
certain rule from IPTABLES
List the rules with their positions first: iptables -L INPUT -n --line-numbers. To add
a rule at a specific position use -I with the rule number, e.g.
iptables -I INPUT 3 -p tcp --dport 80 -j ACCEPT inserts the rule as number 3 and shifts
the rules below it down (without a number, -I inserts at the top; -A appends at the
bottom). To delete a rule, either give its number, iptables -D INPUT 4 (4 being the rule
number within the INPUT chain, not a chain number), or repeat the exact rule
specification with -D in place of -A. Rule numbers change after every deletion, so list
again before deleting a second rule by number.
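Added example, not part of the original page: because rules are addressed by their position, a script should look the number up immediately before acting on it. The INPUT listing embedded here is a constructed sample in the format of iptables -L INPUT -n --line-numbers; on a live host the delete_rule and insert_before functions call iptables themselves and need root.

```shell
#!/bin/sh
# Added example, not from the original page: locate a rule by content and
# delete, or insert relative to, that position.  SAMPLE_INPUT_CHAIN is a
# constructed listing in the format of "iptables -L INPUT -n --line-numbers".
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
4    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80'

# rule_number PATTERN [LISTING]: print the number of the first rule whose
# text matches the extended regex PATTERN, or nothing if none matches.
# The first two lines of the listing are the chain header and column names.
rule_number() {
  pattern=$1; listing=${2:-$SAMPLE_INPUT_CHAIN}
  printf '%s\n' "$listing" | awk -v pat="$pattern" 'NR > 2 && $0 ~ pat { print $1; exit }'
}

# delete_rule CHAIN PATTERN: look the number up on the live chain and delete
# it.  Numbers shift after each deletion, so never reuse a stale number.
delete_rule() {
  chain=$1; pattern=$2
  n=$(rule_number "$pattern" "$(iptables -L "$chain" -n --line-numbers)")
  [ -n "$n" ] || { echo "no rule in $chain matches: $pattern" >&2; return 1; }
  iptables -D "$chain" "$n"
}

# insert_before CHAIN PATTERN RULE...: insert RULE just above the first rule
# matching PATTERN (typically the catch-all REJECT) with "iptables -I CHAIN N".
insert_before() {
  chain=$1; pattern=$2; shift 2
  n=$(rule_number "$pattern" "$(iptables -L "$chain" -n --line-numbers)")
  [ -n "$n" ] || { echo "no rule in $chain matches: $pattern" >&2; return 1; }
  iptables -I "$chain" "$n" "$@"
}

# Demo on the constructed listing: the http rule (5) sits after the catch-all
# REJECT (4), so it never fires; these are the numbers you would act on, e.g.
#   delete_rule INPUT 'dpt:80$'
#   insert_before INPUT REJECT -p tcp --dport 80 -m state --state NEW -j ACCEPT
rule_number 'REJECT'
rule_number 'dpt:80$'
```

Matching on the listing text rather than on a remembered number is what makes this safe to run twice: if the rule is already gone, rule_number prints nothing and the function refuses instead of deleting whatever now occupies that slot.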
How do you take back up IPTABLES and how do you flush certain chain in
IPTABLES
Back up the running rule set with iptables-save, which writes every table in the form
that iptables-restore loads:
iptables-save > /root/iptables.backup
iptables-restore < /root/iptables.backup
On Red Hat-style systems service iptables save writes the same dump to
/etc/sysconfig/iptables. Run save while the rules are loaded: stopping the service first
flushes the kernel rules, so "service iptables stop" followed by "service iptables save"
saves an empty rule set.
Flush one chain by naming it, iptables -F INPUT (add -t nat, for example, for a chain in
another table); iptables -F with no chain flushes every chain of the filter table.
Flushing does not reset chain policies, so a DROP policy on INPUT remains in effect
after the flush (iptables -P INPUT ACCEPT resets it).
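The two answers above (recovering from a misplaced REJECT, and backing up and flushing rules) share one workflow, shown here as an added example that is not from the original page: back up with iptables-save, check that any catch-all DROP/REJECT is the last rule of its chain before loading a file, fix the order if it is not, and apply new rules with a timed automatic rollback so that a mistake cannot lock you out of a remote machine. The iptables-save dump embedded in the script is a constructed sample; the backup path under /root and the 120-second window are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: safe handling of iptables rule
# files.  SAMPLE_DUMP is a constructed rule set in iptables-save format in
# which the catch-all REJECT was appended before the last ACCEPT rule, the
# mistake described in the text.  Backup path and rollback window are
# assumptions.
SAMPLE_DUMP='# Generated by iptables-save v1.4.7 on Mon Jan  1 10:00:00 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# A "catch-all" is a DROP/REJECT rule with no match at all; anything after
# it in the same chain can never be reached.
CATCHALL='^-A [^ ]+ -j (DROP|REJECT)( --reject-with [a-z-]+)?$'

# lint_catchall: read an iptables-save dump on stdin; report every chain whose
# catch-all is not its last rule.  Exit 1 if any were found.
lint_catchall() {
  awk -v re="$CATCHALL" '
    /^\*/  { table = substr($0, 2) }
    /^-A / { key = table "/" $2; n[key]++
             if ($0 ~ re) { at[key] = n[key]; tgt[key] = $4 } }
    END {
      bad = 0
      for (k in at) if (at[k] < n[k]) {
        printf "%s: catch-all %s is rule %d of %d; rules after it never match\n",
               k, tgt[k], at[k], n[k]
        bad = 1
      }
      exit bad
    }'
}

# fix_catchall: rewrite the dump on stdin so every catch-all rule is emitted
# at the end of its table (hence last in its chain), just before COMMIT.
fix_catchall() {
  awk -v re="$CATCHALL" '
    $0 ~ re    { held = held $0 "\n"; next }
    /^COMMIT$/ { printf "%s", held; held = "" }
    { print }'
}

# safe_apply RULES_FILE [SECONDS]: lint, back up the live rules, load the
# file, and schedule an automatic restore of the backup.  If the new rules
# lock you out, the machine comes back by itself; if they work, kill the
# timer.  Requires root.
safe_apply() {
  rules=$1; window=${2:-120}
  lint_catchall < "$rules" || { echo "refusing to load $rules" >&2; return 1; }
  backup=/root/iptables.$(date +%Y%m%d%H%M%S).bak
  iptables-save > "$backup"
  ( sleep "$window"; iptables-restore < "$backup" ) &
  timer=$!
  iptables-restore < "$rules"
  echo "loaded $rules; previous rules saved in $backup"
  echo "still reachable? cancel the rollback with: kill $timer  (fires in ${window}s)"
}

# Demo on the constructed dump: report the misplaced REJECT, then fix it.
printf '%s\n' "$SAMPLE_DUMP" | lint_catchall || echo "-> reorder with fix_catchall"
printf '%s\n' "$SAMPLE_DUMP" | fix_catchall | lint_catchall && echo "fixed dump is clean"
```

Moving the catch-all to just before COMMIT is enough because iptables-restore appends rules to each chain in the order they appear, and chains are independent of one another. The rollback timer is the important habit: an iptables-restore that cuts off your SSH session is undone two minutes later without anyone at the console.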
The rule explained here is iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE. It
uses the NAT packet matching table (-t nat) and specifies the built-in POSTROUTING
chain for NAT (-A POSTROUTING) on the firewall's external networking device (-o eth0).
POSTROUTING allows packets to be altered as they are leaving the firewall's external
device.
The -j MASQUERADE target is specified to mask the private IP address of a node with
the external IP address of the firewall/gateway.
This target is only valid in the nat table, in the POSTROUTING chain. It should only be
used with dynamically assigned IP (dialup) connections: if you have a static IP address,
you should use the SNAT target. Masquerading is equivalent to specifying a mapping
to the IP address of the interface the packet is going out, but also has the effect that
connections are forgotten when the interface goes down. This is the correct behavior
when the next dialup is unlikely to have the same interface address (and hence any
established connections are lost anyway). It takes one option:
--to-ports port[-port]
This specifies a range of source ports to use, overriding the default SNAT source
port-selection heuristics. This is only valid if the rule also specifies -p tcp or
-p udp.
--random
Randomize source port mapping. If option --random is used then port mapping will be
randomized (kernel >= 2.6.21).
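To put the MASQUERADE explanation into a complete gateway configuration, here is an added example (not from the original page or from the iptables documentation) that generates the full rule set: IP forwarding, the FORWARD rules that let LAN traffic out and only replies back in, and the POSTROUTING rule, choosing MASQUERADE for a dynamically addressed uplink and SNAT --to-source for a static one, as the text recommends. The interface names eth0 (external) and eth1 (internal) and the address 203.0.113.10 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: generate the complete rule set
# for a NAT gateway.  EXT is the interface facing the internet, INT the LAN
# side; the interface names and 203.0.113.10 are assumptions.
nat_gateway_rules() {
  ext=$1; int=$2; static_ip=${3:-}
  # Without forwarding the kernel never routes between interfaces, and the
  # FORWARD chain sees nothing.
  echo "sysctl -w net.ipv4.ip_forward=1"
  # filter/FORWARD: LAN hosts may go out; only replies may come back in.
  echo "iptables -A FORWARD -i $int -o $ext -j ACCEPT"
  echo "iptables -A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $ext -o $int -j DROP"
  # nat/POSTROUTING: rewrite the source address as packets leave on EXT.
  if [ -z "$static_ip" ]; then
    # Dynamic uplink address: MASQUERADE uses whatever address EXT currently
    # has and forgets its mappings when EXT goes down.
    echo "iptables -t nat -A POSTROUTING -o $ext -j MASQUERADE"
  else
    # Fixed public address: SNAT does not look the address up per packet and
    # keeps its connection state across interface flaps.
    echo "iptables -t nat -A POSTROUTING -o $ext -j SNAT --to-source $static_ip"
  fi
}

# apply_nat_gateway EXT INT [STATIC_IP]: execute the generated commands
# (root required); review them first with nat_gateway_rules alone.
apply_nat_gateway() { nat_gateway_rules "$@" | sh -e; }

# Dry run: print both variants without touching the kernel.
nat_gateway_rules eth0 eth1
echo "--- with a static public address:"
nat_gateway_rules eth0 eth1 203.0.113.10
```

Generating the commands and piping them to sh -e keeps a reviewable copy of exactly what was applied, and sh -e stops at the first failing command instead of leaving a half-built gateway (for example forwarding enabled but no NAT, which leaks private source addresses onto the uplink).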
I want to log all the traffic that is coming into my machine. How can I do it
through IPTABLES
iptables -A INPUT -j LOG
Traffic coming into the machine traverses the INPUT chain, so that one rule answers the
question; logging OUTPUT and FORWARD as well records outgoing and routed traffic:
iptables -A OUTPUT -j LOG
iptables -A FORWARD -j LOG
LOG is a non-terminating target: the packet continues to the next rule, so these rules
must come before the rule that finally accepts or drops the packet. The entries go to the
kernel log (dmesg, /var/log/messages or the journal). Without -m limit such a rule logs
every single packet and can fill the disk, so in practice add a prefix and a rate limit,
e.g. --log-prefix "IPT-IN: " together with -m limit --limit 5/min.
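As an added example that is not from the original page, the script below first shows a LOG rule that records only new inbound connections, rate-limited and prefixed so the lines can be found, and then summarizes such lines by source address and destination port, which is what you actually want from a log of inbound traffic. The kernel log lines embedded in the script are constructed samples in the format produced by the LOG target; the addresses and the IPT-IN: prefix are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: log inbound connection attempts
# without flooding the log, then summarize the LOG lines.  SAMPLE_LOG holds
# constructed kernel lines in the format the LOG target emits; addresses and
# the "IPT-IN: " prefix are assumptions.
log_rules() {
  # Log only new inbound connections, rate-limited, with a searchable prefix.
  iptables -A INPUT -m state --state NEW -m limit --limit 5/min --limit-burst 20 \
    -j LOG --log-prefix "IPT-IN: " --log-level 4
}

SAMPLE_LOG='Jan  1 10:00:01 gw kernel: IPT-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  1 10:00:02 gw kernel: IPT-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  1 10:00:03 gw kernel: IPT-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=3 DF PROTO=TCP SPT=40000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  1 10:00:04 gw kernel: IPT-IN: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=54 ID=4 PROTO=UDP SPT=5353 DPT=53 LEN=56
Jan  1 10:00:05 gw kernel: sshd[123]: Accepted publickey for ops from 10.0.0.9 port 5000'

# log_summary [PREFIX]: read log lines on stdin and print "count proto src dpt"
# for every source/port pair, most frequent first.  Lines without PREFIX
# (other kernel or syslog traffic) are ignored.
log_summary() {
  prefix=${1:-IPT-IN: }
  awk -v prefix="$prefix" '
    index($0, prefix) == 0 { next }
    {
      src = ""; dpt = ""; proto = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)   src = substr($i, 5)
        if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        if ($i ~ /^PROTO=/) proto = substr($i, 7)
      }
      if (src != "") count[proto " " src " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# hits SRC DPT: number of logged attempts from SRC to port DPT in SAMPLE_LOG.
hits() {
  printf '%s\n' "$SAMPLE_LOG" | log_summary |
    awk -v s="$1" -v d="$2" '$3 == s && $4 == d { print $1; exit }'
}

# Demo on the constructed lines; on a live host use e.g.
#   grep 'IPT-IN: ' /var/log/messages | log_summary | head
printf '%s\n' "$SAMPLE_LOG" | log_summary
```

The limit module is what keeps this usable: a scan of a thousand ports would otherwise produce a thousand kernel messages per second, and the rule matches NEW only so established flows are not logged packet by packet.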
I've added a few rules in iptables, but when I list all the rules I do not see the newly
added ones. How can I fix/troubleshoot this?
First make sure you are listing the right table and chain: iptables -L shows only the
filter table, so rules added with -t nat or -t mangle appear only under
iptables -t nat -L (or in the output of iptables-save, which prints every table). Rules
added to a user-defined chain are listed under that chain, not under INPUT. If the rules
were written into /etc/sysconfig/iptables by hand, they are not active until the file is
loaded:
service iptables restart
Conversely, rules added on the command line are lost on restart unless they are saved
first with service iptables save while they are loaded; do not stop the service before
saving, as that saves an empty rule set.