
Re: New to iptables




On Wed, Jan 04, 2017 at 10:54:53AM -0600, Richard Owlett wrote:
> I'm searching for an introduction to iptables that leads me to
> answers to the questions *I* have. I've got a flock of links I'm
> working thru.

Take your time...

> In the meantime I have a few questions.
> 
> One of the links led to _Securing Debian Manual_ and in particular
> "Appendix F - Security update protected by a firewall"
> {https://www.debian.org/doc/manuals/securing-debian-howto/ap-fw-security-update.en.html}
> 
> I follow the description as far as it goes - i.e. access is limited
> to a specific URL.

Aside from the (very valid) remarks by Dan, here are a few points:

 (a) firewall rules concern themselves (mainly) with network
   things, that is, hosts and ports (to follow the -- rushed --
   example in your reference, security.debian.org and 80,
   typically for HTTP, or 443, typically for HTTPS). Saying that
   you "limit access to a specific URL" is most probably an
   error which comes from mixing up layers which don't belong
   together.

 (b) if you want good understanding on what firewall rules do,
   I'd recommend (at least) skimming a good networking book
   and trying to work through an example of how, e.g. one
   HTTP transaction (any other simple protocol might do) works,
   so you can "see" where the several parts of the URL fit
   in. Although a bit heavy, I can sincerely recommend
   "TCP/IP Illustrated" by Richard W. Stevens.

> QUESTION 1
> What happens if the URL is not "security.debian.org" but my bank.
> I assume that there is no problem with links within the same domain.
> I DO know however that the site gets information from other sites to
> handle my requests. From what I can follow they are JavaScripts
> applets(right word) to display information. What would happen?

Point above is relevant here: the host/port part of the URL terminates
at

   http://www.yourbank.com

So with firewall rules you can typically restrict wholesale for
any URL which starts like this.

Whatever (possibly insecure) Javascript comes through the connection
is something the firewall rules are not concerned with (and how
should they? they run in-kernel, and if you use encryption, something
your bank better does, only your client (i.e. the browser) and
the bank's web server should be able to read what's going on (otherwise
you'd have a "man in the middle", something nobody using encryption
really wants to have [1])).

> Because of my uncertainties I intend to have a "sandboxed" install.
> The associated partition will have only Debian and the browser.

But you pointed out one of the big vulnerable spots these days:
a browser (especially when it has dubious plugins. Adobe, I'm
looking at you!).

> Question 2
> There will be a separate install of Debian that I will use for
> "everything else". Can the iptables of that install be set to allow
> access to any domain *EXCEPT* my bank's? The goal being minimization
> of "operator error".

If your "sandboxed" install is set up to use your "everything else"
install (which you consider reasonably secure, I take) as a router,
then yes, you can tweak your mothership's iptables rules (forwarding)
to keep your sandbox to see your bank's host (note the somewhat
more restricted verbiage).

> Question 3
> Is there a simple minded tool that I could enter the show in the
> example in "Appendix F".

Sorry, couldn't parse this question.

Regards
[1] Except for debugging purposes. Promised.

-- t

> TIA
> 
> 
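Added example, not from the thread or from anyone on it: a sketch of the "mothership as router" setup the reply describes. The FORWARD rules let the sandbox reach only the bank's host on port 443 (plus DNS, without which the bank's name never resolves), and a single OUTPUT rule does the Question 2 mirror image for the router's own traffic. It also shows point (a) concretely: every match is on a host address or a port, never on a URL path. The interface name `sandbox0`, the addresses (documentation ranges) and the assumption that the sandbox's resolver is a separate host are all made up for the example; a FORWARD default policy of DROP is assumed to be set elsewhere.

```shell
#!/bin/sh
# Added example (not code from the thread). Constructed assumptions:
SANDBOX_IF="${SANDBOX_IF:-sandbox0}"        # interface the sandbox sits behind
SANDBOX_IP="${SANDBOX_IP:-192.0.2.10}"      # the sandbox's address
BANK_IP="${BANK_IP:-198.51.100.20}"         # what www.yourbank.com resolves to
RESOLVER_IP="${RESOLVER_IP:-192.0.2.1}"     # DNS server the sandbox may ask
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print the commands, 0 = run them

# Print or execute one iptables invocation, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# FORWARD rules for the sandbox. Only host and port are matched; the
# firewall never sees the path part of a URL. Order matters: accepts
# first, then log, then drop everything else.
sandbox_forward_rules() {
    ipt -N SANDBOX_FWD
    # DNS must be reachable or the bank's name cannot be resolved at all
    ipt -A SANDBOX_FWD -d "$RESOLVER_IP" -p udp --dport 53 -j ACCEPT
    ipt -A SANDBOX_FWD -d "$RESOLVER_IP" -p tcp --dport 53 -j ACCEPT
    # HTTPS to the bank host; nothing about the URL beyond host and port
    ipt -A SANDBOX_FWD -d "$BANK_IP" -p tcp --dport 443 -j ACCEPT
    # Further packets of connections already accepted above
    ipt -A SANDBOX_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Everything else from the sandbox is logged, then dropped
    ipt -A SANDBOX_FWD -j LOG --log-prefix "sandbox-fwd-drop: "
    ipt -A SANDBOX_FWD -j DROP
    # Replies flowing back towards the sandbox
    ipt -A FORWARD -o "$SANDBOX_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Hook the chain in for traffic arriving from the sandbox
    ipt -A FORWARD -i "$SANDBOX_IF" -s "$SANDBOX_IP" -j SANDBOX_FWD
}

# Question 2, mirror image: the "everything else" install's own outgoing
# traffic may go anywhere except the bank host.
mothership_output_rules() {
    ipt -A OUTPUT -d "$BANK_IP" -j REJECT --reject-with icmp-admin-prohibited
}

case "${1:-}" in
    show)  sandbox_forward_rules; mothership_output_rules ;;
    apply) DRY_RUN=0; sandbox_forward_rules; mothership_output_rules ;;
esac
```

Run it with `show` to see the rule set it would load and with `apply` (as root) to load it. Two caveats a practitioner will hit: a bank's name may resolve to several addresses that change over time, so `BANK_IP` has to be re-checked rather than set once, and if the router itself answers the sandbox's DNS queries that traffic goes through INPUT, not FORWARD, and needs its own rule.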