Network security in Linux has five basic components. Security by computer can help you manage what computers can send messages into and out of your network. Security by port can help you manage the services that others can use to break into your network. Security by address translation can help you hide the computers inside your network. Security by rule can help you manage the type of data allowed into your network in excruciating detail. And finally, security by SELinux can help manage network services on an entirely different level. Red Hat Enterprise Linux includes tools that can help you configure a firewall and SELinux on your computer: system-config-securitylevel (also known as the Red Hat Security Level Configuration tool) and system-config-selinux (also known as the SELinux Management Tool). Firewalls are covered in Chapter 15 and SELinux configuration is covered in Chapters 4 and 15. As SELinux is not a "prerequisite" skill, it is not covered in this chapter.
The /etc/hosts.allow and /etc/hosts.deny files can help you manage what computers are allowed into your network. You can specify computers by name, IP address, network, or domain name in each file. This can help you limit access to a trusted few computers such as those within your company, or it can protect you from computers that you know may pose a problem.
TCP/IP has 65,536 ports, which work sort of like TV channels. If you leave all ports open, you're leaving a lot of options for a cracker who wants to break into your network. With a firewall, you can create a solid barrier and then open only the ports that you need.
Most LAN administrators set up Network Address Translation (NAT) as a matter of course on an IPv4 network. Since IPv4 addresses are scarce, it is typical to use private IP addresses inside a LAN, with a regular IP address only on the gateway computer that is directly connected to an outside network such as the Internet.
For example, when a computer inside a LAN wants access to a Web page, NAT rewrites the outgoing request so that it leaves the gateway carrying the gateway's public IP address as its source. Nobody outside the LAN need know the real source of the Web page request.
The iptables command has three basic chains through which it looks at a data packet: INPUT, OUTPUT, and FORWARD. Within these and other parameters, you can set up your firewall with instructions to accept the packet, drop it, or redirect it someplace else. If you're working with IPv6, the corresponding command is ip6tables.
Once you've configured a firewall and loaded it, the rules are stored in the /etc/sysconfig/iptables file. iptables is covered in more detail in Chapter 15.
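As an added example (not from the book or from Red Hat's tools), here is a shell function that writes a rule set in the format /etc/sysconfig/iptables uses (iptables-save syntax), tying together the port, address-translation and rule components described above. The interface name, private network and port list are assumptions passed in as arguments.

```shell
#!/bin/sh
# Generate a minimal gateway firewall in /etc/sysconfig/iptables format.
# Arguments (all assumed values, not from the book):
#   $1 interface facing the Internet, e.g. eth0
#   $2 private network behind the gateway, e.g. 192.168.1.0/24
#   $3 space-separated TCP ports to accept from outside, e.g. "22 80"
gen_firewall_rules() {
    wan_if="$1"
    lan_net="$2"
    open_ports="$3"

    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Security by address translation: outbound LAN traffic leaves with the
# gateway's address as its source, so inside hosts stay hidden.
-A POSTROUTING -s ${lan_net} -o ${wan_if} -j MASQUERADE
COMMIT
*filter
# Security by rule: INPUT and FORWARD default to DROP; only explicit
# rules below let traffic through.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Security by port: open only the ports that are actually needed.
    for p in ${open_ports}; do
        printf '%s\n' "-A INPUT -i ${wan_if} -p tcp --dport ${p} -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
# Let LAN hosts reach the Internet and let the replies come back in.
-A FORWARD -s ${lan_net} -o ${wan_if} -j ACCEPT
-A FORWARD -i ${wan_if} -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Writes the rule set to stdout; redirect it to /etc/sysconfig/iptables
# on a real gateway and load it with iptables-restore.
gen_firewall_rules eth0 192.168.1.0/24 "22 80"
```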