GUF-Yocto-jethro-9.0-r7707-0
i.MX6
User Manual
root@santaro:~# iptables -F
root@santaro:~# iptables -A INPUT -j DROP
This first step is a mandatory preparation for the following steps.
Open SSH access only:
root@santaro:~# iptables -I INPUT 1 -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
root@santaro:~# iptables -I OUTPUT 1 -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Allow outgoing connections on port 80 from the device and incoming DNS replies from port 53:
root@santaro:~# iptables -I INPUT 1 -p udp --source-port 53 -j ACCEPT
root@santaro:~# iptables -I OUTPUT 1 -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
root@santaro:~# iptables -I INPUT 1 -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
Make the firewall configuration persistent:
root@santaro:~# iptables-save > /etc/iptables.rules
root@santaro:~# echo "iptables-restore < /etc/iptables.rules" > /etc/network/if-pre-up.d/iptables
root@santaro:~# chmod +x /etc/network/if-pre-up.d/iptables
Disable the firewall:
root@santaro:~# iptables -F
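As an added example (not from the Garz & Fricke manual), the same firewall written as a single iptables-restore file plus a small lint, so the whole policy is applied atomically and can be checked before it is loaded. It assumes the interface name eth0 and the file /etc/iptables.rules from the manual, and tightens two points: DNS replies are accepted only as ESTABLISHED conntrack traffic rather than any packet with source port 53, and OUTPUT gets the same default-deny so the OUTPUT rules take effect.

```shell
#!/bin/sh
# Added example, not part of the Garz & Fricke manual: generate the manual's
# ruleset as one iptables-restore file and lint it before loading, instead of
# typing the rules one by one. Assumes the interface name eth0 and the file
# /etc/iptables.rules from the manual; the output path is a parameter so the
# generator and the check can be exercised without root.

# Emit the ruleset in iptables-save format. Two deliberate differences from
# the interactive sequence: DNS replies are admitted only as ESTABLISHED UDP
# conntrack entries (not any packet with source port 53), and OUTPUT gets the
# same default-deny so the OUTPUT rules actually have an effect.
gen_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Lint a rules file: require the manual's default-deny baseline on INPUT and
# reject any rule that accepts traffic by source port without a state match.
check_rules() {
  f="$1"
  grep -q '^:INPUT DROP' "$f" || { echo "INPUT policy is not DROP" >&2; return 1; }
  if grep -E -- '--(sport|source-port) [0-9]+' "$f" | grep -v -q -- '--state'; then
    echo "rule accepts by source port without connection state" >&2
    return 1
  fi
  return 0
}

# Write the file and load it atomically (root only); the if-pre-up.d hook from
# the manual then restores the same file on every interface bring-up.
install_rules() {
  out="${1:-/etc/iptables.rules}"
  gen_rules > "$out" && check_rules "$out" && iptables-restore < "$out"
}
```

Run install_rules as root to apply it; give the if-pre-up.d hook script a #!/bin/sh first line so run-parts can execute it regardless of how it is implemented.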
10.5.2 Using secure network protocols
We strongly recommend using secure network protocols, e.g. HTTPS instead of HTTP, FTPS instead of FTP, or SSH instead of telnet.
Further security mechanisms for network-connected Linux systems are described here:
http://embedded-computing.com/articles/improving-security-for-network-connected-linux-based-systems
10.6 Restrict physical access
Every physical interface, such as USB, SD card or the Ethernet socket, can serve as an entry point for attackers. If you limit the number of easily accessible interfaces, you reduce the opportunity for attackers to connect to the target device. Interfaces that are not accessible, or not fitted at all, need far less attention in terms of security mechanisms.
10.7 Application security
Application security is seldom a high priority for embedded devices, but identifying risks in embedded applications is, of course, essential. Since application development is a very complex subject and out of scope for Garz & Fricke development, we refer to secondary literature at this point.