The Linux Firewall configuration.
Most linux distros come shipped with basic firewall software. Other then ipchains or ipfwadm probably the most common command line firewall just might be iptables. If you run a small home network and need a bit more security on your box then what comes already available or a router already ships with, iptables is something you’ll want to run. What you put in the firewall will depend on what services you need running on your Linux box and which outside networks or devices will be able to access them. A general rule I follow is to block everything except what my applications need. For example, I’ll block everything with a single line then slowly unblock absolutely necessary traffic such as MSN, Email ports, internal server service communication etc. This guarantees me taht I won’t absolutely overlook a security hole. If I take the opposite approach, by blocking only what ‘know’ at the time is dangerous, then the only way to know if you have trouble is if it occurs to you. So the latter is probably not the best approach.
Here are sample firewall rules to use on your workstation (In this case we’ll edit the firewall rules file directly so we can also add comments to it for good documentation):
$ cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.8 on Sun Jul 10 09:32:07 2005
*filter
:INPUT ACCEPT [773884715:135056116375]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1181726177:1505725578005]
# —————————————- [ FOREIGN ] —————————————————-
-A INPUT -s 123.123.123.123 -j DROP
# —————————————- [ ACCEPT ] —————————————————–
# Internal server / workstation traffic (from itselt).
-A INPUT -s 127.0.0.1 -p tcp -m tcp –dport 3306 -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -j ACCEPT
# FTP
-A INPUT -p tcp -m tcp –dport 21 -j ACCEPT
# SSH
#-A INPUT -p tcp -m tcp –dport 22 -j LOG
-A INPUT -p tcp -m tcp –dport 22 -j ACCEPT
# SMTP (sendmail)
-A INPUT -p tcp -m tcp –dport 25 -j ACCEPT
-A INPUT -p udp -m udp –dport 25 -j ACCEPT
-A INPUT -p udp -m udp –dport 25 -j ACCEPT
# DNS
-A INPUT -p tcp -m tcp –dport 53 -j ACCEPT
-A INPUT -p udp -m udp –dport 53 -j ACCEPT
# Secure mail (In Canada ISP’s like Rogers.com use 587)
-A INPUT -p tcp -m tcp –dport 587 -j ACCEPT
# IMAP
-A INPUT -p tcp -m tcp –dport 143 -j ACCEPT
# POP3
-A INPUT -p tcp -m tcp –dport 110 -j ACCEPT
# WHOIS
-A INPUT -p tcp -m tcp –dport 43 -j ACCEPT
-A INPUT -p udp -m udp –dport 43 -j ACCEPT
# HTTP
-A INPUT -p tcp -m tcp –dport 80 -j ACCEPT
# SHTTP
-A INPUT -p tcp -m tcp –dport 443 -j ACCEPT
# LAN (Ports required for your local LAN traffic)
-A INPUT -s 192.168.0.0/16 -p tcp -m multiport –sports 138,137,514,8009 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p tcp -m multiport –dports 138,137,514,8009 -j ACCEPT
-A INPUT -d 192.168.0.0/16 -p udp -m multiport –sports 138,137,68,67,69,514,44089,8009 -j ACCEPT
-A INPUT -d 192.168.0.0/16 -p udp -m multiport –dports 138,137,68,67,69,514,44089,8009 -j ACCEPT
-A INPUT -s 0.0.0.0 -p udp -m multiport –sports 68 -j ACCEPT
-A INPUT -d 255.255.255.255 -p udp -m multiport –dports 67 -j ACCEPT
# SSH from work.
-A INPUT -s 123.123.123.123 -i eth0 -p tcp -m multiport –sports 12345 -j ACCEPT
-A INPUT -s 123.123.123.123 -i eth0 -p udp -m multiport –sports 12345 -j ACCEPT
-A INPUT -s 123.123.123.123 -i eth0 -p tcp -m multiport –sports 12345 -j ACCEPT
-A INPUT -s 123.123.123.123 -i eth0 -p udp -m multiport –sports 12345 -j ACCEPT
# MSN (Hotmail etc)
-A INPUT -p udp -m multiport –dports 6891 -j ACCEPT
# ITUNES PORT (?)
-A INPUT -p udp -m multiport –dports 5353 -j ACCEPT
# IRC, Filesharing and other PTP protocol ports.
-A INPUT -p udp -m multiport –dports 4661,4662,1214,6881,6882,4672,11541,4444,6346,6347,4666,4672,16197 -j ACCEPT
-A INPUT -p tcp -m multiport –dports 4661,4662,1214,6881,6882,4672,11541,4444,6346,6347,4666 -j ACCEPT
-A INPUT -p udp -m udp –dport 6000:10000 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 6000:10000 -j ACCEPT
#VOIP
-A INPUT -p udp -m multiport –dports 5000,5060,5021 -j ACCEPT
-A INPUT -p udp -m multiport –dports 5000,5060,5021 -j ACCEPT
# Allow high end port traffic to services. (May comment out with ‘#’ at the front. Not always necessary)
-A INPUT -p udp -m udp –dport 32768:65535 -j ACCEPT
-A INPUT -p tcp -m tcp –dport 32768:65535 -j ACCEPT
# BLOCK PING (ICMP) (Allow ‘Echo=8′, ‘Destination Unreachable = 3′ and ‘Time Exceeded’)
-A INPUT -p icmp –icmp-type 0 -j ACCEPT
# Could also use “-A INPUT -p icmp –icmp-type echo-reply -j ACCEPT” above.
-A INPUT -p icmp –icmp-type 8 -j ACCEPT
-A INPUT -p icmp –icmp-type 3 -j ACCEPT
-A INPUT -p icmp –icmp-type 11 -j ACCEPT
#
-A OUTPUT -s 127.0.0.0/255.0.0.0 -j ACCEPT
# —————————————- [ REJECT – Everything else not already accepted by above. ] —————————————————–
# Block ‘mysql’, ’ssh’ and other connection access to current host form outside, unless from allowed ranges defined above. LOG anything viewed as suspicious to “/var/log/securelog”
-A INPUT -p tcp -m tcp –dport 3306 -j REJECT –reject-with icmp-port-unreachable
-A INPUT -p udp -m udp –dport 22 -j LOG
-A INPUT -p udp -m udp –dport 22 -j REJECT –reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp –dport 32768 -j LOG
-A INPUT -p tcp -m tcp –dport 32768 -j REJECT –reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp –dport 7100 -j LOG
-A INPUT -p tcp -m tcp –dport 7100 -j REJECT –reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp –dport 2049 -j LOG
-A INPUT -p tcp -m tcp –dport 2049 -j REJECT –reject-with icmp-port-unreachable
-A INPUT -p udp -m udp –dport 2049 -j LOG
-A INPUT -p udp -m udp –dport 2049 -j REJECT –reject-with icmp-port-unreachable
-A INPUT -p udp -m udp –dport 0:1023 -j LOG
-A INPUT -p udp -m udp –dport 0:1023 -j REJECT –reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp –dport 0:1023 -j LOG
-A INPUT -p tcp -m tcp –dport 0:1023 -j REJECT –reject-with icmp-port-unreachable
#
-A INPUT -p tcp -m tcp –dport 6000:6009 -j LOG
-A INPUT -p tcp -m tcp –dport 6000:6009 -j REJECT –reject-with icmp-port-unreachable
-A INPUT -p udp -m udp –dport 1025:65535 -j LOG
-A INPUT -p udp -m udp –dport 1025:65535 -j REJECT –reject-with icmp-port-unreachable
-A OUTPUT -d 123.123.123.123 -p tcp -j REJECT –reject-with icmp-port-unreachable
#
# DENY EVERYTHING ELSE
-P OUTPUT ACCEPT
-A INPUT -j LOG
-P INPUT DROP
COMMIT
# Completed on Sun Jul 10 09:32:07 2005
Other then the ACCEPT and REJECT directives, notice the LOG directive above. This saves any suspicious connection attempts to
/var/log/securelog
This is where you should check on a regular basis for attempted connections or overly strict firewall rules when you have connectivity problems after enabling the above firewall rules. Once you save the above file you’ll need to run:
$ service iptables restart
OR
$ service iptables start
This should take your newly entered rules into effect. If there are problems, the iptables checker will tell you so you can correct. No rules will be loaded if there are problems in your definitions above so check carefully. As usual,
$ man iptables
will provide further information on all the directives available for use in /etc/sysconf/iptables.save
Now you’ll probably want to ensure your firewall runs each time your server / workstation runs. To check if iptables is already configured to start automatically type:
$ chkconfig –list|grep iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
$
Startup is on levels 2, 3, 4 and 5. (NOTE: One and 6 are off because 1 is by default a ‘run level’ in which networking itself isn’t even available. Your level will likely be 5 (GUI + command line). Run level 6 is the ’shutdown’ level when you turn off your system. To get your current run level type
$ runlevel
More on runlevels later.)
If you see no output after checking with chkconfig, iptables is probably not enabled on your machine. You’ll need to run the following to enable it on run level 2,3,4 and 5:
$ chkconfig –level 2345 iptables on
then run the previous chkconfig command to check and ensure iptables is now enabled.
Once you enable your firewall rules you may run into connectivity issues with new applications. All will center around not being able to reach a certain site or not being able to connect somewhere. For these you should always check the following log file found at
$ /var/log/securelog
to figure out which ports you may need to open for your application. Simply modify one of the rules in this manner:
[ FROM ]
-A INPUT -p udp -m udp –dport 43 -j ACCEPT
[ TO ]
-A INPUT -p udp -m udp –dport 12345 -j ACCEPT
for example where 12345 would be the actual port that application will need.
To find commands related to ip or anything starting with this string in any and all available bin or sbin folders of your distribution type:
$ locate ip|grep -r “/[s]bin/ip.*”
Couple noteworthy commands you might find usefull when running your own Linux firewall box are
$ /usr/sbin/iptstate
AND
$ netstat -aeentp
to view network activity on your server showing connections to and from your box at any one time. A good third party network monitoring tool you can use is iftop found on http://www.ex-parrot.com/~pdw/iftop/. This tool did not come pre packaged with my distribution and may not come with yours. You’ll have to install it via RPM or compile it from sources by downloading a ‘tar.gz’ file off rpmfind.net, one of the online repositories of linux third party binaries now available, or other sites available online.
As with any Linux command, you can also add rules by issuing the iptables command on the command prompt. Here’s an example:
$ iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT
Some definitions for above:
-i The interface. The network card name to apply the rule to. Use ifconfig to determine this.
-d Destination IP/PORT.
-s Source IP/PORT.
-sports Source ports
-dports Destination ports
-sport Source port
-dport Destination port
-A Append to take on the following conditions.
-p protocol (IE, TCP, IP, UDP etc)
-m module (IE ‘-m multiport’ to be able to specify multiple ports.)
-j Action to take on this rule. Some common are LOG, REJECT and ACCEPT.
To ensure your iptables rules are now saved and active, type
$ iptables –list
OR
$iptables -nL
to see your rules in effect.
Cheers!
[…] of compromise, the compromise is contained to that user only. Good network security (ie a secure firewall and/or router configuration) is also mandatory here to prevent uninvited guests. The reader […]
[…] people today know or have some idea what a firewall is. For those not too familiar with it, it's essentially a piece of software or hardware […]
[…] way to keep your workstation secure is to have a good firewall. Here's our how to on The Linux Firewall Configuration. I took it upon myself then to secure my own Apache HTTPD installation with […]