Firewalls are an useful way of adding some security to your system, but they are not a panacea. A properly configured firewall can make it much harder to break into your system, and in some cases can even protect you from mistakes or misconfigurations elsewhere in the system, but should not be viewed as the sole, or even the main, defense against hacking, but merely one of a system of defenses. Regular and frequent patching and updates are still essential.
Campus and the department currently have only minimal firewall enabled
at the network level. Individual machines can have personal firewalls as
well, which are not as effective as network level firewalling but still useful.
Linux boxes can use the
iptables firewall/packet filter to
provide some added security.
Firewalls basically allow for network traffic to be blocked based on a
number of criteria, usually related to where it is coming from and what
ports or services are being used.
iptables is a packet filter at
heart, so basically it allows or drops entire packets. An useful feature of
iptables is that it can remember
some previous traffic and use that
information in determining the acceptability of future packets; e.g. when you
contact a web site and the web server sends information back to you,
iptables can determine the the information
sent back to you was in
response to your initial web request, and accept it as part of your web request.
This allows for fairly tight firewall rules to be constructed that still do
not interfere with what you want to do.
The following gives some suggestions for such a set of firewall rules. The basic guideline is to allow for any session initiated by your machine (e.g. your contacting a website, or someone else's foobar server), but basically limitting any contact to your machine to responses from requests you initiated. You will need to modify to allow for any services you want your machine to offer (and in such cases consider limitting to only machines in the department or on campus if possible).
First, you may want to look at your existing ruleset, and/or save it. To do this, use the command
cp /etc/sysconfig/iptables BACKUPFILE
is the name of the file to save it to. These commands all need to be run as root. If you copy the backup file back to /etc/sysconfig/iptables and reboot, the old firewall rules will be back in effect.
Our first step is to clear out the existing rules, and set up the chain structure desired. So, first clear the policies and existing rules
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --new-chain existing-connections
iptables --append INPUT -j existing-connections
iptables --append existing-connections --in-interface lo -j ACCEPT
iptables --append existing-connections -m state --state ESTABLISHED -j ACCEPT
iptables --append existing-connections -m state --state RELATED -j ACCEPT
iptables --new-chain allowed
iptables --append INPUT -j allowed
iptables --policy OUTPUT ACCEPT
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
The first block of 4 commands opens the firewall up completely. Once you type them, you want to finish the rest of the commands in a timely manner.
The next block of 5 commands creates a chain called existing-connections, and sets it to allow your machine to talk to itself, and allow you to get responses to connections you start (e.g. to get the web page that you asked for from a web server).
The next block of two commands creates an empty chain called allowed. If there are any services you need to be accessible on your machine from the internet, you can add them to this chain. Opening ports on the allowed chain
The next block of 3 commands tightens up the security again.
The result is all outgoing packets (i.e. anything sent from your machine to someplace else, either initiated by you or in response to something else) are allowed. Incoming packets (i.e. anything being sent to your machine from the outside, whether in response to a request from you or not) are rejected unless:
For a basic desktop, you generally can just leave the allowed chain empty.
If you want your machine to respond to requests initiated from elsewhere on the internet, in effect to be a server, you need to open the required ports. To do this properly, you need to know:
For example, to enable ssh access to your box from anywhere on campus, you could use something like
iptables -A allowed -p tcp --dport 22 -s 220.127.116.11/16 -j ACCEPT
iptables -A allowed -p udp --dport 22 -s 18.104.22.168/16 -j ACCEPT
iptables -A allowed -p tcp --dport 22 -s 22.214.171.124/16 -j ACCEPT
iptables -A allowed -p udp --dport 22 -s 126.96.36.199/16 -j ACCEPT