Linux Firewall Tips

Linux Firewall Tips

Firewalls are an useful way of adding some security to your system, but they are not a panacea. A properly configured firewall can make it much harder to break into your system, and in some cases can even protect you from mistakes or misconfigurations elsewhere in the system, but should not be viewed as the sole, or even the main, defense against hacking, but merely one of a system of defenses. Regular and frequent patching and updates are still essential.

Campus and the department currently have only minimal firewall enabled at the network level. Individual machines can have personal firewalls as well, which are not as effective as network level firewalling but still useful. Linux boxes can use the iptables firewall/packet filter to provide some added security.

Firewalls basically allow for network traffic to be blocked based on a number of criteria, usually related to where it is coming from and what ports or services are being used. iptables is a packet filter at heart, so basically it allows or drops entire packets. An useful feature of iptables is that it can remember some previous traffic and use that information in determining the acceptability of future packets; e.g. when you contact a web site and the web server sends information back to you, iptables can determine the the information sent back to you was in response to your initial web request, and accept it as part of your web request. This allows for fairly tight firewall rules to be constructed that still do not interfere with what you want to do.

The following gives some suggestions for such a set of firewall rules. The basic guideline is to allow for any session initiated by your machine (e.g. your contacting a website, or someone else's foobar server), but basically limitting any contact to your machine to responses from requests you initiated. You will need to modify to allow for any services you want your machine to offer (and in such cases consider limitting to only machines in the department or on campus if possible).

First, you may want to look at your existing ruleset, and/or save it. To do this, use the command

/sbin/iptables -L
. You can save a copy of it with the commands
/etc/init.d/iptables save
cp /etc/sysconfig/iptables BACKUPFILE
where is the name of the file to save it to. These commands all need to be run as root. If you copy the backup file back to /etc/sysconfig/iptables and reboot, the old firewall rules will be back in effect.

Our first step is to clear out the existing rules, and set up the chain structure desired. So, first clear the policies and existing rules

iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --flush
iptables --delete-chain

iptables --new-chain existing-connections
iptables --append INPUT -j existing-connections
iptables --append existing-connections --in-interface lo -j ACCEPT
iptables --append existing-connections -m state --state ESTABLISHED -j ACCEPT
iptables --append existing-connections -m state --state RELATED -j ACCEPT

iptables --new-chain allowed
iptables --append INPUT -j allowed

iptables --policy OUTPUT ACCEPT
iptables --policy INPUT DROP
iptables --policy FORWARD DROP

The first block of 4 commands opens the firewall up completely. Once you type them, you want to finish the rest of the commands in a timely manner.

The next block of 5 commands creates a chain called existing-connections, and sets it to allow your machine to talk to itself, and allow you to get responses to connections you start (e.g. to get the web page that you asked for from a web server).

The next block of two commands creates an empty chain called allowed. If there are any services you need to be accessible on your machine from the internet, you can add them to this chain. Opening ports on the allowed chain

The next block of 3 commands tightens up the security again.

The result is all outgoing packets (i.e. anything sent from your machine to someplace else, either initiated by you or in response to something else) are allowed. Incoming packets (i.e. anything being sent to your machine from the outside, whether in response to a request from you or not) are rejected unless:

  1. They are in response to or otherwise part of a session you initiated
  2. They are from your own machine
  3. You allowed for it in the allowed chain.

For a basic desktop, you generally can just leave the allowed chain empty.

Opening ports on the allowed chain

If you want your machine to respond to requests initiated from elsewhere on the internet, in effect to be a server, you need to open the required ports. To do this properly, you need to know:

  1. What service you want to open up?
  2. Whether it is a tcp or udp service?
  3. What port number(s) it uses?
You may also wish to think about restricting access to certain machines; e.g. if you only want people in the Physics building or on campus to access the machine.

For example, to enable ssh access to your box from anywhere on campus, you could use something like

iptables -A allowed -p tcp --dport 22 -s -j ACCEPT
iptables -A allowed -p udp --dport 22 -s -j ACCEPT
iptables -A allowed -p tcp --dport 22 -s -j ACCEPT
iptables -A allowed -p udp --dport 22 -s -j ACCEPT
This allows both udp and tcp traffic from either of the two campus class B networks to access port 22 on your machine. Of course, you need to have an sshd daemon running as well for this to work; the code above merely punches the required holes in the firewall.

Main Physics Dept site Main UMD site

Valid HTML 4.01! Valid CSS!