Firewall fundamentals - Linux

WHAT IS A FIREWALL?

A firewall is usually a computer that sits on two different networks and passes allowed traffic between them, filtering out traffic that is not permitted. Usually placed between a company's network and the outside world, a firewall provides a useful security blanket to stop rogue traffic getting in, and internal users contacting services they shouldn't on the way out.

Firewalls can also be used between departmental networks within a company, and even on individual machines to limit the incoming and outgoing traffic that may pass.

We need firewalls because of the "port scanners" out there - automated or manual - that look for open ports (services) on your computer and attempt to connect to any that have been carelessly left open.

CHAINS

Kernel chains are how packets pass between the outside world and the operating system, and you specify rules on three built-in chains:
 INPUT - for packets destined for the firewall itself
 OUTPUT - for packets originating from the firewall itself
 FORWARD - for packets neither destined for nor originating from the firewall (traffic routed through it)

If you're firewalling an individual machine (as we'll do in the examples that follow), you won't be forwarding any packets, so you won't need to be concerned with the FORWARD chain.

SETTING UP A FIREWALL VIA IPCHAINS

Use the iptables command. The options you'll need most often are:
-L list the current rules in each chain
-P set the default policy for a chain (what happens to packets that no rule matches)
-A append a further rule at the end of a chain
-I insert a rule at the top of a chain

READING THE CURRENT SETTINGS

snowdrop:~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
snowdrop:~ #

PLANNING YOUR ACTION

If you're setting up a tight firewall, then you'll want to start off by setting the default ACCEPT policy to DROP.

Then add back in support for established or related packets - once you've allowed a connection, you really must allow the conversation to continue.

The Domain Name Service (DNS) really ought to be allowed in most circumstances, otherwise users are "flying blind", so that should be added back in. We'll want to add in pings too if we want people to be able to check if we're around. Finally, we should allow loopback traffic so that services and clients running within our system can talk to each other.

Then consider the other services you want to add - we'll allow incoming ftp, ssh, ldap and web in our example - perhaps we're firewalling a web and ldap server. We will NOT allow MySQL even though the server may be running it, as we've probably chosen to make it accessible only from ssh sessions and from the web server.

Outgoing - any service to be allowed. Forward - all services banned.

APPLYING THE CHAINS

We've edited the rules into a file ...

snowdrop:~ # cat chaingang
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p tcp --dport ssh -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport domain -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport ldap -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport ldap -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport ftp -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport ftp -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport ftp-data -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport ftp-data -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i eth0 -j ACCEPT

iptables -A INPUT -i lo -j ACCEPT

iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -I INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -I INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
snowdrop:~ #

And applied the rules:

snowdrop:~ # . ./chaingang
snowdrop:~ #

Checking that they worked:

snowdrop:~ # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ldap
ACCEPT udp -- anywhere anywhere udp dpt:ldap
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ldap
ACCEPT udp -- anywhere anywhere udp dpt:ldap
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ldap
ACCEPT udp -- anywhere anywhere udp dpt:ldap
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT udp -- anywhere anywhere udp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT udp -- anywhere anywhere udp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
snowdrop:~ #
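Look closely at that listing: every ICMP rule appears three times, and the appended rules appear in three generations (the first without any ftp rules, the second with tcp ftp only, the third complete). The chaingang file only appends (-A) and inserts (-I); it never flushes, so each time the file was edited and re-sourced the rules were added again on top of the old ones. Duplicates don't change what the firewall passes, but they make the rule set hard to audit. The script below is an added example, not the article's own chaingang file: it rebuilds the same policy from a clean state so it can be re-run safely, routes every command through $IPT so it can be previewed without root, adds an echo-request rule for the pings the planning section asked for, drops the UDP ftp entries (FTP is TCP only) while adding UDP for DNS, and includes a small check that reports duplicate rules in "iptables -S" output. The interface name eth0, the function names and the dry_run helper are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the article's own chaingang file): the same host firewall,
# rebuilt so that the script can be re-run without duplicating rules.
# Assumptions: the external interface is eth0; the dry_run helper and the
# function names are inventions of this example.

IPT="${IPT:-iptables}"     # set IPT=dry_run to preview without root
EXT_IF="${EXT_IF:-eth0}"

# Print the command instead of executing it (used for preview and testing).
dry_run() { printf '%s\n' "$*"; }

# Emit the complete INPUT policy in order.  Flushing first (-F) is what makes
# a second run safe: appending with -A onto a populated chain is how the
# article's listing ended up with every rule three times.
build_rules() {
    # 1. start from an empty, closed chain; outgoing stays open as in the article
    $IPT -F INPUT
    $IPT -F FORWARD
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD DROP

    # 2. loopback, and the return half of conversations this host started
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. the ICMP types the article allows, plus echo-request so pings are answered
    for t in destination-unreachable source-quench time-exceeded echo-request; do
        $IPT -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done

    # 4. services this host offers (MySQL deliberately absent, as in the article).
    #    FTP is TCP only, so no UDP rules for ftp/ftp-data; DNS is mostly UDP.
    for svc in ssh domain ldap ftp ftp-data http; do
        $IPT -A INPUT -p tcp --dport "$svc" -i "$EXT_IF" -j ACCEPT
    done
    $IPT -A INPUT -p udp --dport domain -i "$EXT_IF" -j ACCEPT
    $IPT -A INPUT -p udp --dport ldap -i "$EXT_IF" -j ACCEPT
}

# Audit helper: read an "iptables -S INPUT" listing on stdin and fail if any
# rule line occurs more than once.
check_duplicates() {
    dups=$(grep '^-A ' | sort | uniq -d)
    if [ -n "$dups" ]; then
        printf 'duplicate rules found:\n%s\n' "$dups" >&2
        return 1
    fi
    return 0
}

# Usage:  sh firewall.sh apply                (as root)
#         IPT=dry_run sh firewall.sh apply    (preview the commands)
#         iptables -S INPUT | ( . ./firewall.sh; check_duplicates )
case "${1:-}" in
    apply) build_rules ;;
esac
```

Running the preview and piping it into check_duplicates is a cheap way to confirm the generated rule set is clean before touching the live chains; running the audit line against the real firewall afterwards confirms that re-applying the script left no repeats behind.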

NAT RESOLUTION

If you're forwarding packets (which in our example we're not as we've only got the one interface card), then you can use Network Address Translation (or NAT) to change the source or destination IP address of a packet as it passes through the firewall.

Why would you want to do this?

Firstly, so that external packets can be routed to a specific server on your internal network; not only does this approach save on IP addresses, but it lets you hide your network behind the firewall and not reveal its structure.

Secondly, so that with your single IP address to the world any of your users can use Internet services - with their outgoing packets being rewritten to make it appear as if they came from your company's main system, and incoming (return) packets being addressed back to them.

As you get further into this technology, you'll find yourself using SNAT (source NAT, which rewrites the source address of outgoing packets) and DNAT (destination NAT, which rewrites the destination address of incoming packets).
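As an added example that is not part of the original article, here is what the forwarding and NAT half looks like on a firewall with two interfaces. The layout is constructed for the example: eth0 faces the outside with public address 203.0.113.10 (a documentation range address), eth1 faces a LAN on 192.168.1.0/24, and a web server at 192.168.1.10 is to be reachable from outside on port 80. Rules in the nat table do the address rewriting; the FORWARD chain, still DROP by default as in the article's plan, needs an explicit allow for each translated flow. The variable and function names and the dry_run preview helper are inventions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: the NAT half of a two-interface
# firewall.  Assumed layout (constructed for this example): eth0 faces the
# Internet with public address 203.0.113.10, eth1 faces the LAN 192.168.1.0/24,
# and a web server at 192.168.1.10 should be reachable from outside on port 80.

IPT="${IPT:-iptables}"              # set IPT=dry_run to preview without root
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"
WEB_SERVER="${WEB_SERVER:-192.168.1.10}"

# Print the command instead of executing it (used for preview and testing).
dry_run() { printf '%s\n' "$*"; }

nat_rules() {
    # Routing must be switched on or the kernel never consults FORWARD at all.
    [ "$IPT" = dry_run ] || echo 1 > /proc/sys/net/ipv4/ip_forward

    # Start clean so the script can be re-run without duplicating rules.
    $IPT -t nat -F
    $IPT -F FORWARD
    $IPT -P FORWARD DROP

    # SNAT: LAN hosts leaving via eth0 appear to come from our public address,
    # and the kernel maps the return packets back to the originating host.
    # (Use "-j MASQUERADE" instead when the public address is assigned dynamically.)
    $IPT -t nat -A POSTROUTING -s "$LAN" -o "$EXT_IF" -j SNAT --to-source "$PUBLIC_IP"

    # DNAT: inbound web traffic has its destination rewritten to the internal
    # server, so the outside world never learns the LAN's layout.
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"

    # FORWARD is DROP by default, so each translated flow needs an explicit allow.
    # FORWARD sees the packet after PREROUTING, hence the internal address here.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB_SERVER" --dport 80 -j ACCEPT
}

# Usage:  sh nat.sh apply                (as root)
#         IPT=dry_run sh nat.sh apply    (preview the commands)
case "${1:-}" in
    apply) nat_rules ;;
esac
```

Note that only port 80 is forwarded to the internal server and only the LAN range may initiate outbound connections; anything else arriving on eth0 and not matching an ESTABLISHED or RELATED flow falls through to the DROP policy.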


See also Setting up a firewall on Linux


© WELL HOUSE CONSULTANTS LTD., 2019: Well House Manor • 48 Spa Road • Melksham, Wiltshire • United Kingdom • SN12 7NY
PH: 01225 708225 • FAX: 01225 793803 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/solutions/general- ... linux.html • PAGE BUILT: Wed Mar 28 07:47:11 2012 • BUILD SYSTEM: wizard