WHAT IS A FIREWALL?
A firewall is usually a computer that sits on two different networks and passes allowed traffic between them, filtering out traffic that is not permitted. Usually placed between a company's network and the outside world, a firewall provides a useful security blanket, stopping rogue traffic getting in and internal users contacting services they shouldn't on the way out.
Firewalls can also be used between departmental networks within a company, and even on individual machines to limit the incoming and outgoing traffic that may pass.
We need firewalls because of the "port scanners" out there - automated or manual - that look for open ports (services) on your computer and will attempt to connect to any that are carelessly left open.
CHAINS
Kernel chains are how information is passed between the outside world and the operating system, and you specify rules using three types of chain:
INPUT - for packets destined for the firewall
OUTPUT - for packets originated from the firewall
FORWARD - for packets neither destined for nor originated by the firewall
If you're firewalling an individual machine (as we'll do in the examples that follow), you won't have any forwarding possibilities so won't be concerned with FORWARD packets.
SETTING UP A FIREWALL VIA IPCHAINS
Use the iptables command (the successor to the older ipchains tool). Its main options are:
-L list the current rules in each chain
-P set the default policy for a chain (what happens to a packet that no rule matches)
-A append a further rule at the end of a chain
-I insert a rule at the top of a chain
READING THE CURRENT SETTINGS
snowdrop:~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
snowdrop:~ #
PLANNING YOUR ACTION
If you're setting up a tight firewall, then you'll want to start off by setting the default ACCEPT policy to DROP.
Then add back in support for established or related packets - once you've allowed a connection, you really must allow the conversation to continue.
The Domain Name service (DNS) really ought to be allowed in most circumstances otherwise users are "flying blind" so that should be added back in. And we'll want to add in pings too if we want people to be able to check if we're around. Finally, we should allow loopback traffic so that services / clients running within our system can work.
And finally consider other services you want to add - we'll allow incoming ftp, ssh, ldap and web in our example - perhaps we're firewalling a web and ldap server. We will NOT allow MySQL even though the server may be running it, as we've probably chosen to make it accessible from ssh sessions and the web server only.
Outgoing - any service to be allowed. Forward - all services banned.
APPLYING THE CHAINS
We've edited the rules into a file ...
snowdrop:~ # cat chaingang
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport domain -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport ldap -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport ldap -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport ftp -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport ftp -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport ftp-data -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport ftp-data -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i eth0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -I INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -I INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
snowdrop:~ #
And applied the rules:
snowdrop:~ # . ./chaingang
snowdrop:~ #
Checking that they worked (note that the INPUT listing below shows each rule several times: the file only appends with -A and -I and never flushes the chain first, so each time it was re-run while being edited the new rules stacked up on top of the old ones rather than replacing them):
snowdrop:~ # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ldap
ACCEPT udp -- anywhere anywhere udp dpt:ldap
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ldap
ACCEPT udp -- anywhere anywhere udp dpt:ldap
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:ldap
ACCEPT udp -- anywhere anywhere udp dpt:ldap
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT udp -- anywhere anywhere udp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT udp -- anywhere anywhere udp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
snowdrop:~ #
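The listing above is the result of re-running a file that only ever appends. As an added example (not the page's own chaingang file), here is the same rule set written so that it can be run repeatedly: it flushes the chains first, puts the loopback and ESTABLISHED,RELATED rules at the top where they match most traffic, adds echo-request so pings are answered as the planning section wanted, and drops the udp ftp rules (FTP only uses TCP). EXT_IF is an assumed interface name, and the script takes the command to use as an argument so it can be dry-run with "echo iptables" without root.

```shell
#!/bin/sh
# Added example, not the page's own chaingang file: the same rule set made
# idempotent.  Every run starts by flushing the chains, so re-running the
# script replaces the rules instead of stacking duplicates.
# Pass "iptables" to apply for real (as root) or "echo iptables" to dry-run.
# EXT_IF is an assumed interface name; change it to match your system.
EXT_IF="${EXT_IF:-eth0}"

apply_rules() {
    ipt="$1"

    # Clean slate, so the rules below are the only ones present afterwards.
    $ipt -F INPUT
    $ipt -F FORWARD
    $ipt -F OUTPUT

    # Default policies: drop inbound and forwarded traffic, allow outbound.
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT

    # Loopback and replies to already-accepted connections go first, so the
    # bulk of legitimate traffic matches before the per-service rules.
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # ICMP control messages, plus echo-request so the host answers pings.
    for t in destination-unreachable source-quench time-exceeded echo-request; do
        $ipt -A INPUT -p icmp --icmp-type "$t" -j ACCEPT
    done

    # New connections to the services exposed on the external interface.
    for svc in ssh domain ftp ftp-data ldap http; do
        $ipt -A INPUT -i "$EXT_IF" -p tcp --dport "$svc" -m state --state NEW -j ACCEPT
    done
    # DNS and LDAP also speak UDP.
    for svc in domain ldap; do
        $ipt -A INPUT -i "$EXT_IF" -p udp --dport "$svc" -j ACCEPT
    done
}

# Number of rule-adding (-A) commands the script would issue: a dry-run
# sanity check to look at before touching a live firewall.
rule_count() {
    apply_rules "echo iptables" | grep -c ' -A '
}

case "${1:-}" in
    --apply)   apply_rules iptables ;;
    --dry-run) apply_rules "echo iptables" ;;
esac
```

Run it with `sh firewall.sh --dry-run` to see the exact commands it would issue, then `sh firewall.sh --apply` as root; a second `--apply` produces the same `iptables -L` output as the first, which is the property the original file lacks.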
NAT RESOLUTION
If you're forwarding packets (which in our example we're not as we've only got the one interface card), then you can use Network Address Translation (or NAT) to change the source or destination IP address of a packet as it passes through the firewall.
Why would you want to do this?
Firstly, so that external packets can be routed to a specific server on your internal network; not only does this approach save on IP addresses, but it lets you hide your network behind the firewall and not reveal its structure.
Secondly, so that all of your users can use Internet services through your single public IP address - their outgoing packets are rewritten to make it appear as if they came from your company's main system, and the incoming (return) packets are addressed back to them.
As you get more into this technology, you'll find that you're using SNAT (Source NAT) and DNAT (destination NAT).
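As an added example (not from the page, which firewalls a single-interface host), here is what SNAT and DNAT look like in iptables terms for a firewall with two interfaces, using the nat table's POSTROUTING and PREROUTING chains. The interface names and addresses are assumed placeholders (192.0.2.10 is documentation address space, 10.0.0.0/24 stands in for the internal LAN), and as above the command is passed in so that the rules can be dry-run with "echo iptables".

```shell
#!/bin/sh
# Added example, not from the page: SNAT and DNAT for a firewall with two
# interfaces.  Interface names and addresses are assumed placeholders.
# Pass "iptables" to apply (as root) or "echo iptables" to dry-run.
EXT_IF="${EXT_IF:-eth0}"              # towards the Internet
INT_IF="${INT_IF:-eth1}"              # towards the internal LAN
EXT_ADDR="${EXT_ADDR:-192.0.2.10}"    # the firewall's single public address
LAN="${LAN:-10.0.0.0/24}"             # the internal network
WEB_SERVER="${WEB_SERVER:-10.0.0.5}"  # internal host that serves the public web site

nat_rules() {
    ipt="$1"
    $ipt -t nat -F

    # SNAT: outbound LAN packets leave with the firewall's public source
    # address, so the whole LAN shares one IP and its structure stays hidden.
    $ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j SNAT --to-source "$EXT_ADDR"

    # DNAT: inbound web traffic to the public address is rewritten to the
    # internal server before routing; replies are un-translated automatically.
    $ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_SERVER:80"

    # NAT only rewrites addresses; the FORWARD chain (policy DROP on the
    # page) still has to allow the translated packets through.
    $ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -p tcp -d "$WEB_SERVER" --dport 80 -m state --state NEW -j ACCEPT
    $ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -m state --state NEW -j ACCEPT
    $ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The kernel also has to be told to forward at all (skipped in dry run).
    if [ "$ipt" = iptables ]; then
        sysctl -w net.ipv4.ip_forward=1
    fi
}

# Dry-run counters: how many nat-table and FORWARD rules would be added.
nat_count()     { nat_rules "echo iptables" | grep -c -- ' -t nat -A '; }
forward_count() { nat_rules "echo iptables" | grep -c -- ' -A FORWARD '; }
```

The point to notice is the split: the two nat-table rules only change addresses, while the FORWARD rules decide whether the rewritten packet is allowed to cross the firewall at all. With a FORWARD policy of DROP, forgetting the second half leaves the NAT rules in place but nothing actually flowing.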
See also
Setting up a firewall on Linux