A firewall is one of many components necessary to protect your computer. A “firewall” is a system intended to act as a gatekeeper that allows only traffic of a certain type to pass into the network. It is like a guard who checks everyone entering or leaving a building to make certain that they are allowed to pass his post.
There are many types of firewalls; this article covers one in particular. “iptables” is a packet filter that has been part of the Linux kernel since version 2.4. It inspects every packet passing over every network connection of that computer. iptables replaced the older product known as “ipchains” and added the capability of doing “stateful inspection”. Stateful inspection means that the firewall is able to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.
Definitions
iptables follows a set of rules to decide how to handle each packet that tries to pass between the network and the Linux system. Those rules dictate whether traffic will be allowed to pass or not. When writing rules for iptables there are a few terms and concepts you'll need to understand. The term “target” answers the question “what action do I take with the packet when this rule is matched?” The most common targets are:
ACCEPT
Allow the packet through the firewall.
DROP
Drops the packet; the packet is not allowed through the firewall and the sender of the packet is not notified.
QUEUE
Pass the packet to userspace.
RETURN
Stop traversing this chain and resume at the next rule in the previous chain.
Rules are grouped into chains which in turn are contained in tables. There are three default tables which the packets may traverse; we are only concerned with one of these right now: the filter table. This is the default table and contains three chains:
OUTPUT
For packets generated by and leaving your computer; for example, when you connected to the Linux Gazette's web site your browser created a packet and sent it out of your computer to the Gazette's server.
INPUT
Any packets coming into your computer; for example, the packets containing the Gazette's web page sent back by its server to your browser.
FORWARD
For packets being routed through your computer; for example, entering one network card and leaving through the other. We will cover this in more detail later.
The set of tables varies somewhat between kernel versions, but the main table types are:
raw
low level alteration of packets
nat
changes on packet headers (network address translation)
mangle
used to make specialized modifications to packets
filter
packet filtering
Packets can be inspected based on their state within a particular packet stream. Rules can be written to address various stateful conditions.
NEW
The packet is trying to start a new connection; for example, when you first connect to a website your browser attempts to create a new connection to the web server.
ESTABLISHED
A connection that has seen packets travel in both directions; once the web server replies to your browser the connection is established.
RELATED
A packet that is starting a new connection but is related to an existing connection. An example of this is downloading a file over FTP. When you first connect to an FTP server you create a new connection to its FTP port. However, when you download a file from the FTP server using this connection, a second new connection is made between your computer and the FTP server for the file download. Although it is a new connection it is related to the first. This stateful packet filtering is useful because the second connection does not use the FTP port, so simple port-based rules cannot handle it.
INVALID
This packet is associated with no known connection. These packets should be dropped.
Creating Rules
Rules can be appended to the chains directly by using the iptables command. For example, to add a new rule to allow new connections to a web server running on your computer from anywhere we would execute the following:
$ iptables -A INPUT -s 0/0 -d 1.2.3.4 -m state --state NEW -p tcp --dport 80 -i eth0 -j ACCEPT
where:
-s (or --src or --source) and -d (or --dst or --destination)
The source and destination specification of the packet. It is usually an IP address with an optional mask. 0/0 is shorthand for 0.0.0.0/0.0.0.0, meaning that the source can be any IP address. 1.2.3.4 is the IP address of your machine and is equivalent to writing 1.2.3.4/32 or 1.2.3.4/255.255.255.255, meaning the destination must be this and only this IP. Other examples include:
1.2.3.0/24
Any IP in the range 1.2.3.0 to 1.2.3.255 (256 possible IPs). Could also have been written as 1.2.3.0/255.255.255.0
1.2.0.0/16
Any IP in the range 1.2.0.0 to 1.2.255.255 (65536 possible IPs). Could also have been written as 1.2.0.0/255.255.0.0
! 1.2.3.0/24
The exclamation mark inverts the match, so this results in a match if the IP is anything except one in the range 1.2.3.0 to 1.2.3.255.
-m state --state NEW
Matches only packets that have a state of NEW. This can be any one of, or a comma-separated list of, the four possible states.
-p tcp
Apply this rule to packets using the TCP protocol only. This can be any one of tcp, udp, icmp or all (the default). The exclamation mark can be used to invert the match.
--dport 80 (or --destination-port)
Matches a packet trying to connect to port 80. The exclamation mark can be used to invert this match also. A range of ports can be given in the format begin:end.
-i eth0 (or --in-interface eth0)
The name of the interface on which the packet is received. The interfaces on your computer can be listed with the command 'ifconfig'. In this example your computer is connected to the Internet through the first (or only) Ethernet card.
-j ACCEPT
The target. In this case, if the incoming packet is creating a new TCP connection from anywhere to port 80 on your computer through the first Ethernet card, we allow it through.
Note that these examples use eth0 and an assumed IP address of 1.2.3.4; you would of course need to use the appropriate network interface name and IP address for your situation.
The rules themselves are stored in a file named “iptables”; that file may be in different locations depending on your distribution. On my RHEL server it is in /etc/sysconfig/iptables.
The essential elements of this file are:
(I have added the line numbers below for the purposes of the comments that follow; the actual iptables file would not contain line numbers.)
1 # Firewall configuration
2 *filter
3 :INPUT
4 :FORWARD
5 :OUTPUT
6
7 # your rules here
8
9 COMMIT
Line 2 of this file tells iptables that the following rules apply to the filter table. The next three lines (3-5) define the default targets for the three chains. We place our rules after these and before COMMIT, which does just that: it commits our rules to the firewall.
Each packet traverses the rules of the appropriate chain from the first to the last. If a packet matches a rule then it stops traversing the chain at that rule and its fate is decided by that rule's target. If the packet does not match any rule then its fate is the default target of its chain.
I would recommend using the following skeleton configuration for all your firewalls:
1 *filter
2 :INPUT DROP [0:0]
3 :FORWARD DROP [0:0]
4 :OUTPUT ACCEPT [0:0]
5
6 # allow local loopback connections
7 -A INPUT -i lo -j ACCEPT
8
9 # drop INVALID connections
10 -A INPUT -m state --state INVALID -j DROP
11 -A OUTPUT -m state --state INVALID -j DROP
12 -A FORWARD -m state --state INVALID -j DROP
13
14 # allow all established and related
15 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
16
17 # add anymore rules here
18
19 COMMIT
In lines 2-4 you will see that the default target for the INPUT and FORWARD chains is set to DROP, while outgoing connections are set to ACCEPT. In most cases for home, personal or workstation use you want to start by denying anything from outside that tries to come in and establish a new connection. On my systems I default to blocking everything and then add exceptions for specifically those things I want to allow. This does mean you have to determine what traffic each individual application requires, but it is far more secure to default to the “allow by exception” model rather than the “block by exception” model. In this example I allow all outgoing connections from the computer, which is my default for end-user computers as their usage tends to be a lot more varied; in server environments I lock down outbound packets as well and allow only those things that are specifically needed by the server.
In line 7 you will see a rule that tells iptables to allow all connections arriving on the local loopback network interface. Many applications use the loopback address for communication within the local computer; in most cases you will find that you need to permit these connections.
Lines 10-12 drop all connections with a state of INVALID.
Line 15 allows all incoming packets belonging to previously established or related connections through the firewall. For a connection to become established or related it must already have had a previous packet that went through the rules with a state of NEW and was allowed through the firewall by a matching rule (if it had not been allowed through it would have been dropped by default and could not result in an established or related connection state).
Example 2 shows a configuration for a higher-risk environment.
1 *filter
2 :INPUT DROP [0:0]
3 :FORWARD DROP [0:0]
4 :OUTPUT DROP [0:0]
5
6 # allow local loopback connections
7 -A INPUT -i lo -j ACCEPT
8
9 # drop INVALID connections
10 -A INPUT -m state --state INVALID -j DROP
11 -A OUTPUT -m state --state INVALID -j DROP
12 -A FORWARD -m state --state INVALID -j DROP
13
14 # allow all established and related
15 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
16 -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
17
18 # allow connections to my ISP's DNS servers
19 -A OUTPUT -d 2.3.4.10 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
20 -A OUTPUT -d 2.3.4.11 -m state --state NEW -p udp --dport 53 -o eth0 -j ACCEPT
21
22 # allow outgoing connections to web servers
23 -A OUTPUT -d 0/0 -m state --state NEW -p tcp --dport http -o eth0 -j ACCEPT
24 -A OUTPUT -m state --state NEW -p tcp --dport https -o eth0 -j ACCEPT
25
26 # allow outgoing mail connections to my ISP's SMTP and POP3 server only
27 -A OUTPUT -d 2.3.4.5 -m state --state NEW -p tcp --dport smtp -o eth0 -j ACCEPT
28 -A OUTPUT -d 2.3.4.5 -m state --state NEW -p tcp --dport pop3 -o eth0 -j ACCEPT
29
30 # log all other attempted out going connections
31 -A OUTPUT -o eth0 -j LOG
32 # default is to DROP out-going connections
33
34 COMMIT
This example follows the “deny everything” principle and only allows those specific exceptions that we explicitly define rules for. Line 16, for instance, adds a second rule very similar to the one in line 15 but on the OUTPUT chain instead. This is necessary because the default target of the OUTPUT chain is DROP. Also note that when specifying the interface for OUTPUT chain rules we use -o (or --out-interface) rather than -i.
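As an added check (example code written for this article, not part of the original post), the script below reads an iptables-save style filter table and tests the properties the skeleton and Example 2 rely on: INPUT and FORWARD default to DROP, every chain drops INVALID, and any chain that drops by default still accepts loopback and ESTABLISHED,RELATED traffic. The embedded ruleset is a constructed, trimmed copy of Example 2.

```shell
#!/bin/sh
# Check an iptables-save style filter table for the properties this article's
# skeleton relies on. Added example, not code from the original post.
# Constructed input: the article's Example 2 trimmed to the lines that matter.
# Replace with "$(iptables-save -t filter)" (run as root) to check the live rules.
RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 0/0 -m state --state NEW -p tcp --dport http -o eth0 -j ACCEPT
-A OUTPUT -o eth0 -j LOG
COMMIT'

# policy CHAIN: the default target from the ":CHAIN POLICY [pkts:bytes]" line
policy() { printf '%s\n' "$RULES" | awk -v c=":$1" '$1 == c { print $2 }'; }

# has_rule CHAIN PATTERN: true if some "-A CHAIN ..." line contains PATTERN
has_rule() { printf '%s\n' "$RULES" | grep -q -- "^-A $1 .*$2"; }

# lint: print one "WARN:" line per deviation from the skeleton
lint() {
    for chain in INPUT FORWARD; do
        [ "$(policy "$chain")" = DROP ] || echo "WARN: $chain policy is not DROP"
    done
    for chain in INPUT OUTPUT FORWARD; do
        has_rule "$chain" '--state INVALID -j DROP' || echo "WARN: $chain never drops INVALID packets"
    done
    # A chain that drops by default must still pass loopback and reply traffic;
    # INPUT matches the receiving interface (-i), OUTPUT the sending one (-o).
    for chain in INPUT OUTPUT; do
        [ "$(policy "$chain")" = DROP ] || continue
        has_rule "$chain" '--state ESTABLISHED,RELATED -j ACCEPT' \
            || echo "WARN: $chain drops by default but does not accept ESTABLISHED,RELATED"
        if [ "$chain" = OUTPUT ]; then flag=-o; else flag=-i; fi
        has_rule "$chain" "$flag lo -j ACCEPT" \
            || echo "WARN: $chain drops by default but has no '$flag lo -j ACCEPT' rule"
    done
}

# lint_count: number of findings; 0 means every check passed
lint_count() { lint | awk 'END { print NR }'; }

lint
```

Run over Example 2 it reports one finding: with an OUTPUT policy of DROP, line 7 only accepts loopback on INPUT, so a connection from a local program to 127.0.0.1 is dropped in the OUTPUT chain before it ever reaches INPUT; adding -A OUTPUT -o lo -j ACCEPT beside line 7 closes that gap.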
The first new rules we have added (lines 19 and 20) allow outbound connections to your ISP's DNS servers (this example assumes that your ISP uses 2.3.4.10 and 2.3.4.11 for its DNS servers). DNS lookups are usually done via the UDP protocol, so unless you are doing anything out of the ordinary this should be sufficient.
Lines 23 and 24 allow your browser to connect to any website using both the normal and the encrypted protocols. You'll notice that I have used http and https to specify the ports here instead of 80 and 443. This makes the rules more readable, and you can substitute the service name for any port as long as it appears in the file /etc/services. You may also notice that in the second rule I did not give a destination IP; this is equivalent to writing 'match any destination IP' (-d 0/0). In my real configurations I normally include it for readability, but in this example I left it off for instructional purposes.
I could also have combined these two rules into a single line using the multiport match:
-A OUTPUT -m state --state NEW -p tcp -m multiport --dports http,https -o eth0 -j ACCEPT
E-mail requires two services: SMTP (port 25) to send mail and POP3 (port 110) (or IMAP in some cases) to receive mail. Lines 27 and 28 show the rules to allow those services. Note that I use an assumed IP address of 2.3.4.5 for the mail server; however, most ISPs expect you to use the mail server's host name, and they may have multiple hosts providing that mail, so a better way to write those rules is shown in the example below. Be aware that iptables resolves the host name once, when the rules are loaded, and installs one rule per address it resolves to, so the rules must be reloaded if the ISP changes those addresses.
-A OUTPUT -d mail.isp.com -m state --state NEW -p tcp --dport smtp -o eth0 -j ACCEPT
-A OUTPUT -d mail.isp.com -m state --state NEW -p tcp --dport pop3 -o eth0 -j ACCEPT
Line 31 shows a rule with “LOG” as the target. This results in any packet that has not matched a previous rule being logged. The LOG target does not terminate the processing of rules; it simply logs the packet and continues processing. As there are no further rules, the packet ends up dropped, since that is the default target. You can review the log with the dmesg command or via syslogd. There is also a tool called logwatch, included in some distros and also available from SourceForge, which will format these reports into an e-mail and send it to the root account.
If you use any other services, such as Jabber, IRC, file sharing clients, etc., you will have to add rules for these also. Just follow the above example. If you don't know what ports to open and you can't find them in /etc/services, then add a logging rule at the beginning of the rules, e.g.
-A OUTPUT -o eth0 -j LOG
and examine the output of the dmesg command (look for the destination port, DPT=???).
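As an added example (written for this article, not taken from the original post), the script below summarises a few constructed dmesg lines of the kind the LOG rule produces, counts them by protocol, destination port and destination address, and turns the most frequent entry into an OUTPUT rule in the style of Example 2. The sample lines, the address 9.9.9.9 and the port 6667 are constructed for illustration.

```shell
#!/bin/sh
# Summarise iptables LOG output (as shown by dmesg) by protocol, destination
# port and destination address, so the ports an application needs can be
# turned into explicit rules. Added example, not code from the original post.

# Constructed sample of what dmesg shows for the "-A OUTPUT -o eth0 -j LOG" rule.
# On a live system replace this with the output of: dmesg | grep 'OUT=eth0'
LOGLINES='[ 1012.341] IN= OUT=eth0 SRC=1.2.3.4 DST=9.9.9.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
[ 1012.902] IN= OUT=eth0 SRC=1.2.3.4 DST=9.9.9.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51001 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
[ 1015.117] IN= OUT=eth0 SRC=1.2.3.4 DST=2.3.4.20 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=40000 DPT=123 LEN=56
[ 1020.555] IN= OUT=eth0 SRC=1.2.3.4 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1'

# summarize: print "count PROTO DPT DST" per distinct triple, most frequent first.
# ICMP has no port, so its DPT is shown as "-".
summarize() {
    printf '%s\n' "$LOGLINES" | awk '
        {
            proto = ""; dpt = "-"; dst = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
            }
            if (proto != "") count[proto " " dpt " " dst]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# top_port: the destination port logged most often (the DPT=??? to look for)
top_port() { summarize | head -n 1 | awk '{ print $3 }'; }

# suggest_rule: the OUTPUT rule, in the style of Example 2, that would permit the top entry
suggest_rule() {
    summarize | head -n 1 | awk '{
        printf "-A OUTPUT -d %s -m state --state NEW -p %s --dport %s -o eth0 -j ACCEPT\n",
               $4, tolower($2), $3 }'
}

summarize
suggest_rule
```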