Linux Troubleshooting Make Easy.

Linux Learning & Troubleshooting Make Easy.

Linux Firewall Tips

Firewalls are a useful way of adding some security to your system, but they are not a panacea. A properly configured firewall can make it much harder to break into your system, and in some cases can even protect you from mistakes or misconfigurations elsewhere in the system. It should not be viewed as the sole, or even the main, defense against hacking, but merely as one layer in a system of defenses. Regular and frequent patching and updates are still essential.

First, you may want to look at your existing ruleset:
#  /sbin/iptables -L

You can save a copy of it with the command:
#  /etc/init.d/iptables save

To take a backup of your firewall rules:
#  cp /etc/sysconfig/iptables BACKUPFILE

These commands all need to be run as root. If you copy the backup file back to /etc/sysconfig/iptables and reboot, the old firewall rules will be back in effect.

Our first step is to clear out the existing rules and set up the desired chain structure.

To open the firewall up completely:

#  iptables --policy INPUT ACCEPT
#  iptables --policy OUTPUT ACCEPT
#  iptables --flush
#  iptables --delete-chain

Commands to create a chain called existing-connections, which allows your machine to talk to itself and lets you receive responses to connections you start:

#  iptables --new-chain existing-connections
#  iptables --append INPUT -j existing-connections
#  iptables --append existing-connections --in-interface lo -j ACCEPT
#  iptables --append existing-connections -m state --state ESTABLISHED -j ACCEPT
#  iptables --append existing-connections -m state --state RELATED -j ACCEPT

Commands to create an empty chain called allowed. If there are any services you need to be accessible on your machine from the internet, you can add them to this chain (see "Opening ports on the allowed chain" below):

#  iptables --new-chain allowed
#  iptables --append INPUT -j allowed

Commands to tighten up the security again:

#  iptables --policy OUTPUT ACCEPT
#  iptables --policy INPUT DROP
#  iptables --policy FORWARD DROP

The result is that all outgoing packets (i.e. anything sent from your machine to someplace else, whether initiated by you or in response to something else) are allowed. Incoming packets (i.e. anything sent to your machine from the outside, whether in response to a request from you or not) are dropped unless:

1. They are in response to, or otherwise part of, a session you initiated
2. They come from your own machine (the loopback interface)
3. You have explicitly allowed them in the allowed chain.

For a basic desktop, you generally can just leave the allowed chain empty.

Opening ports on the allowed chain

If you want your machine to respond to requests initiated from elsewhere on the internet, in effect to be a server, you need to open the required ports. To do this properly, you need to know:

1. Which service you want to open up
2. Whether it is a tcp or udp service
3. Which port number(s) it uses

You may also wish to restrict access to certain machines or networks, e.g. if you only want people in the Physics building or on campus to be able to reach the service.

For example, to enable ssh access to your box from anywhere on campus, you could use something like:

#  iptables -A allowed -p tcp --dport 22 -s 129.2.0.0/16 -j ACCEPT
#  iptables -A allowed -p udp --dport 22 -s 129.2.0.0/16 -j ACCEPT
#  iptables -A allowed -p tcp --dport 22 -s 128.8.0.0/16 -j ACCEPT
#  iptables -A allowed -p udp --dport 22 -s 128.8.0.0/16 -j ACCEPT

This allows both udp and tcp traffic from either of the two campus class B networks to reach port 22 on your machine. Of course, you also need an sshd daemon running for this to work; the rules above merely punch the required holes in the firewall.
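The whole procedure above (clear, build the two chains, open a port, tighten the policies) collected into one script, as an added example that is not part of the original post. It uses the page's two campus networks as an assumed trusted range, merges the ESTABLISHED and RELATED rules into one, and opens tcp/22 only, since sshd listens on tcp; "preview" prints the commands without touching the firewall.

```shell
#!/bin/sh
# Added example (not from the original page): the page's ruleset as one script.
# "sh firewall.sh preview" prints the commands; "sh firewall.sh apply" runs them (as root).
IPTABLES="${IPTABLES:-/sbin/iptables}"
CAMPUS_NETS="129.2.0.0/16 128.8.0.0/16"   # assumed trusted source networks; edit for your site
dry_run() { printf '%s\n' "$*"; }          # stand-in for iptables in preview mode

# Step 1: open up and clear, so a remote session is not cut off mid-rebuild.
reset_firewall() {
    "$IPTABLES" --policy INPUT ACCEPT
    "$IPTABLES" --policy OUTPUT ACCEPT
    "$IPTABLES" --flush
    "$IPTABLES" --delete-chain
}

# Step 2: loopback and reply traffic, then the (initially empty) allowed chain.
build_chains() {
    "$IPTABLES" --new-chain existing-connections
    "$IPTABLES" --append INPUT -j existing-connections
    "$IPTABLES" --append existing-connections --in-interface lo -j ACCEPT
    "$IPTABLES" --append existing-connections -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" --new-chain allowed
    "$IPTABLES" --append INPUT -j allowed
}

# open_port PROTO PORT NET...  adds one allowed rule per source network.
open_port() {
    proto=$1; port=$2; shift 2
    for net in "$@"; do
        "$IPTABLES" -A allowed -p "$proto" --dport "$port" -s "$net" -j ACCEPT
    done
}

# Step 3: default-deny inbound and forwarded traffic; outbound stays open.
lock_down() {
    "$IPTABLES" --policy OUTPUT ACCEPT
    "$IPTABLES" --policy INPUT DROP
    "$IPTABLES" --policy FORWARD DROP
}

apply_firewall() {
    reset_firewall
    build_chains
    open_port tcp 22 $CAMPUS_NETS     # unquoted on purpose: one rule per network
    lock_down
}

case "${1:-}" in
    preview) IPTABLES=dry_run; apply_firewall ;;
    apply)   apply_firewall ;;
esac
```

Run the preview first and compare it against /sbin/iptables -L afterwards; the INPUT DROP policy is only set after the allowed chain is in place, so an ssh session from a listed network survives the rebuild.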
