
Creating the Firewall Rules Script

From the document Setting Up LAMP: (Page 166-172)

145

Configuring the Firewall

Most Linux distributions install their own set of firewall scripts by default. This is a nice gesture, and they do work; however, when it comes to security, we feel that you should configure your own version of the firewall by hand, so that you know exactly what it allows. If you are interested in reviewing these pre-installed scripts, check the following files: /etc/rc.d/init.d/iptables, /etc/sysconfig/iptables, and /etc/sysconfig/iptables-config. However, we will not utilize these scripts.

Your first step is to create a script that contains all of the rules needed to run your firewall. This script defines which ports you want open on your server and blocks unsolicited traffic to every other port.

We prefer to save our firewall script somewhere like /usr/local/etc, so let’s move into that directory and begin working.

We use pico as our command-line editor of choice, so let’s get started. Run pico /usr/local/etc/firewall. Now you can begin coding the script.

In Listing 6.3, you will see the full script. After the listing, we will explain each element for you.

4337Book.fm Page 145 Saturday, June 19, 2004 5:24 PM

Listing 6.3 Firewall Rules Script

#!/bin/sh
# Change the part after the = to where iptables
# is on your system
IPTABLES=/sbin/iptables

# Flush existing rules (INPUT chain only)
$IPTABLES -F INPUT

# Allow connections going outbound
# from this machine to reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp

# Allow incoming SSH requests
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

# Allow incoming DNS
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT

# Allow incoming HTTP requests (to Web server)
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow Ping echo (note: this accepts every ICMP type, not only echo-request)
$IPTABLES -A INPUT -p icmp -j ACCEPT

# Load Modules, one command per line. The printed listing used insmod,
# which needs a path to the module file on module-init-tools kernels;
# modprobe finds the module by name and also loads its dependencies.
modprobe ip_conntrack_ftp
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_limit
modprobe ipt_state

# Log whatever reaches this point, at an average of 3 entries per second
# with a burst of 5. The limit keeps a flood of rejected packets (a DOS
# attack) from filling the log or tying up the firewall host.
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 ! -i lo -j LOG

# Drop all other data (the rule above has already logged it)
$IPTABLES -A INPUT ! -i lo -j DROP

Let’s begin to understand the firewall script in Listing 6.3. The first line, called the shebang, tells the kernel which interpreter should run the script, here the Bourne shell /bin/sh. Without it the script can only be run by passing it to sh explicitly:

#!/bin/sh

Next, you will see comments throughout the script. They help you keep track of what you are doing and are a simple way to take notes; scripts grow, and notes help you refresh your memory later. Put a comment symbol (#) at the start of each comment line so that the shell does not try to execute it:

# Change the part after the = to where iptables
# is on your system

Now you are going to create a variable, or a shortcut, for your iptables executable. This variable saves you from typing the full path each time you need it, and it means only one line changes if the binary lives somewhere else on your system (which iptables tells you where). In this case, you create IPTABLES with the value /sbin/iptables and refer to it as $IPTABLES:

IPTABLES=/sbin/iptables

Your next task is to flush any existing rules from your INPUT chain. This clears out old rules before you set up your own. The -F option is really useful when you change this script and delete a rule: the next time you run the script, all of the old rules are removed and the new rules are entered. Two things to keep in mind: only INPUT is flushed, so rules in the FORWARD and OUTPUT chains and in any custom chains are left alone, and between this flush and the final DROP rule the chain is empty with an ACCEPT policy, so the host is briefly open while the script runs:

# Flush existing rules
$IPTABLES -F INPUT

Your firewall will be set up to block anything arriving on a port that you have not explicitly opened. On its own that would break ordinary outbound use of the machine: when you connect out (to fetch updates, look up a DNS name, ping a host), the replies come back to a high-numbered port that is not on your open list and would be blocked. This is where the ESTABLISHED state option comes in.

The state match uses the kernel’s connection tracking: a packet is ESTABLISHED if it belongs to a connection that has already seen traffic in both directions, that is, it is a reply to something this machine sent first. Accepting ESTABLISHED packets therefore lets the replies to your own connections in without opening any port to unsolicited traffic. The next three rules do this for Internet Control Message Protocol (ICMP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP) traffic arriving on eth0 (the -i eth0 option restricts them to that interface; if your public interface has a different name, change it here):

# Allow connections going outbound
# from this machine to reply back
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p icmp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p tcp
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED -i eth0 -p udp

The next rule allows SSH access over TCP to port 22. To read it: you call the $IPTABLES executable and append to the INPUT chain with -A INPUT. You select TCP with -p tcp, and then match the destination port with --dport 22. The last option is -j, which says what to do with a matching packet, and here you ACCEPT it. The opposite of ACCEPT is DROP, which silently discards the packet (REJECT instead sends an error back to the sender). As written, this rule opens SSH to every address on the Internet; if you only ever administer the machine from a known network, adding a source match such as -s 192.0.2.0/24 (your own management network, whatever it is) narrows it to that network.

#Allow incoming SSH requests
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

Next you are going to allow DNS requests to be handled by this machine. There are two rules because DNS normally runs over UDP but falls back to TCP for large answers and for zone transfers. You only need these if this machine runs a name server; a machine that merely looks names up is already covered by the ESTABLISHED rules above:

#Allow incoming DNS

$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT

$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT


The last set of service rules is for your web server. It is not needed at this moment, but we include it now because you will be setting up HTTP access shortly. Notice the two rules: one for plain HTTP requests on port 80, and one for HTTPS requests to the secure web server on port 443:

#Allow incoming HTTP requests (to Web server)

$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT

$IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT

One of the simplest diagnostic tools is the ping command, and once your firewall is up you must explicitly allow the system to answer pings. The next rule takes care of that. Be aware that as written it accepts every ICMP type, not only echo requests; if you want to admit only ping, add --icmp-type echo-request to the rule:

#Allow Ping echo
$IPTABLES -A INPUT -p icmp -j ACCEPT

The next section loads the kernel modules the rules depend on: the FTP connection-tracking helper, the LOG and REJECT targets, and the limit and state matches. (iptables loads match and target modules on demand, so the explicit loads are belt and braces. The module names are those of the 2.4/2.6-era kernels the book targets; newer kernels call them nf_conntrack_ftp, xt_LOG, xt_limit and xt_state.) The FTP helper is loaded now so that an FTP server you install later can work through the firewall. Note what it does and does not do: it watches the FTP control channel and marks the data connections negotiated over it as RELATED. The three state rules above accept only ESTABLISHED, so inbound (passive-mode) data connections are still dropped until you extend those rules to --state ESTABLISHED,RELATED, and you would also need to open port 21 for the control channel. The printed listing used insmod, which on module-init-tools kernels needs the path to the module file; modprobe finds the module by name:

# Load Modules
modprobe ip_conntrack_ftp
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_limit
modprobe ipt_state

A valuable rule to have is one that logs any traffic that bounces off your firewall. The log shows you which ports remote hosts are trying to reach, which helps you decide whether you need other ports open when something cannot connect to your system. The entries go to the kernel log via syslog (on a Red Hat style system, /var/log/messages).

This next rule takes care of the logging. It is rate-limited so that a flood of rejected packets, as in a DOS attack, cannot fill your log or keep the host busy writing it: --limit 3/second --limit-burst 5 allows an average of three log entries per second, with a burst of up to five, and packets beyond that are simply not logged (they are still dropped by the rule that follows). The ! -i lo part excludes loopback traffic, which should never be logged or dropped; older iptables versions wrote this as -i ! lo, and both mean the same thing:

# Log whatever reaches this point, at an average of 3 entries per second
# with a burst of 5. The limit keeps a flood of rejected packets (a DOS
# attack) from filling the log or tying up the firewall host.
$IPTABLES -A INPUT -m limit --limit 3/second --limit-burst 5 ! -i lo -j LOG


WARNING After your firewall has been configured, tested, and works properly, you may comment the previous logging line out to stop it writing to your system log. If you need to troubleshoot your firewall, enable it again and then disable it after everything is working properly. Adding --log-prefix "FW-DROP: " to the rule tags each entry so that you can pick them out of the log with grep.
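To see what the LOG rule is telling you, you have to pull the kernel entries out of the system log and count them by protocol, destination port and source. The script below is an added example written for this page, not part of the book. It assumes the standard iptables LOG line format that the kernel writes (IN= OUT= SRC= DST= PROTO= DPT= ...) and tolerates an optional --log-prefix; the log lines embedded in it are constructed samples, not a real capture.

```shell
#!/bin/sh
# Added example (not from the book): summarize what the firewall's LOG rule
# is recording. Assumes the standard kernel LOG line format; a --log-prefix
# such as "FW-DROP: " may or may not be present and is ignored by the parser.

# summarize_drops: read log lines on stdin, print "count proto dport src"
# for every logged packet, most frequent first. Packets without a port
# (ICMP) get "-" as the port.
summarize_drops() {
    awk '
        /kernel:/ && /SRC=/ {
            src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src != "" && proto != "") count[proto " " dpt " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample lines (not a real capture) in the format the kernel
# emits for the LOG rule; the first carries a --log-prefix, the rest do not,
# and the last is an unrelated sshd line that must be ignored.
SAMPLE_LOG='Jun 19 17:24:01 lamp kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=54321 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 19 17:24:02 lamp kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=54322 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 19 17:24:03 lamp kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=9 PROTO=UDP SPT=1025 DPT=3306 LEN=20
Jun 19 17:24:04 lamp kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=10 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jun 19 17:24:05 lamp sshd[1234]: Accepted publickey for admin from 192.0.2.50 port 40000 ssh2'

# top_drop: the most frequent (proto dport src) tuple in the sample.
top_drop() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops | head -n 1
}

# sample_tuples: number of distinct tuples the sample produces.
sample_tuples() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_drops | wc -l | tr -d ' '
}

# Against a live system: summarize_drops < /var/log/messages
```

Against the live log, run summarize_drops < /var/log/messages. A tuple that recurs from many different sources on a port you actually serve points at a missing ACCEPT rule; one source hitting many different ports is a scan, and nothing needs opening for it.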

The next line is extremely important because it closes every port you have not explicitly opened above. Although the comment says “drop and log”, this rule only drops; the logging was done by the preceding rule, so keep the two in this order. Note also that the INPUT chain’s policy is still ACCEPT (Listing 6.4 shows this), so this single rule is all that stands between the Internet and the ports you did not open: if the script stops with an error before reaching it, the machine is wide open. The more robust approach is to make DROP the default with iptables -P INPUT DROP at the top of the script, so that a failed rule leaves the host closed rather than open:

# Drop all other data (the rule above has already logged it)
$IPTABLES -A INPUT ! -i lo -j DROP
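The rule set in Listing 6.3 can be tightened without changing which services it exposes: default-deny policies set first, RELATED accepted alongside ESTABLISHED so the FTP helper has something to do, only echo-request admitted, and the script stopping on the first rule that fails. The script below is an added example written for this page; it is neither the book’s Listing 6.3 nor any distribution’s firewall script. It assumes the same services (SSH, DNS, HTTP/HTTPS, ping), that iptables lives in /sbin and that eth0 is the public interface, and it invents two modes, show and apply, so you can review the generated commands before loading them as root.

```shell
#!/bin/sh
# Added example, not the book's Listing 6.3: the same service set rewritten
# default-deny. Assumptions: iptables in /sbin, eth0 is the public
# interface. "show" prints the rules; "apply" (as root) loads them.

IPTABLES="${IPTABLES:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"

# run: print the command in dry-run mode, otherwise execute it and abort on
# the first failure so a half-applied rule set is noticed, not left in place.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@" || { echo "rule failed: $*" >&2; exit 1; }
    fi
}

firewall_rules() {
    # Default deny before anything else: if the script dies halfway, the host
    # is closed, not open (Listing 6.3 leaves the policy at ACCEPT and relies
    # on its final DROP rule).
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT ACCEPT
    run "$IPTABLES" -F INPUT
    run "$IPTABLES" -F FORWARD

    # Loopback is trusted (Listing 6.3 instead exempts lo from its DROP rule).
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT

    # Replies to our own connections. RELATED is what lets ip_conntrack_ftp
    # admit the FTP data channel; ESTABLISHED alone does not.
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # A new TCP connection must start with SYN; anything else is noise or a scan.
    run "$IPTABLES" -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Published services, one proto:port per entry, on the public interface only.
    for svc in tcp:22 udp:53 tcp:53 tcp:80 tcp:443; do
        proto=${svc%%:*}
        port=${svc#*:}
        run "$IPTABLES" -A INPUT -i "$WAN_IF" -p "$proto" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done

    # Answer ping, but only echo-request (Listing 6.3 accepts every ICMP
    # type) and rate-limited.
    run "$IPTABLES" -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 1/second -j ACCEPT

    # Log what the policy is about to drop: average 3 entries/second, burst 5,
    # tagged so the entries can be grepped out of the system log.
    run "$IPTABLES" -A INPUT -m limit --limit 3/second --limit-burst 5 \
        -j LOG --log-prefix "FW-DROP: "
    # No trailing DROP rule: the INPUT policy set above does that.
}

# rule_count: how many iptables commands the rule set generates.
rule_count() {
    (DRY_RUN=1; firewall_rules) | wc -l | tr -d ' '
}

case "${1:-}" in
    show)  (DRY_RUN=1; firewall_rules) ;;
    apply) DRY_RUN=0; firewall_rules ;;
esac
```

Run sh firewall show to print the fifteen commands it would issue, and sh firewall apply as root to load them. The order is deliberate: policies first so that a failure part-way leaves the host closed, loopback and connection tracking next so that your own sessions (including the SSH session you may be running it from) survive, then the published ports, then logging.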

Now that you understand what this script is doing, save the file and then give it executable permissions. Simply chmod the script to read/write/execute permissions for only root:

chmod 700 /usr/local/etc/firewall

Before you run the script, take a look at the current firewall settings by running the list option of iptables (adding -n prints addresses and ports as numbers instead of looking up names, which avoids a hang when DNS is unreachable):

iptables -L

You should see something like this:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination

The preceding listing means that there are no firewall rules loaded (every chain has an ACCEPT policy and no rules) and your system is wide open at the moment. If this is the case, you’re ready to start your firewall.

Otherwise, run the following to clear out the firewall settings that were set up during the installation of Linux:

/etc/init.d/iptables stop

You will also want to disable the distribution’s iptables service in ntsysv (or with chkconfig iptables off) because you are going to run your own startup script.

Now you can run your new firewall settings for the first time by executing the script you created. If you are logged in over SSH, keep in mind that a mistake in the script can lock you out; run it from the console the first time, or at least double-check the port 22 rule before you run it:

/usr/local/etc/firewall


You should see the module loader report each module as it is loaded. If you have already run the firewall since the last reboot, it might print a message that the modules are already loaded. This is not an error and it is not a problem; it’s simply a notification, and the firewall will run properly. Next, run the iptables -L command again to see what’s happening with your firewall. See Listing 6.4 for the output.

Listing 6.4 Firewall Output

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     udp  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:https
ACCEPT     icmp --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 3/sec burst 5 LOG level warning
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
target     prot opt source               destination

If your firewall output matches this one, then congratulations, you have a firewall running! Notice that the chain policies still read ACCEPT; it is the final DROP rule that does the blocking. As a last check, from another machine try to connect to a port you did not open (for example, telnet to port 23 of your server) and confirm that the attempt times out rather than being accepted or refused.
