Technical Recipes

How to set up a firewall on a Linux hosting site (part I)

Firewalls are one of the core components of a network security implementation. Firewalls can be stand-alone hardware solutions or proprietary software solutions.

The Linux kernel features a networking subsystem called Netfilter. The Netfilter subsystem provides stateful or stateless packet filtering as well as NAT and IP masquerading services. Netfilter also has the ability to mangle IP header information for advanced routing and connection state management. Netfilter is controlled using the iptables tool.

iptables features advanced logging, pre- and post-routing actions, network address translation, and port forwarding, all in one command line interface.

1. Firewall types

   There are three common types of firewalls:

   1.1 NAT (Network Address Translation)

        NAT places private IP subnetworks behind one or a small pool of public IP addresses, masquerading all requests to one source rather than several. The Linux kernel has built-in NAT functionality through the Netfilter kernel subsystem.

   1.2 Packet Filter

        A packet filter firewall reads each data packet that passes through a LAN. It can read and process packets by header information and filter the packet based on sets of programmable rules implemented by the firewall administrator. The Linux kernel has built-in packet filtering functionality through the Netfilter kernel subsystem.

        The Netfilter facility is built into the Linux kernel and has five built-in tables, or rule lists: filter, nat, mangle, raw, and security.

   1.3 Proxy

        Proxy firewalls filter all requests of a certain protocol or type from LAN clients to a proxy machine, which then makes those requests to the Internet on behalf of the local client. A proxy machine acts as a buffer between malicious remote users and the internal network client machines.

2. iptables command syntax

    Many iptables commands have the following structure:

    iptables [-t <table-name>] <command> <chain-name> <parameter-1> <option-1> <parameter-n> <option-n>

    iptables -A <chain> -j <target>

    2.1 built-in chains

        The three built-in chains for filter table are INPUT, OUTPUT, and FORWARD.

        The three built-in chains for the nat table are PREROUTING, OUTPUT, and POSTROUTING.

        These chains are permanent and cannot be deleted. The chain specifies the point at which a packet is manipulated.

    2.2 Target options

    	The following are the standard targets:

    	- ACCEPT: Allows the packet through to its destination or to another chain
    	- DROP: Drops the packet without responding to the requester
    	- REJECT: Denies access and returns a connection refused error to users who attempt to connect to the service
    	- QUEUE: The packet is queued for handling by a user-space application
    	- RETURN: Stops checking the packet against rules in the current chain. If the packet with a RETURN target matches a rule in a chain called from another chain, the packet is returned to the first chain to resume rule checking where it left off. If the RETURN rule is used on a built-in chain and the packet cannot move up to its previous chain, the default target for the current chain is used.
    	- LOG: Logs all packets that match this rule. Because the packets are logged by the kernel, the /etc/syslog.conf file determines where these log entries are written. By default, they are placed in the /var/log/messages file.

    2.3 iptables options

        -A: Append the rule to the end of the specified chain
        -D: Delete this rule definition from the ruleset
        -I [<integer>]: Inserts the rule in the specified chain at a point specified by a user-defined integer argument. If no argument is specified, the rule is inserted at the top of the chain
        -P: Set Policy e.g. iptables -P INPUT DROP
        -F: Flush the selected chain, which effectively deletes every rule in the chain. If no chain is specified, this command flushes every rule from every chain
        -L: Lists all of the rules in the chain specified after the command. To list all rules in all chains in the default filter table, do not specify a chain or table. Otherwise, the following syntax should be used to list the rules in a specific chain in a particular table
        -X: Delete a user-specified chain

        -i: incoming network interface
        -o: outgoing network interface
        -s: Source Address 
        -d: Destination Address 
        -p: Protocol 
        --dport: Destination Port
        --sport:  Source port
        -j: Jumps to the specified target when a packet matches a particular rule. The standard targets are ACCEPT, REJECT, DROP, QUEUE, and RETURN
        -t: table
        -m: module

        The iptables program has an extensive collection of modules that evaluate packets against different criteria. There are modules for protocols, logging, connection state, and so on. Modules may take parameters (-m module_name --parameter_name parameter_arguments).

3. Basic firewall rules

    Each iptables chain is comprised of a default policy, and zero or more rules which work in concert with the default policy to define the overall rule set for the firewall. The default policy for a chain can be either DROP or ACCEPT.

    # iptables -P INPUT DROP
    # iptables -P OUTPUT DROP
    # iptables -P FORWARD DROP

    However, with a default policy set to block all incoming, outgoing, and forwarded packets, it is impossible for the firewall/gateway and internal LAN users to communicate with each other or with external resources.

    To allow users to perform network-related functions and to use networking applications, administrators must open certain ports for communication by appending specific rules.

    When creating an iptables rule set, order is important. If a rule specifies that any packets from the 192.168.100.0/24 subnet be dropped, and this is followed by a rule that allows packets from 192.168.100.13 (which is within the dropped subnet), then the second rule is ignored. The rule to allow packets from 192.168.100.13 must precede the rule that drops the remainder of the subnet.

4. Common iptables filtering

    4.1 Allow users to browse websites that communicate using the standard port 80

    	# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

    4.2 Allow access to secure websites using port 443

    	# iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

    4.3 Accept connections from remote SSH clients

    	# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    	# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

        These rules allow incoming and outbound access for an individual system, such as a single PC directly connected to the Internet or a firewall/gateway. However, they do not allow nodes behind the firewall/gateway to access these services. To allow LAN access to these services, you can use Network Address Translation (NAT) with iptables filtering rules.

    4.4 Allow local loopback device traffic

    	# iptables -I INPUT 1 -i lo -p all -j ACCEPT

        or

    	# iptables -A INPUT -i lo -j ACCEPT

    4.5 Drop all traffic to 127/8 that does not use loopback

    	# iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

    4.6 Log everything for debugging

         (last of all rules, but before policy rules)
	
    # iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT  "
    # iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
    # iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
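
The rules from sections 3 and 4 collected into one ruleset in iptables-restore format, with the host exception placed before the subnet drop it depends on. This is an added example, not part of the original recipe; the conntrack rules that let reply traffic through the DROP policies and the function names build_ruleset, rule_pos and check_order are assumptions of the example.

```shell
#!/bin/sh
# Added example: host ruleset in iptables-restore format, ordered so that
# narrow rules come before broad ones. Addresses and ports follow the page;
# the conntrack rules and the function names are this example's assumptions.
TRUSTED_HOST="192.168.100.13"     # must be accepted ...
BLOCKED_NET="192.168.100.0/24"    # ... before its subnet is dropped

build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${TRUSTED_HOST} -j ACCEPT
-A INPUT -s ${BLOCKED_NET} -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "FIREWALL:INPUT  "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
COMMIT
EOF
}

# Print the 1-based position in chain $1 of the first rule containing $2.
rule_pos() {
    build_ruleset | grep -- "^-A $1 " | grep -n -F -- "$2" | head -n 1 | cut -d: -f1
}

# Succeed only if the host ACCEPT is evaluated before the subnet DROP and
# the catch-all LOG rule is the last rule in INPUT.
check_order() {
    allow=$(rule_pos INPUT "-s ${TRUSTED_HOST} ")
    drop=$(rule_pos INPUT "-s ${BLOCKED_NET} ")
    log=$(rule_pos INPUT "-j LOG")
    total=$(build_ruleset | grep -c -- "^-A INPUT ")
    [ "$allow" -lt "$drop" ] && [ "$log" -eq "$total" ]
}

if check_order; then build_ruleset; else echo "rule order is wrong" >&2; exit 1; fi
```

Piping the output into `iptables-restore --test` parses the ruleset without committing it.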

5. FORWARD

    Edge routers (such as firewalls) can receive incoming transmissions from the Internet and route the packets to the intended LAN node. At the same time, firewalls/gateways can also route outgoing requests from a LAN node to the remote Internet service. The FORWARD chain allows an administrator to control where packets can be routed within a LAN. For example, to allow forwarding for the entire LAN (assuming the firewall/gateway is assigned an internal IP address on eth1), use the following rules:
	
    # iptables -A FORWARD -i eth1 -j ACCEPT
    # iptables -A FORWARD -o eth1 -j ACCEPT

    By default, the IPv4 policy in Red Hat Enterprise Linux kernels disables support for IP forwarding. This prevents machines that run Red Hat Enterprise Linux from functioning as dedicated edge routers. To enable IP forwarding, use the following command as the root user:

    # sysctl -w net.ipv4.ip_forward=1

    This configuration change is only valid for the current session; it does not persist beyond a reboot or network service restart. To permanently set IP forwarding, edit the /etc/sysctl.conf file and set:

    net.ipv4.ip_forward = 1

6. Postrouting and IP Masquerading

    To allow LAN nodes with private IP addresses to communicate with external public networks, configure the firewall for IP masquerading, which masks requests from LAN nodes with the IP address of the firewall's external device (in this case, eth0):

    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    This rule uses the NAT packet matching table (-t nat) and specifies the built-in POSTROUTING chain for NAT (-A POSTROUTING) on the firewall's external networking device (-o eth0).

7. Prerouting

    If you have a server on your internal network that you want to make available externally, you can use the -j DNAT target of the PREROUTING chain in the nat table to specify a destination IP address and port to which incoming packets requesting a connection to your internal service are forwarded.

    If you have a default policy of DROP in your FORWARD chain, you must append a rule to forward all incoming HTTP requests so that destination NAT routing is possible. To do this, use the following command as the root user:

    # iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 172.31.0.23 -j ACCEPT
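
The forwarding, masquerading and port-forwarding rules from sections 5 to 7 as one iptables-restore ruleset, with a check that every DNAT destination has a matching FORWARD rule. This is an added example, not part of the original recipe; the DNAT rule with --to-destination, the conntrack rule (used in place of the broader -o eth1 ACCEPT from section 5) and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example: gateway rules for sections 5-7 in iptables-restore format.
# eth0, eth1 and 172.31.0.23 come from the page; the DNAT and conntrack
# rules and all function names are assumptions of this example.
WEB_SERVER="172.31.0.23"
WEB_PORT=80

build_gateway_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport ${WEB_PORT} -j DNAT --to-destination ${WEB_SERVER}:${WEB_PORT}
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -p tcp --dport ${WEB_PORT} -d ${WEB_SERVER} -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin; fail if any DNAT destination lacks a FORWARD
# ACCEPT, because the DROP policy would then discard the translated packets.
check_forward_for_dnat() {
    rules=$(cat)
    targets=$(printf '%s\n' "$rules" |
        sed -n 's/.*-j DNAT --to-destination \([0-9.]*\):\([0-9]*\).*/\1:\2/p')
    for target in $targets; do
        host=${target%:*}
        port=${target#*:}
        printf '%s\n' "$rules" |
            grep -q -- "^-A FORWARD .*--dport $port -d $host -j ACCEPT" || {
            echo "no FORWARD rule for $target" >&2
            return 1
        }
    done
}

if build_gateway_ruleset | check_forward_for_dnat; then
    build_gateway_ruleset
fi
```

The forwarding rules only take effect once net.ipv4.ip_forward is set to 1 as described in section 5.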

8. Reject request from external private address

    A true firewall has two interfaces, one connected to an intranet, e.g., eth0, and one connected to the Internet, e.g., ppp0.

    Anything coming from the outside should not have a private source address; packets that do are a sign of a common attack called IP spoofing:
	
    -A INPUT -i ppp+ -s 10.0.0.0/8     -j DROP
    -A INPUT -i ppp+ -s 172.16.0.0/12  -j DROP
    -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP

    There are other addresses that you may also want to drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link Local Networks), and 192.0.2.0/24 (IANA defined test network).
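
An added example, not part of the original recipe, that keeps the networks listed above in one place, emits a DROP rule for each, and reports which entry a given source address falls in. The function names and the sample addresses are constructed for the example.

```shell
#!/bin/sh
# Added example: the networks named in this section kept in one list, used to
# emit the DROP rules and to check which entry a logged source address hits.
# Function names and the ppp+ default are assumptions of this example.
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8 127.0.0.0/8
224.0.0.0/3 169.254.0.0/16 192.0.2.0/24"

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( ($a << 24) | ($b << 16) | ($c << 8) | $d ))
}

# Print the listed network that contains address $1; return 1 if none does.
match_bogon() {
    addr=$(ip_to_int "$1")
    for net in $BOGONS; do
        bits=${net#*/}
        base=$(ip_to_int "${net%/*}")
        mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
        if [ $(( $addr & $mask )) -eq $(( $base & $mask )) ]; then
            printf '%s\n' "$net"
            return 0
        fi
    done
    return 1
}

# Emit one iptables-restore DROP line per network for interface $1.
antispoof_rules() {
    for net in $BOGONS; do
        printf '%s\n' "-A INPUT -i ${1:-ppp+} -s $net -j DROP"
    done
}

antispoof_rules ppp+
# Constructed sample source addresses, as they might appear in a LOG entry.
for src in 172.20.1.9 240.0.0.1 172.32.0.1; do
    echo "$src -> $(match_bogon "$src" || echo 'not listed')"
done
```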