Forgot your password?
typodupeerror
Linux Software

Linux 2.4's Firewalling 52

Posted by CmdrTaco
from the these-are-a-few-of-my-favorite-things dept.
A reader writes "Dave Wreski finished an article for linuxsecurity.com on the security improvements available in the new 2.4 kernel packet mangling/filtering" This is a fairly basic level newbie type article (assuming you at least have a pocketfull of networking experience) and is worth reading to bring you up to speed on whats new and exciting.
This discussion has been archived. No new comments can be posted.

Linux 2.4's Firewalling

Comments Filter:

  • Why would you need anything more than iptables?

    Below is a server filter configuration of mine. Add NAT if needed. Any weaknesses? (I have chrooted normal users' ssh; unchrooted ssh is available from administrators' home addresses through the telnet port)


    #!/bin/sh

    # we write log of what we do here
    LOG="/var/log/iptables.log"
    # local IPv4 addresses:
    MYIP="`ifconfig | sed -ne 's/.*addr:\([0-9.]*\).*/\1/p'`"
    # Allow incoming traffic for these
    TCPOK="ftp-data ftp ssh nameserver domain www pop3 https cvspserver 6667"
    UDPOK="domain"
    # Addresses allowed to "telnet" (ssh to root dir)
    TELNETOK="12.34.56.78/29 12.34.56.90/29"

    echo "`/bin/date '+[%x %X]'` $0 $*" >>$LOG

    # set up policy
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # clear filter tables
    iptables -F INPUT
    iptables -F FORWARD
    iptables -F OUTPUT

    # drop all custom tables
    for c in `iptables -L -n | sed -ne 's/^Chain \([a-z]*\) .*/\1/p'`;
    do
    echo "Dropping iptable $c" >>$LOG
    iptables -F $c
    iptables -X $c
    done

    # create custom tables
    iptables -N rootssh # root ssh; default DROP
    iptables -N icmps # icmp traffic; default DROP (weakish)
    iptables -N foreign # incoming traffic; default DROP

    # rootssh: ssh through telnet port to root dir
    # accept from local addresses
    for A in $MYIP; do iptables -A rootssh -s $A -i lo -j ACCEPT; done
    # accept from specified external addresses
    for A in $TELNETOK; do iptables -A rootssh -s $A -i eth0 -j ACCEPT; done

    iptables -A rootssh -m limit -j LOG
    iptables -A rootssh -j DROP

    # icmps: restrict ICMP protocol usage ### TODO: learn to do this right
    # accept all except "redirect" ICMP messages
    iptables -A icmps -p icmp --icmp-type ! redirect -j ACCEPT

    iptables -A icmps -m limit -j LOG
    iptables -A icmps -j DROP

    # foreign: traffic coming from outside
    # accept established traffic:
    iptables -A foreign -p tcp --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A foreign -p udp --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
    # accept explicitly specified traffic
    for A in $TCPOK; do iptables -A foreign -p tcp --dport $A -j ACCEPT; done
    for A in $UDPOK; do iptables -A foreign -p udp --dport $A -j ACCEPT; done

    iptables -A foreign -m limit -j LOG
    iptables -A foreign -j DROP

    # filter table

    # handle icmp traffic and root ssh separately
    iptables -A INPUT -p icmp -j icmps
    iptables -A INPUT -p tcp --dport telnet -j rootssh
    # accept local traffic
    for A in $MYIP; do iptables -A INPUT -s $A -i lo -j ACCEPT; done
    # handle external traffic separately
    iptables -A INPUT -i eth0 -s ! localhost -j foreign

    iptables -A INPUT -m limit -j LOG
    # default policy was to drop.

    # done configuring

    # log configuration
    iptables -L -n >>$LOG

  • by gbd (242931) on Thursday February 15, 2001 @11:58AM (#428670)
    hi all (george here)

    really this linux 2.4 firewall looks VERY INTERESTING but i cannot bring myself to actually create one, i have been told by VERY reputable sources that this would threaten the AMERICAN WAY

    your bud

  • - set up packet filtering,
    - include the rudimentary protective measeures against spoofing and flooding in above
    - chroot daemons
    - enforce hard-to-guess passwords
    - ban telnet, use ssh

    What more could you reasonably expect from an administrator?

    Well, ok, there's
    - md5sums
    - external logging

    What else? Would you expect these from everybody?
    Remember, a networked workstation is effectively in the same position as any server: "networked" is "vulnerable". All practical security piled on top of that is just patching. Important patching, though, unless you want to risk your data and being used for attacks.

  • Al here: Piss off, Dubyah - I invented firewalling and I say it stays! --Al P.S. You can reach me in Canada. Screw you and your dad's death squads!
  • I was amazed to find configuration tools already out for iptables, but all you need to do is a search at Freshmeat ][ [freshmeat.net].

    I, too, would like to see some fairly robust front ends come out with support for IPTables, but I think it will take some time. I expect something like this when the distributions start incorporating the 2.4 kernel (i.e. firewall-config under RH 7.0).

    In the meantime, realized that 2.4 includes backwards support for IPChains as long as you compile it into the kernel.

  • read ipchains howto at www.linuxdoc.org
    ___
  • that is the best thing I have ever seen ever.
  • by Hardwyred (71704) on Thursday February 15, 2001 @05:52PM (#428676) Homepage
    It has been a long time since I have played with a MS OS, never mind packet forwarding on one, so I may be pulling all of this out of my ass. Linux can
    ...

    Forward internal IPSec traffic

    support games and services that arent designed to operate behind a firewall, e.g. ICU

    TOS baby TOS

    Easy plugin interface makes for a nice road to add new services support

    Run on hardware that you wouldnt use even as a doorstop And last but not least

    costs you nothing
    Now the last time I tried to do this in windows you still had to buy 3rd party apps, so if Im wrong on any of these points, please someone correct me. www.cyborgworkshop.com ...and the geek shall inherit the earth...

  • You're right. He doesn't mention it because it was an article written primarily for newbies and PHB's.

    If you're firewalling a 1Mbps Internet link, there are many nanoseconds between packets. With 1KB per packet, there are only 100 packets per second at most (1Mbps/1Kbps/10bits-per-byte). Not much computer time is needed for this type of processing.

    You might wanna check out ipf or ipfw for stateless firewalling. They've been around a while longer.

  • Actually, I run an apache+php/mysql server for developement on my windows box currently. (Ignore the warning in the win32 binary of apache, it has yet to crash on me for simple php development work yet). FTP isn't a big deal for me atm, I have a nice windows program (warFTP, yes, patched to remove the security hole) when I do want to share files with friends (which is occasionally), however, I don't have the FTP program up most of the time since I am limited to a dialup connected. Ironically, if I had a full time connection to the internet, I would want to have a small ftp daemon up, since I know the usefulness of being able to send stuff remotely to my computer, even though a perminate connection does put me at more of a risk. I also would like to move a small MUD over to the linux machine which would open up another port. I suppose mysql could be limited to be accessed by the current machine (since there is no reason that I would have to use it remotely), and apache could be limited to my home network (since I want to be able to test web pages with both window and linux binaries of browsers). But for the rest of it, I agree, if I am not using it, then I should get rid of it, since it only sucks up resources and presents a security risk.

    Thanks for the advice though, I will grab the docs you mention. Atm, the linux machine isn't connected to the internet, but I am planning to add it later.

  • Shouldn't skip so much... Your question was more like whether there would be any good tool for making easy use of iptables. Well, as you can see, I'm not that much after such tools :) Thus that script is not what you asked for: to change the rules, you need to change the script itself - and it uses only some of the most basic methods of iptables.

    Anyway, I'd like some discussion about real-life examples like the one in my lengthy post above.
  • In my experience iptables with connection tracking enabled eats up a ton more CPU than ipchains. That said, you can always run without connection tracking.

    As a data point, we are running a linux firewall/edge router on a K6-2/400 We are pushing around 3-4k packets/second during peak. When running 2.2 and ipchains, this box was 99.99% idle. It was bored! We upgraded to 2.4 and enable connection tracking. While we were at it, we added a good bit of infrastructure to the chains to make administration easier (dedicated chains for accounting, another for the webcache, etc.), thus increasing processing time for filtering. Now, we are only about 94.5% idle. I'm pretty sure that connection tracking accounts for the vast majority of this increase. Nevertheless, this still is not a big deal when the whole system costs $300.

  • by matman (71405) on Thursday February 15, 2001 @08:06PM (#428681)
    I've been getting more into host security over the past few months... and especially on linux. Anyone that's at all an expert, will tell you that firewalling is only one of many measures that can improve your security; its not even a very big one. Linux is STILL waiting for ACLs, file access auditing, wide use of capabilities (and through them the reduction of the need to have root do things). ACL support in ext2 (according to a post to the linux-kernel mailing list) was dropped in exchange for large file support. You can get patches for the kernel to support ACLs in other ways (often loading ALL ACLs into kernel memory). And, appart from running something like tripwire, how are you going to know if /etc/password gets opened in write mode? or if anything but login/pam (or whatever other program) opens /etc/shadow? Linux really needs to get these things into the official kernel. I want them! They're as important to me as firewalling. (sorry, I dont know enough C yet to write any of this within the next year or two ;)
  • Whats your point? I want a big mac and two dozen chicks in tight shorts. It ain't gonna happen any time soon.
  • For a nice ipchains firewall setup, go to linux-firewall-tools.com [linux-firewall-tools.com].
    This site will generate a nicely working ipchains firewall script in a few minutes.
  • The syntax is very similar. However the behaviour of iptables is very different to ipchains. For example, packets now go through more than one "table" on their way to, from or through the machine, instead of just the INPUT, OUTPUT or FORWARD chains. I got very confused when my firewall started doing "interesting" things I wasn't expecting - because I'd expected it to be very siilar to ipchains in functionality as well as syntax.
  • bah. cheap talk from anonymous cowards.
  • Can you do port forwarding in W2K (without 3rd party software)? If you can, I haven't been able to figure out how.
  • Hi,
    I have lately been using kernel 2.2.x with IPChains and the patch advertised in the "Bridging+Firewalling" [linuxdoc.org] mini-HowTO.
    So what I want to know now is: How can I do something similar with kernel 2.4.x and IPTables?

    Are there any patches for this or does kernel 2.4.support the same thing natively?

    RFC :)
  • I've been running Linux NAT on a 486/66 for about 3 years now (and, as cdipierr said in a previous post, try that with Win2K), and have never had a problem.
    I recently purchased a little ip sharing device made by Netlux [yahoo.com] that does the NAT for me now. This thing does port forwarding as well (port specific or range of ports), and running ipchains on the Linux box behind it secures me pretty well I think.
    It uses very little power as well compared to my old 486, and being located in California (the light at the end of the tunnel will be turned off until further notice) with the current power crisis going on, this saves me a few bucks as well.
    I know all this may sound like a plug, but it's worked out great for me.
  • Thanks. I did get a '404 Not Found' with that lin though...
  • But there are interesting litte differences that make it a whole lot easier to do what you want.

    For instance, packets due to be forwarded also hit the input chain. Now they don't. As a result, its a lot easier to write firewall rules that are different for forwarded packets to ones reaching the firewall box.

    There are other differences too.

  • "Unfortunately, I believe my Win98 box with Zonealarm is probably more secure then my linux box at the moment."

    If you want to keep everyone out, create a text file called fwscript with the following lines:

    iptables -F
    iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP

    If you don't know how to add it to rc.local, when you boot your machine, log in as root and type sh fwscript. Or do a chmod +x on the file and you can leave out the sh.

    The -F command flushes everything. The next line says to drop all new or invalid connections coming in over your ppp0. If you don't have a dial up, change the ppp0 to eth0 or whatever you are connecting to the internet with.
  • Argh. I think it's the style sheets or the courier font used for the tags. Try this:

    http://www.linuxsecurity.com/fwdoc.html [linuxsecurity.com]

  • One word: Bastille.

    November 2000 Interview [slashdot.org] of the project leaders on /.

    Bastille-Linux [bastille-linux.org] homepage. I believe it now installs on non-virgin Redhat and Mandrake systems, and 6.2 is definitely included in the list. All of the other links are great for learning to do it yourself, but in the meantime, you can lock down your box quite nicely with Bastille.

    I have used it for a year or so, and highly recommend it.
  • by Anonymous Coward
    ... does it run on Beowulf?

    Thanks in advance.

    -- Patrick Bateman, Esq.
  • One statement I didn't see in this article is that the new `iptable` tool is very similar to the previous `ipchains` tool.

    They were even originally written by the same author. Yes, ipchains has advanced functionality.
    But the change in more evolutionary rather than revolutionary. AFAIK, the tool name was only changed because some options are different.
  • It's well written, short, to the point. What else would you need?

    Someone to do it for you [sourceforge.net]?
  • this is certainly interesting, but i am worried about the stupid network admins, who might just set up a filter like this, and nothing else.

    C:\
    C:\Dos
    C:\dos\run
  • Because I've seen it pop up new versions on freshmeat within the last month.

    "just connect this to..."
    BZZT.

  • All the new features (particularly statefulness) of NetFilter sound great. The only question I have is whether I can still run a firewall on an old 486 w/ 16M of RAM? He points out that this is an advantage of ipchains (stateless) filtering, but then doesn't mention how big an impact IPtable will have on older hardware.
  • http://www.astaro.com/products/index.html - It's pretty schweet!
  • I can't seem to find it anywhere in the docs. But will the new 2.4 stuff properly route IPSec and PPTP VPN traffic with having to patch it or compile in module?

  • by a.out (31606) <bradNO@SPAMsarsfield.ca> on Thursday February 15, 2001 @12:41PM (#428703)
    Here's a question that's been bugging me for a while. What is the advantages of NAT in Linux and W2k for a home network? My friend who works at Microsoft want's to know what Linux NAT can do that W2k can't and I want to show him the light .. but I'm not that educated on the matter.
  • Wawawawawawawaweeeeeeeeeeeee!

    BOOM!

    Inappropriate!

    ------

  • I see. I assume then that inodes for directories and files are of the same structure? (have fields useful for directories, and some for files, so some dont ever get used in each role?)
  • by dasunt (249686) on Thursday February 15, 2001 @12:43PM (#428706)
    I'm a linux "newbie", I have to admit. I have found that my lack of knowledge does seem to offend a significant section of the 31337 linux community. Unfortunately, until they develope a method if transmitting knowledge directly to the brain, my method of learning is going to continue to be installing a system (RH 6.2, since I have a disk handy), and playing with it until I understand what I'm doing.

    Unfortunately, I believe my Win98 box with Zonealarm is probably more secure then my linux box at the moment. I'm not worried about my windows box being hacked anytime soon, but I do worry about my linux box. I'll admit, I don't know jack about linux security, and it isn't the easiest subject to pick up through self-teaching. Asking for help in the linux community gets mixed results, ranging from outright refusal (because I'm a newbie, remember), to those that seem a tad paranoid about security (what do you mean, I shouldn't be able to telnet into the box remotely?).

    Therefore, I get mixed feelings about the usefulness of my linux box. I'm in love with the bash shell, (re)compiling programs is rather nifty, symlinks rock, and other attributes make linux fun to play and work with, but the security issue still scares me. My networking experience is limited to setting up a small LAN here and there, and I have no background in security. Trying to do research into the issue of linux security brings up plenty of FUD, out-of-date information, and information that assumes that I have more knowledge then I do. I am not an idiot, but I am ignorant. I need my information in small, easily digestable chunks, and based on the assumption that I know nothing. But I'm not finding any information in that format. Which means that my linux box I play with is still probably pretty insecure.
  • denying all ICMP packeting. You will not even be able to ping the box.

    try dropping this into your rc.local config for RH 6.x
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    also syn cookies
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    This will not make your IP invisible, but your box will be.

  • Run on a 486-50 /w 8mb of RAM.
  • Nice to see Dave Wresky on Slashdot. He is one of the good guys, and you should use his company Guardian Digital if you need consulting. He is smart, nice and a technical whiz. I've heard Paul "Rusty" Russel give him a solid thumbs up... Security doesn't get better than having the guy who wrote all the firewall code give you an endorsement! see linuxsecurity.com [linuxsecurity.com]
  • Right. Good point.

    Also remember there are the smaller shops who want to grab a spare obsolete PC and turn it into a firewall. This obviously saves money and saving your company looks good on your annual review. As a side note: for many, this is their first foray into using Linux in a corporate enviroment. Also think of all the landfill space we save thanks to Linux.

    I hope that we don't forget that one of the benefits of Linux (and the open source BSD's) is that they are less demanding on hardware requirements thus making reusing old PC's possible. I've got a few throwaways from past clients in my home machine room serving internal DHCP and home automation.

    You may say, "yeah but get a *real* computer", but I deal with a lot of mom-and-pop businesses that want a cheap, secure firewall solution for their office. I rather not lose this option or the client.
  • by whydna (9312) <`moc.liamtoh' `ta' `andyhw'> on Thursday February 15, 2001 @05:27PM (#428711)
    there's a really good book that you can find online (at www.linuxdoc.org under the guides section) called "Securing and Optimizing Linux - Redhat Edition". It's a pretty big doc (pdf is about 5Mb, if I recall correctly, almost 500 pages too). It may be a tad more paranoid that you think. But between that guide and a normal basic-linux-commands-type book, I think you'd be on your way.

    As for telnetting into your box remotely, that has to do with "sniffing". Basically, Evil People(tm) could watch all the traffic on your network connection and simply grab your username/password as you type it. But, if you're not analy paranoid, and/or you don't share a connection with other people, and/or you trust your ISP... you'll be fine. As for RedHat 6.2, be absolutely sure you grab the updated RPM for wu-ftpd (the ftp server), it has a commonly exploited hole.

    From what you say, you don't sound like you need to be running things like, a web server, ftp server, dns server, nfs server, etc, etc. So, don't. The guide tells you how to disable all that stuff. Most of it is what gets you in trouble. Also, I highly recommend PortSentry from www.psionic.com. It's kinda like ZoneAlarm... it'll identify people that are trying to attack you (well, port scan at least), and block them from connecting. It works very well.

    Good luck!
  • Here's some more:

    • Use an ultra-secure kernel, where even root's permissions are limited
    • Don't use Sendmail, wuftpd, or other commonly hacked daemons.
    • Make a hardcopy version of your syslog using a printer
    • Don't use the Intel x86 architecture
    • Use the immutable flag
    • Don't allow remote power-cycling, reboots, etc


    Some of this is actually security through obscurity (such as not using Intel x86), but it works sometimes. Also, you lose some functionality, such as remote manageability, but you always have to make trade-offs for a truly secure machine.

    Don't forget to remove the floppy drive, CDROM, and all other bootable media.
  • by szo (7842)
    The printel friendly version is not at all printer friendly :-(
    Sux :-(

    Szo
  • That you've had so much trouble getting help from the Linux community. It sometimes makes me sick, the way we treat people. You're getting some good advice from the replies to your post, so just allow me to apologize for the elitist, arrogant morons who mistreated you earlier. I hope you get more familiar with Linux and grow to love it the way we do. Cheers.
  • nothing beats www.linuxnewbie.org. The help is great, and easy to read. Helped me when i first got into linux 2 years ago
  • Is there some reason I can't read the article? I can't even connect to it...

    Dancin Santa
  • Why are you wasting your time? Its all over. Didn't you hear? Linux is a communist plot, damn Finish (spelling?).

    For the corprate types: NO this is not a flame, it's a joke, Lawyers/linux zelots need not read the above


    ________

  • by whydna (9312) <`moc.liamtoh' `ta' `andyhw'> on Thursday February 15, 2001 @11:53AM (#428718)
    There was a project started some time ago called IP Personality [sourceforge.net]. It was supposed to help hide from os fingerprinting (ala nmap). The project seems to be defunct now... which sucks... I was really looking forward to this. It used IP mangling to make your packets look like other OSs (such as Windows, amiga, etc).

    Sure, it probably won't keep the real bad guys out forever, but it'll certainly throw off the script kiddies. If anybody knows the status of the project, or other similar projects, it'd be great to hear something.

  • http://netfilter.kernelnotes.org/unreliable-guides /packet-filtering-HOWTO/index.html [kernelnotes.org]

    It's well written, short, to the point. What else would you need?
  • I know there are a bunch of great firewall generating scripts and pre-made firewalls for 2.0x and 2.2x such as phpfwgen [sourceforge.net] and PMFirewall [pmfirewall.com] but does such a thing exist for 2.4 that supports all the new stuff?

    I'd like to find, you know, a "normal" firewall for using maybe with IP masquerading at home. Something that will make my IP look more or less invisible.

    Anyone got any recommendations?

    W
    -------------------

Don't steal; thou'lt never thus compete successfully in business. Cheat. -- Ambrose Bierce

Working...