Linux 2.4's Firewalling
A reader writes "Dave Wreski finished an article for linuxsecurity.com on the security
improvements available in the new 2.4
kernel packet mangling/filtering." This is a fairly basic, newbie-level article (assuming you at least have a pocketful of
networking experience) and is worth reading to bring you up to speed on what's new and exciting.
Re:Are there good pre-made firewalls for 2.4? (Score:3)
Why would you need anything more than iptables?
Below is a server filter configuration of mine. Add NAT if needed. Any weaknesses? (I have chrooted normal users' ssh; unchrooted ssh is available from administrators' home addresses through the telnet port)
#!/bin/sh
# we write log of what we do here
LOG="/var/log/iptables.log"
# local IPv4 addresses:
MYIP="`ifconfig | sed -ne 's/.*addr:\([0-9.]*\).*/\1/p'`"
# Allow incoming traffic for these
TCPOK="ftp-data ftp ssh nameserver domain www pop3 https cvspserver 6667"
UDPOK="domain"
# Addresses allowed to "telnet" (ssh to root dir)
TELNETOK="12.34.56.78/29 12.34.56.90/29"
echo "`/bin/date '+[%x %X]'` $0 $*" >>$LOG
# set up policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# clear filter tables
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
# drop all custom chains (their names are lowercase; the built-in chains are uppercase)
for c in `iptables -L -n | sed -ne 's/^Chain \([a-z]*\) .*/\1/p'`
do
echo "Dropping iptable $c" >>$LOG
iptables -F $c
iptables -X $c
done
# create custom tables
iptables -N rootssh # root ssh; default DROP
iptables -N icmps # icmp traffic; default DROP (weakish)
iptables -N foreign # incoming traffic; default DROP
# rootssh: ssh through telnet port to root dir
# accept from local addresses
for A in $MYIP; do iptables -A rootssh -s $A -i lo -j ACCEPT; done
# accept from specified external addresses
for A in $TELNETOK; do iptables -A rootssh -s $A -i eth0 -j ACCEPT; done
iptables -A rootssh -m limit -j LOG
iptables -A rootssh -j DROP
# icmps: restrict ICMP protocol usage ### TODO: learn to do this right
# accept all except "redirect" ICMP messages
iptables -A icmps -p icmp --icmp-type ! redirect -j ACCEPT
iptables -A icmps -m limit -j LOG
iptables -A icmps -j DROP
# foreign: traffic coming from outside
# accept established traffic:
iptables -A foreign -p tcp --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A foreign -p udp --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept explicitly specified traffic
for A in $TCPOK; do iptables -A foreign -p tcp --dport $A -j ACCEPT; done
for A in $UDPOK; do iptables -A foreign -p udp --dport $A -j ACCEPT; done
iptables -A foreign -m limit -j LOG
iptables -A foreign -j DROP
# filter table
# handle icmp traffic and root ssh separately
iptables -A INPUT -p icmp -j icmps
iptables -A INPUT -p tcp --dport telnet -j rootssh
# accept local traffic
for A in $MYIP; do iptables -A INPUT -s $A -i lo -j ACCEPT; done
# handle external traffic separately
iptables -A INPUT -i eth0 -s ! localhost -j foreign
iptables -A INPUT -m limit -j LOG
# default policy was to drop.
# done configuring
# log configuration
iptables -L -n >>$LOG
looks interesting but NO CAN-DO (Score:4)
really this linux 2.4 firewall looks VERY INTERESTING but i cannot bring myself to actually create one, i have been told by VERY reputable sources that this would threaten the AMERICAN WAY
your bud
What else would be required? (Score:2)
- set up packet filtering,
- include the rudimentary protective measures against spoofing and flooding in the above
- chroot daemons
- enforce hard-to-guess passwords
- ban telnet, use ssh
What more could you reasonably expect from an administrator?
Well, ok, there's
- md5sums
- external logging
What else? Would you expect these from everybody?
Remember, a networked workstation is effectively in the same position as any server: "networked" is "vulnerable". All practical security piled on top of that is just patching. Important patching, though, unless you want to risk your data and being used for attacks.
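The following is an added example, not a script from this thread or from the poster above. It puts the "rudimentary protective measures against spoofing and flooding" from the checklist into a host firewall of the same shape as the server filter posted earlier (default DROP on INPUT and FORWARD, explicit service list, rate-limited logging). The interface name eth0, the service ports and the IPTABLES variable are assumptions: IPTABLES defaults to "echo iptables", so running the script prints the rules it would load instead of loading them, which is how the self-check functions at the end inspect it.

```shell
#!/bin/sh
# Added example (not from the thread): host firewall with anti-spoofing and
# SYN-flood limiting, written so it can be dry-run.
# IPTABLES defaults to "echo iptables" (print rules, load nothing);
# run with IPTABLES=/sbin/iptables to apply them for real.
IPTABLES="${IPTABLES:-echo iptables}"

EXT_IF="${EXT_IF:-eth0}"                    # Internet-facing interface (assumed name)
TCP_SERVICES="${TCP_SERVICES:-22 80 443}"   # inbound services to expose (assumed list)
# Source addresses that can never legitimately arrive on the external
# interface: loopback, RFC 1918 private ranges and the "this network" block.
SPOOFED_SOURCES="127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 0.0.0.0/8"

fw_rules() {
    # Default deny for anything reaching the host; this box does not route,
    # so FORWARD is closed as well.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F
    $IPTABLES -X

    # Loopback is trusted; the anti-spoofing rules below make sure nothing
    # arriving from outside can pretend to come from it.
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # Anti-spoofing: drop external packets whose source address can only be
    # internal, logging a sample (limited so the log itself cannot be flooded).
    for net in $SPOOFED_SOURCES; do
        $IPTABLES -A INPUT -i "$EXT_IF" -s "$net" -m limit --limit 5/min -j LOG --log-prefix "SPOOF: "
        $IPTABLES -A INPUT -i "$EXT_IF" -s "$net" -j DROP
    done

    # Connection tracking: replies to connections we opened are accepted,
    # packets that belong to no known connection are dropped outright.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -m state --state INVALID -j DROP

    # Flood limiting: new TCP connection attempts (SYN) pass through a
    # rate limiter before any service is opened. The burst lets normal
    # traffic through; a SYN flood beyond the rate is dropped, not queued.
    $IPTABLES -N synlimit
    $IPTABLES -A synlimit -m limit --limit 25/s --limit-burst 50 -j RETURN
    $IPTABLES -A synlimit -j DROP
    $IPTABLES -A INPUT -p tcp --syn -j synlimit

    # Only the listed services may accept new connections.
    for port in $TCP_SERVICES; do
        $IPTABLES -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Everything else is logged (rate limited) and falls to the DROP policy.
    $IPTABLES -A INPUT -m limit --limit 5/min -j LOG --log-prefix "DENIED: "
}

# Self-checks for the dry run: how many rules would be appended, and is a
# given rule fragment present in the generated set?
fw_rule_count() {
    fw_rules | grep -c ' -A '
}

fw_has_rule() {
    fw_rules | grep -q -- "$1"
}

fw_rules
```

With the default dry run, `sh fw.sh | less` shows exactly what would be loaded, and `fw_has_rule '--dport 23'` is a quick way to confirm that a port you meant to close is not in the service list before the rules go live.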
Re:looks interesting but NO CAN-DO (Score:1)
Re:Are there good pre-made firewalls for 2.4? (Score:1)
I, too, would like to see some fairly robust front ends come out with support for IPTables, but I think it will take some time. I expect something like this when the distributions start incorporating the 2.4 kernel (i.e. firewall-config under RH 7.0).
In the meantime, realized that 2.4 includes backwards support for IPChains as long as you compile it into the kernel.
Re:Is security a linux problem? (Score:1)
Re:OK to the people that dont get this (Score:1)
Re:NAT: Linux vs. W2k (Score:3)
...
Forward internal IPSec traffic
support games and services that aren't designed to operate behind a firewall, e.g. ICU
TOS baby TOS
Easy plugin interface makes for a nice road to add new services support
Run on hardware that you wouldn't use even as a doorstop And last but not least
costs you nothing ...and the geek shall inherit the earth...
Now the last time I tried to do this in windows you still had to buy 3rd party apps, so if I'm wrong on any of these points, please someone correct me. www.cyborgworkshop.com
Re:Performance and minimum hardware? (Score:2)
If you're firewalling a 1Mbps Internet link, there are many nanoseconds between packets. With 1KB per packet, there are only 100 packets per second at most (1Mbps/1Kbps/10bits-per-byte). Not much computer time is needed for this type of processing.
You might wanna check out ipf or ipfw for stateless firewalling. They've been around a while longer.
Re:Is security a linux problem? - more info (Score:1)
Thanks for the advice though, I will grab the docs you mention. Atm, the linux machine isn't connected to the internet, but I am planning to add it later.
Oops, read your question wrong (Score:2)
Shouldn't skip so much... Your question was more like whether there would be any good tool for making easy use of iptables. Well, as you can see, I'm not that much after such tools
Anyway, I'd like some discussion about real-life examples like the one in my lengthy post above.
Re:Performance and minimum hardware? (Score:2)
In my experience iptables with connection tracking enabled eats up a ton more CPU than ipchains. That said, you can always run without connection tracking.
As a data point, we are running a linux firewall/edge router on a K6-2/400. We are pushing around 3-4k packets/second during peak. When running 2.2 and ipchains, this box was 99.99% idle. It was bored! We upgraded to 2.4 and enabled connection tracking. While we were at it, we added a good bit of infrastructure to the chains to make administration easier (dedicated chains for accounting, another for the webcache, etc.), thus increasing processing time for filtering. Now, we are only about 94.5% idle. I'm pretty sure that connection tracking accounts for the vast majority of this increase. Nevertheless, this still is not a big deal when the whole system costs $300.
Firewalling is only a piece (Score:4)
Re:I want IP Personality (Score:2)
Re:Is security a linux problem? (Score:1)
This site will generate a nicely working ipchains firewall script in a few minutes.
WRONG! (Re:iptables vs ipchains) (Score:2)
Re:Ah... (Score:1)
Re:NAT: Linux vs. W2k (Score:1)
Bridging and stuff (Score:1)
I have lately been using kernel 2.2.x with IPChains and the patch advertised in the "Bridging+Firewalling" [linuxdoc.org] mini-HowTO.
So what I want to know now is: How can I do something similar with kernel 2.4.x and IPTables?
Are there any patches for this or does kernel 2.4 support the same thing natively?
RFC
Re:NAT: Linux vs. W2k (Score:2)
I recently purchased a little ip sharing device made by Netlux [yahoo.com] that does the NAT for me now. This thing does port forwarding as well (port specific or range of ports), and running ipchains on the Linux box behind it secures me pretty well I think.
It uses very little power as well compared to my old 486, and being located in California (the light at the end of the tunnel will be turned off until further notice) with the current power crisis going on, this saves me a few bucks as well.
I know all this may sound like a plug, but it's worked out great for me.
Re:Is security a linux problem? (Score:1)
Re:iptables vs ipchains: Not all that new (Score:1)
For instance, packets due to be forwarded also hit the input chain. Now they don't. As a result, it's a lot easier to write firewall rules that are different for forwarded packets from those reaching the firewall box.
There are other differences too.
Re:Is security a linux problem? (Score:1)
If you want to keep everyone out, create a text file called fwscript with the following lines:
iptables -F
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
If you don't know how to add it to rc.local, when you boot your machine, log in as root and type sh fwscript. Or do a chmod +x on the file and you can leave out the sh.
The -F command flushes everything. The next line says to drop all new or invalid connections coming in over your ppp0. If you don't have a dial-up, change the ppp0 to eth0 or whatever you are connecting to the internet with.
Re:one question (Score:1)
http://www.linuxsecurity.com/fwdoc.html [linuxsecurity.com]
Re:Is security a linux problem? (Score:2)
November 2000 Interview [slashdot.org] of the project leaders on
Bastille-Linux [bastille-linux.org] homepage. I believe it now installs on non-virgin Redhat and Mandrake systems, and 6.2 is definitely included in the list. All of the other links are great for learning to do it yourself, but in the meantime, you can lock down your box quite nicely with Bastille.
I have used it for a year or so, and highly recommend it.
The most important question... (Score:1)
Thanks in advance.
-- Patrick Bateman, Esq.
iptables vs ipchains: Not all that new (Score:2)
They were even originally written by the same author. Yes, ipchains has advanced functionality.
But the change is more evolutionary rather than revolutionary. AFAIK, the tool name was only changed because some options are different.
Re:IMHO Rusty's filtering HOWTO is very clear. (Score:1)
Someone to do it for you [sourceforge.net]?
Interesting (Score:1)
C:\
C:\Dos
C:\dos\run
I don't think it's dead... (Score:1)
"just connect this to..."
BZZT.
Performance and minimum hardware? (Score:2)
I foresee a different headline in the future: (Score:1)
Re:Are there good pre-made firewalls for 2.4? (Score:1)
one question (Score:1)
NAT: Linux vs. W2k (Score:3)
Inappropriate! (Score:1)
BOOM!
Inappropriate!
Re:ACL support not dropped (Score:1)
Is security a linux problem? (Score:3)
Unfortunately, I believe my Win98 box with Zonealarm is probably more secure than my linux box at the moment. I'm not worried about my windows box being hacked anytime soon, but I do worry about my linux box. I'll admit, I don't know jack about linux security, and it isn't the easiest subject to pick up through self-teaching. Asking for help in the linux community gets mixed results, ranging from outright refusal (because I'm a newbie, remember), to those that seem a tad paranoid about security (what do you mean, I shouldn't be able to telnet into the box remotely?).
Therefore, I get mixed feelings about the usefulness of my linux box. I'm in love with the bash shell, (re)compiling programs is rather nifty, symlinks rock, and other attributes make linux fun to play and work with, but the security issue still scares me. My networking experience is limited to setting up a small LAN here and there, and I have no background in security. Trying to do research into the issue of linux security brings up plenty of FUD, out-of-date information, and information that assumes that I have more knowledge than I do. I am not an idiot, but I am ignorant. I need my information in small, easily digestible chunks, and based on the assumption that I know nothing. But I'm not finding any information in that format. Which means that my linux box I play with is still probably pretty insecure.
Re:Are there good pre-made firewalls for 2.4? (Score:1)
try dropping this into your rc.local config for RH 6.x
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
also syn cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
This will not make your IP invisible, but your box will be.
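As an added example (not from the thread), the two /proc/sys knobs in the post above can be applied from rc.local in a way that is idempotent and reports what it changed, which matters on a box that is reconfigured repeatedly. PROC_ROOT is an assumption: it lets the same functions be exercised against a scratch directory instead of the live /proc, and defaults to the real one. The example goes one knob beyond the post by also enabling rp_filter, the kernel's own reverse-path anti-spoofing check.

```shell
#!/bin/sh
# Added example, not from the thread. Apply kernel hardening knobs under
# /proc/sys only when they differ from the wanted value, reporting each one.
# PROC_ROOT (assumed variable) points at /proc/sys by default; point it at a
# scratch directory to try the functions without touching the running kernel.
PROC_ROOT="${PROC_ROOT:-/proc/sys}"

# Print the current value of a key such as net/ipv4/tcp_syncookies.
sysctl_get() {
    cat "$PROC_ROOT/$1"
}

# Set a key to the wanted value only if it differs; print "changed" or
# "unchanged" so the boot log shows what this run actually did.
sysctl_ensure() {
    key="$1"; want="$2"
    cur="$(sysctl_get "$key")"
    if [ "$cur" = "$want" ]; then
        echo "unchanged $key=$cur"
    else
        echo "$want" > "$PROC_ROOT/$key"
        echo "changed $key $cur->$want"
    fi
}

harden_ipv4() {
    # SYN cookies keep the listen queue usable under a SYN flood.
    sysctl_ensure net/ipv4/tcp_syncookies 1
    # Ignoring echo requests hides the host from ping sweeps, but also from
    # legitimate reachability checks; the post's own caveat applies.
    sysctl_ensure net/ipv4/icmp_echo_ignore_all 1
    # Reverse-path filtering drops packets whose source address would not be
    # routed back out the interface they arrived on (kernel anti-spoofing).
    sysctl_ensure net/ipv4/conf/all/rp_filter 1
}

# Only touch the live kernel when explicitly asked: "sh harden.sh apply".
if [ "${1:-}" = "apply" ]; then
    harden_ipv4
fi
```

Running it twice shows every key as "unchanged" the second time, which is the quick check that rc.local is not fighting another script for the same settings.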
Re:NAT: Linux vs. W2k (Score:1)
Dave rules. (Score:1)
Re:Performance and minimum hardware? (Score:1)
Also remember there are the smaller shops who want to grab a spare obsolete PC and turn it into a firewall. This obviously saves money and saving your company looks good on your annual review. As a side note: for many, this is their first foray into using Linux in a corporate environment. Also think of all the landfill space we save thanks to Linux.
I hope that we don't forget that one of the benefits of Linux (and the open source BSDs) is that they are less demanding on hardware requirements thus making reusing old PCs possible. I've got a few throwaways from past clients in my home machine room serving internal DHCP and home automation.
You may say, "yeah but get a *real* computer", but I deal with a lot of mom-and-pop businesses that want a cheap, secure firewall solution for their office. I'd rather not lose this option or the client.
Re:Is security a linux problem? (Score:4)
As for telnetting into your box remotely, that has to do with "sniffing". Basically, Evil People(tm) could watch all the traffic on your network connection and simply grab your username/password as you type it. But, if you're not anally paranoid, and/or you don't share a connection with other people, and/or you trust your ISP... you'll be fine. As for RedHat 6.2, be absolutely sure you grab the updated RPM for wu-ftpd (the ftp server), it has a commonly exploited hole.
From what you say, you don't sound like you need to be running things like, a web server, ftp server, dns server, nfs server, etc, etc. So, don't. The guide tells you how to disable all that stuff. Most of it is what gets you in trouble. Also, I highly recommend PortSentry from www.psionic.com. It's kinda like ZoneAlarm... it'll identify people that are trying to attack you (well, port scan at least), and block them from connecting. It works very well.
Good luck!
Re:What else would be required? (Score:2)
Some of this is actually security through obscurity (such as not using Intel x86), but it works sometimes. Also, you lose some functionality, such as remote manageability, but you always have to make trade-offs for a truly secure machine.
Don't forget to remove the floppy drive, CDROM, and all other bootable media.
Beware (Score:1)
Sux
Szo
I'm sorry... (Score:1)
Re:Is security a linux problem? (Score:1)
Strange... (Score:1)
Dancin Santa
Come on (Score:1)
For the corporate types: NO this is not a flame, it's a joke, Lawyers/linux zealots need not read the above
I want IP Personality (Score:4)
Sure, it probably won't keep the real bad guys out forever, but it'll certainly throw off the script kiddies. If anybody knows the status of the project, or other similar projects, it'd be great to hear something.
IMHO Rusty's filtering HOWTO is very clear. (Score:5)
http://netfilter.kernelnotes.org/unreliable-guide
It's well written, short, to the point. What else would you need?
Are there good pre-made firewalls for 2.4? (Score:2)
I'd like to find, you know, a "normal" firewall for using maybe with IP masquerading at home. Something that will make my IP look more or less invisible.
Anyone got any recommendations?
W