Rob's web

Firewall



The firewall uses iptables.

iptables is a user-space utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores. Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.

iptables requires elevated privileges to operate and must be executed by user root, otherwise it fails to function. On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man pages, which can be opened using man iptables when installed. It may also be found in /sbin/iptables, but since iptables is more like a service rather than an "essential binary", the preferred location remains /usr/sbin.

Installation and the first configuration must be done on the console. Once SSH is available you can use an SSH client; I let you know below when you can switch to SSH.

Installing

iptables is installed by default during the initial installation.

Configuration

[root@server1 ~]# service iptables stop
[root@server1 ~]# service ip6tables stop
[root@server1 ~]# cd /etc/sysconfig
[root@server1 ~]# vi iptables-config

The changed lines are the ones whose value differs from the default noted in the comment above them (IPTABLES_MODULES, IPTABLES_SAVE_ON_STOP, IPTABLES_SAVE_ON_RESTART and IPTABLES_STATUS_VERBOSE).

# Load additional iptables modules (nat helpers)
#   Default: -none-
# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="nf_conntrack_ftp nf_conntrack_netbios_ns"

# Unload modules on restart and stop
#   Value: yes|no,  default: yes
# This option has to be 'yes' to get to a sane state for a firewall
# restart or stop. Only set to 'no' if there are problems unloading netfilter
# modules.
IPTABLES_MODULES_UNLOAD="yes"

# Save current firewall rules on stop.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets stopped
# (e.g. on system shutdown).
IPTABLES_SAVE_ON_STOP="yes"

# Save current firewall rules on restart.
#   Value: yes|no,  default: no
# Saves all firewall rules to /etc/sysconfig/iptables if firewall gets
# restarted.
IPTABLES_SAVE_ON_RESTART="yes"

# Save (and restore) rule and chain counter.
#   Value: yes|no,  default: no
# Save counters for rules and chains to /etc/sysconfig/iptables if
# 'service iptables save' is called or on stop or restart if SAVE_ON_STOP or
# SAVE_ON_RESTART is enabled.
IPTABLES_SAVE_COUNTER="no"

# Numeric status output
#   Value: yes|no,  default: yes
# Print IP addresses and port numbers in numeric format in the status output.
IPTABLES_STATUS_NUMERIC="yes"

# Verbose status output
#   Value: yes|no,  default: yes
# Print info about the number of packets and bytes plus the "input-" and
# "outputdevice" in the status output.
IPTABLES_STATUS_VERBOSE="no"

# Status output with numbered lines
#   Value: yes|no,  default: yes
# Print a counter/number for every rule in the status output.
IPTABLES_STATUS_LINENUMBERS="yes"

Now do the same with ip6tables-config.

With this configuration the rules are saved when iptables is stopped or restarted.

When we add a rule to iptables it is active as soon as we press the Enter key, so a restart is not necessary. But the running rules exist only in memory: after a power loss they are gone unless they were saved.

When we omit the table name the filter table is used.

Creating iptables

IPv4 and IPv6 have their own iptables.

After we have changed the iptables-config files we start iptables.

[root@server1 ~]# service iptables start
[root@server1 ~]# service ip6tables start

By default all policies are ACCEPT, so there is no firewall protection.

To check the rules type:

[root@server1 ~]# cat /etc/sysconfig/iptables

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
.......
COMMIT

The iptables rules were created when Linux was installed, so we need to change them to our needs. We start with dropping input and forwarding.

First we change the policies. We are running a server with a firewall, not a router/firewall, so we do not need FORWARD. We only want to allow incoming traffic to certain ports.

[root@server1 ~]# iptables -P INPUT DROP
[root@server1 ~]# iptables -P FORWARD DROP
[root@server1 ~]# ip6tables -P INPUT DROP
[root@server1 ~]# ip6tables -P FORWARD DROP

[root@server1 ~]# service iptables save
[root@server1 ~]# service ip6tables save

After saving you can check the files again.

[root@server1 ~]# cat /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [743:927236]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
......

Check that the four -A lines are there. If not, create them.

iptables -A ..........

Do the same with ip6tables.

[root@server1 ~]# cat /etc/sysconfig/ip6tables

The line -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT means that once a connection has been allowed, the remaining packets of that connection, and packets related to it, are accepted as well.

-A INPUT -p icmp -j ACCEPT allows all ICMP traffic.
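As an added check for the steps above (not code from the original page), this script reads rules in the /etc/sysconfig/iptables format, reports which of the expected -A INPUT lines are missing and whether the INPUT policy is DROP, and also lists any rule that accepts every packet arriving on a non-loopback interface, because such a rule (the eth+ line is one) lets traffic on that interface bypass the port rules that follow it. The sample rules and the function names are constructed for the example.

```shell
#!/bin/bash
# Added example, not the page's own code: check a saved rules file in the
# /etc/sysconfig/iptables format for the INPUT rules the text tells you to look for.
# Constructed sample file content; the icmp rule is left out on purpose.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [743:927236]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT'
# Rules that must be present exactly as written.
REQUIRED_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'

# chain_policy RULES CHAIN -> prints the chain's policy, e.g. DROP
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^:$2 \([A-Z]*\) .*/\1/p"
}

# missing_rules RULES -> prints each required rule that is absent
missing_rules() {
    local rule
    printf '%s\n' "$REQUIRED_RULES" | while IFS= read -r rule; do
        printf '%s\n' "$1" | grep -qxF -- "$rule" || printf '%s\n' "$rule"
    done
}

# interface_wide_accepts RULES -> prints rules that ACCEPT every packet arriving on a
# non-loopback interface; later port rules never see that interface's traffic.
interface_wide_accepts() {
    printf '%s\n' "$1" | grep -E '^-A INPUT -i [^ ]+ -j ACCEPT$' | grep -v -- ' -i lo '
}

# check_rules RULES -> prints a report; returns 1 when something needs attention
check_rules() {
    local rc=0 out
    [ "$(chain_policy "$1" INPUT)" = DROP ] || { echo "INPUT policy is not DROP"; rc=1; }
    out=$(missing_rules "$1")
    [ -z "$out" ] || { echo "missing rules:"; echo "$out"; rc=1; }
    out=$(interface_wide_accepts "$1")
    [ -z "$out" ] || { echo "rules accepting all traffic on an interface:"; echo "$out"; rc=1; }
    return "$rc"
}

# Run against the sample; pass "$(cat /etc/sysconfig/iptables)" to check the real file.
check_rules "$SAMPLE_RULES" || echo "review the rules above"
```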

SSH

Check for -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT. If it is not there, add it to the tables.

[root@server1 ~]# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
[root@server1 ~]# ip6tables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

[root@server1 ~]# service iptables save
[root@server1 ~]# service ip6tables save

We can now install the SSH daemon if it is not already installed.

When the SSH daemon is installed you can test it from a separate PC/laptop/tablet with an SSH client. When this works you can close the console and work on the server from a remote machine.

Starting the firewall

There are two firewalls (IPv4 and IPv6), so manage them both.

[root@server1 ~]# service iptables start
[root@server1 ~]# service ip6tables start

[root@server1 ~]# chkconfig iptables on
[root@server1 ~]# chkconfig ip6tables on

The firewall now starts at boot time.

When you install a server daemon you need to add new rules, which are mentioned in the article for that daemon.

Blacklists

You may need to install the epel-release package first.

[root@server1 ~]# yum install ipset

ipset keeps the blacklists in memory, not in files. The blacklists should therefore be saved when iptables is stopped or restarted and reloaded on start.

Now we have to create the actual blacklists.

Creating blacklists

[root@server1 ~]# ipset create blacklist4 hash:ip hashsize 4096
[root@server1 ~]# ipset create blacklist6 hash:net hashsize 4096 family inet6

Now add to the firewall rules:

[root@server1 ~]# iptables -I INPUT -m set --match-set blacklist4 src -j DROP
[root@server1 ~]# ip6tables -I INPUT -m set --match-set blacklist6 src -j DROP

Now we have an IPv4 and an IPv6 blacklist.

Adding to the blacklists

To add a single IPv4 address to the blacklist enter:

[root@server1 ~]# ipset add blacklist4 192.168.1.100

To add a group of IPv4 addresses to the blacklist enter:

[root@server1 ~]# ipset add blacklist4 192.168.1.0/24

To add an IPv6 address to the blacklist, enter the prefix only:

[root@server1 ~]# ipset add blacklist6 2001:0db8::/64

Saving the blacklists

After adding IP addresses, save them.

For IPv4 addresses type:

[root@server1 ~]# service ipset save

I made a script for adding and saving IPv4 addresses.

#! /bin/bash
# Add an IPv4 address (or netblock) to the blacklist and save the set.

if [ $# -ne 1 ]; then
    echo "usage: $0 <ipv4-address|netblock>" >&2
    exit 1
fi

# Only save when the add succeeded, so a typo does not trigger a needless save.
ipset add blacklist4 "$1" && service ipset save

For IPv6 addresses type:

[root@server1 ~]# service ipset save
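As an added example (not the page's script), this generalizes the IPv4 script above to both sets: it validates the address, picks blacklist4 for an IPv4 host or netblock and blacklist6 for an IPv6 prefix, and refuses anything else before ipset is called. The function names are assumptions; ipset and service are only invoked by blacklist_add.

```shell
#!/bin/bash
# Added example, not the page's own script: validate an address and choose
# blacklist4 or blacklist6 before calling 'ipset add', for both families.
# valid_ipv4 ADDR -> true for a dotted quad with an optional /0-32 prefix
valid_ipv4() {
    local ip=${1%%/*} pfx=${1#*/} o
    case $1 in ''|*[!0-9./]*) return 1;; esac
    [ "$pfx" != "$1" ] || pfx=32              # no "/": single host
    case $pfx in ''|*[!0-9]*) return 1;; esac
    [ "$pfx" -le 32 ] || return 1
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for o; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}

# valid_ipv6_prefix ADDR -> true for an IPv6 network written with a /prefix,
# which is how the page adds IPv6 entries to the hash:net set.
valid_ipv6_prefix() {
    local net=${1%%/*} pfx=${1#*/} g
    [ "$pfx" != "$1" ] || return 1             # no "/": rejected
    case $pfx in ''|*[!0-9]*) return 1;; esac
    [ "$pfx" -le 128 ] || return 1
    # hex groups and colons only; at most one "::" and no ":::"
    case $net in ''|*[!0-9a-fA-F:]*|*:::*|*::*::*) return 1;; esac
    local IFS=:
    set -- $net
    for g; do [ ${#g} -le 4 ] || return 1; done
    case $net in *::*) [ $# -le 7 ];; *) [ $# -eq 8 ];; esac
}

# blacklist_set ADDR -> prints the set to use, or fails for anything else
blacklist_set() {
    if valid_ipv4 "$1"; then echo blacklist4
    elif valid_ipv6_prefix "$1"; then echo blacklist6
    else return 1; fi
}

# blacklist_add ADDR -> adds to the right set and saves, like the page's script
blacklist_add() {
    local target
    target=$(blacklist_set "$1") || { echo "invalid address: $1" >&2; return 1; }
    ipset add "$target" "$1" && service ipset save
}

if [ $# -eq 1 ]; then blacklist_add "$1"; fi
```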

Restoring blacklists

Restoring is done when the service starts or restarts. At boot time ipset is started before ip(6)tables.

Final

After you have added the firewall rules and tested them on your LAN, you can set up port forwarding in your ISP router to your server per service, or put the server in the DMZ (which can only be done with one server and is less safe). So don't use the DMZ but port forwarding.