Table 48.5. Firewall Types

| Method | Description |
|---|---|
| NAT | Network Address Translation (NAT) places private IP subnetworks behind one public IP address or a small pool of them, so that all outbound requests appear to come from that address rather than from the individual hosts. The Linux kernel has built-in NAT functionality through the Netfilter kernel subsystem. |
| Packet Filter | A packet filtering firewall inspects each packet that passes through it. It reads the packet headers and accepts or drops the packet according to sets of rules written by the firewall administrator. The Linux kernel has built-in packet filtering functionality through the Netfilter kernel subsystem. |
| Proxy | Proxy firewalls direct all requests of a certain protocol or type from LAN clients to a proxy machine, which then makes those requests to the Internet on behalf of the local client. The proxy machine acts as a buffer between malicious remote users and the internal network client machines. |
48.8.1. Netfilter and IPTables
48.8.1.1. IPTables Overview
The iptables administration tool is a command line tool similar in syntax to its predecessor, ipchains.
A similar syntax does not mean a similar implementation, however. ipchains requires intricate rule sets for filtering source paths, filtering destination paths, and filtering both source and destination connection ports.
iptables, by contrast, uses the Netfilter subsystem to enhance network connection, inspection, and processing: advanced logging, pre- and post-routing actions, network address translation, and port forwarding are all available through one command line interface.
This section provides an overview of iptables. For more detailed information, refer to Section 48.9, “IPTables”.
48.8.2. Basic Firewall Configuration
48.8.2.1. Security Level Configuration Tool
The Security Level Configuration Tool (system-config-securitylevel) is the graphical front end for the basic firewall described in this section; it generates iptables rules from a small set of check boxes.
Figure 48.15. Security Level Configuration Tool
48.8.2.2. Enabling and Disabling the Firewall
- Disabled — Disabling the firewall provides complete access to your system and performs no security checking: every listening service is reachable from every network the machine is attached to. Select this only if the machine is on a trusted network (not the Internet), or if you intend to configure a custom firewall with the iptables command line tool.
Warning: Firewall configurations and any customized firewall rules are stored in the /etc/sysconfig/iptables file. If you choose Disabled and apply the change, these configurations and firewall rules are lost. Back the file up first if you want to keep them.
- Enabled — This option configures the system to reject incoming connections that are not in response to outbound requests, such as DNS replies or DHCP responses. If access to services running on this machine is needed, you can choose to allow specific services through the firewall. If you are connecting your system to the Internet but do not plan to run a server, this is the safest choice.
48.8.2.3. Trusted Services
Enabling an entry in the Trusted services list allows that service to pass through the firewall.
- WWW (HTTP)
  The HTTP protocol is used by Apache (and by other Web servers) to serve web pages. If you plan on making your Web server publicly available, select this check box. This option is not required for viewing pages locally or for developing web pages. This service requires that the httpd package be installed.
  Enabling WWW (HTTP) does not open a port for HTTPS, the TLS/SSL version of HTTP. If that is required, also select the Secure WWW (HTTPS) check box.
- FTP
  The FTP protocol is used to transfer files between machines on a network. If you plan on making your FTP server publicly available, select this check box. This service requires that the vsftpd package be installed.
- SSH
  Secure Shell (SSH) is a suite of tools for logging into and executing commands on a remote machine. To allow remote access to the machine via ssh, select this check box. This service requires that the openssh-server package be installed.
- Telnet
  Telnet is a protocol for logging into remote machines. Telnet communications are unencrypted and provide no protection from network snooping, so allowing incoming Telnet access is not recommended; use SSH instead. To allow remote access to the machine via telnet anyway, select this check box. This service requires that the telnet-server package be installed.
- Mail (SMTP)
  SMTP is a protocol that allows remote hosts to connect directly to your machine to deliver mail. You do not need to enable this service if you collect your mail from your ISP's server using POP3 or IMAP, or if you use a tool such as fetchmail. To allow delivery of mail to your machine, select this check box. Note that an improperly configured SMTP server (an open relay) can allow remote machines to use your server to send spam.
- NFS4
  The Network File System (NFS) is a file sharing protocol commonly used on *NIX systems. Version 4 of this protocol is more secure than its predecessors and needs only TCP port 2049, whereas NFS versions 2 and 3 also depend on the portmapper and on dynamically assigned ports that this check box does not open. If you want to share files or directories on your system with other network users, select this check box.
- Samba
  Samba is an implementation of Microsoft's proprietary SMB networking protocol. If you need to share files, directories, or locally-connected printers with Microsoft Windows machines, select this check box.
48.8.2.4. Other Ports
The Security Level Configuration Tool includes an Other ports section for specifying custom ports as trusted by iptables. For example, to allow IRC and the Internet Printing Protocol (IPP) to pass through the firewall, add their ports to the Other ports section. An entry here names only a port and its transport protocol; it cannot restrict the source address or interface, which is one reason to move to hand-written iptables rules once the requirements grow.
48.8.2.5. Saving the Settings
If Enable firewall was selected, the selected options are translated to iptables commands and written to the /etc/sysconfig/iptables file. The iptables service is also started so that the firewall is activated immediately after saving the selected options. If Disable firewall was selected, the /etc/sysconfig/iptables file is removed and the iptables service is stopped immediately. Note that saving from the tool overwrites /etc/sysconfig/iptables, so any hand-edited rules in that file are replaced by the generated ones.
The selected options are also written to the /etc/sysconfig/system-config-securitylevel file so that the settings can be restored the next time the application is started. Do not edit this file by hand.
Even though the firewall is activated immediately, the iptables service is not configured to start automatically at boot time. Refer to Section 48.8.2.6, “Activating the IPTables Service” for more information.
48.8.2.6. Activating the IPTables Service
The firewall rules are only active while the iptables service is running. To manually start (or reload) the service, use the following command:
service iptables restart
To ensure that iptables starts when the system is booted, use the following command:
chkconfig --level 345 iptables on
The ipchains service is not included in Red Hat Enterprise Linux. However, if ipchains is installed (for example, because the system was upgraded from a release that had ipchains installed), the ipchains and iptables services should not be activated simultaneously. To make sure the ipchains service is disabled and configured not to start at boot time, use the following two commands:
service ipchains stop
chkconfig --level 345 ipchains off
48.8.3. Using IPTables
The first step in using iptables is to start the iptables service. Use the following command:
service iptables start
Note: The ip6tables service can be turned off if you intend to use the iptables service only. If you deactivate the ip6tables service, remember to deactivate the IPv6 network also. Never leave a network device active without the matching firewall: an IPv6 address with no ip6tables rules exposes every listening service to IPv6 peers, however strict the IPv4 firewall is.
To force iptables to start by default when the system is booted, use the following command:
chkconfig --level 345 iptables on
This forces iptables to start whenever the system is booted into runlevel 3, 4, or 5.
48.8.3.1. IPTables Command Syntax
The following sample iptables command illustrates the basic command syntax:
iptables -A <chain> -j <target>
The -A option specifies that the rule be appended to <chain>. Each chain is comprised of one or more rules, and is therefore also known as a ruleset.
The -j <target> option specifies the target of the rule; that is, what to do if the packet matches the rule. Examples of built-in targets are ACCEPT, DROP, and REJECT. A rule with no match options, as above, matches every packet that reaches the chain; the match options (protocol, ports, interface, addresses, connection state) go between the chain and the target.
Refer to the iptables man page for more information on the available chains, options, and targets.
48.8.3.2. Basic Firewall Policies
Each iptables chain is comprised of a default policy, and zero or more rules which work in concert with the default policy to define the overall ruleset for the firewall. The default policy is what happens to a packet that matches none of the rules in the chain; for the built-in chains it can be either ACCEPT or DROP. Security-minded administrators typically set a default policy of DROP and allow only specific traffic on a case-by-case basis. For example, the following policies block all incoming and outgoing packets on a network gateway:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
It is also recommended that forwarded packets, the traffic a gateway routes from one interface to another, be denied by default so that internal clients are not inadvertently exposed to the Internet:
iptables -P FORWARD DROP
Set these policies only after the rules that permit your own administrative session are in place: on a host you reach over SSH, a DROP policy on INPUT with no matching ACCEPT rule ends the session and locks you out.
48.8.3.3. Saving and Restoring IPTables Rules
Changes made with the iptables command are transitory; if the system is rebooted or the iptables service is restarted, the rules are flushed and reset. To save the running rules so that they are loaded whenever the iptables service is started, use the following command:
service iptables save
The rules are stored in the file /etc/sysconfig/iptables and are applied whenever the service is started or the machine is rebooted. Because the save writes the running ruleset, review the running rules with iptables -L -n -v (or iptables-save) before saving, so that a temporary test rule is not made permanent.
48.8.4. Common IPTables Filtering
With a default policy that blocks all incoming, outgoing, and forwarded packets, the firewall/gateway and the internal LAN users cannot communicate with each other or with external resources. To allow users to perform network-related functions, administrators must open specific ports. For example, to allow access to a web server on port 80 of the firewall, append the following rule:
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
To allow access to the same server over HTTPS, you also need to accept port 443:
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Important: When creating an iptables ruleset, order is important. Rules in a chain are evaluated from the top down, and the first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate; a later rule that would also have matched is never consulted. A rule that drops a whole subnet therefore shadows a later rule that accepts one host in that subnet; the more specific accept must come first.
To insert a rule at a specific position in an existing chain rather than appending it, use the -I option. For example:
iptables -I INPUT 1 -i lo -p all -j ACCEPT
This inserts the rule as the first rule of the INPUT chain, so loopback traffic is accepted before any other rule can reject it.
There may be times when you require remote access to the LAN. Secure services such as SSH can be used for encrypted remote connections. You can configure iptables to accept connections from remote SSH clients. For example, the following rules allow remote SSH access:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
These rules allow incoming and outbound SSH access for the system on which they are installed, such as a single PC directly connected to the Internet or the firewall/gateway itself; they do not let nodes behind the gateway reach such services, which requires the NAT rules of the next section. Note also that the OUTPUT rule matches on source port 22 only; with an OUTPUT policy of DROP, a rule accepting ESTABLISHED,RELATED traffic (Section 48.8.7) is the usual way to let the replies of every permitted service out.
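As an added example (this script is not part of the Red Hat guide), the following shell script assembles the rules from Basic Firewall Policies, Saving and Restoring IPTables Rules and this section into one ruleset in the format that service iptables save writes to /etc/sysconfig/iptables, in the order the text says matters: loopback first, return traffic by connection state (see IPTables and Connection Tracking), then the individual services, then an explicit REJECT. The Internet-facing interface eth0, the admin network 192.168.100.0/24 allowed to use SSH and the outbound DNS/HTTP allowances are assumptions; the script writes to a temporary file rather than to /etc/sysconfig/iptables, and only attempts iptables-restore --test when it runs as root with iptables installed.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): assemble a host firewall in
# the format "service iptables save" writes to /etc/sysconfig/iptables.
# Interface, admin network and port choices are assumptions.

# host_ruleset [WAN_IF] [ADMIN_NET]: print a complete filter-table ruleset.
# Default policy is DROP on all three built-in chains; the ACCEPT rules are
# ordered the way the text requires: loopback first, return traffic by
# connection state next, the individual services after that, and an
# explicit REJECT at the end so callers get "connection refused".
host_ruleset() {
    wan="${1:-eth0}"                 # assumed Internet-facing interface
    admin="${2:-192.168.100.0/24}"   # assumed network allowed to use SSH
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback first: local services talk to each other over lo
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host opened (connection tracking)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# services offered to the Internet
-A INPUT -i $wan -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i $wan -p tcp -m tcp --dport 443 -j ACCEPT
# SSH only from the admin network; it must precede the catch-all REJECT
-A INPUT -p tcp -m tcp -s $admin --dport 22 -j ACCEPT
# everything else is refused with a visible error instead of a silent DROP
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# outbound: return traffic for the services above, plus what this host may open
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# rule_line FILE PATTERN: line number of the first rule matching PATTERN
rule_line() { grep -n -- "$2" "$1" | head -n 1 | cut -d: -f1; }

# check_order FILE: verify the orderings the text says matter. Returns
# non-zero if a rule is missing or appears after one that would shadow it.
check_order() {
    lo=$(rule_line "$1" '^-A INPUT -i lo ')
    st=$(rule_line "$1" '^-A INPUT -m state --state ESTABLISHED,RELATED')
    svc=$(rule_line "$1" '^-A INPUT .*--dport 80 ')
    rej=$(rule_line "$1" '^-A INPUT -j REJECT')
    [ -n "$lo" ] && [ -n "$st" ] && [ -n "$svc" ] && [ -n "$rej" ] || return 1
    [ "$lo" -lt "$st" ] && [ "$st" -lt "$svc" ] && [ "$svc" -lt "$rej" ]
}

# syntax_check FILE: let iptables-restore parse the file without loading it.
# Needs root and iptables; otherwise report and skip.
syntax_check() {
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$1"
    else
        echo "syntax check skipped: needs root and iptables-restore" >&2
    fi
}

out="${OUT:-$(mktemp)}"
host_ruleset > "$out"
check_order "$out" && echo "ruleset written to $out with rules in the required order"
syntax_check "$out"
# To install: copy $out to /etc/sysconfig/iptables and run "service iptables restart".
```

The OUTPUT chain keeps the DROP policy the text recommends, which is why it needs explicit NEW rules for what the host itself may initiate; the ESTABLISHED,RELATED rule on OUTPUT covers the replies of the HTTP, HTTPS and SSH services without a --sport rule per service.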
48.8.5. FORWARD and NAT Rules
iptables provides routing and forwarding policies that can be implemented to prevent abnormal usage of network resources, such as a remote machine spoofing an internal address to pose as a node on your LAN.
The FORWARD chain allows an administrator to control where packets can be routed within a LAN. For example, to allow forwarding for the entire LAN (assuming the firewall/gateway is assigned an internal IP address on eth1), use the following rules:
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
These rules give systems behind the firewall/gateway access to the internal network; the gateway routes packets from one LAN node to their destination, passing them through its eth1 device. Note that the second rule also accepts any packet arriving from the Internet that is destined for the LAN, so it should be preceded by the anti-spoofing rule of Section 48.8.6 and, where possible, replaced by a connection-state rule that admits only replies (Section 48.8.7).
Note: By default, the kernel in Red Hat Enterprise Linux disables IP forwarding, which prevents the system from acting as a router. To enable IP forwarding for the current session, use the following command:
sysctl -w net.ipv4.ip_forward=1
This change does not persist across a reboot or a network service restart. To set IP forwarding permanently, edit the /etc/sysctl.conf file: locate the line
net.ipv4.ip_forward = 0
and change it to
net.ipv4.ip_forward = 1
then load the file with the following command:
sysctl -p /etc/sysctl.conf
48.8.5.1. Postrouting and IP Masquerading
Accepting forwarded packets on the firewall's internal device lets LAN nodes communicate with each other, but their private addresses are not routable on the Internet. To allow LAN nodes with private IP addresses to reach external public networks, configure the firewall for IP masquerading, which rewrites requests from LAN nodes so that they carry the IP address of the firewall's external device (in this case, eth0):
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This rule uses the NAT packet matching table (-t nat) and specifies the built-in POSTROUTING chain for NAT (-A POSTROUTING) on the firewall's external networking device (-o eth0). POSTROUTING is traversed after the routing decision, so packets can be altered as they leave the firewall's external device. The -j MASQUERADE target is specified to mask the private IP address of a node with the external IP address of the firewall/gateway. MASQUERADE reads the current address of the outgoing interface for every packet and forgets its translations when the interface goes down, which suits dynamically assigned (dial-up, DHCP) external addresses; with a fixed external address the SNAT target with --to-source is the more efficient choice.
48.8.5.2. Prerouting
If you have a server on your internal network that you want to make available externally, use the -j DNAT target in the PREROUTING chain of the nat table to specify the destination IP address and port to which incoming packets requesting a connection to your internal service are forwarded. For example, to forward incoming HTTP requests arriving on eth0 to a web server at 172.31.0.23, use the following command:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.0.23:80
This rule specifies that the nat table use the built-in PREROUTING chain to forward incoming HTTP requests exclusively to the listed destination IP address of 172.31.0.23.
Note: If you have a default policy of DROP in your FORWARD chain, you must also append a rule that forwards the translated HTTP requests, otherwise the destination NAT has no effect. The FORWARD chain sees the packet after PREROUTING has rewritten it, which is why the rule matches the internal address 172.31.0.23 rather than the public one:
iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 172.31.0.23 -j ACCEPT
This rule forwards incoming HTTP requests from the firewall to the intended destination, the web server behind the firewall.
48.8.5.3. DMZs and IPTables
You can create iptables rules to route traffic to certain machines, such as a dedicated HTTP or FTP server, in a demilitarized zone (DMZ). A DMZ is a separate local subnetwork dedicated to providing services on a public carrier, such as the Internet, kept apart from the internal LAN so that a compromised public server has no direct path to internal hosts.
For example, to route incoming HTTP requests to a dedicated HTTP server at 10.0.4.2 (a DMZ address outside the LAN's private range), NAT uses the PREROUTING chain of the nat table to forward the packets to the appropriate destination:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.4.2:80
With this rule, all HTTP connections to port 80 from outside the LAN are routed to the HTTP server on a network separate from the rest of the internal network. As with any DNAT, a FORWARD chain with a DROP policy also needs an ACCEPT rule for the translated packets, and the separation only holds if the FORWARD chain does not permit traffic from the DMZ into the LAN.
48.8.6. Malicious Software and Spoofed IP Addresses
More elaborate rules can control access to specific subnets, or even specific nodes, within a LAN, and can stop compromised hosts from reaching the servers that control them. For example, the following rules drop outbound and forwarded TCP traffic on port 31337, a port associated with backdoor tools rather than with any legitimate service:
iptables -A OUTPUT -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
iptables -A FORWARD -o eth0 -p tcp --dport 31337 --sport 31337 -j DROP
As written, each rule matches only packets whose source port and destination port are both 31337; drop the --sport match to block every connection to that port regardless of the client's ephemeral port. Port blocking of this kind is a weak control, since a tool can use any port, and is no substitute for a default DROP policy on OUTPUT and FORWARD.
You can also block packets from outside that spoof a private IP address range in order to infiltrate your LAN. For example, if your LAN uses the 192.168.1.0/24 range, instruct the Internet-facing device (for example, eth0) to drop any packet arriving on that device with a source address in your LAN range:
iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP
Because forwarded packets are denied by the default policy, any other spoofed address reaching the external device is dropped automatically; this rule exists to catch spoofed LAN sources before a later rule that accepts traffic from the LAN range can match them, so it must precede those rules. The kernel's reverse path filter (net.ipv4.conf.all.rp_filter) performs a similar check on every interface.
Note: There is a distinction between the DROP and REJECT targets when dealing with appended rules. The REJECT target denies access and returns a connection refused error to users who attempt to connect to the service. The DROP target, as the name implies, discards the packet without any notice, so the client waits for a timeout.
Administrators can use their own discretion when using these targets. However, to avoid user confusion and repeated connection attempts, the REJECT target is recommended for rules that affect your own users; on an Internet-facing interface many administrators prefer DROP, so that the firewall does not answer unsolicited probes at all.
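As an added example (not from the Red Hat guide), the following shell script combines the gateway rules of the FORWARD, masquerading, DNAT, DMZ and anti-spoofing discussions above into one ruleset in iptables-save format, and makes the ip_forward setting persistent. eth1 as the LAN device, eth0 as the Internet device, 192.168.1.0/24 as the LAN range and 10.0.4.2 as the DMZ web server are the section's own example values and are assumptions here; the trojan-port rule uses the --dport-only form discussed above, and the forwarding helper edits a file you name (a temporary copy when testing) rather than /etc/sysctl.conf directly.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): gateway rules in
# iptables-save format, plus the persistent ip_forward change.
# Interface names, the LAN range and the DMZ address are assumptions.

# gateway_ruleset [LAN_IF] [WAN_IF] [LAN_NET] [DMZ_HTTP]: print nat and
# filter tables. Order matters in FORWARD: the anti-spoofing DROP comes
# before any ACCEPT, and the DNAT target needs its own FORWARD rule
# because the default policy is DROP.
gateway_ruleset() {
    lan="${1:-eth1}"; wan="${2:-eth0}"
    lan_net="${3:-192.168.1.0/24}"; dmz="${4:-10.0.4.2}"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# HTTP arriving on the external device goes to the DMZ server
-A PREROUTING -i $wan -p tcp -m tcp --dport 80 -j DNAT --to-destination $dmz:80
# LAN nodes leave with the gateway's external address
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -p tcp -m tcp --dport 22 -j ACCEPT
# nothing from the Internet may claim a LAN source address
-A FORWARD -i $wan -s $lan_net -j DROP
# no connections to the trojan port in either direction
-A FORWARD -p tcp -m tcp --dport 31337 -j DROP
# replies first, then what the LAN may start, then the DNAT'd HTTP requests
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -m state --state NEW -j ACCEPT
-A FORWARD -i $wan -d $dmz -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# rule_line FILE PATTERN: line number of the first rule matching PATTERN
rule_line() { grep -n -- "$2" "$1" | head -n 1 | cut -d: -f1; }

# forward_order_ok FILE: the spoof DROP must precede every FORWARD ACCEPT
forward_order_ok() {
    drop=$(rule_line "$1" '^-A FORWARD -i [a-z0-9]* -s .* -j DROP')
    first_accept=$(rule_line "$1" '^-A FORWARD .*-j ACCEPT')
    [ -n "$drop" ] && [ -n "$first_accept" ] && [ "$drop" -lt "$first_accept" ]
}

# persist_forwarding [SYSCTL_CONF]: set net.ipv4.ip_forward = 1 in the file
# (default /etc/sysctl.conf), changing an existing line or appending one.
# The live setting still needs "sysctl -p" or "sysctl -w net.ipv4.ip_forward=1".
persist_forwarding() {
    conf="${1:-/etc/sysctl.conf}"
    if grep -q '^net\.ipv4\.ip_forward[[:space:]]*=' "$conf"; then
        sed 's/^net\.ipv4\.ip_forward[[:space:]]*=.*/net.ipv4.ip_forward = 1/' "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        echo 'net.ipv4.ip_forward = 1' >> "$conf"
    fi
    grep -q '^net\.ipv4\.ip_forward = 1$' "$conf"
}

# forwarding_enabled: read the live kernel setting (0 when forwarding is on)
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

out="${OUT:-$(mktemp)}"
gateway_ruleset > "$out"
forward_order_ok "$out" && echo "gateway ruleset written to $out"
forwarding_enabled || echo "note: IPv4 forwarding is off; run sysctl -w net.ipv4.ip_forward=1 as root" >&2
# To install: copy $out to /etc/sysconfig/iptables, run persist_forwarding as
# root, then "sysctl -p /etc/sysctl.conf" and "service iptables restart".
```

Compared with the two blanket FORWARD rules in the text, the LAN-to-Internet rule here accepts only NEW connections leaving through eth0, and everything coming back in is admitted by the ESTABLISHED,RELATED rule; a packet from the Internet that is neither a reply nor a translated HTTP request is rejected, and a packet from the Internet carrying a LAN source address is dropped before any accept rule can see it.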
48.8.7. IPTables and Connection Tracking
You can inspect and restrict connections to services based on their connection state, a feature of the Netfilter connection tracking subsystem that iptables exposes through the state match. iptables uses connection tracking to store information about the connections it has seen, and you can allow or deny packets based on the following states:
NEW — A packet requesting a new connection, such as the first packet of an HTTP request.
ESTABLISHED — A packet that is part of an existing connection, one for which the tracker has already seen traffic in both directions.
RELATED — A packet that starts a new connection but is associated with an existing one. For example, FTP uses port 21 for the control connection, but data is transferred on a different port (typically port 20 in active mode); the data connection is RELATED to the control connection. The kernel can only make that association when the protocol's tracking helper is loaded (ip_conntrack_ftp on the Red Hat Enterprise Linux 5 kernel).
INVALID — A packet that the tracker cannot associate with any known connection, for example because it is malformed or out of sequence. Such packets match neither NEW nor ESTABLISHED and are usually dropped explicitly.
You can use the stateful functionality of iptables connection tracking with any network protocol, even if the protocol itself is stateless (such as UDP): the first datagram in a given direction is NEW and the reply is ESTABLISHED. The following example shows a rule that uses connection tracking to forward only the packets that are associated with an established connection:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
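As an added example (not from the Red Hat guide), the following shell script shows the four states applied to the two cases this section uses to explain them: an FTP server, where the data connection is RELATED to the control connection only when the kernel helper is loaded, and outbound DNS, where connection tracking still distinguishes a query from an unsolicited datagram although UDP has no handshake. The interface name, the passive port range and the module names are assumptions; the rules are printed in iptables-save format for inspection, not applied.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): connection states for an
# FTP server and for outbound DNS. Interface and port range are assumptions.

# ftp_server_rules [WAN_IF]: print INPUT/OUTPUT rules for an FTP server.
# With the FTP tracking helper loaded, the data connection of either mode
# is RELATED to the control connection on port 21, so no passive port
# range has to be opened statically.
ftp_server_rules() {
    wan="${1:-eth0}"
    cat <<EOF
# control channel: a NEW connection to port 21
-A INPUT -i $wan -p tcp -m tcp --dport 21 -m state --state NEW -j ACCEPT
# data channel (active mode: server connects out from port 20; passive mode:
# client connects in to a high port). RELATED only when the helper is loaded.
-A INPUT -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
# anything the tracker cannot place (out-of-window segments, stray ACKs) is INVALID
-A INPUT -m state --state INVALID -j DROP
EOF
}

# ftp_passive_fallback [WAN_IF] [FIRST] [LAST]: what is needed instead of the
# RELATED match when the helper is not available: the passive range
# configured in the FTP daemon accepted as NEW connections.
ftp_passive_fallback() {
    wan="${1:-eth0}"; first="${2:-50000}"; last="${3:-50100}"
    printf '%s\n' "-A INPUT -i $wan -p tcp -m tcp --dport $first:$last -m state --state NEW -j ACCEPT"
}

# dns_client_rules [WAN_IF]: outbound DNS over UDP. UDP has no handshake, but
# the tracker records the first datagram as NEW and the reply as ESTABLISHED,
# so only answers to questions this host asked are admitted.
dns_client_rules() {
    wan="${1:-eth0}"
    cat <<EOF
-A OUTPUT -o $wan -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i $wan -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
EOF
}

# ftp_helper_loaded: 0 if the kernel FTP tracking helper is present. The
# module is ip_conntrack_ftp on the Red Hat Enterprise Linux 5 kernel and
# nf_conntrack_ftp on later kernels; load it with modprobe as root, or list
# it in IPTABLES_MODULES in /etc/sysconfig/iptables-config so that the
# iptables service loads it at start (assumed configuration mechanism).
ftp_helper_loaded() {
    grep -q -E '^(ip|nf)_conntrack_ftp ' /proc/modules 2>/dev/null
}

# states_used FILE: the distinct --state values a ruleset relies on, one per line
states_used() {
    grep -o -- '--state [A-Z,]*' "$1" | cut -d' ' -f2 | tr ',' '\n' | sort -u
}

out="${OUT:-$(mktemp)}"
{ ftp_server_rules; dns_client_rules; } > "$out"
if ftp_helper_loaded; then
    echo "FTP helper loaded: data connections will match RELATED"
else
    echo "FTP helper not loaded; without it the passive range must be opened:"
    ftp_passive_fallback
fi
echo "states used by $out:"; states_used "$out"
```

The fallback rule is the cost of running without the helper: a whole port range accepted as NEW from anyone, instead of exactly the data connection the control channel negotiated.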
48.8.8. IPv6
Red Hat Enterprise Linux supports IPv6 firewall rules using the ip6tables command. In Red Hat Enterprise Linux 5, both the IPv4 and IPv6 services (iptables and ip6tables) are enabled by default.
The ip6tables command syntax is identical to iptables in every aspect except that it supports 128-bit addresses; the rulesets themselves are separate, so an IPv4 ruleset protects nothing on IPv6. For example, use the following command to enable SSH connections from one host on an IPv6-aware network server:
ip6tables -A INPUT -i eth0 -p tcp -s 3ffe:ffff:100::1/128 --dport 22 -j ACCEPT
(The 3ffe::/16 prefix in the example belongs to the retired 6bone test network; substitute your own address.) One difference in practice: ICMPv6 is not optional on IPv6, because neighbor discovery and router advertisements run over it, so an ip6tables default policy of DROP must accept those ICMPv6 types or the host loses connectivity.
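As an added example (not from the Red Hat guide), the following shell script prints an ip6tables ruleset in ip6tables-save format with the same default-DROP layout as the IPv4 rulesets in this chapter, the SSH rule from the text, and the ICMPv6 allowances that an IPv4 ruleset copied verbatim would lack. The interface and the administrative host address are assumptions; the script writes to a temporary file rather than to /etc/sysconfig/ip6tables.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide): an ip6tables ruleset in
# ip6tables-save format. ICMPv6 carries Neighbor Discovery and Router
# Advertisement, so a DROP policy that blocks it tak
# host off the link. Address and interface are assumptions.

# ip6_ruleset [WAN_IF] [ADMIN_HOST]: print a default-DROP IPv6 ruleset that
# still permits the ICMPv6 types the stack needs, then SSH from one host
# (the /128 example address from the text by default).
ip6_ruleset() {
    wan="${1:-eth0}"
    admin="${2:-3ffe:ffff:100::1/128}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# error reports (types 1-4) and echo request (128)
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 1 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 2 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 3 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 4 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -j ACCEPT
# Router Solicitation/Advertisement (133/134) and Neighbor Solicitation/
# Advertisement (135/136): without these the host cannot resolve link-layer
# addresses or learn its router
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
# the SSH rule from the text
-A INPUT -i $wan -p tcp -m tcp -s $admin --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT
EOF
}

# nd_allowed FILE: 0 only if every Neighbor Discovery type (133-136) is accepted
nd_allowed() {
    for t in 133 134 135 136; do
        grep -q -- "^-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type $t -j ACCEPT" "$1" || return 1
    done
}

out="${OUT:-$(mktemp)}"
ip6_ruleset > "$out"
nd_allowed "$out" && echo "IPv6 ruleset written to $out; Neighbor Discovery is permitted"
# To install: copy $out to /etc/sysconfig/ip6tables and run "service ip6tables restart".
```

The nd_allowed check is the one to run before loading any hand-written ip6tables file on a remote machine: dropping type 135 or 136 silently breaks address resolution for every IPv6 neighbor, including the router you are connected through.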
48.8.9. Additional Resources
48.8.9.1. Installed Documentation
- Refer to Section 48.9, “IPTables” for more detailed information on the iptables command, including definitions for many command options.
- The iptables man page contains a brief summary of the various options.
48.8.9.2. Useful Websites
- http://www.netfilter.org/ — The official homepage of the Netfilter and iptables project.
- http://www.tldp.org/ — The Linux Documentation Project contains several useful guides relating to firewall creation and administration.
- http://www.iana.org/assignments/port-numbers — The official list of registered and common service ports as assigned by the Internet Assigned Numbers Authority.
48.8.9.3. Related Documentation
- Red Hat Linux Firewalls, by Bill McCarty; Red Hat Press — a comprehensive reference to building network and server firewalls using open source packet filtering technology such as Netfilter and iptables. It includes topics that cover analyzing firewall logs, developing firewall rules, and customizing your firewall using various graphical tools.
- Linux Firewalls, by Robert Ziegler; New Riders Press — contains a wealth of information on building firewalls using both 2.2 kernel ipchains as well as Netfilter and iptables. Additional security topics such as remote access issues and intrusion detection systems are also covered.