Linux Firewall – What is a firewall, iptables, ports, NAT, IP forwarding
In a typical networking environment the following components will be in place:
a) WAN (connection to the Internet or another third party)
b) DMZ (demilitarized zone). Location of your web and/or mail server, or any other servers you want the outside world to have access to
c) LAN ("internal" or local area network). Workstations and servers that are not connected directly to the Internet. They can open connections to the DMZ and WAN, but nothing on the WAN or DMZ can open a connection to them.
d) ROUTER. Gateway to another network. Typically this would be the link between your company and your ISP (Internet Service Provider).
e) LINUX FIREWALL. Firewall protection for the LAN and DMZ
What is a firewall?
Simply put, a firewall protects your LAN from the outside world by filtering packets and allowing only selected Internet or WAN traffic through. Your LAN should be protected in such a way that no unwanted traffic can reach it from the DMZ or the Internet. Your LAN, however, will need access to the DMZ and the Internet.
Your DMZ will need to be accessed by the Internet and your LAN. All the services that need to be accessed from the Internet, like mail and web servers, should be located in the DMZ. Everything else should be on the LAN. The point of the split is that a compromised web or mail server in the DMZ still cannot open connections into the LAN.
IPTABLES
Linux uses "iptables" to provide this functionality: filtering and blocking of ports and protocols, for both "outbound" and "inbound" network traffic to and from the LAN and DMZ.
With iptables we can match traffic based on source and destination address, source and destination port, protocol (tcp, udp, icmp and so on) and the interface a packet arrives on or leaves by. Rules are placed in chains, and chains belong to tables. Filtering rules go in the "filter" table, which has three built-in chains: INPUT, OUTPUT and FORWARD. (NAT rules go in the separate "nat" table, covered below.)
INPUT and OUTPUT chains
The INPUT and OUTPUT chains handle packets whose destination or source is the computer running the firewall itself: services the firewall hosts and connections it makes. An example of this would be the sshd daemon on the server running the firewall; its incoming connections pass through INPUT and its replies pass through OUTPUT.
FORWARD chain
The FORWARD chain is used for filtering connections passing through the firewall that neither originate from nor terminate on the server running the firewall.
An example of this would be LAN users connecting through the firewall to the Internet.
Network Address translation (NAT)
NAT does the following on the firewall:
DNAT
Redirecting of "inbound" network traffic to "internal" computers within the DMZ. In other words we can change the destination address of a packet. For example, if someone on the Internet wanted to browse your web site, the destination address would be your public IP address. This destination IP address has to be changed, in the PREROUTING chain of the nat table (that is, before the routing decision is made), to the IP address of your web server in the DMZ, which has a private IP address. The term for this is "DNAT" (Destination NAT).
SNAT
Masquerading "outbound" connections behind a single "public" IP address. In other words we can change the source address of a packet, making it appear to come from another source. If you only have one public IP address, you can make it appear that all your LAN users are browsing from that one public IP address. This is done in the POSTROUTING chain of the nat table (after the routing decision). The term for this is "SNAT" (Source NAT); the MASQUERADE target is the variant used when the public address is assigned dynamically and is not known in advance.
Ports
Port numbers run from 0 to 65535 for each of TCP and UDP; the ones below 1024 are reserved for well-known services and can only be opened by root. Ports are used to distinguish different connections between two computers and map a connection to the application or service behind it. Some commonly used ports are listed below:
pop3 = 110 (tcp)
smtp = 25 (tcp)
Printing (IPP/CUPS) = 631
proxy = 3128 (squid) or 8080
Web = 80 (http), 443 (https) or 8080 (alternative http)
ftp = 21 (tcp, plus a data connection on 20 or a high port)
telnet = 23
ssh = 22
Samba file sharing = 137 and 138 (udp), 139 and 445 (tcp)
You can use the "nmap" tool to check which ports are open on a system by typing the following at the shell, giving the host or network you want to scan as the target:
nmap -v 192.168.1.1
Once your firewall is in place, scan the public address from outside and the firewall's addresses from the LAN and DMZ; only the ports you deliberately opened should show up.
NB: be aware that you should ask permission before running this program to scan for open ports. Some companies have policies which forbid employees from running these types of tools. Even if you can't get fired, most companies would view the use of such programs in a dim light.
IP Forwarding
Just a brief note on IP forwarding. If you have two or more network cards in your computer and the firewall is to route traffic between them, you have to enable "IP forwarding". Without it the kernel drops packets that are not addressed to the firewall itself, so nothing ever reaches the FORWARD chain or the NAT rules. To enable it, type the following at the command prompt (as root):
echo 1 > /proc/sys/net/ipv4/ip_forward
NB: this is not a persistent change; it is lost on reboot. Either add the line above to a start-up script, or make it persistent by editing /etc/sysctl.conf and making sure there is a line that reads "net.ipv4.ip_forward = 1" (the similarly named net.ipv6.conf.all.forwarding controls IPv6 only and does not enable IPv4 forwarding). Run "sysctl -p" to apply the file without rebooting.
The above is not necessary if you only have one network card.
Planning your firewall
Take some time to review your company security policies and plan your firewall. What is it you need to accomplish? Which services must be reachable from the Internet, which hosts on the LAN may go out, and what must never cross between DMZ and LAN?
Default Policy
Your default policy should err on the side of caution. In other words, block everything and allow ONLY the ports and protocols needed. To do this, the first thing your firewall script does after flushing the old rules is set the default policy of the INPUT, OUTPUT and FORWARD chains to DROP. Once everything is blocked you can go about "allowing" and "filtering" as needed, and anything you forget stays closed rather than open.
Setting up the firewall
a) The first thing in your firewall script should be a "flushing" of any previous firewall settings, so that you start from a known state instead of appending to rules left over from an earlier run.
b) Next, set the default policies, allow the ports needed and set up the NAT rules. The following represents the structure of your firewall script:
Flush all previous settings (rules and user-defined chains in the filter and nat tables)
Block all ports (inbound, outbound and forwarded) by setting the default policy of INPUT, OUTPUT and FORWARD to DROP
Open ports needed (match on protocol, --sport / --dport and interface)
Set NAT rules (DNAT in the PREROUTING chain, SNAT or MASQUERADE in the POSTROUTING chain)
In an ideal world companies should have at least 3 network interfaces on their Linux firewall, one per security zone. These would be arranged as follows:
Interface 1 = Internet (Public IP address)
Interface 2 = DMZ (Private IP address)
Interface 3 = LAN (Private IP address)
Network Interface naming convention:
You will need to know how Linux refers to your network cards and Internet link when setting up your firewall, because rules match on the interface name. Most such firewalls have 3 network cards, although some Linux firewalls have a modem or some such device instead of one of them. In this regard the following will apply:
Network cards are referred to as eth0, eth1, eth2 and so on (newer distributions with predictable interface names may show names like enp0s3 or ens33 instead; "ip link" lists them)
Internet connections that use modems etc. can be called ppp0, pppoe0, pppoe1, dsl0, dsl1 or similar.
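Putting the NAT section and the script structure above together, here is a complete firewall script for the three-interface layout (WAN on eth0, DMZ on eth1, LAN on eth2). It is an added example written for this page, not the author's own script. The addresses are assumptions: 203.0.113.10 is a documentation-range address standing in for the public IP, and the DMZ and LAN ranges are RFC 1918 private networks; the function names build_firewall and dry_run are also this example's own.

```shell
#!/bin/sh
# Three-interface firewall: WAN on eth0, DMZ on eth1, LAN on eth2.
# Addresses are assumptions for this example: 203.0.113.10 (TEST-NET-3) stands
# in for the public IP; the DMZ and LAN ranges are RFC 1918 private networks.
# Run as root with "sh firewall.sh apply"; "sh firewall.sh dry-run" prints the
# iptables commands instead of executing them.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
WAN=eth0;  WAN_IP=203.0.113.10
DMZ=eth1;  DMZ_NET=192.168.10.0/24; WEB=192.168.10.80; MAIL=192.168.10.25
LAN=eth2;  LAN_NET=192.168.20.0/24

build_firewall() {
  # 1. Flush all previous settings: rules and user-defined chains in every table
  for t in filter nat mangle; do
    $IPT -t "$t" -F
    $IPT -t "$t" -X
  done

  # 2. Block everything by default; only what is explicitly allowed below passes
  $IPT -P INPUT DROP
  $IPT -P OUTPUT DROP
  $IPT -P FORWARD DROP

  # Loopback, and replies belonging to connections that were already allowed
  $IPT -A INPUT  -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  for c in INPUT OUTPUT FORWARD; do
    $IPT -A "$c" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  done

  # 3. Open the ports needed
  # INPUT/OUTPUT cover the firewall box itself: ssh to it only from the LAN,
  # and DNS lookups from it allowed out.
  $IPT -A INPUT  -i "$LAN" -s "$LAN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A OUTPUT -o "$WAN" -p udp --dport 53 -j ACCEPT
  # FORWARD covers traffic passing through: LAN may open connections anywhere
  # (DMZ and Internet); -s with -i rejects spoofed source addresses.
  $IPT -A FORWARD -i "$LAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
  # Internet may reach only the DMZ web and mail servers. The destination has
  # already been rewritten by the DNAT rule below, so match the private address.
  $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$WEB"  -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A FORWARD -i "$WAN" -o "$DMZ" -d "$MAIL" -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
  # DMZ hosts may go out to the Internet (outbound mail, updates) but never into
  # the LAN: no rule forwards NEW connections with -o "$LAN", so DROP applies.
  $IPT -A FORWARD -i "$DMZ" -o "$WAN" -s "$DMZ_NET" -m conntrack --ctstate NEW -j ACCEPT

  # 4. NAT
  # DNAT in PREROUTING (before routing): public IP -> DMZ servers
  $IPT -t nat -A PREROUTING -i "$WAN" -d "$WAN_IP" -p tcp -m multiport --dports 80,443 -j DNAT --to-destination "$WEB"
  $IPT -t nat -A PREROUTING -i "$WAN" -d "$WAN_IP" -p tcp --dport 25 -j DNAT --to-destination "$MAIL"
  # SNAT in POSTROUTING (after routing): everything leaving on the WAN
  # interface appears to come from the single public IP
  $IPT -t nat -A POSTROUTING -o "$WAN" -j SNAT --to-source "$WAN_IP"

  # 5. IP forwarding: without it no packet ever reaches FORWARD or the NAT rules
  $SYSCTL -w net.ipv4.ip_forward=1
}

# Print the commands instead of executing them, for review before applying
dry_run() {
  ( IPT="echo iptables"; SYSCTL="echo sysctl"; build_firewall )
}

case "${1:-}" in
  apply)   build_firewall ;;
  dry-run) dry_run ;;
esac
```

Read the dry-run output before applying, and apply it from a console session rather than over ssh: the DROP policies take effect before the ssh rule is added, so a mistake in the allow rules locks you out of a remote box. The ESTABLISHED,RELATED rule is what makes the strict default policy workable; without it every reply packet would also need its own allow rule.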
To view current configuration
For viewing the current firewall configuration on your computer you can use the “iptables” command as follows:
iptables -L -n -v
By default this command only shows the "filter" table. If you want to see one of the other tables you can specify the table with the "-t