Slashdot Mirror


Linux 2.4's Firewalling

A reader writes "Dave Wreski finished an article for linuxsecurity.com on the security improvements available in the new 2.4 kernel packet mangling/filtering." This is a fairly basic, newbie-level article (assuming you at least have a pocketful of networking experience) and is worth reading to bring you up to speed on what's new and exciting.

21 of 52 comments

  1. Re:Are there good pre-made firewalls for 2.4? by korpiq · · Score: 3


    Why would you need anything more than iptables?

    Below is a server filter configuration of mine. Add NAT if needed. Any weaknesses? (I have chrooted normal users' ssh; unchrooted ssh is available from administrators' home addresses through the telnet port)


    #!/bin/sh

    # we write log of what we do here
    LOG="/var/log/iptables.log"
    # local IPv4 addresses:
    MYIP="`ifconfig | sed -ne 's/.*addr:\([0-9.]*\).*/\1/p'`"
    # Allow incoming traffic for these
    TCPOK="ftp-data ftp ssh nameserver domain www pop3 https cvspserver 6667"
    UDPOK="domain"
    # Addresses allowed to "telnet" (ssh to root dir)
    TELNETOK="12.34.56.78/29 12.34.56.90/29"

    echo "`/bin/date '+[%x %X]'` $0 $*" >>$LOG

    # set up policy
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # clear filter tables
    iptables -F INPUT
    iptables -F FORWARD
    iptables -F OUTPUT

    # drop all custom tables
    for c in `iptables -L -n | sed -ne 's/^Chain \([a-z]*\) .*/\1/p'`;
    do
        echo "Dropping iptable $c" >>$LOG
        iptables -F $c
        iptables -X $c
    done

    # create custom tables
    iptables -N rootssh # root ssh; default DROP
    iptables -N icmps # icmp traffic; default DROP (weakish)
    iptables -N foreign # incoming traffic; default DROP

    # rootssh: ssh through telnet port to root dir
    # accept from local addresses
    for A in $MYIP; do iptables -A rootssh -s $A -i lo -j ACCEPT; done
    # accept from specified external addresses
    for A in $TELNETOK; do iptables -A rootssh -s $A -i eth0 -j ACCEPT; done

    iptables -A rootssh -m limit -j LOG
    iptables -A rootssh -j DROP

    # icmps: restrict ICMP protocol usage ### TODO: learn to do this right
    # accept all except "redirect" ICMP messages
    iptables -A icmps -p icmp --icmp-type ! redirect -j ACCEPT

    iptables -A icmps -m limit -j LOG
    iptables -A icmps -j DROP

    # foreign: traffic coming from outside
    # accept established traffic:
    iptables -A foreign -p tcp --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A foreign -p udp --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
    # accept explicitly specified traffic
    for A in $TCPOK; do iptables -A foreign -p tcp --dport $A -j ACCEPT; done
    for A in $UDPOK; do iptables -A foreign -p udp --dport $A -j ACCEPT; done

    iptables -A foreign -m limit -j LOG
    iptables -A foreign -j DROP

    # filter table

    # handle icmp traffic and root ssh separately
    iptables -A INPUT -p icmp -j icmps
    iptables -A INPUT -p tcp --dport telnet -j rootssh
    # accept local traffic
    for A in $MYIP; do iptables -A INPUT -s $A -i lo -j ACCEPT; done
    # handle external traffic separately
    iptables -A INPUT -i eth0 -s ! localhost -j foreign

    iptables -A INPUT -m limit -j LOG
    # default policy was to drop.

    # done configuring

    # log configuration
    iptables -L -n >>$LOG

    --

    I think, therefore thoughts exist. Ego is just an impression.
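
    The post above asks "Any weaknesses?" about a default-deny rule set built from custom chains. What follows is an added example from the editor, not the poster's script: a small linter that parses `iptables-save` output and checks the things a reviewer would look at first in such a design (built-in policies, user chains that do not end in an unconditional DROP, LOG rules without `-m limit`, blanket ICMP accepts, and the absence of a rule dropping conntrack-state INVALID packets). The dump it runs on is constructed to resemble what the posted script would produce when saved, with two weaknesses deliberately introduced so the checks have something to report: the `icmps` accept has no type restriction (the poster's own "weakish" TODO) and the `rootssh` LOG rule has no rate limit. Chain names and addresses are taken from the post; everything else is assumed.

```python
"""Lint an iptables-save dump for weaknesses in a default-deny filter set.

Added example; not the posted script. SAMPLE_DUMP is constructed to resemble
what that script would produce, with two weaknesses added on purpose.
"""
import shlex
from dataclasses import dataclass, field


@dataclass
class Rule:
    chain: str
    args: list  # tokens after "-A <chain>"

    def target(self):
        """Return the -j target, or None for a rule that only counts packets."""
        if "-j" in self.args:
            return self.args[self.args.index("-j") + 1]
        return None

    def has(self, *tokens):
        return all(t in self.args for t in tokens)


@dataclass
class Table:
    policies: dict = field(default_factory=dict)  # chain -> policy ("-" for user chains)
    rules: dict = field(default_factory=dict)     # chain -> [Rule]


def parse_iptables_save(dump):
    """Parse iptables-save text into {table_name: Table}."""
    tables, current = {}, None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # "*filter"
            current = tables.setdefault(line[1:], Table())
        elif line.startswith(":"):                    # ":INPUT DROP [0:0]"
            name, policy = line[1:].split()[:2]
            current.policies[name] = policy
            current.rules.setdefault(name, [])
        elif line.startswith("-A "):                  # "-A chain <matches> -j target"
            tokens = shlex.split(line)
            current.rules.setdefault(tokens[1], []).append(Rule(tokens[1], tokens[2:]))
    return tables


def audit_filter(tables):
    """Return (check, chain, message) findings for the filter table."""
    findings = []
    flt = tables.get("filter")
    if flt is None:
        return [("no-filter-table", "-", "dump contains no *filter table")]
    # 1. built-in chains that receive traffic should default to DROP
    for chain in ("INPUT", "FORWARD"):
        if flt.policies.get(chain) != "DROP":
            findings.append(("policy", chain, "built-in chain policy is not DROP"))
    # 2. a user chain should end in an unconditional DROP/REJECT; otherwise
    #    unmatched packets silently return to the calling chain
    for chain, policy in flt.policies.items():
        if policy != "-":
            continue
        rules = flt.rules[chain]
        if not rules or rules[-1].args not in (["-j", "DROP"], ["-j", "REJECT"]):
            findings.append(("fall-through", chain, "no unconditional DROP/REJECT at end of chain"))
    all_rules = [r for rs in flt.rules.values() for r in rs]
    for r in all_rules:
        # 3. an unthrottled LOG rule lets a scan fill the disk with log lines
        if r.target() == "LOG" and not r.has("-m", "limit"):
            findings.append(("unlimited-log", r.chain, "LOG rule without -m limit"))
        # 4. accepting ICMP without a type restriction
        if r.target() == "ACCEPT" and r.has("-p", "icmp") and "--icmp-type" not in r.args:
            findings.append(("icmp-any", r.chain, "accepts every ICMP type"))
    # 5. conntrack marks malformed/out-of-window packets INVALID; drop them explicitly
    if not any(r.target() == "DROP" and any("INVALID" in a.split(",") for a in r.args)
               for r in all_rules):
        findings.append(("no-invalid-drop", "filter", "no rule drops packets in state INVALID"))
    return findings


# Constructed dump modelled on the posted script (not real saved state).
SAMPLE_DUMP = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:foreign - [0:0]
:icmps - [0:0]
:rootssh - [0:0]
-A INPUT -p icmp -j icmps
-A INPUT -p tcp -m tcp --dport 23 -j rootssh
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT ! -s 127.0.0.1/32 -i eth0 -j foreign
-A INPUT -m limit --limit 3/hour -j LOG
-A foreign -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A foreign -p udp -m udp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A foreign -p tcp -m tcp --dport 22 -j ACCEPT
-A foreign -p tcp -m tcp --dport 80 -j ACCEPT
-A foreign -p udp -m udp --dport 53 -j ACCEPT
-A foreign -m limit --limit 3/hour -j LOG
-A foreign -j DROP
-A icmps -p icmp -j ACCEPT
-A icmps -m limit --limit 3/hour -j LOG
-A icmps -j DROP
-A rootssh -s 127.0.0.1/32 -i lo -j ACCEPT
-A rootssh -s 12.34.56.78/29 -i eth0 -j ACCEPT
-A rootssh -j LOG
-A rootssh -j DROP
COMMIT
"""

if __name__ == "__main__":
    for check, chain, msg in audit_filter(parse_iptables_save(SAMPLE_DUMP)):
        print(f"[{check}] {chain}: {msg}")
```

    Run against a live box with `iptables-save | python3 lint.py` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`. The checks are deliberately conservative: a chain ending in `-m limit -j LOG` followed by nothing is reported as a fall-through even though the caller's DROP policy would catch it, because the explicit terminal drop is what keeps the chain's behaviour independent of how it is called.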
  2. looks interesting but NO CAN-DO by gbd · · Score: 4

    hi all (george here)

    really this linux 2.4 firewall looks VERY INTERESTING but i cannot bring myself to actually create one, i have been told by VERY reputable sources that this would threaten the AMERICAN WAY

    your bud

    --
    -gbd
  3. What else would be required? by korpiq · · Score: 2


    - set up packet filtering,
    - include the rudimentary protective measures against spoofing and flooding in above
    - chroot daemons
    - enforce hard-to-guess passwords
    - ban telnet, use ssh

    What more could you reasonably expect from an administrator?

    Well, ok, there's
    - md5sums
    - external logging

    What else? Would you expect these from everybody?
    Remember, a networked workstation is effectively in the same position as any server: "networked" is "vulnerable". All practical security piled on top of that is just patching. Important patching, though, unless you want to risk your data and being used for attacks.

    --

    I think, therefore thoughts exist. Ego is just an impression.
    1. Re:What else would be required? by Elbereth · · Score: 2
      Here's some more:

      • Use an ultra-secure kernel, where even root's permissions are limited
      • Don't use Sendmail, wuftpd, or other commonly hacked daemons.
      • Make a hardcopy version of your syslog using a printer
      • Don't use the Intel x86 architecture
      • Use the immutable flag
      • Don't allow remote power-cycling, reboots, etc


      Some of this is actually security through obscurity (such as not using Intel x86), but it works sometimes. Also, you lose some functionality, such as remote manageability, but you always have to make trade-offs for a truly secure machine.

      Don't forget to remove the floppy drive, CDROM, and all other bootable media.
  4. Re:NAT: Linux vs. W2k by Hardwyred · · Score: 3
    It has been a long time since I have played with a MS OS, never mind packet forwarding on one, so I may be pulling all of this out of my ass. Linux can...
    - Forward internal IPSec traffic
    - support games and services that aren't designed to operate behind a firewall, e.g. ICU
    - TOS baby TOS
    - Easy plugin interface makes for a nice road to add new services support
    - Run on hardware that you wouldn't use even as a doorstop
    And last but not least
    - costs you nothing
    Now the last time I tried to do this in windows you still had to buy 3rd party apps, so if I'm wrong on any of these points, please someone correct me.
    www.cyborgworkshop.com ...and the geek shall inherit the earth...

    --
    www.linux-skunkworks.com
  5. Re:Performance and minimum hardware? by AntiBasic · · Score: 2
    You're right. He doesn't mention it because it was an article written primarily for newbies and PHB's.

    If you're firewalling a 1Mbps Internet link, there are many nanoseconds between packets. With 1KB per packet, there are only 100 packets per second at most (1Mbps/1Kbps/10bits-per-byte). Not much computer time is needed for this type of processing.

    You might wanna check out ipf or ipfw for stateless firewalling. They've been around a while longer.

  6. Oops, read your question wrong by korpiq · · Score: 2


    Shouldn't skip so much... Your question was more like whether there would be any good tool for making easy use of iptables. Well, as you can see, I'm not that much after such tools :) Thus that script is not what you asked for: to change the rules, you need to change the script itself - and it uses only some of the most basic methods of iptables.

    Anyway, I'd like some discussion about real-life examples like the one in my lengthy post above.

    --

    I think, therefore thoughts exist. Ego is just an impression.
  7. Re:Performance and minimum hardware? by garver · · Score: 2

    In my experience iptables with connection tracking enabled eats up a ton more CPU than ipchains. That said, you can always run without connection tracking.

    As a data point, we are running a linux firewall/edge router on a K6-2/400. We are pushing around 3-4k packets/second during peak. When running 2.2 and ipchains, this box was 99.99% idle. It was bored! We upgraded to 2.4 and enabled connection tracking. While we were at it, we added a good bit of infrastructure to the chains to make administration easier (dedicated chains for accounting, another for the webcache, etc.), thus increasing processing time for filtering. Now, we are only about 94.5% idle. I'm pretty sure that connection tracking accounts for the vast majority of this increase. Nevertheless, this still is not a big deal when the whole system costs $300.

  8. Firewalling is only a piece by matman · · Score: 4

    I've been getting more into host security over the past few months... and especially on linux. Anyone that's at all an expert, will tell you that firewalling is only one of many measures that can improve your security; it's not even a very big one. Linux is STILL waiting for ACLs, file access auditing, wide use of capabilities (and through them the reduction of the need to have root do things). ACL support in ext2 (according to a post to the linux-kernel mailing list) was dropped in exchange for large file support. You can get patches for the kernel to support ACLs in other ways (often loading ALL ACLs into kernel memory). And, apart from running something like tripwire, how are you going to know if /etc/password gets opened in write mode? or if anything but login/pam (or whatever other program) opens /etc/shadow? Linux really needs to get these things into the official kernel. I want them! They're as important to me as firewalling. (sorry, I don't know enough C yet to write any of this within the next year or two ;)
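
    Two posts in this thread point at the same control: korpiq's checklist lists "md5sums", and the post above asks how you would know that /etc/passwd or /etc/shadow changed short of running tripwire. The answer both are circling is a stored hash baseline compared against the live filesystem. Below is an added example from the editor, not code from either poster or from tripwire: it records a SHA-256 digest, permission bits and size for every file under a directory, and diffs a saved baseline against the current state. SHA-256 is used instead of MD5 because MD5 collisions are practical today. The directory tree, file contents and the tampering in `demo()` are all constructed in a temporary directory; the baseline itself would in practice be kept off the host or on read-only media, which is also the point of the "external logging" item in the checklist.

```python
"""File-integrity baseline (the "md5sums" checklist item) using SHA-256.

Added example, not code from the thread. Paths and file contents are
constructed in a temporary directory; a real baseline is taken on a known-good
system and stored off-host or on read-only media.
"""
import hashlib
import json
import os
import shutil
import tempfile


def file_digest(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, permission bits and size of every file under root.
    Keys are paths relative to root; symlinks are recorded by target, not followed."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                baseline[rel] = {"link": os.readlink(full)}
                continue
            st = os.lstat(full)
            baseline[rel] = {"sha256": file_digest(full),
                             "mode": oct(st.st_mode & 0o7777),
                             "size": st.st_size}
    return baseline


def compare(old, new):
    """Diff two baselines: added/removed paths and, per changed path, which attributes differ."""
    changed = {}
    for path in sorted(set(old) & set(new)):
        diffs = sorted(k for k in old[path] if old[path][k] != new[path].get(k))
        if diffs:
            changed[path] = diffs
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "changed": changed}


def _write(root, rel, text, mode):
    full = os.path.join(root, rel)
    with open(full, "w") as f:
        f.write(text)
    os.chmod(full, mode)


def demo():
    """Constructed scenario: baseline a tiny tree, then change it the way a
    compromise typically shows up (an extra uid-0 account, loosened shadow
    permissions, a missing and an unexpected binary) and diff against the
    stored baseline. Contents below are made up for the example."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "bin"))
        _write(root, "etc/passwd", "root:x:0:0::/root:/bin/sh\n", 0o644)
        _write(root, "etc/shadow", "root:$1$constructed$hash:11000::::::\n", 0o600)
        _write(root, "bin/login", "#!/bin/sh\nexec /bin/true\n", 0o755)
        stored = json.dumps(build_baseline(root))   # what you would keep off-host
        # tampering
        _write(root, "etc/passwd", "root:x:0:0::/root:/bin/sh\nbackup:x:0:0::/:/bin/sh\n", 0o644)
        os.chmod(os.path.join(root, "etc/shadow"), 0o644)
        os.remove(os.path.join(root, "bin/login"))
        _write(root, "bin/ls", "#!/bin/sh\n", 0o755)
        return compare(json.loads(stored), build_baseline(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The mode check is what catches the shadow change: the file's contents and hash are untouched, only its permission bits moved from 0600 to 0644, so a content-only checksum list would have missed it. The check is only as trustworthy as the copy of the baseline and of the checking tool, which is why both belong somewhere the monitored host cannot write.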

  9. Re:I want IP Personality by AntiBasic · · Score: 2

    Whats your point? I want a big mac and two dozen chicks in tight shorts. It ain't gonna happen any time soon.

  10. WRONG! (Re:iptables vs ipchains) by chromatix · · Score: 2

    The syntax is very similar. However the behaviour of iptables is very different to ipchains. For example, packets now go through more than one "table" on their way to, from or through the machine, instead of just the INPUT, OUTPUT or FORWARD chains. I got very confused when my firewall started doing "interesting" things I wasn't expecting - because I'd expected it to be very similar to ipchains in functionality as well as syntax.

    --
    --- The key to knowledge is not to rely on people to teach you it ---
  11. Re:NAT: Linux vs. W2k by Fast+Ben · · Score: 2

    I've been running Linux NAT on a 486/66 for about 3 years now (and, as cdipierr said in a previous post, try that with Win2K), and have never had a problem.
    I recently purchased a little ip sharing device made by Netlux that does the NAT for me now. This thing does port forwarding as well (port specific or range of ports), and running ipchains on the Linux box behind it secures me pretty well I think.
    It uses very little power as well compared to my old 486, and being located in California (the light at the end of the tunnel will be turned off until further notice) with the current power crisis going on, this saves me a few bucks as well.
    I know all this may sound like a plug, but it's worked out great for me.

  12. Re:Is security a linux problem? by dschl · · Score: 2

    One word: Bastille.

    November 2000 Interview of the project leaders on /.

    Bastille-Linux homepage. I believe it now installs on non-virgin Redhat and Mandrake systems, and 6.2 is definitely included in the list. All of the other links are great for learning to do it yourself, but in the meantime, you can lock down your box quite nicely with Bastille.

    I have used it for a year or so, and highly recommend it.

    --
    Slashdot - the place where you can look like a genius by restating the obvious
  13. iptables vs ipchains: Not all that new by redelm · · Score: 2

    One statement I didn't see in this article is that the new `iptable` tool is very similar to the previous `ipchains` tool.

    They were even originally written by the same author. Yes, ipchains has advanced functionality.
    But the change is more evolutionary rather than revolutionary. AFAIK, the tool name was only changed because some options are different.

  14. Performance and minimum hardware? by inkydoo · · Score: 2

    All the new features (particularly statefulness) of NetFilter sound great. The only question I have is whether I can still run a firewall on an old 486 w/ 16M of RAM? He points out that this is an advantage of ipchains (stateless) filtering, but then doesn't mention how big an impact IPtable will have on older hardware.

  15. NAT: Linux vs. W2k by a.out · · Score: 3

    Here's a question that's been bugging me for a while. What are the advantages of NAT in Linux and W2k for a home network? My friend who works at Microsoft wants to know what Linux NAT can do that W2k can't and I want to show him the light .. but I'm not that educated on the matter.

  16. Is security a linux problem? by dasunt · · Score: 3

    I'm a linux "newbie", I have to admit. I have found that my lack of knowledge does seem to offend a significant section of the 31337 linux community. Unfortunately, until they develop a method of transmitting knowledge directly to the brain, my method of learning is going to continue to be installing a system (RH 6.2, since I have a disk handy), and playing with it until I understand what I'm doing.

    Unfortunately, I believe my Win98 box with Zonealarm is probably more secure than my linux box at the moment. I'm not worried about my windows box being hacked anytime soon, but I do worry about my linux box. I'll admit, I don't know jack about linux security, and it isn't the easiest subject to pick up through self-teaching. Asking for help in the linux community gets mixed results, ranging from outright refusal (because I'm a newbie, remember), to those that seem a tad paranoid about security (what do you mean, I shouldn't be able to telnet into the box remotely?).

    Therefore, I get mixed feelings about the usefulness of my linux box. I'm in love with the bash shell, (re)compiling programs is rather nifty, symlinks rock, and other attributes make linux fun to play and work with, but the security issue still scares me. My networking experience is limited to setting up a small LAN here and there, and I have no background in security. Trying to do research into the issue of linux security brings up plenty of FUD, out-of-date information, and information that assumes that I have more knowledge than I do. I am not an idiot, but I am ignorant. I need my information in small, easily digestible chunks, and based on the assumption that I know nothing. But I'm not finding any information in that format. Which means that my linux box I play with is still probably pretty insecure.

    1. Re:Is security a linux problem? by whydna · · Score: 4

      there's a really good book that you can find online (at www.linuxdoc.org under the guides section) called "Securing and Optimizing Linux - Redhat Edition". It's a pretty big doc (pdf is about 5Mb, if I recall correctly, almost 500 pages too). It may be a tad more paranoid than you think. But between that guide and a normal basic-linux-commands-type book, I think you'd be on your way.

      As for telnetting into your box remotely, that has to do with "sniffing". Basically, Evil People(tm) could watch all the traffic on your network connection and simply grab your username/password as you type it. But, if you're not anally paranoid, and/or you don't share a connection with other people, and/or you trust your ISP... you'll be fine. As for RedHat 6.2, be absolutely sure you grab the updated RPM for wu-ftpd (the ftp server), it has a commonly exploited hole.

      From what you say, you don't sound like you need to be running things like, a web server, ftp server, dns server, nfs server, etc, etc. So, don't. The guide tells you how to disable all that stuff. Most of it is what gets you in trouble. Also, I highly recommend PortSentry from www.psionic.com. It's kinda like ZoneAlarm... it'll identify people that are trying to attack you (well, port scan at least), and block them from connecting. It works very well.

      Good luck!

  17. I want IP Personality by whydna · · Score: 4

    There was a project started some time ago called IP Personality. It was supposed to help hide from os fingerprinting (ala nmap). The project seems to be defunct now... which sucks... I was really looking forward to this. It used IP mangling to make your packets look like other OSs (such as Windows, amiga, etc).

    Sure, it probably won't keep the real bad guys out forever, but it'll certainly throw off the script kiddies. If anybody knows the status of the project, or other similar projects, it'd be great to hear something.

  18. IMHO Rusty's filtering HOWTO is very clear. by korpiq · · Score: 5


    http://netfilter.kernelnotes.org/unreliable-guides/packet-filtering-HOWTO/index.html

    It's well written, short, to the point. What else would you need?

    --

    I think, therefore thoughts exist. Ego is just an impression.
  19. Are there good pre-made firewalls for 2.4? by VValdo · · Score: 2
    I know there are a bunch of great firewall generating scripts and pre-made firewalls for 2.0x and 2.2x such as phpfwgen and PMFirewall but does such a thing exist for 2.4 that supports all the new stuff?

    I'd like to find, you know, a "normal" firewall for using maybe with IP masquerading at home. Something that will make my IP look more or less invisible.

    Anyone got any recommendations?

    W

    --
    -------------------
    This is my SIG. There are many like it, but this one is mine.