Linux 2.4's Firewalling

A reader writes "Dave Wreski finished an article for linuxsecurity.com on the security improvements available in the new 2.4 kernel packet mangling/filtering" This is a fairly basic level newbie type article (assuming you at least have a pocketfull of networking experience) and is worth reading to bring you up to speed on whats new and exciting.

Re:Are there good pre-made firewalls for 2.4?

[korpiq]

Why would you need anything more than iptables?

Below is a server filter configuration of mine. Add NAT if needed. Any weaknesses? (I have chrooted normal users' ssh; unchrooted ssh is available from administrators' home addresses through the telnet port)


#!/bin/sh

# we write log of what we do here
LOG="/var/log/iptables.log"
# local IPv4 addresses:
MYIP="`ifconfig | sed -ne 's/.*addr:\([0-9.]*\).*/\1/p'`"
# Allow incoming traffic for these
TCPOK="ftp-data ftp ssh nameserver domain www pop3 https cvspserver 6667"
UDPOK="domain"
# Addresses allowed to "telnet" (ssh to root dir)
TELNETOK="12.34.56.78/29 12.34.56.90/29"

echo "`/bin/date '+[%x %X]'` $0 $*" >>$LOG

# set up policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# clear filter tables
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

# drop all custom tables
for c in `iptables -L -n | sed -ne 's/^Chain \([a-z]*\) .*/\1/p'`;
do
echo "Dropping iptable $c" >>$LOG
iptables -F $c
iptables -X $c
done

# create custom tables
iptables -N rootssh # root ssh; default DROP
iptables -N icmps # icmp traffic; default DROP (weakish)
iptables -N foreign # incoming traffic; default DROP

# rootssh: ssh through telnet port to root dir
# accept from local addresses
for A in $MYIP; do iptables -A rootssh -s $A -i lo -j ACCEPT; done
# accept from specified external addresses
for A in $TELNETOK; do iptables -A rootssh -s $A -i eth0 -j ACCEPT; done

iptables -A rootssh -m limit -j LOG
iptables -A rootssh -j DROP

# icmps: restrict ICMP protocol usage ### TODO: learn to do this right
# accept all except "redirect" ICMP messages
iptables -A icmps -p icmp --icmp-type ! redirect -j ACCEPT

iptables -A icmps -m limit -j LOG
iptables -A icmps -j DROP

# foreign: traffic coming from outside
# accept established traffic:
iptables -A foreign -p tcp --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A foreign -p udp --dport 1024: -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept explicitly specified traffic
for A in $TCPOK; do iptables -A foreign -p tcp --dport $A -j ACCEPT; done
for A in $UDPOK; do iptables -A foreign -p udp --dport $A -j ACCEPT; done

iptables -A foreign -m limit -j LOG
iptables -A foreign -j DROP

# filter table

# handle icmp traffic and root ssh separately
iptables -A INPUT -p icmp -j icmps
iptables -A INPUT -p tcp --dport telnet -j rootssh
# accept local traffic
for A in $MYIP; do iptables -A INPUT -s $A -i lo -j ACCEPT; done
# handle external traffic separately
iptables -A INPUT -i eth0 -s ! localhost -j foreign

iptables -A INPUT -m limit -j LOG
# default policy was to drop.

# done configuring

# log configuration
iptables -L -n >>$LOG

looks interesting but NO CAN-DO

[gbd]

hi all (george here)

really this linux 2.4 firewall looks VERY INTERESTING but i cannot bring myself to actually create one, i have been told by VERY reputable sources that this would threaten the AMERICAN WAY

your bud

Re:NAT: Linux vs. W2k

[Hardwyred]

It has been a long time since I have played with a MS OS, never mind packet forwarding on one, so I may be pulling all of this out of my ass. Linux can
...

Forward internal IPSec traffic

support games and services that arent designed to operate behind a firewall, e.g. ICU

TOS baby TOS

Easy plugin interface makes for a nice road to add new services support

Run on hardware that you wouldnt use even as a doorstop And last but not least

costs you nothing
Now the last time I tried to do this in windows you still had to buy 3rd party apps, so if Im wrong on any of these points, please someone correct me. www.cyborgworkshop.com ...and the geek shall inherit the earth...

Firewalling is only a piece

[matman]

I've been getting more into host security over the past few months... and especially on linux. Anyone that's at all an expert, will tell you that firewalling is only one of many measures that can improve your security; its not even a very big one. Linux is STILL waiting for ACLs, file access auditing, wide use of capabilities (and through them the reduction of the need to have root do things). ACL support in ext2 (according to a post to the linux-kernel mailing list) was dropped in exchange for large file support. You can get patches for the kernel to support ACLs in other ways (often loading ALL ACLs into kernel memory). And, appart from running something like tripwire, how are you going to know if /etc/password gets opened in write mode? or if anything but login/pam (or whatever other program) opens /etc/shadow? Linux really needs to get these things into the official kernel. I want them! They're as important to me as firewalling. (sorry, I dont know enough C yet to write any of this within the next year or two ;)

NAT: Linux vs. W2k

[a.out]

Here's a question that's been bugging me for a while. What is the advantages of NAT in Linux and W2k for a home network? My friend who works at Microsoft want's to know what Linux NAT can do that W2k can't and I want to show him the light .. but I'm not that educated on the matter.

Is security a linux problem?

[dasunt]

I'm a linux "newbie", I have to admit. I have found that my lack of knowledge does seem to offend a significant section of the 31337 linux community. Unfortunately, until they develope a method if transmitting knowledge directly to the brain, my method of learning is going to continue to be installing a system (RH 6.2, since I have a disk handy), and playing with it until I understand what I'm doing.

Unfortunately, I believe my Win98 box with Zonealarm is probably more secure then my linux box at the moment. I'm not worried about my windows box being hacked anytime soon, but I do worry about my linux box. I'll admit, I don't know jack about linux security, and it isn't the easiest subject to pick up through self-teaching. Asking for help in the linux community gets mixed results, ranging from outright refusal (because I'm a newbie, remember), to those that seem a tad paranoid about security (what do you mean, I shouldn't be able to telnet into the box remotely?).

Therefore, I get mixed feelings about the usefulness of my linux box. I'm in love with the bash shell, (re)compiling programs is rather nifty, symlinks rock, and other attributes make linux fun to play and work with, but the security issue still scares me. My networking experience is limited to setting up a small LAN here and there, and I have no background in security. Trying to do research into the issue of linux security brings up plenty of FUD, out-of-date information, and information that assumes that I have more knowledge then I do. I am not an idiot, but I am ignorant. I need my information in small, easily digestable chunks, and based on the assumption that I know nothing. But I'm not finding any information in that format. Which means that my linux box I play with is still probably pretty insecure.

Re:Is security a linux problem?

[whydna]

there's a really good book that you can find online (at www.linuxdoc.org under the guides section) called "Securing and Optimizing Linux - Redhat Edition". It's a pretty big doc (pdf is about 5Mb, if I recall correctly, almost 500 pages too). It may be a tad more paranoid that you think. But between that guide and a normal basic-linux-commands-type book, I think you'd be on your way.

As for telnetting into your box remotely, that has to do with "sniffing". Basically, Evil People(tm) could watch all the traffic on your network connection and simply grab your username/password as you type it. But, if you're not analy paranoid, and/or you don't share a connection with other people, and/or you trust your ISP... you'll be fine. As for RedHat 6.2, be absolutely sure you grab the updated RPM for wu-ftpd (the ftp server), it has a commonly exploited hole.

From what you say, you don't sound like you need to be running things like, a web server, ftp server, dns server, nfs server, etc, etc. So, don't. The guide tells you how to disable all that stuff. Most of it is what gets you in trouble. Also, I highly recommend PortSentry from www.psionic.com. It's kinda like ZoneAlarm... it'll identify people that are trying to attack you (well, port scan at least), and block them from connecting. It works very well.

Good luck!

I want IP Personality

[whydna]

There was a project started some time ago called IP Personality. It was supposed to help hide from os fingerprinting (ala nmap). The project seems to be defunct now... which sucks... I was really looking forward to this. It used IP mangling to make your packets look like other OSs (such as Windows, amiga, etc).

Sure, it probably won't keep the real bad guys out forever, but it'll certainly throw off the script kiddies. If anybody knows the status of the project, or other similar projects, it'd be great to hear something.

IMHO Rusty's filtering HOWTO is very clear.

[korpiq]

http://netfilter.kernelnotes.org/unreliable-guides /packet-filtering-HOWTO/index.html

It's well written, short, to the point. What else would you need?