Linux firewall for network

Security — Firewall

The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering.

The kernel’s packet filtering system would be of little use to administrators without a userspace interface to manage it. This is the purpose of iptables: When a packet reaches your server, it will be handed off to the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it from userspace via iptables. Thus, iptables is all you need to manage your firewall, if you’re familiar with it, but many frontends are available to simplify the task.

ufw — Uncomplicated Firewall

The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user-friendly way to create an IPv4 or IPv6 host-based firewall.

ufw by default is initially disabled. From the ufw man page:

“ufw is not intended to provide complete firewall functionality via its command interface, but instead provides an easy way to add or remove simple rules. It is currently mainly used for host-based firewalls.”

The following are some examples of how to use ufw:

    First, ufw needs to be enabled. From a terminal prompt enter:

sudo ufw insert 1 allow 80 
sudo ufw allow proto tcp from 192.168.0.2 to any port 22 
 sudo ufw --dry-run allow http 
*filter :ufw-user-input - [0:0] :ufw-user-output - [0:0] :ufw-user-forward - [0:0] :ufw-user-limit - [0:0] :ufw-user-limit-accept - [0:0] ### RULES ### ### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 -A ufw-user-input -p tcp --dport 80 -j ACCEPT ### END RULES ### -A ufw-user-input -j RETURN -A ufw-user-output -j RETURN -A ufw-user-forward -j RETURN -A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT]: " -A ufw-user-limit -j REJECT -A ufw-user-limit-accept -j ACCEPT COMMIT Rules updated 

Note

If the port you want to open or close is defined in /etc/services , you can use the port name instead of the number. In the above examples, replace 22 with ssh.

This is a quick introduction to using ufw. Please refer to the ufw man page for more information.

ufw Application Integration

Applications that open ports can include an ufw profile, which details the ports needed for the application to function properly. The profiles are kept in /etc/ufw/applications.d , and can be edited if the default ports have been changed.

    To view which applications have installed a profile, enter the following in a terminal:

ufw allow from 192.168.0.0/24 to any app Samba 

Replace Samba and 192.168.0.0/24 with the application profile you are using and the IP range for your network.

Note There is no need to specify the protocol for the application, because that information is detailed in the profile. Also, note that the app name replaces the port number.

Not all applications that require opening a network port come with ufw profiles, but if you have profiled an application and want the file to be included with the package, please file a bug against the package in Launchpad.

Читайте также:  Install linux mint iso

IP Masquerading

The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading. Traffic from your private network destined for the Internet must be manipulated for replies to be routable back to the machine that made the request. To do this, the kernel must modify the source IP address of each packet so that replies will be routed back to it, rather than to the private IP address that made the request, which is impossible over the Internet. Linux uses Connection Tracking (conntrack) to keep track of which connections belong to which machines and reroute each return packet accordingly. Traffic leaving your private network is thus “masqueraded” as having originated from your Ubuntu gateway machine. This process is referred to in Microsoft documentation as Internet Connection Sharing.

ufw Masquerading

IP Masquerading can be achieved using custom ufw rules. This is possible because the current back-end for ufw is iptables-restore with the rules files located in /etc/ufw/*.rules . These files are a great place to add legacy iptables rules used without ufw, and rules that are more network gateway or bridge related.

The rules are split into two different files, rules that should be executed before ufw command line rules, and rules that are executed after ufw command line rules.

    First, packet forwarding needs to be enabled in ufw. Two configuration files will need to be adjusted, in /etc/default/ufw change the DEFAULT_FORWARD_POLICY to “ACCEPT”:

DEFAULT_FORWARD_POLICY="ACCEPT" 
net/ipv6/conf/default/forwarding=1 
# nat Table rules *nat :POSTROUTING ACCEPT [0:0] # Forward traffic from eth1 through eth0. -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE # don't delete the 'COMMIT' line or these nat table rules won't be processed COMMIT 

The comments are not strictly necessary, but it is considered good practice to document your configuration. Also, when modifying any of the rules files in /etc/ufw , make sure these lines are the last line for each table modified:

# don't delete the 'COMMIT' line or these rules won't be processed COMMIT 

For each Table a corresponding COMMIT statement is required. In these examples only the nat and filter tables are shown, but you can also add rules for the raw and mangle tables.

Note In the above example replace eth0, eth1, and 192.168.0.0/24 with the appropriate interfaces and IP range for your network.

sudo ufw disable && sudo ufw enable 

IP Masquerading should now be enabled. You can also add any additional FORWARD rules to the /etc/ufw/before.rules . It is recommended that these additional rules be added to the ufw-before-forward chain.

iptables Masquerading

iptables can also be used to enable Masquerading.

    Similar to ufw, the first step is to enable IPv4 packet forwarding by editing /etc/sysctl.conf and uncomment the following line:

net.ipv6.conf.default.forwarding=1 
sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE 
  • -t nat – the rule is to go into the nat table
  • -A POSTROUTING – the rule is to be appended (-A) to the POSTROUTING chain
  • -s 192.168.0.0/16 – the rule applies to traffic originating from the specified address space
  • -o ppp0 – the rule applies to traffic scheduled to be routed through the specified network device
  • -j MASQUERADE – traffic matching this rule is to “jump” (-j) to the MASQUERADE target to be manipulated as described above
sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT sudo iptables -A FORWARD -d 192.168.0.0/16 -m state \ --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT 
iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE 

Logs

Firewall logs are essential for recognizing attacks, troubleshooting your firewall rules, and noticing unusual activity on your network. You must include logging rules in your firewall for them to be generated, though, and logging rules must come before any applicable terminating rule (a rule with a target that decides the fate of the packet, such as ACCEPT, DROP, or REJECT).

Читайте также:  Virtualbox настройка гостевой linux

If you are using ufw, you can turn on logging by entering the following in a terminal:

To turn logging off in ufw, simply replace on with off in the above command.

If using iptables instead of ufw, enter:

sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 \ -j LOG --log-prefix "NEW_HTTP_CONN: " 

A request on port 80 from the local machine, then, would generate a log in dmesg that looks like this (single line split into 3 to fit this document):

[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0 

The above log will also appear in /var/log/messages , /var/log/syslog , and /var/log/kern.log . This behavior can be modified by editing /etc/syslog.conf appropriately or by installing and configuring ulogd and using the ULOG target instead of LOG. The ulogd daemon is a userspace server that listens for logging instructions from the kernel specifically for firewalls, and can log to any file you like, or even to a PostgreSQL or MySQL database. Making sense of your firewall logs can be simplified by using a log analyzing tool such as logwatch, fwanalog, fwlogwatch, or lire.

Other Tools

There are many tools available to help you construct a complete firewall without intimate knowledge of iptables. A command-line tool with plain-text configuration files:

References

  • The Ubuntu Firewall wiki page contains information on the development of ufw.
  • Also, the ufw manual page contains some very useful information: man ufw .
  • See the packet-filtering-HOWTO for more information on using iptables.
  • The nat-HOWTO contains further details on masquerading.
  • The IPTables HowTo in the Ubuntu wiki is a great resource.

Источник

How to configure a firewall on Linux with firewalld

Learn how to install, configure, and use firewalld to restrict or allow a computer’s access to services, ports, networks, subnets, and IP addresses.

Читайте также:  Удалил линукс grub rescue

Stop worrying and love systemd

Firewalld is an open source, host-based firewall that seeks to prevent unauthorized access to your computer. A firewall is usually a minimum requirement by any information security team at any modern organization, but it’s also a good idea for general computer use.

Training & certification

Firewalld can restrict access to services, ports, and networks. You can block specific subnets and IP addresses.

As with any firewall, firewalld inspects all traffic traversing the various interfaces on your system. The traffic is allowed or rejected if the source address network matches a rule.

Firewalld uses the concept of zones to segment traffic that interacts with your system. A network interface is assigned to one or more zones, and each zone contains a list of allowed ports and services. A default zone is also available to manage traffic that does not match any zones.

Firewalld is the daemon’s name that maintains the firewall policies. Use the firewall-cmd command to interact with the firewalld configuration.

Check the firewalld configuration

Before getting started, confirm that firewalld is running:

The output is either running or not running. To start your firewall if it’s not running, use systemctl :

$ sudo systemctl --enable --now firewalld

View zones

To view all zones on a system, use the —get-zones option:

$ sudo firewall-cmd --get-zones

To display the default zone, use —get-default-zone :

$ sudo firewall-cmd --get-default-zone

By default, if firewalld is enabled and running and in the public zone, all incoming traffic is rejected except SSH and DHCP.

Allow a port

To allow traffic from any IP through a specific port, use the —add-port option along with the port number and protocol:

$ sudo firewall-cmd --add-port=80/tcp

This rule takes effect immediately but only lasts until the next reboot. Add the —permanent flag to make it persistent:

$ sudo firewall-cmd --add-port=80/tcp --permanent

Reload firewalld

I prefer to reload my firewall after making changes. To reload firewalld and all permanent rules:

Add a service

There are predefined services you can allow through your firewall. To see all predefined services available on your system:

$ sudo firewall-cmd --get-services

For example, to add the HTTP service to your firewall permanently, enter:

$ sudo firewall-cmd --add-service=http --permanent $ sudo firewall-cmd --reload

IT Automation ebook

Specify traffic by subnet

You can assign traffic coming from a particular subnet to a specific zone (which allows specific ports and services, possibly unique to just that zone).

For example, to assign the network 172.16.1.0/24 to the internal zone and to allow the Jenkins service:

$ sudo firewall-cmd --zone=internal \ --add-source=172.16.1.0/24 --permanent $ sudo firewall-cmd --add-service=jenkins --permanent $ sudo firewall-cmd --reload

List ports and services

You can list all ports and services allowed in the default zone using the —list-all option:

To view all settings for all zones, use —list-all-zones :

$ sudo firewall-cmd --list-all-zones

Know your firewall

A good firewall is an essential feature on modern computer systems, and firewalld is one of the most convenient available. Its commands are intuitive and clear, and its ability to report useful descriptions of its policies makes it easy to understand. Review your firewall settings, and try out some firewall-cmd commands today.

Источник

Оцените статью
Adblock
detector