Host based firewalling under Linux
It seems that more and more people are now using Linux for their desktop machines. While I think that using Linux for the desktop is great, it also means that many end users may be exposing themselves to a good deal of attacks while out on the Internet. It is therefore important to ensure that these end users are as well protected as possible while connected to a generally unprotected and sometimes hostile network. The other major consideration is to make the firewalling on the users' machines liberal enough to allow the end user enough freedom to perform their work. Otherwise you'll wind up with a bunch of users who completely disable their firewalling because of unpleasant experiences.
If this can be accomplished, then the network itself will be better protected. In many environments, such as universities, this can dramatically reduce the threat from end-user machines that have been compromised and start attacking the servers within your environment. While host-based firewalling shouldn't be your only answer to security, it certainly can help when you cannot possibly take care of every workstation on the network. It is also important to keep patches up to date and to make sure unnecessary services are turned off and disabled.
As of the 2.4 series kernels, Linux has a brand new type of firewalling called NetFilter. There are significant advantages to NetFilter, the most prominent being connection tracking. Whereas in the 2.2 Linux kernels the userland firewalling tool was called ipchains, the tool now used is known as iptables. With iptables we can limit all incoming connections to the user's machine and then use connection tracking to keep state on all outgoing connections so that their replies may return unimpeded.
While this isn't necessarily the most secure way of firewalling I believe that it is a good balance between security and user's needs. At the end of the day it's my job to make sure that the network and systems are as secure as possible while making sure that everyone is still able to perform their job functions.
Since a good deal of our "new to Linux" users select Redhat and Mandrake as their distribution of choice, I'll describe how to ensure the iptables rules are set up within these distros. Users of other Linux distributions should be able to follow along without a problem. If you have any questions please feel free to email me.
The file `/etc/sysconfig/iptables` can be used to store the iptables rules that are currently in memory, so that when the machine is rebooted it is not necessary to retype the rules over and over again. Since this is a host and is not performing any routing, we will only need to deal with the INPUT and OUTPUT chains and not the FORWARD chain. As a matter of policy I always set the default policy to DROP, so that if I've missed anything in a ruleset the machine is a bit more protected than if I were to ALLOW everything by default. Remember that the default policy is applied last, so it acts as a catchall when none of the previous rules match the packet being examined.
The ruleset is defined as follows:

```sh
# Start by defining our default policies to drop everything
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP
#
# Make sure we can always talk on the loopback device
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
#
# Now let all connections outbound and keep state
/sbin/iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#
# Control what actually comes back into the host
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
#
# All done
```
After these commands are entered, and you're satisfied with them, you can use iptables-save to write them to a file so that you don't have to retype them each time. To get iptables to load the rules on boot, the following steps need to be performed:

```sh
/sbin/iptables-save > /etc/sysconfig/iptables
chkconfig --level 2345 iptables on
```
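The saved file is only as good as its contents: a ruleset that was saved with an ACCEPT policy, or after a stray rule accepting NEW inbound connections was added, is loaded without complaint on the next boot. The following script is an added example and is not from the original article or any distribution's init script. It writes the article's ruleset in the format that iptables-save produces and /etc/sysconfig/iptables holds, checks a saved file for the properties the article relies on before it is loaded, and only then hands the file to iptables-restore. The function names and the temporary path are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the original article. Function names and paths
# are assumptions made here, not anything the article or Redhat prescribes.

# Emit the article's ruleset in iptables-save format (what iptables-restore
# reads and what /etc/sysconfig/iptables contains). Policies are declared
# first; within each chain the order of -A lines is the order of evaluation,
# so loopback is accepted before state matching and INVALID is dropped last.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Sanity-check a saved ruleset file before loading it. Returns 0 when every
# default policy is DROP, loopback is accepted in both directions, no INPUT
# rule accepts the NEW state, and the table is terminated by COMMIT; returns
# 1 and prints the first problem found otherwise.
check_rules() {
    f="$1"
    for chain in INPUT OUTPUT FORWARD; do
        grep -q "^:$chain DROP " "$f" || { echo "policy for $chain is not DROP"; return 1; }
    done
    grep -q '^-A INPUT -i lo -j ACCEPT$' "$f" || { echo "loopback input not accepted"; return 1; }
    grep -q '^-A OUTPUT -o lo -j ACCEPT$' "$f" || { echo "loopback output not accepted"; return 1; }
    # An INPUT rule matching NEW and jumping to ACCEPT would let unsolicited
    # connections in, which is exactly what the article's ruleset avoids.
    if grep '^-A INPUT' "$f" | grep -- '--state [A-Z,]*NEW' | grep -q 'ACCEPT'; then
        echo "an INPUT rule accepts NEW connections"; return 1
    fi
    grep -q '^COMMIT$' "$f" || { echo "missing COMMIT"; return 1; }
    return 0
}

# Load a checked file with iptables-restore. This is the only step that
# touches the running firewall; it needs root and a real kernel.
apply_rules() {
    f="$1"
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    check_rules "$f" || return 1
    iptables-restore < "$f"
}
```

To use it on a Redhat-style host, run `gen_rules > /tmp/iptables.rules` (a path chosen for this example), then `check_rules /tmp/iptables.rules`, and as root `apply_rules /tmp/iptables.rules` followed by copying the file to /etc/sysconfig/iptables. `check_rules` is deliberately strict about INPUT accepting NEW: a host that later needs to expose a service should add that rule consciously, with a port match, rather than have it slip into the saved file unnoticed. iptables-restore replaces the whole table in one step, so there is no window with an empty or partial ruleset, unlike re-running the commands one by one.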
Hopefully that's all there is to firewalling your hosts. I would really like to hear how other people are accomplishing this and whether or not these rules work well in your environment. Any changes you can think of would be great as well.
Copyright © 2002