A Basic Firewall Script, Linux as a Workstation

an article added by: Philip A Clare at 04092007



So far, we've learned mostly about the usage of iptables filtering options. I will now build up a small firewall script that I think should be default when installing any Linux distribution.
By default, all Linux distributions have the default policy ACCEPT on all filter chains. Also, on a default installation, most Linux distributions leave a lot of services running. If you install an old Linux distribution and decide to go for lunch after you have just booted up without any firewall and with a public IP address, chances are good that by the time you've eaten your soup, a rootkit is already installed on your computer.
Let's take a look at the following simple script:

#!/bin/bash
#assign variable $IPT with the iptables command
IPT=/sbin/iptables
#set policies on each chain
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT #default, but set it anyway
#flush all rules in the filter table
$IPT -F
#allow traffic on the loopback interface
$IPT -A INPUT -i lo -j ACCEPT
#allow icmp traffic
$IPT -A INPUT -p icmp -j ACCEPT
#allow incoming DNS traffic
$IPT -A INPUT -p udp --sport 53 -j ACCEPT
#allow established TCP connections
$IPT -A INPUT -p tcp ! --syn -j ACCEPT

So, what we did here was to set the INPUT and FORWARD chains policy to DROP. The OUTPUT chain policy is set to ACCEPT, which is the default policy for this chain.
We will not append any rules in the FORWARD chain because this is a personal computer and not a router, and so the forwarding will be off. We will also not append any rules in the OUTPUT chain—anything we originate is OK.
Next, we flush all existing rules out from the filter table. At this point, nothing really works. Some applications use TCP/IP connections on the loopback interface; so it's safe to allow packets that come in on the interface "lo".
We learned about ICMP attacks in Article 2. However, it is my opinion that ICMP should be allowed. Filtering ICMP will not allow you to test your internet connection using ping, traceroute, mtr, etc., and also path MTU discovery will not work, which is a very important protocol in many cases.

DNS responses use the UDP protocol and source port 53. Keep in mind that the line:

$IPT -A INPUT -p udp --sport 53 -j ACCEPT

is a potential security breach. We left it like this because we earlier stated that this is what we think the default firewall should look like. However, if you're not running a DNS server (which is not recommended for a personal computer), accept incoming UDP connections with source port 53 only from your provider's DNS servers (the ones you have in /etc/resolv.conf). For example, if the provider's DNS servers are 1.1.1.1 and 1.1.2.1, replace the earlier line with:

$IPT -A INPUT -s 1.1.1.1 -p udp --sport 53 -j ACCEPT
$IPT -A INPUT -s 1.1.2.1 -p udp --sport 53 -j ACCEPT

This way, you will be safer.


The last thing we need for our internet connection to work is to allow incoming TCP traffic for already established TCP connections. Better phrased, deny any incoming TCP traffic that doesn't belong to a TCP connection that this computer initiated (deny TCP SYN packets).
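The following script is an added example, not the article's own code: it emits the workstation ruleset described above, but with the broad "--sport 53" rule replaced by one rule per IPv4 resolver read from a resolv.conf-style file, so the DNS exception is as narrow as the text recommends. The function names and the sample resolv.conf are this example's own; nothing here calls iptables, the printed commands are meant to be reviewed and then run as root.

```shell
#!/bin/sh
# Added example (not from the original article). Prints, rather than
# executes, the workstation ruleset with per-resolver DNS rules.
IPT=${IPT:-/sbin/iptables}

# Print one ACCEPT rule per "nameserver <IPv4>" line in the given file.
# Comments, "search"/"options" lines and IPv6 resolvers are skipped, so
# only the listed IPv4 resolvers get an inbound UDP source-port-53 rule.
dns_rules_from_resolv() {
    sed -n 's/^[[:space:]]*nameserver[[:space:]]\{1,\}\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\)[[:space:]]*$/\1/p' "$1" |
    while read -r ip; do
        printf '%s -A INPUT -s %s -p udp --sport 53 -j ACCEPT\n' "$IPT" "$ip"
    done
}

# Print the complete ruleset: policies first, then flush, then the
# accept rules in the same order as the article's script.
workstation_rules() {
    printf '%s -P INPUT DROP\n' "$IPT"
    printf '%s -P FORWARD DROP\n' "$IPT"
    printf '%s -P OUTPUT ACCEPT\n' "$IPT"
    printf '%s -F\n' "$IPT"
    printf '%s -A INPUT -i lo -j ACCEPT\n' "$IPT"
    printf '%s -A INPUT -p icmp -j ACCEPT\n' "$IPT"
    dns_rules_from_resolv "$1"
    # Only TCP packets that are not a bare SYN, i.e. that belong to a
    # connection this host opened, are let in.
    printf '%s -A INPUT -p tcp ! --syn -j ACCEPT\n' "$IPT"
}

# Constructed sample resolv.conf for demonstration (hypothetical values).
SAMPLE_RESOLV=$(mktemp)
cat > "$SAMPLE_RESOLV" <<'EOF'
# constructed sample; not a real resolver configuration
search example.test
nameserver 1.1.1.1
nameserver 1.1.2.1
nameserver fe80::1
options timeout:2
EOF

workstation_rules "$SAMPLE_RESOLV"
```

Run it against the real /etc/resolv.conf with `workstation_rules /etc/resolv.conf` and pipe the output to sh only after checking it.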


iproute2 and Traffic Control

iproute2 is a software package that provides various tools for advanced routing, tunnels, and traffic control.
iproute2 was originally designed by Alexey Kuznetsov, is well known for implementing QoS in Linux kernels, and is now maintained by Stephen Hemminger. The primary site for iproute2 is http://linux-net.osdl.org/index.php/Iproute2 and its main documentation site is http://www.lartc.org.
The most important tools that iproute2 provides are ip and tc.
Network Configuration: "ip" Tool

The ip tool provides most of the networking configuration a Linux box needs. You can configure interfaces, ARP, policy routing, tunnels, etc.
Now, with IPv4 and IPv6, ip can do pretty much anything (including a lot that we don't need in our particular situations). The syntax of ip is not difficult, and there is a lot of documentation on this subject. However, the most important thing is knowing what we need and when we need it.
First of all, ip is the main tool we need for dynamic routing protocols (BGP, OSPF, and RIP) on Linux provided by Zebra, which will be discussed later in this article.
Let's have a look at the ip command help to see what ip knows:

root@router:~# ip help

The ip link command shows the network devices' configuration, which can be changed with ip link set. This command modifies a device's properties, not its IP address.
The IP addresses can be configured using the ip addr command. This command can be used to add a primary or secondary (alias) IP address to a network device (ip addr add), to display the IP addresses for each network device (ip addr show), or to delete IP addresses from interfaces (ip addr del). IP addresses can also be flushed using different criteria, e.g. ip addr flush dynamic will flush all routes added to the kernel by a dynamic routing protocol.
Neighbor/ARP table management is done using ip neighbor, which has a few aptly named commands: add, change, replace, delete, and flush.
ip tunnel is used to manage tunneled connections. Tunnels can be gre, ipip, and sit. We will include an example later in the article on how to build IP tunnels.
The ip tool offers a way for monitoring routes, addresses, and the states of devices in real-time. This can be accomplished using ip monitor, rtmon, and rtacct commands included in the iproute2 package.
One very important and probably the most used object of the ip tool is ip route, which can do any operations on the kernel routing table. It has commands to add, change, replace, delete, show, flush, and get routes.
One of the things iproute2 introduced to Linux that ensured its popularity was policy routing. This can be done using ip rule and ip route in a few simple steps.

Traffic Control: tc

The tc command allows administrators to build different QoS policies in their networks using Linux instead of very expensive dedicated QoS machines. Using Linux, you can implement QoS in all the ways any dedicated QoS machine can and even more. Also, one can make a bridge using a good PC running Linux that can be transformed into a very powerful and very cheap dedicated QoS machine.
For that, QoS support must be configured in the Linux kernel (CONFIG_NET_QOS="Y" and CONFIG_NET_SCHED="Y").

Classless Queuing Disciplines (Classless qdiscs)

Classless qdiscs are the simplest ones because they only accept, drop, delay or reschedule data. They can be attached to one interface and can only shape the entire interface.

There are several qdisc implementations on Linux, most of them included in the Linux kernel.

  1. FIFO (pfifo and bfifo): The simplest qdisc, which functions by the First In, First Out rule. FIFO algorithms have a queue size limit (buffer size), which can be defined in packets for pfifo or in bytes for bfifo.
  2. pfifo_fast: The default qdisc on all Linux interfaces. It's important to know how pfifo_fast works; so we'll explain it soon.
  3. Token Bucket Filter (tbf): A simple qdisc that is perfect for slowing down an interface to a specified rate. It can allow short bursts over the specified rate and is very processor friendly.
  4. Stochastic Fair Queuing (SFQ): One of the most widely used qdiscs. SFQ tries to fairly distribute the transmitting data among a number of flows.
  5. Enhanced Stochastic Fair Queuing (ESFQ): Not included in the Linux kernel, it works in the same manner as SFQ with the exception that the user can control more of the algorithm's parameters such as depth (flows) limit, hash table size options (hardcoded in original SFQ) and hash types.
  6. Random Early Detection and Generic Random Early Detection (RED and GRED): qdiscs suitable for backbone data queuing, with data rates over 100 Mbps.

There are more qdiscs than the ones I have stated here. However, from my experience, SFQ and ESFQ do a great job, and are the qdiscs that I have got the best results with.
As I said earlier, the default qdisc on Linux for all interfaces is pfifo_fast. Normally, one would think that this is just like pfifo, meaning there is a buffer and packets pass through the buffer using the First In First Out rule. Actually, it's not quite true. pfifo_fast has 3 bands—0, 1, and 2—in which packets are placed according to their TOS byte. Packets are sent out from those bands as follows:

  1. Packets in the 0 band have the highest priority
  2. Packets in the 1 band are sent out only if there aren't any packets in the 0 band
  3. Packets in the 2 band have the lowest priority and are sent out only if there aren't any packets in the 0 and 1 bands.

It's important to know this because this can be a way to optimize how packets travel through the network interfaces of our Linux routers.
