Section 9.4. iptables


iptables is the name of the standard Linux firewall. A firewall limits incoming network connections to your machine by blocking or limiting traffic to certain network ports; this makes it impossible for a cracker to connect to a port that a system administrator hasn't left open. Firewall configuration can be very complex, but fortunately there are some graphical tools that make the process considerably simpler.

You're already familiar with the Security Level Configuration tool, which includes a simple GUI for editing the iptables configuration, but it's not really appropriate for setting up complex firewall rules. Here, we'll take a look at Firestarter, a more advanced iptables configuration tool.

9.4.1. Firestarter

Firestarter is available for download with yum in Fedora Core 4; just enter yum install firestarter at the command line.

9.4.2.1. Setting Up Firestarter

Once Firestarter is installed, you can run the program by accessing Applications > System Tools > Firestarter. When you launch Firestarter, you'll be asked if you want to run the program with administrative privileges (that is, run it as root), or run it without privileges, as the dialog in Figure 9-1 shows. Firestarter will not run correctly without root permission, so you'll need to run it with administrative privileges.

Figure 9-1. The Firestarter Query dialog.


Firestarter's initial configuration is achieved using the wizard shown in Figure 9-2.

Figure 9-2. The first screen of the Firestarter Firewall Wizard.


The wizard is very helpfully put together, and explains exactly what it is you're configuring at each step. Options and checkboxes are accompanied by explanatory tooltips that appear when you hover your cursor over them.

In the next configuration screen of the wizard, shown in Figure 9-3, the network card has been correctly detected. Firestarter now needs to be told whether or not it should get the network card's IP address from DHCP.

Figure 9-3. The second screen of the Firestarter Firewall Wizard.


The next screen of the wizard, depicted in Figure 9-4, allows you to share your connection to the Internet. Since this machine is a LAMP server, it's not acting as a gateway (you may well have a gateway machine, but this LAMP server should not be it), so leave Enable Internet connection sharing unchecked and move on.

The configuration wizard then completes, giving you the option to start the firewall now, shown in Figure 9-5; check the box and click Save.

Figure 9-4. The third screen of the Firestarter Firewall Wizard.


Figure 9-5. The final screen of the Firestarter Firewall Wizard.


9.4.2.2. Using Firestarter

Firestarter's main window has three tabs: Status, Events, and Policy. Status and Events are for monitoring the firewall; they show whether it is currently enabled, which network traffic it has blocked, and so on. Policy displays the existing firewall rules, and allows you to configure new ones. By looking at the policy screen shown in Figure 9-6, we can see that no rules are currently defined, so all traffic is blocked.

Figure 9-6. The Firestarter Policy screen.


If you try to log into the computer via SSH or load up the Website hosted on this computer, the blocked requests will be listed in the Events screen, as shown in Figure 9-7.

Figure 9-7. The Firestarter Events screen.



Note: Firestarter will only display connection requests, not existing connections. This means that existing SSH connections won't be terminated, but new SSH sessions won't be allowed until you explicitly allow them.

The easiest way to allow these blocked connections is to right-click on the blocked connection and select either Allow Connections From Source, Allow Inbound Service for Everyone, or Allow Inbound Service for Source.

For example, you may only want to allow SSH connections from a particular IP address. To allow this, locate a blocked SSH connection from this IP address, right click and select Allow Inbound Service for Source. Similarly, you'll probably want to allow HTTP requests from any address; locate an HTTP request, right click on it and select Allow Inbound Service for Everyone. As you define rules using this method, they will appear in the Policy screen, which you can use to manage your rules.


Warning: Be very careful if you're configuring the firewall on a machine remotely from a different computer, since a mistake in firewall configuration can lock out the remote connection, leaving you unable to connect back to the server to correct the mistake!

There are two types of rules that apply to incoming connections: those that allow connections only from certain machines (allow all connections from your main desktop machine, for example), which are displayed in the top half of the window, and those that allow connections only to certain ports (such as port 80 for Web servers), which are displayed in the bottom half of the window. This second type can be restricted to allow connections to a certain port from a certain address, too.

Figure 9-8. The Add new inbound rule dialog.


Let's add a rule to allow all connections to port 80. Click the bottom white area, and then click the Add Rule button to bring up the Add new inbound rule dialog shown in Figure 9-8.

Enter the port number, 80, in the Port box. Firestarter will then attempt to guess which service you mean; in this case, it will correctly write HTTP in the Name box. You could change the name of this port, but that's not recommended for standard ports. You want to allow connections to this newly opened port from anywhere, so leave Anyone selected. Add a comment if you feel one is required, and click Add. Figure 9-9 shows that the rule has been added.

Figure 9-9. The new rule has been added.


Now imagine you need a second rule, because you want to be able to connect to this machine from your home computer in order to administer it. Your home computer has the address mymac.yourisp.net. Click the white area in the top half of the window and click Add Rule again, which will bring up the Add new inbound rule dialog.

Once you have successfully added all the rules you require, as shown in Figure 9-10, you must remember to click Apply Policy to put the rules into effect.
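For readers who want to see what Firestarter is producing underneath, the following added example (not from the book or the Firestarter project) prints the iptables commands equivalent to the policy built above: default-deny inbound, connections that are already established kept alive (the behaviour the Note describes), HTTP open to Anyone, and SSH restricted to one administrative host. It also adds the check the Warning asks for, refusing to apply rules that would cut off the SSH session used to apply them; the host name and the addresses in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the book: the iptables commands that correspond to
# the Firestarter policy built in this section. firestarter_policy only prints
# the commands; apply_policy runs them (as root) after a lockout check.

# firestarter_policy ADMIN_HOST
# ADMIN_HOST is assumed to be the address of the machine you administer the
# server from (mymac.yourisp.net in the text; an IP address is safest here).
firestarter_policy() {
    admin_host="$1"
    # Start from an empty INPUT chain with a default-deny policy. Firestarter
    # leaves outbound traffic open, so OUTPUT is not touched.
    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    # Loopback is always allowed.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Packets of connections that are already established keep flowing: this
    # is why an existing SSH session survives (see the Note above) while new
    # sessions are dropped until a rule allows them.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Service rule open to Anyone: HTTP on port 80 (Figure 9-9).
    echo "iptables -A INPUT -p tcp --dport 80 -j ACCEPT"
    # Service rule restricted to one source: SSH only from the admin host.
    echo "iptables -A INPUT -p tcp -s $admin_host --dport 22 -j ACCEPT"
}

# lockout_check ADMIN_HOST [CLIENT_ADDR]
# Returns 0 if the policy would still let CLIENT_ADDR (default: the address of
# the current SSH session, taken from $SSH_CLIENT) reach port 22, 1 otherwise.
# An empty CLIENT_ADDR means a local console session, which cannot be locked out.
lockout_check() {
    admin_host="$1"
    client="${2-${SSH_CLIENT%% *}}"
    [ -z "$client" ] && return 0
    firestarter_policy "$admin_host" \
        | grep -q -- "-s $client --dport 22 -j ACCEPT"
}

# apply_policy ADMIN_HOST: refuse to apply rules that would cut the session
# used to apply them (the mistake the Warning above describes).
apply_policy() {
    lockout_check "$1" || {
        echo "refusing: the policy for $1 would lock out this session" >&2
        return 1
    }
    firestarter_policy "$1" | sh -e
}
```

Run `firestarter_policy mymac.yourisp.net` on its own to review the rules before letting `apply_policy` execute them as root.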

Figure 9-10. Adding a new rule to the new inbound rule dialog.





Run Your Own Web Server Using Linux & Apache
ISBN: 0975240226
Year: 2006
Pages: 92