8.11. My Firewall Blocks My Internet Access
Linux firewalls can be difficult to configure, and the commands look complex. The iptables command is powerful, but it cannot hide the variety of risks that Internet-connected systems face. Therefore, a customized firewall that still allows the users on your network the access they need can easily run to dozens of commands.
This annoyance includes a basic overview of the current iptables firewall tool. There are many good sources for additional information, including Purdy's Linux iptables Pocket Reference (O'Reilly). One interesting iptables web site is Ziegler's Linux Firewall and Security Site at http://www.linux-firewall-tools.com/linux, which can help you customize a firewall.
In this annoyance, we'll review the basics of iptables, show you how to rate-limit the ping floods loosely known as the "ping of death," and, finally, review the firewall configuration tools from Red Hat/Fedora, SUSE, and Debian. If you use these tools to configure your firewall, you should have no problems accessing the Internet from within your network.
8.11.1. Basic iptables Commands
Before you're overwhelmed with iptables commands, it's time for a quick review. There is a basic format associated with iptables:
iptables -t table option pattern -j target
The -t option selects a table. The two you'll use most are filter, the default, which decides whether packets are accepted, dropped, or rejected, and nat, which rewrites addresses for Network Address Translation. (The mangle and raw tables also exist, for altering packet headers and for exempting traffic from connection tracking, but a home or small-office firewall rarely needs them.)
I'll start by describing a basic masquerading command, which can help you configure a private network for your LAN. Then I'll illustrate one basic command that you can use to block traffic. Because you may not want to block all traffic from outside your network, I'll show you how you can let through one specific type of traffic. Finally, I'll show you the command that can help you fight the so-called "ping of death." Naturally, these commands are rich and complex; for more information, see the references described at the start of this annoyance.
A proper iptables -t nat command allows IP addresses on one side of a firewall, even private IP addresses, to masquerade as a different address. For example, the following command lets the computers on the private 192.168.0.0/24 network appear on the Internet as the IP address assigned to eth1, the interface that connects this computer to the outside world:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE
The other computers on the 192.168.0.0/24 network should be connected to a different network device, such as eth0. Masquerading alone doesn't turn the computer into a gateway: the kernel also has to be told to forward packets between interfaces (net.ipv4.ip_forward = 1, set with sysctl or by writing 1 to /proc/sys/net/ipv4/ip_forward), and the FORWARD chain has to let the traffic through, because a forwarded packet passes through FORWARD before it ever reaches the POSTROUTING rule.
In contrast, the following iptables command rejects every TCP connection attempt made to this computer, arriving on any interface, so it locks out your LAN as well as the Internet unless an earlier rule accepts the LAN:
iptables -A INPUT -p tcp --syn -j REJECT
You can also affect traffic going to the outside network:
iptables -A OUTPUT -p tcp --syn -j REJECT
Or block traffic going through your computer as a gateway:
iptables -A FORWARD -p tcp --syn -j REJECT
These commands match the first packet of a TCP handshake, the one with only the SYN flag set (--syn is shorthand for --tcp-flags SYN,RST,ACK,FIN SYN), so they stop new connections without touching packets of connections already under way. Such traffic is rejected with an error message to the sender: an ICMP port-unreachable by default, or a TCP reset if you add --reject-with tcp-reset, which TCP clients handle more gracefully. You can block UDP the same way with -p udp, although there is no --syn for UDP, since it has no handshake. If you'd rather let the sender's connection attempt hang than tell it anything, replace REJECT with DROP.
8.11.1.1. Letting traffic through
Naturally, if you want to make any sort of connection, you'll want to let some traffic through your firewall. For example, the following command accepts (-j ACCEPT) UDP packets coming from port 53 (--sport 53) on the DNS server at 192.168.0.1, that is, the replies to your DNS lookups, whatever their destination address (-d 0/0 matches everything and could be omitted):
iptables -A INPUT -p udp -m udp -s 192.168.0.1 --sport 53 -d 0/0 -j ACCEPT
Remember that rules are checked in order and the first match wins, so a rule like this has to come before any rule that rejects everything, or it never gets a chance to match. Note also that the rule matches only on source address and port, so anything able to spoof packets from 192.168.0.1 port 53 gets through too; a stateful rule (-m state --state ESTABLISHED) that accepts only replies to requests this host actually sent is tighter.
8.11.1.2. Stopping the "ping of death"
One older but still common attack on the Internet is the so-called "ping of death." Strictly speaking, the original ping of death of the mid-1990s was a single oversized ICMP packet that crashed unpatched TCP/IP stacks, a bug long since fixed; what people usually mean by the name today, and what this section defends against, is a ping flood: so many echo requests that a web server slows or even stops responding to legitimate requests. Either way, it's one of many possible DoS attacks. For more information, see http://www.attrition.org/security/denial. Stopping all DoS attacks is well beyond the scope of this book.
Generally, you do not want to stop others from using ping on your web site. The ping command is an important test of connectivity. If an administrator can't test connectivity to your site with a ping, she may assume, incorrectly, that your site and associated computers are down. She may then look for alternatives.
You can blunt ping floods by using your firewall to regulate the rate at which your computer accepts ping requests. The following command is one example; it accepts ping requests at an average rate of one per second (the limit match also allows an initial burst, five packets by default, adjustable with --limit-burst):
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
Note the --limit option: -m limit on its own does not take the rate. By itself this rule only accepts the pings within the limit. The pings over the limit don't match it and fall through to the rest of the chain, so if the INPUT chain's default policy is ACCEPT they get in anyway. Follow it with a second rule, identical except that it has no -m limit and ends in -j DROP, so that whatever the limit rule didn't accept is discarded. If you're having trouble and are willing to stop ping completely, delete the limit rule and keep only the one that ends in -j REJECT (or -j DROP). If you administer a web site on the Internet, it's important to test how your system behaves under a ping flood. You can do so with the ping -f computername command, which must be run as root and should be pointed only at computers you administer; watch how quickly replies come back once the limit kicks in.
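The pieces of this section (masquerading, a default-deny INPUT chain, the DNS exception, the SYN reject, and the ping limit with the drop rule that makes it bite) fit together into one ruleset. The following script is an added example, not code from the book: it writes the combined rules in the iptables-save format that iptables-restore loads in one atomic step, and can check and apply them. The interface names and addresses follow the commands above (eth0 facing the LAN, eth1 facing the Internet, 192.168.0.0/24 as the LAN, 192.168.0.1 as the DNS server) and are assumptions you can override with environment variables; everything else in it is mine.

```shell
#!/bin/sh
# Added example, not code from the book: assemble the rules from this
# section into one ruleset in iptables-save format. "print" writes it to
# stdout, "check" verifies the ping-limit caveat, "apply" loads it with
# iptables-restore (needs root). Interfaces and addresses are assumptions:
LAN_IF="${LAN_IF:-eth0}"                 # assumed inside (LAN) interface
WAN_IF="${WAN_IF:-eth1}"                 # assumed outside (Internet) interface
LAN_NET="${LAN_NET:-192.168.0.0/24}"     # assumed private LAN
DNS_SERVER="${DNS_SERVER:-192.168.0.1}"  # assumed local DNS server

# Emit the ruleset. Lines starting with '#' are comments to iptables-restore.
gateway_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# LAN hosts leave through $WAN_IF wearing its address
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# ping: accept 1/s (after a burst of 5); the DROP right after it is what
# makes the limit bite, otherwise excess pings fall through to later rules
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
# DNS replies from the local server (the stateless form shown in the text)
-A INPUT -p udp -s $DNS_SERVER --sport 53 -j ACCEPT
# SSH, but only from the LAN side
-A INPUT -i $LAN_IF -p tcp --dport 22 --syn -j ACCEPT
# anything else: new TCP gets a reset, the rest an ICMP unreachable
-A INPUT -p tcp --syn -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# gateway traffic: LAN out, only replies back in
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Check that the echo-request limit rule is immediately followed by a rule
# dropping the echo-requests it did not accept; returns 0 if so, 1 if not.
ping_limit_ok() {
  gateway_ruleset | awk '
    found && !checked { checked = 1; ok = (/echo-request/ && /-j DROP/) }
    /echo-request/ && /--limit/ && /-j ACCEPT/ { found = 1 }
    END { exit ((found && ok) ? 0 : 1) }'
}

apply_ruleset() {
  [ "$(id -u)" -eq 0 ] || { echo "apply: run as root" >&2; return 1; }
  # MASQUERADE only helps if the kernel forwards packets between interfaces
  sysctl -w net.ipv4.ip_forward=1 >/dev/null
  # iptables-restore replaces the whole ruleset atomically, so a half-loaded
  # firewall never exposes the host
  gateway_ruleset | iptables-restore
}

case "${1:-}" in
  print) gateway_ruleset ;;
  check) ping_limit_ok && echo "ok: ping limit is followed by a drop rule" ;;
  apply) apply_ruleset ;;
  "")    ;;   # run without arguments: define the functions only
  *)     echo "usage: $0 print|check|apply" >&2; exit 2 ;;
esac
```

Run it as `sh gateway.sh print` to inspect the ruleset, `sh gateway.sh check` to confirm the ping rules are in the right order, and `sudo sh gateway.sh apply` to load it. The output of `print` is the same format that Red Hat's tool stores in /etc/sysconfig/iptables, so it can also be saved there on a Red Hat or Fedora system.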
8.11.2. Red Hat/Fedora
Starting with Red Hat Enterprise Linux 3 and Fedora Core 1, Red Hat has helped users configure a default firewall with the Security Level Configuration tool, which you can start from a terminal in the GUI with the system-config-securitylevel command (redhat-config-securitylevel through Red Hat Enterprise Linux 3).
As you can see in Figure 8-5, Red Hat's tool allows you to configure:
Figure 8-5. Red Hat Security Level Configuration tool
The result is saved in /etc/sysconfig/iptables, in the format written by iptables-save and read by iptables-restore, which the iptables service loads at boot. If you want to enable additional services through the firewall, you can edit this file manually and reload it with service iptables restart, despite the warning at the top of the version of this file created with the Security Level Configuration tool. Keep any rule you add above the catch-all REJECT rule at the end of the chain, since rules are matched in order.
If you want to allow other services through your firewall, you'll need the appropriate port numbers and protocols (TCP or UDP). They're listed on most Linux distributions in /etc/services.
8.11.3. SUSE
Naturally, SUSE includes its firewall configuration tool as part of YaST. Start YaST, and you can access this tool under Security and Users, then Firewall.
The SUSE firewall configuration tool starts by asking you to define your network devices as internal and external interfaces. SUSE assumes that you'll apply the firewall only to the external interface. Next, this tool displays the screen shown in Figure 8-6, where SUSE allows you to customize your firewall.
Figure 8-6. Customizing a firewall in SUSE YaST
YaST saves the firewall settings as variables in /etc/sysconfig/SuSEfirewall2, not as raw iptables commands; the SuSEfirewall2 script turns those variables into iptables rules when it starts. Read the file carefully; it includes comments that can help you further customize your firewall.
8.11.4. Debian
While Debian uses the standard iptables command to configure firewalls, the distribution also supports a wide variety of front-end tools. Try them out, but be careful to install only one of them on a production system. Otherwise, you may end up with a firewall assembled from several different configuration files, whose combined effect is hard to predict.
If you're familiar with slightly older versions of Red Hat Linux, you can install a familiar tool, lokkit, with the following command:
apt-get install lokkit gnome-lokkit
Once it's installed, run lokkit from the command line. Look at the labels: Debian ships a tool originally developed by Red Hat, which is no surprise, as lokkit was released under an open source license. Alternatively, you can start the GNOME frontend with the gnome-lokkit command. The result is stored in /etc/default/lokkit.
A simple search for Debian firewall tools reveals others, including:
Figure 8-7. The Guarddog firewall tool