Section 8.11. My Firewall Blocks My Internet Access


8.11. My Firewall Blocks My Internet Access

Linux firewalls can be difficult to configure. The commands appear complex. While the iptables command is powerful, it cannot hide the complexity of risks that Internet-connected systems face. Therefore, customized firewalls that allow users on your network the access they desire can include dozens of commands.

This annoyance includes a basic overview of the current iptables firewall tool. There are many good sources for additional information, including Purdy's Linux iptables Pocket Reference (O'Reilly). One interesting iptables web site is Ziegler's Linux Firewall and Security Site at http://www.linux-firewall-tools.com/linux, which can help you customize a firewall.

In this annoyance, we'll review the basics of iptables, show you how to prevent the "ping of death," and, finally, review the firewall configuration tools from Red Hat/Fedora, SUSE, and Debian. If you use these tools to configure your firewall, you should have no problems accessing the Internet from within your network.

8.11.1. Basic iptables Commands

Before you're overwhelmed with iptables commands, it's time for a quick review. There is a basic format associated with iptables:

 iptables -t table option pattern -j target 

There are two basic alternatives for a table in the -t option: nat and filter. A nat table is associated with Network Address Translation. The default is filter.

I'll start by describing a basic masquerading command, which can help you configure a private network for your LAN. Then I'll illustrate one basic command that you can use to block traffic. Because you may not want to block all traffic from outside your network, I'll show you how you can let through one specific type of traffic. Finally, I'll show you the command that can help you fight the so-called "ping of death." Naturally, these commands are rich and complex; for more information, see the references described at the start of this annoyance.

8.11.1.1. Masquerading

A proper iptables -t nat command allows IP addresses on one side of a firewall, even private IP addresses, to masquerade as a different address. For example, the following command allows the computers on a private 192.168.0.0/24 network to masquerade as the IP address associated with eth1. In this case, eth1 is configured as the NIC that represents your LAN on outside networks such as the Internet.

 iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth1 -j MASQUERADE 

The other computers on the 192.168.0.0/24 network should be connected to a different network device, such as eth0.

8.11.1.2. Blocking

In contrast, the following iptables command rejects all TCP-based connection requests from outside the network:

 iptables -A INPUT -p tcp --syn -j REJECT 

You can also affect traffic going to the outside network:

 iptables -A OUTPUT -p tcp --syn -j REJECT 

Or block traffic going through your computer as a gateway:

 iptables -A FORWARD -p tcp --syn -j REJECT 

These commands reject TCP connection requests that expect an acknowledgment, which are indicated here as a synchronous (--syn) reply. Such traffic is rejected with a message to the sender. You can also reject UDP traffic. If you're willing to let the message hang for the sender, you can replace REJECT with DROP.

8.11.1.3. Letting traffic through

Naturally, if you want to make any sort of connection, you'll want to let some traffic through your firewall. For example, the following command accepts (-j ACCEPT) DNS traffic (--sport 53) from a server on 192.168.0.1, to any destination address (-d 0/0):

 iptables -A INPUT -p udp -m udp -s 192.168.0.1 --sport 53 \          -d 0/0 -j ACCEPT 

8.11.1.4. Stopping the "ping of death"

One older but still common attack on the Internet is the so-called "ping of death." It's a ping command configured in a "flood" so severe that it slows or even stops a web server from responding to legitimate requests. Thus, it's one of many possible DoS attacks. For more information, see http://www.attrition.org/security/denial. Stopping all DoS attacks is well beyond the scope of this book.

Generally, you do not want to stop others from using ping on your web site. The ping command is an important test of connectivity. If an administrator can't test connectivity to your site with a ping, she may assume, incorrectly, that your site and associated computers are down. She may then look for alternatives.

You can prevent ping floods by using your firewall to regulate the rate at which your computer accepts ping requests. The following command is one example, which limits ping commands to one per second.

 iptables -A INPUT -p icmp --icmp-type echo-request -m limit 1/s -j ACCEPT 

If you're having trouble and are willing to stop ping commands completely, you can delete the limit and change -j ACCEPT to -j REJECT. If you administer a web site on the Internet, it's important to test a ping flood on your system. You can do so with the ping -f computername command.

Do not test the ping -f command on someone else's web site. You could flood that web site with packets. In some jurisdictions, there may be legal consequences.


8.11.2. Red Hat/Fedora

Starting with Red Hat Enterprise Linux 3 and Fedora Core 1, Red Hat helped users to configure a default firewall with the Security Level Configuration tool, which you can start from a GUI command line with the system-config-securitylevel command (redhat-config-securitylevel through Red Hat Enterprise Linux 3).

As you can see in Figure 8-5, Red Hat's tool allows you to configure:


Trusted devices

These are NICs on which the firewall does not block any traffic. It's common to designate an internal network device on a gateway computer as a trusted device. The firewall you create would then block trouble from an outside network such as the Internet.


Trusted services

A trusted service is one that you want to make available through the firewall. As shown in Figure 8-5, you can select some common services.

Figure 8-5. Red Hat Security Level Configuration tool


The result is saved in /etc/sysconfig/iptables. If you want to enable additional services through the firewall, you can edit this file manually, despite the warning in the version of this file created with the Security Level Configuration tool.

If you want to allow other services through your firewall, you'll need the appropriate TCP/IP port numbers. They're available on most Linux distributions in /etc/services.

8.11.3. SUSE

Naturally, SUSE includes its firewall configuration tool as part of YaST. Start YaST, and you can access this tool under the Security and Users Firewall menu.

The SUSE firewall configuration tool starts by asking you to define your network devices as internal and external interfaces. SUSE assumes that you'll apply the firewall only to the external interface. Next, this tool displays the screen shown in Figure 8-6, where SUSE allows you to customize your firewall.

Figure 8-6. Customizing a firewall in SUSE YaST


YaST saves the firewall commands in /etc/sysconfig/SuSEfirewall2. Read it carefully; it includes comments that can help you further customize your firewall.

8.11.4. Debian

While Debian uses the standard iptables command to configure firewalls, the distribution also supports a wide variety of tools. Try them out, but be careful to install only one on your system for production use. Otherwise, you may end up with a firewall that takes commands from several different configuration files. The effects may not be easy to predict.

If you're familiar with slightly older versions of Red Hat Linux, you can install a familiar tool, lokkit, with the following command:

 apt-get install lokkit gnome-lokkit 

Once it's installed, run lokkit in a command-line interface. Look at the labels. You'll see that Debian supports a tool originally developed by Red Hat. No shock here, as lokkit was released under an open source license. Alternatively, you can start the GNOME frontend with the gnome-lokkit command. The result is stored in /etc/default/lokkit.

A simple search for Debian firewall tools reveals others, including:


FireHOL

You can start the FireHOL tool with the firehol-wizard command. If you've configured IP forwarding, it proceeds with a series of questions to help you secure your network. It saves its firewall configuration to /etc/firehol/firehol.conf.


Guarddog

Guarddog is a KDE-based firewall configuration utility. It works well in GNOME. It's a fairly impressive tool that allows you to configure a firewall based on known applications, as shown in Figure 8-7. It saves its configuration in /etc/rc.firewall.

Figure 8-7. The Guarddog firewall tool




Linux Annoyances for Geeks
Linux Annoyances for Geeks: Getting the Most Flexible System in the World Just the Way You Want It
ISBN: 0596008015
EAN: 2147483647
Year: 2004
Pages: 144
Authors: Michael Jang

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net