A firewall sits between your company's internal LAN and an outside network. A firewall can be configured to examine every network packet that passes into or out of your LAN. When configured with appropriate rules, it can filter out those packets that may pose a security risk to your system.
To understand how packet filtering works, you have to understand a little bit about how information is sent across networks.
Before you send a message over a network, the message is broken down into smaller units called packets. Administrative information, including the type of data, the source address, and destination address, is added to each packet. The packets are reassembled when they reach the destination computer. A firewall examines these administrative fields in each packet to determine whether to allow the packet to pass.
Red Hat Enterprise Linux comes with everything you need to configure a system to be a firewall, including the iptables command.
On the Job: RHEL 5 also includes a firewall command for IPv6 networks, ip6tables.
The philosophy behind iptables is based on "chains." These are sets of rules applied to each network packet. Each rule does two things: it specifies the conditions a packet must meet to match the rule, and it specifies the action if the packet matches.
The iptables command uses the following basic format:
iptables -t tabletype <action direction> <packet pattern> -j <what to do>
Now analyze this command, step by step. First is the -t tabletype switch. There are two basic tabletype options for iptables:
filter Sets a rule for filtering packets.
nat Configures Network Address Translation, also known as masquerading, discussed later in this chapter.
The default is filter; if you don't specify a -t tabletype, the iptables command assumes that you're trying to affect a filtering rule.
Next is the <action direction>. There are four basic actions associated with iptables rules:
-A (--append) Appends a rule to the end of a chain.
-D (--delete) Deletes a rule from a chain. Specify the rule by the number or the packet pattern.
-L (--list) Lists the currently configured rules in the chain.
-F (--flush) Flushes all of the rules in the current iptables chain.
If you're appending to (-A) or deleting from (-D) a chain, you'll want to apply it to network data traveling in one of three directions:
INPUT All incoming packets are checked against the rules in this chain.
OUTPUT All outgoing packets are checked against the rules in this chain.
FORWARD All packets being sent to another computer are checked against the rules in this chain.
Next, you need to configure a <packet pattern>. All iptables firewalls check every packet against this pattern. The simplest pattern is by IP address:
-s ip_address All packets are checked for a specific source IP address.
-d ip_address All packets are checked for a specific destination IP address.
Packet patterns can be more complex. In TCP/IP, packets are transported using the TCP, UDP, or ICMP protocol. You can specify the protocol with the -p switch, followed by the destination port (--dport). For example, the -p tcp --dport 80 extension affects users outside your network who are trying to use an HTTP connection.
Once the iptables command finds a packet pattern match, it needs to know what to do with that packet, which leads to the last part of the command, -j <what to do>. There are three basic options:
DROP The packet is dropped. No message is sent to the requesting computer.
REJECT The packet is dropped. An error message is sent to the requesting computer.
ACCEPT The packet is allowed to proceed as specified with the -A action: INPUT, OUTPUT, or FORWARD.
Take a look at some examples of how you can use iptables commands to configure a firewall. The first step is always to see what is currently configured, with the following command:
# iptables -L
If iptables is properly configured, it should return chain rules in three different categories: INPUT, FORWARD, and OUTPUT.
The following command defines a rule that rejects all traffic from the 192.168.75.0 subnet, and it sends a "destination unreachable" error message back to any client that tried to connect:
# iptables -A INPUT -s 192.168.75.0/24 -j REJECT
This rule stops users from the computer with an IP address of 192.168.25.200 from "pinging" your system (remember that the ping command uses the ICMP protocol):
# iptables -A INPUT -s 192.168.25.200 -p icmp -j DROP
The following command guards against TCP SYN attacks from outside your network by dropping every TCP packet that does not come from your own network. Assume that your network IP address is 192.168.1.0. The exclamation point (!) inverts the meaning; in this case, the command applies to all IP addresses except those with a 192.168.1.0 network address (and a 255.255.255.0 subnet mask). Note that the ! must be a separate word on the command line:
# iptables -A INPUT -s ! 192.168.1.0/24 -p tcp -j DROP
Then, if you want to delete the rule related to the ping command in this list, use the following command:
# iptables -D INPUT -s 192.168.25.200 -p icmp -j DROP
The default rule for INPUT, OUTPUT, and FORWARD is to ACCEPT all packets. One way to stop packet forwarding is to add the following rule:
# iptables -A FORWARD -j DROP
Once you've added the iptables commands of your choice, the following command saves your new firewall configuration to a file:
# service iptables save
This saves your chains in the /etc/sysconfig/iptables configuration file. The iptables service script then reads this file, if it is active for the appropriate runlevel when you start Linux. You can configure iptables so that it is active for all network runlevels (2, 3, 4, and 5) with the chkconfig command, as follows:
# chkconfig iptables on
# chkconfig --list iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
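The rules above are applied in the order they were appended, and the first rule that matches a packet decides its fate; only if no rule matches does the chain's default policy apply. The following simulator, added here as an illustration and not part of the chapter, walks a packet through the chapter's own rules (plus the Squid port 3128 rule from the end of the chapter) so you can see that ordering effect: because the "drop all TCP from outside" rule comes first, an ACCEPT for port 3128 appended after it never fires for outside hosts. The packet dictionaries, the rule parser and the matching logic are my own simplification (stateless, no port ranges).

```python
import ipaddress
# Constructed rule list: this chapter's rules, in the argument form that
# `service iptables save` writes to /etc/sysconfig/iptables.
RULES = [
    "-A INPUT -s 192.168.75.0/24 -j REJECT",
    "-A INPUT -s 192.168.25.200 -p icmp -j DROP",
    "-A INPUT -s ! 192.168.1.0/24 -p tcp -j DROP",
    "-A INPUT -p tcp --dport 3128 -j ACCEPT",
    "-A FORWARD -j DROP",
]
POLICY = {"INPUT": "ACCEPT", "OUTPUT": "ACCEPT", "FORWARD": "ACCEPT"}
OPTS = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport"}

def parse_rule(text):
    """Turn one '-A CHAIN ...' line into (chain, match dict, target)."""
    toks = text.split()
    for k in range(len(toks) - 1, 0, -1):   # accept old '-s ! x' as '! -s x'
        if toks[k] == "!" and toks[k - 1].startswith("-"):
            toks[k], toks[k - 1] = toks[k - 1], toks[k]
    chain, match, target, invert, i = None, {}, None, False, 0
    while i < len(toks):
        opt = toks[i]
        if opt == "!":                  # negates the option that follows
            invert, i = True, i + 1
            continue
        val = toks[i + 1]
        if opt == "-A":
            chain = val
        elif opt == "-j":
            target = val
        elif opt in ("-s", "-d"):       # host or CIDR; bare host becomes /32
            match[OPTS[opt]] = (ipaddress.ip_network(val, strict=False), invert)
        elif opt in OPTS:               # proto stays a string, dport is an int
            match[OPTS[opt]] = (int(val) if opt == "--dport" else val, invert)
        invert, i = False, i + 2
    return chain, match, target

def matches(match, pkt):
    for key, (want, inv) in match.items():
        hit = (ipaddress.ip_address(pkt[key]) in want if key in ("src", "dst")
               else pkt.get(key) == want)
        if hit == inv:                  # plain miss, or inverted criterion hit
            return False
    return True

def verdict(chain, pkt, rules=RULES, policy=POLICY):
    # First matching rule in the chain decides; otherwise the chain policy.
    for rule in rules:
        c, match, target = parse_rule(rule)
        if c == chain and matches(match, pkt):
            return target
    return policy[chain]
```

Calling verdict("INPUT", {"src": "10.0.0.5", "dst": "192.168.1.1", "proto": "tcp", "dport": 3128}) returns DROP, not ACCEPT; to open the proxy to outside hosts the ACCEPT rule would have to be inserted before the blanket DROP.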
Knowing how to secure a Red Hat Enterprise Linux system against unauthorized access is critical. Be sure you understand the concepts and commands discussed in this chapter.
You can automate the process of configuring a firewall. RHEL includes the Security Level Configuration tool. You can start it with the system-config-securitylevel command or by clicking System | Administration | Security Level. This is a straightforward tool, as shown in Figure 15-1.
Figure 15-1: The Security Level Configuration tool
If you've installed RHEL before, this menu should look familiar; the choices are identical to those shown during the standard RHEL First Boot process. There is a similar text-based version of this tool, which can be started with the system-config-securitylevel-tui command.
Red Hat has changed this tool for RHEL 5; as you'll see toward the end of this chapter, it can now only set SELinux to run in Enforcing, Permissive, or Disabled mode. (SELinux configuration is now the province of the SELinux Management Tool.) It also supports easy configuration of other ports; just click Add, specify the port number in the text box that appears, set the protocol to TCP or UDP, and click OK. The Security Level Configuration tool automatically adds the port to what's allowed through the firewall.
The default RHEL firewall allows external users to ping your system, and it permits access to external e-mail and DNS servers and support for the Internet Printing Protocol (IPP). If you want to secure your firewall against these services, you'll have to modify the /etc/sysconfig/iptables file after closing the Security Level Configuration tool.
The default RHEL firewall blocks all inbound request traffic except replies to requests that originated from within the network. DNS replies, for example, are allowed.
As shown in Figure 15-1, you can allow incoming traffic to a number of services. For example, if you select WWW (HTTP), others can connect to a Web server on your computer. With the available settings, you can also allow incoming connections to:
An FTP server such as the vsFTP service, by activating the FTP option.
Mail services through the sendmail or Postfix services described in Chapter 12, by activating the Mail (SMTP) option.
Shared NFS directories, by activating the NFS4 option. This assumes fixed ports for NFS communication, as described in the discussion on the NFS Server Configuration tool in Chapter 10.
A Secure Shell (SSH) service, by activating the SSH option. This is a common method for administering remote Linux computers, as described in Chapter 13.
Shared directories over Microsoft Windows-based networks, using the Samba option.
A Secure Web server, by activating the Secure WWW (HTTPS) option.
Telnet, by activating the Telnet option. This also works with the Kerberos-based Telnet service described earlier in this chapter.
A Web server, by activating the WWW (HTTP) option.
The settings that you create are documented in /etc/sysconfig/iptables. But that file may not show every active firewall rule; you may have added more chains or rules with an iptables command.
As you can see in Figure 15-2, you can use the Port(s) text box to allow data to come through using other incoming TCP/IP ports.
Figure 15-2: Customizing using the Red Hat Security Level Configuration tool
For example, if you wanted to allow access to a proxy server through your firewall, you could enter port 3128, using the TCP protocol, in the Add Port dialog box. As noted in /etc/services (and /etc/squid/squid.conf), this opens communication through the TCP/IP port associated with the Squid Web proxy server, and is equivalent to the following iptables command:
# iptables -A INPUT -p tcp --dport 3128 -j ACCEPT