Last modified: October 10, 2024
This article is written in: 🇺🇸
Firewalls
A firewall is like a guard for your computer. It keeps your computer safe from others who shouldn't use it. It checks the information going in and out and follows safety rules. In Linux, there are several utilities to manage your firewall, including iptables, ufw, and firewalld.
INTERNET TRAFFIC ---> |--------------------------| ---> INTERNAL NETWORK
[IP:123.45.67.89] | | [Accepted IP: 123.45.67.89]
Port 80 (HTTP) | +----------------+ | Port 80 -> Allowed
| | FIREWALL | |
| | Rules Applied: | |
[IP: 98.76.54.32] | | - Allow HTTP | | [Rejected IP: 98.76.54.32]
Port 22 (SSH) | | - Block SSH | | Port 22 -> Blocked
| +----------------+ |
| |
|--------------------------|Iptables
Iptables is a command-line utility for managing the Linux firewall. It is pre-installed on most Linux systems and lets you configure rules to control incoming and outgoing network traffic.
To view the current rules, use the -L flag:
iptables -LAn example output might look something like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DROP icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level debug prefix "iptables denied: "
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.1.0/24 192.168.1.0/24
DROP all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destinationExplanation:
I. Chain Names: INPUT, FORWARD, OUTPUT are the default chains in iptables.
II. Policies: Set to ACCEPT, DROP, or REJECT. For example, the default policy for FORWARD is DROP.
III. Rules: Listed under each chain.
- Target: The action to take, e.g.,
ACCEPT,DROP,LOG. - Prot: The protocol, e.g.,
tcp,udp,icmp, orall. - Opt: Options, often includes flags like
--. - Source and Destination: IP addresses or ranges for source and/or destination.
- Additional Conditions: For example,
tcp dpt:sshmeans TCP packets destined for SSH port. - Logging: The
LOGrule can specify logging of packets, including a prefix for log messages.
To add a new rule, use the -A flag followed by the rule itself. For example, to allow incoming traffic on port 80 (used for HTTP), use:
iptables -A INPUT -p tcp --dport 80 -j ACCEPTTo delete a rule, use the -D flag followed by the rule number (as displayed by the -L flag). For example, to delete the second rule in the INPUT chain, use:
iptables -D INPUT 2🔴 Caution: Keep in mind that changes to the safety guard's rules with iptables don't last when you restart your computer. To keep the changes, save them in a file and bring them back when your computer starts.
I. On Debian-based systems, you can save the current iptables configuration with:
iptables-save > /etc/iptables/rules.v4And ensure they are reloaded on boot by installing the iptables-persistent package.
II. On Red Hat-based systems, you can save the configuration with:
service iptables saveUFW
UFW (Uncomplicated Firewall) is a user-friendly alternative to iptables for managing the Linux firewall. It is pre-installed on many Linux distributions, including Ubuntu.
To view the configured rules, use the status numbered command:
ufw status numberedAn example output of this command might look something like this:
Status: active
To Action From
-- ------ ----
[ 1] 22/tcp ALLOW IN Anywhere
[ 2] 80/tcp ALLOW IN Anywhere
[ 3] 443/tcp ALLOW IN Anywhere
[ 4] 1000:2000/tcp ALLOW IN 192.168.1.0/24
[ 5] 22/tcp ALLOW IN Anywhere (v6)
[ 6] 80/tcp ALLOW IN Anywhere (v6)
[ 7] 443/tcp ALLOW IN Anywhere (v6)Explanation:
I. Status: Indicates whether the firewall is active or inactive. In this case, it's active.
II. Columns in the Output:
- To: This column shows the port or port range and protocol (like
22/tcp) for which the rule is applied. - Action: Specifies the action (
ALLOW IN,DENY, etc.) taken by the firewall for matching traffic. - From: This column indicates the source of the traffic for which the rule is applicable. It can be an IP address, a subnet, or
Anywhere.
III. Numbered Rules: Each rule is prefixed with a number in square brackets (e.g., [ 1]). This numbering is crucial for modifying or deleting specific rules, as it allows you to reference them easily.
IV. IPv4 and IPv6 Rules: The rules apply to both IPv4 and IPv6 traffic if suffixed with (v6).
To allow incoming traffic on a specific port, use the allow command followed by the protocol and port number. For example, to allow incoming SSH connections (which use port 22 by default), use:
ufw allow sshTo block incoming traffic on a specific port, use the deny command followed by the protocol and port number. For example, to block incoming HTTP connections (which use port 80 by default), use:
ufw deny httpTo activate the firewall and apply the rules, use the enable command:
ufw enableYou can also set default policies for incoming and outgoing traffic using the default command. For example, to deny all incoming traffic and allow all outgoing traffic, use:
ufw default deny incoming
ufw default allow outgoing
ufw enableFirewalld
Firewalld is a more advanced firewall used by Fedora and other Linux distributions. It lets you configure firewalls using zones, which are collections of rules that apply to specific types of network interfaces.
To view the currently configured rules, use the --list-all flag:
firewall-cmd --list-allAn example output might look something like this:
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client http https
ports: 8080/tcp 9090/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.0.0/24" accept
rule family="ipv4" source address="10.0.0.0/8" port port="443" protocol="tcp" acceptExplanation:
- Zone: The name of the zone (e.g.,
public) and its status (active). - Target: The default action for incoming traffic not matching any other rule.
- Interfaces: Network interfaces (e.g.,
eth0) associated with the zone. - Services: Predefined services allowed in this zone (e.g.,
ssh,http,https). - Ports: Custom ports that are open (e.g.,
8080/tcp,9090/tcp). - Protocols, Masquerade, Forward-ports, Source-ports, Icmp-blocks: Other network settings and rules.
- Rich Rules: More complex rules defined, like allowing specific IP ranges on certain ports. For example, the rule allowing all traffic from the
192.168.0.0/24subnet, and allowing TCP traffic on port443from the10.0.0.0/8subnet.
I. Adding Rules
To add a new rule, use the --add-service flag followed by the service name. For example, to allow incoming SSH connections, use:
firewall-cmd --permanent --add-service=sshII. Removing Rules
To remove a rule, use the --remove-service flag followed by the service name. For example, to block incoming HTTP connections, use:
firewall-cmd --permanent --remove-service=httpIII. Applying Changes
To apply the changes and reload the firewall, use the --reload flag:
firewall-cmd --reloadTo make the changes persistent across reboots, restart the firewalld.service using systemctl. For example:
systemctl restart firewalld.serviceChallenges
- Block all incoming traffic on port 80 (HTTP) while allowing all incoming traffic on port 22 (SSH). Test the configuration by attempting to access the system on both ports and verify that HTTP is blocked while SSH remains accessible. Discuss the importance of selectively blocking and allowing specific ports for securing a system.
- Configure the firewall to deny all incoming traffic by default and allow all outgoing traffic. Explain the purpose of setting default policies, and discuss how a restrictive incoming policy can improve system security by blocking unsolicited connections.
- Create a firewall rule to block incoming ICMP echo requests, effectively preventing ping requests. Test the configuration by pinging the system from another device, and discuss why blocking ICMP can be a useful security measure for preventing network reconnaissance.
- Set up a rule to allow incoming traffic on port 80 (HTTP) only from a specific IP address. Test this rule by trying to access the system from the allowed IP address and from a different IP. Discuss the use cases for restricting access to specific IP addresses and how it helps secure services exposed to the internet.
- Configure a rule to block all incoming HTTP traffic on port 80 from a specific IP address. Verify this rule by attempting to access the system on port 80 from the blocked IP. Explain how blocking specific IPs can help mitigate unauthorized access or prevent known malicious sources from reaching the server.
- Modify firewall rules to allow SSH access (port 22) only from a set of predefined IP addresses. Test access from an allowed IP and a blocked IP, and discuss the importance of limiting SSH access to trusted sources as a security best practice for remote management.
- Implement a rule to limit the rate of incoming connections on a specific port (e.g., 100 connections per minute) to mitigate potential DoS attacks. Simulate an excessive number of connections to this port, and monitor the firewall’s response. Explain how rate limiting can protect services from abuse and help maintain system availability.
- Set up the firewall to log details of all dropped packets for analysis and monitoring purposes. Review the log entries to ensure that dropped packets are being recorded, and explain how logging provides insights into unauthorized access attempts and potential threats.
- Create a rule to forward traffic incoming on a specific port (e.g., 8080) to another port (e.g., 80). Test this configuration by sending requests to port 8080 and verifying that they reach the service listening on port 80. Discuss port forwarding as a method for managing and redirecting traffic to internal services.
- Configure the firewall to block all outgoing traffic to specific domains or IP addresses. Test this by attempting to connect to the blocked addresses, and discuss scenarios where limiting outgoing connections is beneficial, such as preventing communication with known malicious domains.