Wednesday, January 2, 2013

Iptables, Logging, and Firewalls in general.

Firewalls are great. Firewalls can now be found on almost any modern operating system. Firewalls are only one step toward a secure computer.
A perfect firewall would only allow the good stuff through and stop the bad stuff. The problem is how you define the good stuff. Is one port or packet better or safer than another? Is this good-looking packet carrying some dangerous data? This is why a firewall can't stop everything. It can only stop some bad things. So remember, firewalls are only one tool in the IT security toolbox.

Iptables:
Iptables is found on Linux and functions as its standard firewall. Iptables uses a ruleset to define what is allowed and what is denied. Don't assume that just because iptables is installed it will deny incoming packets by default. Some Linux distributions ship with iptables set to allow incoming traffic by default. Now down to some iptables rules.

The iptables ruleset starts out by naming the table the rules belong to. The ruleset can have both a NAT section and a filter section. Usually you will only see the filter section.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

This part of the filter section defines the default policies for incoming, forwarded, and outgoing packets. In this example all incoming and forwarded packets are dropped by default. This is what you want, because you wouldn't want the firewall to allow just any packet on any port from any IP. Having all outgoing packets allowed is fine unless you really want to lock down the system; then dropping by default is probably what you will want. Just make sure you create rules to allow the outgoing traffic you need.

-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

These two rules allow incoming traffic from the loopback interface and new TCP connections to port 22. The -i option defines the incoming interface. The -p and --dport options define the protocol and the destination port.

Now, the way iptables works is that it goes down the ruleset until it finds a match. If it never finds a matching rule it should fall back to the default policy, but it's better to be safe than sorry. So what we do is add a drop rule at the end of the ruleset. It is also a good idea to log the dropped packets so that you know what is trying to access the system and on what ports. To do this we add a log rule just before the drop rule.

-A INPUT -j LOG --log-prefix "iptables: " --log-level 4
-A INPUT -j DROP

The first line is the log rule. Each packet that doesn't match any of the previous rules is logged with the prefix "iptables: ", so it is easier to identify and, if you are using rsyslog, easier to send to a log file just for iptables. The log level is the kernel logging level. In this case 4 is kern.warn.

That is a really basic iptables ruleset. I did leave out a few common things, like a rule for established connections. Most of the time there is already a simple ruleset on the Linux system with the most common rules defined for you.

Logging:
Now that we have iptables configured and set to log dropped packets, we need to configure the logging system to handle the data from iptables. If you're using syslog then setting up the iptables log is fairly simple: add a kern.warn line with the log file as its destination to syslog.conf. The issue I have with using syslog for iptables is that iptables will also be logged into the messages log. I'm sure there is a way to configure syslog so that iptables is only logged to the iptables log, but I haven't found one, and rsyslog is becoming very common.

For rsyslog I suggest creating an iptables.conf file in rsyslog.d. This just makes it easier to configure rsyslog later on when adding other log configurations. In iptables.conf add the line :msg, startswith, "iptables: " -/var/log/iptables.log. If you are using a RHEL 5 based system there are some changes that need to be made to /etc/sysconfig/rsyslog and /etc/rsyslog.conf before rsyslog will be able to properly log iptables with the iptables log config. In sysconfig/rsyslog change -m 0 to -c 3, and in /etc/rsyslog.conf add $IncludeConfig /etc/rsyslog.d/*.conf.
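Once the LOG rule is feeding /var/log/iptables.log, the reason for logging is to answer "what is trying to get in, and on which ports". Here is an added example, not from the original post, that parses the KEY=VALUE lines the LOG target writes and summarizes them by destination port and by source address; the sample lines are constructed (documentation address ranges, one unrelated sshd line mixed in on purpose), and the prefix is assumed to be the "iptables: " used in the rule above.

```python
import re
from collections import Counter

# Constructed sample of what the LOG rule writes, as it lands in
# /var/log/iptables.log via rsyslog: syslog header, then the "iptables: "
# prefix, then the kernel's KEY=VALUE fields. Addresses are documentation
# ranges, not real hosts; the last line is unrelated noise on purpose.
SAMPLE_LOG = """\
Jan  2 10:15:01 host kernel: iptables: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 ID=1234 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 SYN URGP=0
Jan  2 10:15:02 host kernel: iptables: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TTL=52 ID=1235 DF PROTO=TCP SPT=40001 DPT=3389 WINDOW=29200 SYN URGP=0
Jan  2 10:15:05 host kernel: iptables: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=40 TTL=240 ID=0 PROTO=TCP SPT=6000 DPT=23 WINDOW=1024 SYN URGP=0
Jan  2 10:15:09 host kernel: iptables: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=78 TTL=240 ID=0 PROTO=UDP SPT=5353 DPT=5353 LEN=58
Jan  2 10:15:10 host sshd[2211]: Accepted publickey for admin from 192.0.2.99 port 50022 ssh2
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")   # KEY=VALUE; bare flags like DF/SYN are skipped

def parse_line(line, prefix="iptables: "):
    """Return the KEY=VALUE fields of one LOG-target line as a dict, or None
    when the line does not carry our --log-prefix (i.e. it is not ours)."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(prefix):]))

def summarize(text, prefix="iptables: "):
    """Count dropped packets by (protocol, destination port) and by source."""
    by_port, by_src = Counter(), Counter()
    for line in text.splitlines():
        fields = parse_line(line, prefix)
        if fields is None:
            continue
        # ICMP and fragments carry no DPT; keep a placeholder so they still count
        by_port[(fields.get("PROTO", "?"), fields.get("DPT", "-"))] += 1
        by_src[fields.get("SRC", "?")] += 1
    return by_port, by_src

if __name__ == "__main__":
    ports, srcs = summarize(SAMPLE_LOG)
    print("dropped packets by destination port:")
    for (proto, dport), n in ports.most_common():
        print(f"  {proto:4} {dport:>6}  {n}")
    print("dropped packets by source address:")
    for src, n in srcs.most_common():
        print(f"  {src:15}  {n}")
```

Run it against the real file with `summarize(open("/var/log/iptables.log").read())`; ports that show up repeatedly from one source are the ones worth a closer look.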

Some systems have log rotation configured, and it's usually on every boot. When you have a system that is up for long periods of time, say months, an on-boot log rotation can get messy. To control the log rotation I use logrotate to manage when to rotate the logs. Here is a config file I used for the iptables log.

/var/log/iptables.log
{
        rotate 7
        daily
        missingok
        notifempty
        dateext
        delaycompress
        compress
        postrotate
                invoke-rc.d rsyslog reload > /dev/null
        endscript
}

The log is rotated daily, 7 rotations are kept, and the older logs are compressed (with delaycompress the most recent rotated log stays uncompressed until the next rotation, so rsyslog can finish writing to it).

In my example setup iptables will drop all incoming packets except those that come from the loopback interface or are going to port 22. It will also log all the dropped packets in /var/log/iptables.log. The log file iptables.log is rotated every day and only 7 rotations are kept.