[Glastonbury] Firewalls
Kelvin McNulty
kelvin24 at gcircle.co.uk
Thu Nov 13 08:01:31 GMT 2003
Dear Everyone,
I discovered how to set up a firewall using a simple script that came out of
the Firewalls HOWTO using iptables. I tested it on grc.com and was so
DELIGHTED to get a result showing stealth on every commonly used port. Then
came the issue of fixing it so it is there automatically on bootup. I did
this using the SuSE bootup procedure by putting the script in /etc/init.d
with a link from /etc/init.d/rc5.d named S23kmfirewall so it runs it on start
up.
I pushed myself into this after trying to get the SuSE Firewall to work and it
just would not do anything. It gave all the signals from the SuSE Control
Centre that it was set up and working but it was not! I ask myself what is
the point in having something flashy and complex that looks like it works but
actually doesn't, that takes megabytes of graphical bloat to work and can be
replaced with a script containing a few iptables commands. Granted that one
has to be careful with iptables commands as getting it wrong could leave one
wide open.
If anyone has any feedback about this, do let me know. My main query being
that all the scripts in the bootup folders have links that are called on
bootup (starting with letter S) and links called to kill them on shutdown
(starting with letter K) and I have chosen not to bother with a K one as what
the script does is simply set some entries in iptables and I can see no
reason why one should unset them before shutting down the system. But if
anyone knows otherwise, do let me know. Doing it like this means the script
is simpler as it does not have to bother trying to process the parameter
start or stop. I do like to keep things simple, especially in the realm of
security, as the simpler it is, the easier it is to understand, and the more
likely it is to work the way one thinks it will.
And of course do try it yourselves, I'd like to know how you get on with it.
I log what's trying to find me and/or get into my system and there's something
(usually a ping) about every 20 seconds! DO NOT go on the Internet without a
firewall!
After some resistance to learning all the above (it's so simple in Windoze 3.1
and MS-DOS, just add lines to autoexec.bat) I realised that one is into the
system at the level where it is setting itself up, the equivalent in Windoze
being all the stuff it does invisibly. In Linux, open source, it's all
visible. I do love that!
Additions to the script below are needed if you're running any kind of
network, or offering any services (http, ftp, ssh, etc.) to the public.
And do, of course, take care in adding things to the bootup process. I thought
about it and read and re-read various README files and other documentation,
and checked the Web, quite a few times before doing it. Otherwise you might
end up with an unbootable system. You need to know that the way I did it
(putting the link to the script in /etc/init.d/rc5.d ) causes the script to
be run on entering run level 5 - the one where networking and X are
activated. Cannot see any point in putting it in before that.
Best,
Kelvin
To check if you have a firewall, do this as root:
iptables -L
It will give an indication of the rules it has in iptables.
iptables -L -v is a little clearer. I have to say that the listings given by
the above commands are not very clear but they do tell you if you have some
sort of protection.
When I do that after running the script below, I get the output:
______________________________
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
block      all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
block      all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain block (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            state NEW
LOG        all  --  anywhere             anywhere            LOG level warning
DROP       all  --  anywhere             anywhere
__________________ end of output
which clearly (! well not obviously, until you have read some of the
documentation on iptables) shows that the BLOCK chain has been set up, that all
the packets that hit the INPUT and FORWARD chains get passed to the BLOCK
chain, and (this is where the output is really not very clear to me) shows
that the BLOCK chain will accept packets from outside relating to ones sent
by this system, as well as new packets sent by this system.
The final proof that it works, though, is probing from the outside.
Go to
http://www.grc.com
click Shields Up, then the Shields Up Port Authority edition link, then test
all the ports. If you get ALL GREEN, you are STEALTH (invisible) on all the
common ports - i.e. the system is dropping all the probe packets.
Or use some other probe or scanner software to probe your system from outside.
And, of course, check that everything you need to do does work... putting
restrictive firewall rules in the wrong place would prevent you from surfing
the Web, for example.
____________________ firewall script:
#!/bin/sh
#WARNING check wrap. Every active line starts with the word iptables.
# Firewall from iptables/firewall HOWTO
# Blocks EVERYTHING that tries to access this system from outside.
# NB this script is only called on boot. It ignores the start and stop
# parameters sent to it by init.
# Insert connection-tracking modules (not needed if built into kernel).
# These are the 2.4-kernel module names; on current kernels the modules are
# called nf_conntrack and nf_conntrack_ftp and are loaded with modprobe.
# insmod ip_conntrack
# insmod ip_conntrack_ftp
# Create chain which blocks new connections, except if coming from inside.
# Create the chain
iptables -N block
#Add rule to accept packets relating to established connections
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
#Add rule to accept packets relating to new connections that come from inside
# (i.e. arriving on any interface other than ppp0, the dial-up link).
# iptables of the period wrote the negation as "-i ! ppp0"; that form is
# deprecated and current versions expect the "!" before the option.
iptables -A block -m state --state NEW ! -i ppp0 -j ACCEPT
#Add rule to log all packets that did not pass the above rules
#Comment this out if not needed else look in /var/log/warn for results (may be
# different in your system)
# Use the command tail -f /var/log/warn and keep an eye on size of that file
iptables -A block -j LOG
#Add rule to drop all packets that did not pass the above rules
iptables -A block -j DROP
# Jump to chain BLOCK from INPUT and FORWARD chains.
iptables -A INPUT -j block
iptables -A FORWARD -j block
# In future may need some rules on the OUTPUT chain to catch anything that
# ought not to send just in case some worm gets onto the system. This would
# be done by setting up an ACCEPT rule for each service that you want to use
# based on either the port number or the address or both.
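As an added example (not from the original post or from the HOWTO it quotes), here is the same block chain written as a SysV-style init script that handles the start/stop/status arguments the post chooses to ignore, can be re-run safely, and fails closed: the default policies are set to DROP before any chain is built, so a typo or a failing iptables command later on leaves the machine blocked rather than wide open (with the policies left at ACCEPT, as in the script above, a failed `iptables -N block` would mean nothing is blocked at all). The LOG rule is rate-limited so the log file cannot fill the disk. Two points worth knowing when reading the listing: `! -i ppp0` passes NEW connections that arrive on any interface other than ppp0 (loopback, a LAN card), and packets this host itself sends never pass through INPUT, so they are not what that rule is for; and `iptables -L` does not print the interface match at all, so use `iptables -L -v` or `iptables-save` when you want to see it. The script assumes ppp0 is the external interface, as in the post, and that `iptables` is in PATH; set `IPT=echo` to print the rules instead of loading them. `fw_check_listing` reads the text of `iptables -L -n` and confirms that INPUT hands packets to a chain called block whose last rule is DROP, which is the check the post does by eye; the two listings embedded in the script are constructed, trimmed samples for that check, not real output.

```shell
#!/bin/sh
# Added example, not the original post's script: the block chain as a SysV
# init script (link as /etc/init.d/rc5.d/S23kmfirewall; add a K link if you
# want "stop" run at shutdown). Assumes ppp0 is the external interface and
# that iptables is in PATH. Set IPT=echo to dry-run without root.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-ppp0}"

fw_start() {
    # Fail closed first: with the policies at DROP, any command below that
    # fails leaves the host blocked instead of wide open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Remove any previous copy so the script can be re-run (a chain that is
    # still referenced cannot be deleted, hence the -D jumps first).
    $IPT -D INPUT -j block 2>/dev/null
    $IPT -D FORWARD -j block 2>/dev/null
    $IPT -D INPUT -i lo -j ACCEPT 2>/dev/null
    $IPT -F block 2>/dev/null
    $IPT -X block 2>/dev/null
    $IPT -N block
    # Local programs talk to each other over lo; never drop that.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened.
    $IPT -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections arriving on any interface other than the external one.
    $IPT -A block -m state --state NEW ! -i "$EXT_IF" -j ACCEPT
    # Log the rest, at most 5 lines a minute so the log cannot fill the disk.
    $IPT -A block -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    $IPT -A block -j DROP
    $IPT -A INPUT -j block
    $IPT -A FORWARD -j block
}

fw_stop() {
    # Undo fw_start and return to the kernel's accept-everything default.
    $IPT -D INPUT -j block 2>/dev/null
    $IPT -D FORWARD -j block 2>/dev/null
    $IPT -D INPUT -i lo -j ACCEPT 2>/dev/null
    $IPT -F block 2>/dev/null
    $IPT -X block 2>/dev/null
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
}

# Reads the text of "iptables -L -n" on stdin. Succeeds only if INPUT jumps
# to a chain called block whose last rule is DROP.
fw_check_listing() {
    awk '
        /^Chain / { chain = $2; next }
        chain == "INPUT" && $1 == "block" { jump = 1 }
        chain == "block" && NF > 0 && $1 != "target" { last = $1 }
        END { if (jump && last == "DROP") exit 0; exit 1 }
    '
}

fw_status() {
    if $IPT -L -n | fw_check_listing; then
        echo "firewall active: INPUT -> block -> DROP"
    else
        echo "firewall NOT active"
        return 1
    fi
}

# Constructed samples of "iptables -L -n" output (trimmed; real output has
# more columns), used only to exercise fw_check_listing without root.
GOOD_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
block      all  --  0.0.0.0/0            0.0.0.0/0

Chain block (2 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state NEW
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 4 prefix "fw-drop: "
DROP       all  --  0.0.0.0/0            0.0.0.0/0'
# A listing with no rules at all: the "looks set up but is not" shape.
BARE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    status)  fw_status || exit 1 ;;
esac
```

Run it as `IPT=echo sh S23kmfirewall start` first to read the rule set it would load; then, as root, `sh S23kmfirewall start` followed by `sh S23kmfirewall status` and the external probe the post describes.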