
Creating the Rules

In document Beginning Ubuntu Server Administration (Page 160-164)

Based on this information, you should be able to create some basic rules. Let’s assume that you have a server that has only one NIC. On this network card, you want to allow requests to the web server to come in and replies from it to go out. Also, you want to allow SSH traffic. For the rest, no other services are needed.

Like any other Netfilter configuration, you would start this configuration by creating some policies. Every chain needs its own policy. The following commands make sure that no packet comes in or out of your server by setting the policy for each chain to DROP:

iptables -P FORWARD DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP

Now that everything is blocked, you can start by allowing some packets to go in and out. First and foremost, you have to enable the loopback interface, because the policies that you’ve just defined also block all traffic on the loopback interface, and that’s not good, because many services rely on it. Without the loopback interface, for example, you have no way to start the graphical environment on your machine, and many other services will fail as well. Imagine that the login process queries an LDAP server that runs on the localhost. Now open the loopback interface using the following two rules:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

In these two rules, the -A option is used to refer to the chain the rules have to be added to. You are using -A, and so the rule is just appended to the INPUT and the OUTPUT chains. This makes the rule the last rule in the chain, just before the policy, which is always evaluated last. Next, -i lo and -o lo are used to indicate that this rule matches everything that happens on the loopback interface. As the third and last part of these two rules, the target is specified by using the -j option (which is short for “jump to target”). In this case, the target is to accept all matching packets. So, now you have a server that allows nothing on the external network interfaces, but the loopback interface is completely open.

Next, it’s time to do what you want to do on your server: allow incoming SSH and HTTP traffic and allow replies to the allowed incoming traffic to be returned. Note that these two requirements consist of two parts: a part that is configured in the INPUT chain and a part that is configured in the OUTPUT chain. Let’s start with some nice rules that define the input chain:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "Dropped illegal incoming packet: "

The first rule in this INPUT chain tells Netfilter that all packets that are part of an already established or related session are allowed in. Next, for packets coming in on SSH port 22 that have the state NEW, the second rule indicates that they are allowed as well. Thirdly, packets that are sent to TCP destination port 80 (notice the combination of -p tcp and --dport 80 in this rule) and have the state NEW are accepted as well. The last rule finally makes sure that all packets that didn’t match any of the earlier rules are logged before they are dropped by the policy at the end of the chain. Note that logging all dropped packets by default may cause big problems.

Caution

Use logging only if you need to troubleshoot your firewall. It’s generally a bad idea to switch on logging by default, because, if not done properly, it can cause huge amounts of information to be written to your log files.

Now that you have defined the INPUT chain, let’s do the OUTPUT chain as well. No specific services have to be allowed out, with the exception of the replies to incoming packets that were allowed, and so creating the OUTPUT chain is rather simple and consists of just two rules:

iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j LOG --log-prefix "Dropped illegal outgoing packet: "

The use of these two rules should be clear from the explanation earlier in this section. Note that it is a good idea to turn on logging for the OUTPUT rule (unlike for the INPUT rule). This is because, if an illegal packet should leave your server, that would indicate that some rogue service is active on your server and you would absolutely need to know about it.
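The whole ruleset from this section, assembled here as an added example (not the book's own script) in iptables-restore format, so that policies and rules are loaded in one atomic step instead of command by command; the rate limit on the INPUT log rule and the --test pre-check are additions of this example, and the port variables are assumptions.

```shell
#!/bin/sh
# Added example: emit the single-NIC ruleset from this section in
# iptables-restore format. Loading it with iptables-restore is atomic, so
# there is no window where the DROP policies are active but the ACCEPT
# rules have not been appended yet (an SSH session would survive).
# Assumptions (not from the book): the port variables and the 5/min log limit.
SSH_PORT=22
HTTP_PORT=80

build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: local services (e.g. an LDAP server on localhost) depend on it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies belonging to sessions that were allowed in
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new connections only to the services this host offers
-A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport $HTTP_PORT -m state --state NEW -j ACCEPT
# log what the policy will drop, rate-limited so the log cannot be flooded
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "Dropped illegal incoming packet: "
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# outgoing drops are logged unconditionally: they hint at a rogue service
-A OUTPUT -j LOG --log-prefix "Dropped illegal outgoing packet: "
COMMIT
EOF
}

# number of -A rules in the generated set (a quick sanity check)
rule_count() {
    build_ruleset | grep -c '^-A '
}

# Apply only as root with iptables-restore present; --test parses the
# ruleset first so a typo changes nothing on the running firewall.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        echo "not root or iptables-restore missing; printing ruleset instead" >&2
        build_ruleset
        return 1
    fi
    build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
}
```

Run apply_ruleset from a console session (or with a scheduled rollback) the first time, since the OUTPUT policy DROP also blocks connections the server itself initiates.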

To make it a little easier to create your own Netfilter rules, Table 5-5 lists some of the port numbers that are commonly configured in a Netfilter firewall. For a complete list of all port numbers and the names of related services, check the contents of the /etc/services file, which lists all known services with their default ports.

Table 5-5. Frequently Used Port Numbers

Port      Service
20        FTP data
21        FTP commands
22        SSH
25        SMTP
53        DNS
80        WWW
88        Kerberos authentication
110       POP3
111       RPC (used by NFS)
118       SQL databases
123       NTP Time
137–139   NetBIOS ports (used by the Samba server)
143       IMAP
161       SNMP (network management)
389       Unsecure LDAP
443       HTTPS
524       NCP (used by some native Novell services like eDirectory)
636       Secure LDAP

Let’s stop talking about Netfilter. On a server that uses Netfilter as a kind of personal firewall, this is probably all you need to know. Notice, however, that much more can be done with iptables. But discussion of all that goes beyond the scope of this book, so check www.netfilter.org/documentation for very complete and overwhelmingly in-depth information.

Tip

Were you looking for information on how to configure your server as a NAT firewall? Although that’s also outside the scope of this book (most people use dedicated routers for this purpose), I’d like to share the rule to do that anyway. Use iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source yourserverspublicIPaddress to make your server a NAT router. Have a lot of fun with it!

Summary

In this chapter, you learned how to secure your server, and we covered the most important aspects of Linux security. I began by talking about users, groups, and permissions. After that, I introduced some advanced file-system security options: access control lists and user-extended attributes. Next, you read about some important internal mechanisms: PAM and sudo. Finally, in the last part of this chapter, you got an introduction to the configuration of a Netfilter firewall. Your server ought to be secure now, so let’s proceed with Chapter 6, where you’ll learn how to let the system do exactly what you want it to do. I’ll cover topics like process management, the boot procedure, and kernel management.
