Firewalls are one of the core components of a network security implementation. A firewall is a system designed to prevent unauthorized access to or from a private network. Firewalls help prevent unauthorized network packets from accessing the system's network interface. The firewall examines network traffic and allows or denies the traffic based on specified security criteria. If a request is made to a port that is blocked by a firewall, the request is ignored. If a service is listening on one of these blocked ports, it does not receive the packets and is effectively disabled.
Hence, you should be careful when configuring a firewall to block access to ports not in use and not block access to ports used by configured services.
On Oracle Linux 6 systems, a simple firewall configuration tool is the graphical Firewall Configuration Tool. The Firewall Configuration Tool (system-config-firewall) creates basic iptables rules for a general-purpose firewall using a GUI interface. For advanced users and server administrators, manually configuring a firewall with the ‘iptables’ tool is probably a better option. In older versions of Linux, the most popular firewall/NAT package running on Linux was called ipchains, but it had some shortcomings. The Netfilter organization decided to create a new product called ‘iptables’. The iptables implementation is considered to be a faster and more secure alternative to ipchains, and iptables has become the default firewall package installed under RHEL 6 and Oracle Linux 6 releases. We will now introduce you to both the basic Firewall Configuration Tool and the more advanced ‘iptables’ tool.
Firewall Configuration Tool:
To start the Firewall Configuration Tool, you can go to the System ->
Alternatively, you can type the ‘system-config-firewall’ command at a shell prompt.
[root@examplehost /]# /usr/bin/system-config-firewall
In the following screenshot, you can see that the firewall is enabled on this system. You can also see that the ‘ssh’ service, using the TCP protocol and port 22, is a trusted service on this system.
The firewall rules configuration information is stored in the ‘/etc/sysconfig/iptables’ file. If you view this file, you will see output similar to what is shown below. You can see in the listing below that there is an entry for port 22 and that entry corresponds to the ‘ssh’ service.
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@examplehost /]#
In the Firewall Configuration window, click the Disable button and then the Apply button to disable the firewall. Once the firewall is disabled, you will see a grayed-out GUI screen like the one shown below. When the firewall is disabled, it allows all network traffic; there are no trusted services and no blocked ports or network traffic.
And when the Firewall is disabled, there is no ‘/etc/sysconfig/iptables’ file on the system. You can verify after disabling the firewall that the ‘/etc/sysconfig/iptables’ file is no longer present.
[root@examplehost /]# ls -l /etc/sysconfig/iptables
ls: cannot access /etc/sysconfig/iptables: No such file or directory
[root@examplehost /]#
Re-enable the firewall on your Oracle Linux 6 system by clicking the Enable and Apply buttons. Once the firewall has been enabled, add the WWW (HTTP) service, which runs on TCP port 80, to the list of trusted services. See the screenshots below.
Click ‘Yes’ on the following window to override any existing firewall configuration.
Once you have the WWW (HTTP) service that runs on port 80 enabled, you can verify and view the INPUT rule that it adds to the ‘/etc/sysconfig/iptables’ file on your system. See example outputs below.
[root@examplehost /]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
[root@examplehost /]#
You can see in the listing above that a new line has been added for the port 80 HTTP service in the ‘/etc/sysconfig/iptables’ file. This is the INPUT rule for the HTTP service; it makes HTTP a trusted service, which means the system will now allow connections to port 80 used by the HTTP service.
Verify that the HTTP service is running on your system. If it is not running, you can start it using the ‘service httpd start’ command.
[root@examplehost /]# service httpd status
httpd (pid 32706) is running...
[root@examplehost /]#
Once you have the httpd service running, you can use the ‘netstat’ command to confirm that port 80 is open and listening for incoming connections.
[root@examplehost /]# netstat -tulpn | grep 80
tcp 0 0 :::80 :::* LISTEN 32706/httpd
[root@examplehost /]#
You can stop the HTTPD service once you have confirmed that ‘netstat’ shows port 80 is open and listening for connections.
[root@examplehost /]# service httpd stop
Stopping httpd: [ OK ]
Let us go back to the Firewall Configuration GUI and click the ‘Other Ports’ option on the left of the screen. You will see a screen similar to what is shown below. If you set up an LDAP Directory server on a Linux system which has the firewall enabled, then you would have to open port 389 for the LDAP service on that system. Port 389 is the default LDAP server port. In this lab, we will assume that we have an LDAP server installed and will open port 389 by adding it to the list of accessible ports.
Click the Add button and add Port 389 to the list of accessible ports.
In the “Port and Protocol” Window, select the LDAP port 389 and click the OK button.
You should now have the Port 389 with protocol TCP and service LDAP in the list of accessible ports in the GUI as seen below. Click the ‘Apply’ button to apply these changes.
Clicking the ‘Apply’ button will add an INPUT rule for the LDAP port 389 that we just added as an accessible port. Open (use ‘cat’) the ‘/etc/sysconfig/iptables’ file and confirm the rule that was added for port 389 in this file.
[root@examplehost /]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Configuration tool like marking network interfaces which are trusted, masquerading IPv4 addresses, port forwarding, etc. We will not be doing labs for these in this training.
iptables tool:
As we discussed earlier, the Firewall Configuration Tool is used for setting up basic firewall rules. If you need more advanced and complex rules, you should use the ‘iptables’ tool. Actually, there are two tools available – iptables and ip6tables. The ‘iptables’ tool is for IPv4 networks and that is what we will use in this training. The ‘ip6tables’ tool is for IPv6 packet filtering and we will not be working on IPv6 network tools in this training.
The ‘iptables’ administration tool is a command line tool that is available in Linux kernel 2.4 and above. The ‘iptables’ tool uses the Netfilter subsystem to enhance network connection, inspection, and processing. The ‘iptables’ tool features advanced logging, pre- and post-routing actions, network address translation, and port forwarding, all in one command line interface.
Start by reading the man pages of the ‘iptables’ tool.
[root@examplehost /]# man iptables
You can use the ‘service iptables’ command to list all available options for the iptables service.
[root@examplehost /]# service iptables
Usage: iptables {start|stop|restart|condrestart|status|panic|save}
[root@examplehost /]#
Check using the ‘service’ command to find out whether the iptables service is running or not. In the output below, it says the firewall is not running, which means the iptables service is stopped.
[root@examplehost /]# service iptables status
iptables: Firewall is not running.
[root@examplehost /]#
If the iptables service is running on your system, you will see an output similar to what is shown below.
[root@examplehost /]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
2    ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0
3    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
4    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
5    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:80
6    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:389
7    REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target  prot opt source     destination
1    REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target  prot opt source     destination
[root@examplehost /]#
If you need to start the iptables service, you can start it as shown below.
[root@examplehost /]# service iptables start
iptables: Applying firewall rules: [ OK ]
[root@examplehost /]#
You can also run the ‘chkconfig’ command to see the init runlevels in which the iptables service is started during system reboots.
[root@examplehost /]# chkconfig --list iptables
iptables 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Type the following ‘iptables’ command as the ‘root’ user to list the rules of your firewall. The -L option lists the rules and the -n option displays IP addresses and ports in numeric format. You can also include the -v option to get more verbose output.
[root@examplehost /]# iptables -L -n
Chain INPUT (policy ACCEPT)
target  prot opt source     destination
ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0
ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:80
ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:389
REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target  prot opt source     destination
REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target  prot opt source     destination
[root@examplehost /]#
Rules are stored in chains and there are 3 chains – INPUT, FORWARD and OUTPUT. If you just want to view the rules in the INPUT chain only, you can run the following command.
[root@examplehost /]# iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target  prot opt source     destination
ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0
ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:80
ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:389
REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited
[root@examplehost /]#
You can print the line numbers for the rules in the INPUT, FORWARD and OUTPUT chains using the --line-numbers option as shown below. The --line-numbers option is useful for adding and deleting rule lines, as we will see shortly.
[root@examplehost /]# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
2    ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0
3    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
4    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
5    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:80
6    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:389
7    REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target  prot opt source     destination
1    REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target  prot opt source     destination
[root@examplehost /]#
To delete line 6 of the INPUT rules, you can use the -D option as shown below. This will delete line 6, which is the LDAP port 389 access rule in the listing above.
[root@examplehost /]# iptables -D INPUT 6
[root@examplehost /]#
After deleting the rule, run the iptables command to list the rules. You will notice that the rule line for LDAP port 389 has been deleted.
But if you look at the ‘/etc/sysconfig/iptables’ file, you will see that the LDAP port 389 rule is still there in this file. Any guesses why it is still there?
[root@examplehost /]# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
The rule is still there because, after deleting the rule, we have not saved the running rules to the configuration file (/etc/sysconfig/iptables). Run the ‘service iptables save’ command to save the new rules.
[root@examplehost /]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@examplehost /]#
Once the rules have been saved, you can run the cat command to check the ‘/etc/sysconfig/iptables’ file, and this time you should not see the LDAP port 389 rule in this file. See the output below.
[root@examplehost /]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Feb 6 16:03:37 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Feb 6 16:03:37 2013
[root@examplehost /]#
Even after you have saved the file, you still need to restart the iptables service so that it can re-read the new rules from the ‘/etc/sysconfig/iptables’ file and enforce the new rules.
[root@examplehost /]# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
[root@examplehost /]#
Let us list the rules with their line numbers now. We will then add back a rule using the iptables command.
[root@examplehost /]# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
2    ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0
3    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
4    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
5    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:80
6    REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target  prot opt source     destination
1    REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target  prot opt source     destination
[root@examplehost /]#
Let us now add a rule between line 5 and line 6 of our rules. In the example below, we are adding a new INPUT rule as line 6, where the protocol is TCP and the port that we allow access to is the LDAP port 389.
Once you have added the new rule for port 389 using the ‘iptables’ command, you can check using the iptables command with the --line-numbers option and confirm that it has been added as line 6.
[root@examplehost /]# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
2    ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0
3    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
4    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
5    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:80
6    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:389
7    REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target  prot opt source     destination
1    REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target  prot opt source     destination
[root@examplehost /]#
[root@examplehost /]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@examplehost /]#
[root@examplehost /]# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
[root@examplehost /]#
We will now look at an example where we open a range of ports on the Oracle Linux 6 system. In the example below, we open ports 8000 to 8010 on this system using the ‘iptables’ command. This time we append (-A) a new rule to the end of the INPUT chain rather than inserting it at a given line.
[root@examplehost /]# iptables -A INPUT -m state --state new -m tcp -p tcp --dport 8000:8010 -j ACCEPT
You can use the ‘iptables -L’ option and confirm that you see a new line (line 8 in the example below) appended to the INPUT rules for the port range that was opened.
[root@examplehost /]# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num  target  prot opt source     destination
1    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
2    ACCEPT  icmp --  0.0.0.0/0  0.0.0.0/0
3    ACCEPT  all  --  0.0.0.0/0  0.0.0.0/0
4    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:22
5    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:80
6    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpt:389
7    REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited
8    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  state NEW tcp dpts:8000:8010

Chain FORWARD (policy ACCEPT)
num  target  prot opt source     destination
1    REJECT  all  --  0.0.0.0/0  0.0.0.0/0  reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target  prot opt source     destination
[root@examplehost /]#
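Two things the listings in this lab invite a practitioner to check, shown here as an added example that is not part of the lab: a rule appended with -A lands below the catch-all REJECT (line 8 above sits after line 7, so no packet ever reaches it), and rules changed at run time differ from ‘/etc/sysconfig/iptables’ until ‘service iptables save’ is run. The Python below parses dumps in the iptables-save format used by that file; both sample rule sets are constructed for the example.

```python
"""Added example: parse iptables-save style dumps (the /etc/sysconfig/iptables
format), flag rules shadowed by a chain-wide REJECT/DROP, and diff saved vs running."""

# Constructed sample: the saved file after the LDAP rule was removed and saved.
SAVED = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample: `iptables-save` output after -A appended 8000:8010 below the REJECT.
RUNNING = SAVED.replace(
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n",
    "-A INPUT -j REJECT --reject-with icmp-host-prohibited\n"
    "-A INPUT -p tcp -m state --state NEW -m tcp --dport 8000:8010 -j ACCEPT\n",
)

def parse_rules(text):
    """{chain: [rule, ...]} in file order; a rule is the text after '-A CHAIN'."""
    chains = {}
    for line in text.splitlines():
        if line.startswith(":"):                 # chain header, e.g. ':INPUT ACCEPT [0:0]'
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):
            _, chain, rule = line.split(None, 2)
            chains.setdefault(chain, []).append(rule)
    return chains

def is_catch_all(rule):
    """True for a REJECT/DROP rule with no match options: it stops every packet."""
    tokens = rule.split()
    target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
    return target in ("REJECT", "DROP") and not {"-p", "-s", "-d", "-i", "-o", "-m"} & set(tokens)

def unreachable_rules(chains):
    """(chain, rule number) pairs for rules placed after a catch-all; they never match."""
    dead = []
    for chain, rules in chains.items():
        for num, rule in enumerate(rules, 1):
            if is_catch_all(rule):
                dead.extend((chain, n) for n in range(num + 1, len(rules) + 1))
                break
    return dead

def saved_vs_running(saved_text, running_text):
    """Per-chain rules present in only one dump: drift between file and kernel."""
    saved, running = parse_rules(saved_text), parse_rules(running_text)
    drift = {}
    for chain in sorted(set(saved) | set(running)):
        s, r = set(saved.get(chain, [])), set(running.get(chain, []))
        if s != r:
            drift[chain] = {"only_saved": sorted(s - r), "only_running": sorted(r - s)}
    return drift
```

On a real host, feed it the output of ‘iptables-save’ and the contents of ‘/etc/sysconfig/iptables’; an entry under "only_running" means a reboot or ‘service iptables restart’ will silently revert that rule.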
We will remove the rule that we just added using the -D option of the ‘iptables’ command as shown below.
[root@examplehost /]# iptables -D INPUT 8
[root@examplehost /]#
[root@examplehost /]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@examplehost /]# service iptables restart
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: [ OK ]
[root@examplehost /]#
Configuring complex firewall rules is an advanced topic and requires a deep understanding of the deployed services and their requirements before you configure firewalls. This concludes the introductory lab on firewalls and iptables.
One last thing: Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. We will leave this as a topic for you to explore on your own depending on your interest and requirements.