Secure Linux the easy way with iptables
Written by Ian on 20/08/08
Did you know most Linux machines are wide open by default after installation? Well, it has to be said that a 'wide open' Linux box is probably about as secure as a Windows machine with the Microsoft firewall.
But why define ourselves in terms of Microsoft solutions? Actually we can do a lot better and, with little effort, create an almost impregnable machine!!
This article explains how.
Your Linux machine receives IP traffic, typically on an Ethernet interface named eth0.
Or you could type the following to see if you have any wireless devices:
Normally, when these devices
IP packets have various items of information such as
To find out more about which ports are used, refer to the file /etc/services, which lists each service's protocol name, port number and transport type (generally either UDP or TCP).
So packets are sorted by protocol and port, and the Linux kernel uses this information to decide which program should receive the incoming packets.
What a firewall does is come between the outside world and those programs that the kernel might call. In fact, if set up properly, it should allow only the expected traffic to go to the expected programs - it should not allow anything unexpected.
A 'wide open' system with no firewall can receive any type of packet, and the kernel will go about looking for a recipient for these packets - whether they are genuine or not.
So a firewall can be set up to block unexpected traffic. Or, more commonly, to block everything except known wanted traffic!
It can also block
Firewalls can be set to act on different interfaces in different ways: if you have two ethernet ports, or eth0 plus wireless, you can handle each differently.
However, don't read that - it's too complicated!!
A SIMPLE BUT SECURE FIREWALL
First of all, make sure you have iptables installed:
sudo iptables -L
This should list all the rules... actually it will tell you about three chains, INPUT, FORWARD and OUTPUT, and there will probably be no rules in any of them.
Before we start, we should also delete (or flush) any existing rules:
sudo iptables -F
Next, we will build a step-by-step firewall configuration at the command line. Then you will save this, and finally set up your system to load it automatically at boot time.
1. First things first. Allow the loopback interface (used internally by your Linux system for many things) to operate normally:
sudo iptables -A INPUT -i lo -j ACCEPT
This says "any inputs on the interface called lo or loopback, we should just accept them".
2. Next, any program within the system that initiates a contact with the outside world should be allowed (i.e. this firewall is one-way: it blocks attacks from outside only).
I also tend to enable secure login and secure copying of files using SSH (secure shell):
And I also allow people to ftp into some of my machines:
4. I like to log the things that I drop:
This will log, to the syslog, any dropped packets from the INPUT chain, and will prefix each log line so you can pick them out. I will log at most one per second (which could still result in a big logfile in a few years' time...).
5. Finally we drop everything else, apart from those we have specified above that we want, automatically:
6. The next step is to automate everything.
sudo sh -c "iptables-save > /etc/iptables.rules"
Then we edit (as sudo) /etc/network/interfaces and add the following line to the stanza of the interface concerned (eth0, say):
pre-up iptables-restore < /etc/iptables.rules
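The six steps above, collected into one script. This is an added example, not the article's own commands: it writes the whole ruleset in iptables-save format (the same format step 6 saves to /etc/iptables.rules), so it can be reviewed as a file and loaded in one go by iptables-restore, and a typo leaves the previous rules in place rather than a half-built firewall. The article's exact commands for steps 2 to 5 did not survive in the text, so the rules here are assumptions: step 2 uses the conntrack match on ESTABLISHED,RELATED; SSH is assumed on 22/tcp and FTP on 21/tcp; the log prefix "IPTABLES-DROP: " is made up for the example; and the FORWARD chain, which the article never mentions, is set to DROP because this is a host, not a router.

```sh
#!/bin/sh
# Added example (not the article's code): the article's six-step firewall
# as one iptables-restore file. Assumptions not stated in the article:
# SSH on 22/tcp, FTP on 21/tcp, constructed log prefix "IPTABLES-DROP: ".
SSH_PORT="${SSH_PORT:-22}"
FTP_PORT="${FTP_PORT:-21}"
LOG_PREFIX="${LOG_PREFIX:-IPTABLES-DROP: }"

# Print the ruleset in iptables-save format. iptables-restore ignores
# lines beginning with '#', so the step numbers can stay in the file.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# step 1: the loopback interface is trusted
-A INPUT -i lo -j ACCEPT
# step 2: replies to connections this machine started (one-way firewall)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# step 3: new connections to the services we deliberately expose
# (FTP data connections also need the nf_conntrack_ftp helper loaded)
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $FTP_PORT -m conntrack --ctstate NEW -j ACCEPT
# step 4: log what is about to be dropped, at most one line per second;
# packets over the limit are still dropped, just not logged
-A INPUT -m limit --limit 1/s -j LOG --log-prefix "$LOG_PREFIX"
# step 5: everything else is dropped by the INPUT policy set above
# (FORWARD is DROP too: this box is a host, not a router)
COMMIT
EOF
}

# Number of INPUT rules in the ruleset: compare with 'iptables -L -v'
# after the reboot in the article's final check.
count_input_rules() {
    build_rules | grep -c '^-A INPUT'
}

# Step 6, first half: write the ruleset where the article keeps it.
save_rules() {
    build_rules > "${1:-/etc/iptables.rules}"
}

# Load the whole ruleset in one transaction (needs root).
apply_rules() {
    build_rules | iptables-restore
}

case "${1:-}" in
    --apply) apply_rules ;;
    --save)  save_rules "${2:-}" ;;
    *)       build_rules ;;
esac
```

Run it with no arguments to review the rules, `--save` to write /etc/iptables.rules, and `--apply` (as root) to load them. `iptables-restore --test < /etc/iptables.rules` parses the file without committing it, which is a cheap check before the pre-up line in /etc/network/interfaces loads it at boot.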
Finally, you are all done!!
Reboot the system and run the following to check it all worked:
sudo iptables -L -v
It should list out all the firewall chains you have.
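Once the firewall is running, the step-4 LOG rule is what tells you it is actually dropping things. The script below is an added example, not part of the article: it reads kernel log lines (from syslog or `journalctl -k`), keeps only those carrying the drop prefix, and counts them by source address, protocol and destination port. The prefix "IPTABLES-DROP: " is assumed, and the embedded log lines are constructed to match the shape of the kernel's LOG output, using documentation address ranges rather than real hosts.

```sh
#!/bin/sh
# Added example (not the article's code): summarise the syslog lines
# written by the article's step-4 LOG rule. Assumes the constructed
# prefix "IPTABLES-DROP: "; set LOG_PREFIX if yours differs.
LOG_PREFIX="${LOG_PREFIX:-IPTABLES-DROP: }"

# Constructed sample of what the kernel LOG target writes; one unrelated
# sshd line is mixed in to show that non-firewall lines are ignored.
sample_log() {
    cat <<'EOF'
Aug 20 10:01:02 box kernel: IPTABLES-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 20 10:01:03 box kernel: IPTABLES-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 20 10:01:03 box sshd[812]: Accepted publickey for ian from 192.0.2.20 port 50122 ssh2
Aug 20 10:01:04 box kernel: IPTABLES-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 20 10:01:05 box kernel: IPTABLES-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1234 PROTO=UDP SPT=5060 DPT=5060 LEN=40
Aug 20 10:01:06 box kernel: IPTABLES-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=48 ID=1235 PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
EOF
}

# Read log lines on stdin and print "count source proto dport" for the
# prefixed lines only, most frequent first. ICMP has no port, shown as "-".
summarize_drops() {
    grep -F -- "$LOG_PREFIX" | awk '
    {
        src = ""; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# The single busiest source/port pair in the sample.
top_drop() {
    sample_log | summarize_drops | head -n 1
}

# Number of distinct source/proto/port combinations in the sample.
drop_kinds() {
    sample_log | summarize_drops | wc -l | tr -d ' '
}

# With "-" as the only argument, read real log lines from stdin
# (e.g. journalctl -k | sh dropsummary.sh -); otherwise use the sample.
if [ "${1:-}" = "-" ]; then
    summarize_drops
else
    sample_log | summarize_drops
fi
```

On the sample the first line of output is `3 198.51.100.7 TCP 23`: three dropped connection attempts to telnet from one address, with the sshd login line ignored. Remember that the step-4 rule logs at most one packet per second, so these counts are a floor, not an exact total.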
iptables is really great.
For more information, try looking here: