Firewall Fundamentals

The NetFilter packet filter is configured through the iptables command utility. Like its predecessor, ipchains, iptables enables firewall administrators to control a wide variety of features in the NetFilter packet filter. Chief among these are adding or inserting filter rules within a preexisting set of rules, defining the policy of the various chains in the filter, or creating userdefined chains for specific purposes such as testing for denialofservice (DoS) attacks or other specific attacks.

The path a packet takes through the NetFilter process depends on whether it is destined for the firewall host itself or whether it is being forwarded to a second interface. For most packets that traverse the firewall, the sequence of tables and chains is as follows:

1. Mangle PREROUTING

2. NAT PREROUTING

3. Filter FORWARD

4. NAT POSTROUTING

As shown in Figure 7-4, the process of forwarding packets to the second interface involves a routing decision by the firewall. If a packet is destined for the firewall itself, it must traverse the filter INPUT chain before reaching the local process on the firewall. Packets sent by local processes on the firewall must traverse the filter OUTPUT chain and might traverse the NAT POSTROUTING chain but only if some form of destination NAT is being conducted. Overall, the process through the NetFilter tables and chains is very logical in order and efficiency.

Packets need not traverse every chain in the NetFilter system. It all depends on the destination of the packet as well as what rules are applicable and whether NAT is involved.

Although the configuration of NetFilter firewalls using the iptables utility may appear to be a daunting task, you can also configure NetFilter through a variety of graphical interface tools such as Firewall Builder, Firestarter, or Webmin. Some examples to follow show how you can configure NetFilter using the iptables utilities as well as these graphical tools. This discussion is not meant to be a detailed method of how to use these tools but rather a brief introduction to these tools. You must further explore and decide which tool you are most comfortable using to manage Linux-based firewalls.

IPTables CommandLine Tool

The iptables commandline tool works very much like the older ipchains tool. The iptables utility provides for several commonly used actions (known as targets) for packets that match the filter rules:

• ACCEPT Let the packet through.

• DROP Drop the packet.

• QUEUE Pass the packet to userspace.

• RETURN Stop processing this chain and resume at the next rule in the previous chain.

• REJECT Send an error packet when a matched packet is detected.

• MASQUERADE Map the source IP address to the IP address of the interface that the packet is going out. You should use this only with dynamic connections such as dialup or a DHCPassigned provider IP address. Otherwise, use SNAT.

• DNAT Specifies that the destination address of the packet should be modified.

• SNAT Specifies that the source address of the packet should be modified.

• LOG Turn on kernel logging of packets that match the rule.

• ULOG Provides for userspace logging of packets that match the rule.

Note

These are the most commonly used targets. For additional information about these and other targets, check out http://www.netfilter.org.

In addition, you can specify a userdefined chain as a target, too. Example 7-1 shows how you can configure a basic firewall filter.

Example 7-1. Basic Linux Firewall Filter Configuration

Firewall Builder, Firestarter, and Webmin also come in handy when configuring NetFilter.

Firewall Builder

You can find the Firewall Builder software at http://www.fwbuilder.org. Unlike other firewall management software, Firewall Builder provides a policy compiler for Linux's NetFilter firewall as well as for FreeBSD's and OpenBSD's packet filter (pf) firewall, the IPFilter (IPF) firewall, and the Cisco PIX Firewall. IPF is another open source firewall software package that can be built in to a variety of operating systems, including Sun Solaris, NetBSD, FreeBSD, OpenBSD, HP's HPUX, and SGI's IRIX operating systems. Building a firewall policy with Firewall Builder is exceptionally easy and flexible. You can build a simple packet filter using Firewall Builder much more easily than with the iptables commandline utility, as shown in Figure 7-5. The filter in Figure 7-5 is partially based on the filter given in Example 7-1. The services allowed in are Secure Shell (SSH:TCP/22), Simple Mail Transport Protocol (SMTP:TCP/25), Hypertext Transfer Protocol (HTTP:TCP/80), two Virtual Network Computing connections (VNC0:TCP/5900, VNC1:TCP/5901), and TCP traffic that is part of a previously established connection. All other traffic is denied.

Firewall Builder is available as packages for a variety of operating systems, including Red Hat 9, Fedora Core 3 and 4, Slackware Linux, MacOS X, and Windows 2000 and XP. Firewall Builder uses a duallicense model. The software is available under the GNU Public License (GPL) for operating systems that are available under GPL (such as Red Hat and other Linux derivativesthis list also includes the BSDderived operating systems, too, even if they are not strictly available under GPL). The software is available under a commercial license for commercial operating systems (this includes Sun Solaris, HP's HPUX, and SGI's IRIX).

Firewall Builder stores the configuration of the firewall and its policy in an XML file titled firewall_name.fwb. In addition, when the firewall policy is compiled, it creates a file called firewall_name.fw. This is a shell script that is uploaded to the firewall to apply the changes to the filter policy.

Firestarter

Firestarter is an open source visual firewall policy compiler similar to Firewall Builder. Like Firewall Builder, Firestarter provides the administrator with a graphic interface to build a filtering policy. However, unlike Firewall Builder, Firestarter cannot group items into objects or provide control over multiple firewalls. Firestarter is focused on the policy of a single firewall. Firewall Builder, on the other hand, can manage the policies of multiple firewalls from a central server. Firestarter is to Firewall Builder as the PIX Device Manager (PDM) or Adaptive Security Device Manager (ASDM) is to the CiscoWorks Management Center for Firewalls. When started from the command line, Firestarter brings up a status window, as shown in Figure 7-6.

You can use Firestarter to build both an inbound as well as an outbound policy on the firewall, as shown in Figure 7-7. Like its Firewall Builder counterpart, the policy can be detailed or it can be as sparse as needed. After the policy has been defined, it can be saved and is stored in flat text files and shell scripts in /etc/firestarter.

Figure 7-7 shows the same policy for TCPbased traffic as defined earlier using the iptables utility and the Firewall Builder software.

Webmin

The final method for managing NetFilter on a Linux system covered in this chapter is Webmin. This software is available at http://www.webmin.com. Webmin is more than just a firewall management system. Webmin can manage users, network configuration, system configuration, and much more, as shown in Figure 7-8.

By default, Webmin comes with two methods of managing NetFilter, as shown in Figure 7-9:

• The Linux Firewall module

• The Shoreline Firewall module (otherwise known as Shorewall)

The focus during this discussion is on the Linux Firewall module because the Shoreline Firewall module requires the installation of additional files from the Shorewall project (http://www.shorewall.net).

Webmin enables administrators to control all three tables in NetFilterfilter, mangle, and NATthrough either the Linux Firewall Webmin module or the Shorewall Webmin module, as shown in Figure 7-10.

Figure 7-11 shows the configuration of a simple firewall example.