Maintaining & modifying your firewall and starting it on boot:
Maintenance
Maintaining your iptables firewall is pretty easy. The only thing you will want to keep an eye on is the logs at /var/log/firewall. The logs let you know when your server is being probed or when an attack is being attempted, allowing you to take appropriate action. Once you start viewing your logs, you are going to notice that almost every hour of every day someone is trying to gain access to your server, find an exploit on your server or attack your server. This is normal. Attackers simply scan entire networks for vulnerable servers, so don't take scans and attempted intrusions personally. Every publicly available server out there gets probed and scanned all the time, so don't think you are special and that you need to call the FBI or do something rash like that. The fact is that any time you see unsuccessful attempts to break into your server, that's a good thing: a logged, blocked packet means the firewall did its job for that attempt. Keep in mind what the log does and does not tell you, though. It records what the firewall refused; it tells you nothing about attempts that reach the services you have deliberately opened (SSH, mail, web), because that traffic is allowed through by design, so those services still need to be kept patched and their own logs watched. What is worth a closer look in the firewall log is change: a single source hitting many different ports in a short time (a port scan), or a sudden jump in volume against one port.
You will also want to make sure that you have a log rotation schedule set up for the firewall logs (on most Linux distributions this means a logrotate entry for /var/log/firewall). The logs can get quite large, so keep them in check by rotating them out on a regular basis.
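As an added example (not part of the original guide), here is a small POSIX shell script that pulls out of such a log the numbers a practitioner actually wants: which sources are most active, which ports they aim at, and which sources touched enough distinct ports to look like a scan. It assumes the firewall logs with the iptables LOG target, whose kernel lines carry SRC=, DST=, PROTO= and, for TCP and UDP, DPT= fields; the "FW-DROP:" log prefix, the host name and every sample line are constructed for this example, and each function takes the log path as its first argument so you can point it at /var/log/firewall.

```sh
#!/bin/sh
# Added example; not part of the original guide. Summarises iptables LOG
# output such as /var/log/firewall. The kernel's LOG target writes one line
# per packet with SRC=, DST=, PROTO= and (for TCP/UDP) SPT=/DPT= fields; the
# "FW-DROP:" prefix and every line in the sample below are constructed here.
# Each function takes the log file as its first argument, so
#   top_sources /var/log/firewall 10
# works on the real log.

SAMPLE_LOG="${TMPDIR:-/tmp}/firewall.sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 02:11:09 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44212 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 02:11:09 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44213 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 02:11:10 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44214 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 02:11:10 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44215 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 02:11:11 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44216 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 02:11:12 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=3212 SEQ=1
Mar  3 03:40:01 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 03:40:02 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 03:40:03 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=51002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 04:02:17 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=9 DF PROTO=TCP SPT=33000 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 04:02:18 web1 kernel: FW-DROP: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=10 PROTO=UDP SPT=5353 DPT=53 LEN=20
EOF
trap 'rm -f "$SAMPLE_LOG"' EXIT

# top_sources LOGFILE [N]: the N (default 10) most frequent source addresses,
# one "count address" per line, busiest first.
top_sources() {
    sed -n 's/.*SRC=\([^ ]*\).*/\1/p' "$1" \
        | sort | uniq -c | sort -rn | head -n "${2:-10}" | awk '{ print $1, $2 }'
}

# top_ports LOGFILE [N]: most frequently targeted protocol/port pairs, as
# "count PROTO/port". ICMP lines carry no DPT= and are skipped.
top_ports() {
    sed -n 's/.*PROTO=\([A-Z]*\).*DPT=\([0-9]*\).*/\1\/\2/p' "$1" \
        | sort | uniq -c | sort -rn | head -n "${2:-10}" | awk '{ print $1, $2 }'
}

# scanners LOGFILE [THRESHOLD]: sources that hit more than THRESHOLD (default
# 5) distinct destination ports, as "address ports". Many distinct ports from
# one source is the signature of a port scan; repeated hits on one port is not.
scanners() {
    sed -n 's/.*SRC=\([^ ]*\).*DPT=\([0-9]*\).*/\1 \2/p' "$1" | sort -u \
        | awk -v t="${2:-5}" '{ n[$1]++ } END { for (s in n) if (n[s] > t) print s, n[s] }' \
        | sort
}

echo "== busiest sources";  top_sources "$SAMPLE_LOG" 5
echo "== most hit ports";   top_ports   "$SAMPLE_LOG" 5
echo "== likely scanners";  scanners    "$SAMPLE_LOG" 3
```

On the sample, 203.0.113.5 shows up as both the busiest source and the only scanner (five distinct ports in three seconds), while 198.51.100.77 hammering port 22 three times is a brute-force attempt rather than a scan and only shows up in the port table. The same three one-liners run unchanged against a rotated log (`top_sources /var/log/firewall.1`), which is the quickest way to compare today with yesterday.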
Modifications
OK, so you've got your firewall up and running. But what if you need to make a change to the rules? What if you need to open up another port? What if you want to close a certain unused port? What if you want to block someone from your server? Get the answers right here.
What if I want to open another port?
While it is possible to append rules to your live iptables configuration, I find that the best way to make changes is to change the firewall script itself and then re-import the script back into the iptables configuration. In terms of this site's setup, this means that you will want to edit the /root/primary_firewall file. Within this config file you can add rules or remove rules and then import the new firewall into the iptables ruleset. Changing the file first also means the change survives a reboot, whereas a rule added to the live ruleset with the iptables command is gone the next time the firewall script is loaded.
So, let's take an example.
Example: I want to allow inbound "tcp" traffic to port 139
To do this you would add the following line to the "INPUT" section of the /root/primary_firewall script:
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
Let's go over what this line does...
-A - this tells iptables to "append" the new rule to the end of the named chain in the current iptables ruleset. In the saved file, rules are appended in the order they appear, so the order of lines is the order in which they are evaluated.
INPUT - The new rule will be appended to the "INPUT" chain of the ruleset, which controls inbound server traffic.
-p - Indicates what protocol the rule applies to. Popular protocols are "tcp", "udp", "icmp" and several others.
-m - Loads a match extension module. "-m tcp" loads the tcp match, which is what provides the --dport and --sport options, so for port rules it carries the same value as the -p flag. (iptables loads this match implicitly when you give -p tcp, so the explicit -m tcp is how iptables-save writes the rule out rather than something you strictly have to type.)
--dport - Specifies the destination port to which the traffic is directed. In this case, it's port 139.
-j - Instructs the firewall to "jump" to the specified target. In this case, requests to TCP port 139 "jump" to "ACCEPT" and are therefore accepted and allowed to pass through the firewall.
ACCEPT - As noted above, this is the target that the rule "jumps" to. In the example above, any inbound traffic to TCP port 139 will "jump" to the "ACCEPT" target, and thus will be able to pass through the firewall.
So the breakdown above should tell you that the rule we are adding is going to allow all inbound traffic to TCP port 139. Once you add that line to the "INPUT" section of the firewall script, you can then import the new firewall with the following command:
iptables-restore < /root/primary_firewall
iptables-restore replaces the whole active ruleset with the contents of the file (unless you pass --noflush), which is exactly what you want here: the file is the single source of truth, and iptables -L INPUT -n afterwards should show the new rule. Wow, now wasn't that easy?
What if I want to close a port?
The answer to this is similar to the previous question. However, you need to remember that your firewall, as it stands now, automatically blocks ALL inbound, outbound and forwarded traffic by default. The only way that a port gets opened is if there is a rule telling the firewall to open that port.
Let's take an example...
Example: I want to close TCP port 143 inbound.
In the firewall script that comes with this guide, you will notice the following entry that opens up inbound traffic to TCP port 143 (for IMAP). That rule looks like this:
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
Well, if you wanted to close port 143, all you would have to do is edit the firewall script at /root/primary_firewall and remove that line. Once the line is gone and you've saved the changes, you would activate the change by re-importing the firewall script back into the iptables ruleset like so:
iptables-restore < /root/primary_firewall
Because the import replaces the ruleset rather than adding to it, the old ACCEPT rule is gone the moment the command returns; iptables -L INPUT -n will confirm that nothing mentions port 143 any more. Now wasn't that easy?
Now, let's take another example so that I can demonstrate something that you DON'T need to worry about.
Example: I want to block all inbound traffic to TCP port 3389.
Again, let's take the firewall that comes with this guide. All of a sudden you get it in your head that you need to close TCP port 3389. What to do? Well, if you take a look at the firewall script you will notice that TCP port 3389 is not mentioned anywhere in the script and, to be more specific, it is not mentioned in the "INPUT" portion of the script. Well, since our firewall is configured to block ALL traffic by default and only open ports on request, 3389 is ALREADY CLOSED. In other words, you don't need to worry about that port because it has been automatically closed by the firewall. The only way it would be open is if you created a specific rule that requested that the port be open. Get it? If you want proof rather than trust, iptables -L INPUT -n prints the chain's policy on its first line and every rule beneath it, and iptables-save | grep 3389 coming back empty shows that no rule anywhere mentions the port.
What if I want to completely block someone from my server?
The procedure for this is just the same as the ones above. Basically, all you're going to do is edit the firewall script, add a rule to block whoever, save the changes and then re-import the firewall script back into the server's ruleset. Easy as hell. One thing to watch: iptables evaluates the INPUT chain from top to bottom and stops at the first rule that matches, so the blocking rule must come before any ACCEPT rule that the same traffic could match. Put it at the top of the INPUT section, not at the bottom, or the host will still get through to every port you have opened.
So let's take an example:
Example: I want to block anyone from the host 1.2.3.4 from accessing my server.
Open the /root/primary_firewall script and add the following line to the INPUT section of the script, ahead of the ACCEPT rules:
-A INPUT -s 1.2.3.4 -j DROP
Now let's break that down to see what this rule is doing...
-A - this tells iptables to "append" the new rule to the current iptables ruleset.
INPUT - The new rule will be appended to the "INPUT" portion of the ruleset, which controls inbound server traffic.
-s - Specifies the source address of the request. In this case we are specifying 1.2.3.4 as the source. A whole network in CIDR notation (for example 1.2.3.0/24) works here too.
-j - Instructs the firewall to "jump" to the specified target. In this case, requests coming from source 1.2.3.4 "jump" to the DROP target, thus blocking anyone from that address from accessing your server at all.
DROP - As noted above, this is the target that the rule "jumps" to. In the example above, any traffic coming from 1.2.3.4 will "jump" to "DROP", and thus will be blocked. DROP discards the packet without sending anything back, so the sender only ever sees a timeout; if you would rather they get an immediate refusal, the REJECT target does that, but DROP gives a scanner less to work with.
What if I only want to block someone from accessing a certain port, while allowing them to access all others?
This would just be a more specific version of the above rule. In this case, you would specify the destination port and the protocol type with the "-p", "-m" and "--dport" flags. If you wanted to block anyone from 1.2.3.4 from accessing port 25 on your server, it would look like this:
-A INPUT -s 1.2.3.4 -p tcp -m tcp --dport 25 -j DROP
The same ordering rule applies: this line has to sit above the ACCEPT for port 25, otherwise the ACCEPT matches first and the DROP is never reached. Easy enough, right?
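The three kinds of change above (open a port, close a port, block a host outright or on one port) can be scripted against the saved-ruleset file instead of edited by hand, and doing so makes the rule-ordering point concrete. The shell functions below are an added example, not this guide's own firewall script; the sample ruleset they work on is constructed here in iptables-save format to stand in for /root/primary_firewall, whose real contents are not shown on this page, and the FW variable is the example's own name for that file.

```sh
#!/bin/sh
# Added example, not the guide's own script. Edits a ruleset file in
# iptables-save format (the format iptables-restore reads) while keeping the
# rules in the order iptables will evaluate them. FW points at a constructed
# sample standing in for /root/primary_firewall; set FW=/root/primary_firewall
# to use the functions for real.
FW="${TMPDIR:-/tmp}/primary_firewall.sample.$$"
cat > "$FW" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
EOF
trap 'rm -f "$FW" "$FW.demo"' EXIT

# _rewrite FILE CMD...: run CMD with FILE as its last argument and replace
# FILE with the output, so a failed filter never leaves a half-written file.
_rewrite() {
    f="$1"; shift
    "$@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# open_tcp_port FILE PORT: add an ACCEPT for PORT as the last rule before
# COMMIT, i.e. after every existing rule, so any earlier DROP still wins.
open_tcp_port() {
    _rewrite "$1" awk -v rule="-A INPUT -p tcp -m tcp --dport $2 -j ACCEPT" \
        '$0 == "COMMIT" && !done { print rule; done = 1 } { print }'
}

# close_tcp_port FILE PORT: remove the exact ACCEPT line for PORT. With a
# default-DROP INPUT chain nothing else is needed: no rule means closed.
close_tcp_port() {
    _rewrite "$1" grep -vFx -- "-A INPUT -p tcp -m tcp --dport $2 -j ACCEPT"
}

# block_host FILE IP [PORT]: insert a DROP for IP (optionally only for TCP
# PORT) ahead of the first existing INPUT rule. Position matters: iptables
# stops at the first matching rule, so a DROP appended after an ACCEPT for
# the same traffic would never fire. Falls back to just before COMMIT if the
# chain has no rules yet.
block_host() {
    if [ -n "$3" ]; then
        rule="-A INPUT -s $2 -p tcp -m tcp --dport $3 -j DROP"
    else
        rule="-A INPUT -s $2 -j DROP"
    fi
    _rewrite "$1" awk -v rule="$rule" \
        '!done && ($0 ~ /^-A INPUT / || $0 == "COMMIT") { print rule; done = 1 } { print }'
}

# input_rules FILE: the INPUT rules in the order iptables will evaluate them.
input_rules() {
    grep -- '^-A INPUT ' "$1"
}

# Stand-alone demo on a copy of the sample, leaving $FW itself untouched.
cp "$FW" "$FW.demo"
open_tcp_port  "$FW.demo" 139          # open NetBIOS session service
close_tcp_port "$FW.demo" 143          # close IMAP
block_host     "$FW.demo" 1.2.3.4      # drop everything from one host
block_host     "$FW.demo" 5.6.7.8 25   # drop only SMTP from another
input_rules    "$FW.demo"
```

Run against the real file, follow each edit with iptables-restore --test < /root/primary_firewall (as root), which parses the file and reports syntax errors without touching the live ruleset, and only then do the real iptables-restore < /root/primary_firewall. Afterwards iptables -L INPUT -n --line-numbers shows the chain exactly as it will be evaluated, which is the quickest way to confirm that a DROP you meant to put first really is first.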
The previous questions are only a sampling of the many, many modifications and customizations that can be made to your firewall. Check out the iptables man page (man iptables) for the whole gamut.
As I said before, always make sure you enable your iptables "safetynet" before you start playing with your firewall setup. You don't want to accidentally lock yourself out of your server! A typo in the file is caught by iptables-restore --test, but a rule that is syntactically fine and simply drops your own SSH session is not, and that is exactly the case the safetynet exists for.
Starting your firewall on boot
The final part of this setup guide will cover the integration of your firewall into the server's boot process. If you would like your firewall to start on boot and work correctly, you will want to do the following:
cp /root/primary_firewall /etc/sysconfig/iptables
This will cause your iptables config script to be loaded at boot time: on Red Hat style systems (Red Hat, Fedora, CentOS) the iptables init script feeds /etc/sysconfig/iptables to iptables-restore, so make sure that service is enabled (chkconfig iptables on). Remember to copy the file again after every change to /root/primary_firewall, or the next reboot will silently revert to the old rules. The last step is to make sure that the "ip_conntrack_ftp" kernel module loads on boot as well, to ensure correct FTP functionality.
vi /etc/rc.local
Add the following line:
/sbin/modprobe ip_conntrack_ftp
Save and exit the file. Use modprobe here rather than insmod: insmod needs the full path to the .ko file and loads nothing the module depends on, whereas modprobe looks the module up by name and pulls in its dependencies. On newer kernels this module is named nf_conntrack_ftp instead, so if modprobe reports that ip_conntrack_ftp cannot be found, use that name; lsmod | grep conntrack_ftp confirms it is loaded.
That's it! You're all done. Enjoy your new firewall! Please take a moment to go to the next page and provide me with some feedback and/or commentary.