Linux Firewall Demonstration

The course is part of this learning path

Linux Security and Hardening
7
4
Start course
Overview
Difficulty
Intermediate
Duration
1h 7m
Students
100
Ratings
5/5
starstarstarstarstar
Description

In this course, you'll learn some techniques and strategies to secure network services. You'll also learn how the local firewall works in Linux and how to configure it. We'll talk about information leakage and ways to prevent it. Next, you'll learn how to test for open ports and perform port scans. You'll also learn about xinetd, what it does, and how to secure it. We'll also cover how to secure SSH. This course includes some guided demonstrations so that you can see the concepts being used in real-world environments.

Learning Objectives

  • Learn how to secure SSH
  • Understand the fundamentals of Linux firewall security, including configuring a firewall from the command line and setting up firewall rules
  • Learn how to use TCP wrappers to secure your Linux system

Intended Audience

This course is intended for anyone who wants to understand how to secure their Linux systems.

Prerequisites

To get the most out of this course, you should already have a good working knowledge of Linux. If you want to brush up on your Linux skills, consider taking our Learn Linux in 5 Days learning path first.

Transcript

I'm logged into a Linux box here and I have a web server running on this system. Let's create a simple set of rules that allows anyone to connect to the web service and only people on my private network to connect via SSH, and we'll go ahead and block all the other packets. First, let's just start out by looking at what's in the filter table. So I can do iptables -L to list the rules. And as you can see, there are no rules defined. Let's go ahead and create that rule that allows anyone to connect to the web server on port 80. Use the iptables command. I'm going to use A, for append, you can also use I for insert, since there's no rules at this point, it really doesn't matter. I'm going to use A for append, I'm going to put this rule in the input chain. We're gonna look for TCP connections that are destined for port 80, and we aren't going to do any other type of processing. We're gonna go ahead and jump to, or go to the Accept target, we're just gonna accept these packets right away. So now let's look at what we've done here, and you can see that the rule has been added to the input chain, accept TCP packets from anywhere that are destined to any address on the HTTP port. So as you can see that the port 80 was translated into its name of HTTP. If we wanna just use numbers or see numbers, we'll use the -n option. So I'll run iptables -n, -L. And then now you can see that the source and destination are listed in a numeric notation. And then also the port of 80 is listed versus the name, which is HTTP. Okay, let's go ahead and accept SSH connections from the 10.0.0.0 network. So we'll do an append to the input table. Again, we're concerned with TCP protocol, the destination port would be 22. The source is going to be 10.0.0.0/24. /24 network is also the same as 255.255.255.0, and that's the subnet mask for a /24. So you can use either type of notation here. I'm just gonna stick with a /24. And again, I don't wanna do any more processing on these packets, I wanna accept them as well. So we'll use a -j ACCEPT to go to the Accept target. And we'll look at our rules again. So rule number one is accept packets that are bound to port 80, and rule number two is accept packets if they originate on the 10.0.0.0/24 network that are destined to port 22 which is the SSH port. Let's go ahead and drop every packet that doesn't match one of those two rules. We'll do this with the iptables command, - A to append in the input chain. And I won't specify any match criteria because we wanna match all the packets and we'll send that to the Drop target. Since we didn't specify any match rules, like the protocol, or ports, or anything like that, any packet will match that rule. Let's go ahead and test this. In this tab, I have a system that's on the 10.0.0.0/24 network. And if I attempt a connection to port 80, it should succeed. So I'll do nc for netcat, -v 10.0.0.8 which is the IP address of our server system and port 80. And then you can see that the connection succeeded there so that nc command, it's also known as netcat, and it can be used for a variety of things. Here it's just attempting to connect to the IP address of the port specified on the command line. Now let's do the same thing, but to the SSH port. Okay, again, the connection succeeded. So let's go back to our original server system and remove the rule that allows port 80 connections. I'm going to do a listing here that includes inline numbers, so I can delete rules by line numbers. So I'll use iptables -D for delete. I wanna delete a rule out of the input table. And the rule number I want to delete is one. Now you can see that that rule was deleted and we are left with the other two rules in our chain. So let's go back to our system and test this. The -w option of the netcat command lets you specify a timeout. Here I used two seconds because I know it was going to time out and I didn't wanna wait the entire time. So our connection timed out because the firewall simply drops the packets. Instead of dropping packets, let's see what happens if we reject those packets. Let's go back to our service system. All right, I'm going to delete the second rule out of the input table. And then I'm going to append a new rule that rejects packets. All right, there is our new rule. Let's go back to our client's system and test this time. So immediately we get a "Connection Refused" message. So if you want someone to know that they're being blocked by the firewall, use Reject as the target. If you want to silently drop their packets and ignore them, use the Drop target. Let's get back on the server here, clear our rules, and start over to an iptables -F to flush our rules, and we run -L, you can see all those rules are gone. Let's do -A INPUT, protocol TCP, destination port 22. If it comes in on the 10.0.0.0/24 network, let's go ahead and accept those packets. Let's create a new table, a custom name table here. We'll call this new table "LOGNDROP". Let's go ahead and add some rules to this table. We'll use the limit module and we'll limit packets to, let's say, five a minute and we'll log those packets. And there's an additional option you can use here, called --log-prefix. And this is what's gonna show up in our system log and I'll just use iptables BLOCK, and a space at the end there. Now, after we log the packet, we're gonna go ahead and drop the packet. And let's go ahead and append the destination, or let's jump to this new chain that we've created from the input chain. Okay, let me look at the rules here. So the packet will come in and traverse the filter table, go through the input chain. And if it's destined to port 22 and originates from 10.0.0. something, then it will be accepted. In all other cases, the packet will be made to traverse the log and drop chain. This chain has two rules. The first rule is a logging rule. Here we've used rate limiting, so we don't fill up our disc with blocked messages from IP tables. Let's go ahead and send some packets over here to block. Let's also tail the messages file. So, var/log/syslog here. I'll just send packets here, like we've done just a second ago. So it timed out, so that means our packet got dropped. Let's go over here. And then now you can see that we have some log messages. Here is the log prefix that we specified. This packet came in eth0, and this is the Mac address. This was the source address, 10.0.0.6. The destination was the IP address of this system which was 10.0.0.8. And there's some other information in here. Here's the source port from the source machine, the destination port, which was port 80 for the web server. And again, this got blocked, and if you log every single message that blocks, again, you'll fill up your desk. So that's why we're using rate limiting in this instance. Okay, I'll go ahead and quit out of that. So if you don't wanna lose your changes after a reboot, remember to save the running configuration. Now this will vary from distro to distro but for this Ubuntu system I can run netfilter-persistent, followed by the word "save".

About the Author
Avatar
Jason Cannon
Founder, Linux Training Academy
Students
3315
Courses
60
Learning Paths
7

Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Amazon.com. Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.