Linux Stateful Firewall
A stateful firewall is a very powerful firewall. It keeps track of its
connections and can thereby distinguish packets belonging to an established
connection from packets that do not. Basically you can configure it in
such a way that nobody can establish any kind of connection to your server:
other servers can only send packets to your server if your computer established
the connection first. E.g. if you connect to a web server with your browser,
the web server answers your request and the kernel accepts the network packets
from this web server since you started the connection with your browser. If
you had not initiated the connection with your browser, all network packets
coming from this web server would have been rejected or dropped, respectively;
see the options "REJECT" and "DROP" below.
Here is a summary describing how I installed a Stateful Firewall on Red Hat 7.2:
Since iptables can define rules for interfaces that are not yet
activated, the iptables commands should be executed before the network
interfaces are initialized.
But before you issue any iptables commands, you first have to remove
the ipchains module by executing /sbin/rmmod ipchains, since
the two modules are mutually exclusive. A better way, though, is to update Red
Hat's init scripts for ipchains and iptables so that only
the iptables module is loaded at the next reboot:
/sbin/chkconfig ipchains off
/sbin/chkconfig iptables on
Here are some examples I'm using:
/sbin/iptables -F
/sbin/iptables -N block
/sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
/sbin/iptables -A block -j LOG
/sbin/iptables -A block -j DROP
/sbin/iptables -A INPUT -j block
/sbin/iptables -A FORWARD -j block
This drops network packets for new connections coming in from my DSL line ppp0 on eth0. All other packets coming from my local network via any other network card are allowed.
I enabled logging with LOG so that I know who tries to send something to my server.
The next line causes all connections not covered by the previous rules to be dropped: such connections simply time out. You can also use REJECT instead of DROP. REJECT sends back an ICMP error packet as the response; otherwise it is equivalent to DROP.
In the last two lines we jump to the "block" chain from the INPUT and FORWARD chains.
/sbin/iptables -F
/sbin/iptables -N block
/sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT
/sbin/iptables -A block -j LOG
/sbin/iptables -A block -j DROP
/sbin/iptables -A INPUT -j block
/sbin/iptables -A FORWARD -j block
/sbin/iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Here we are saying that all packets going out via the first PPP interface (-o ppp0; -p selects a protocol, not an interface) should have their source IP address changed to the IP address of the firewall server.
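The two rule sets above (the plain stateful filter, and the same filter plus masquerading) collected into one script. This is an added example, not code from the original page: the variables WAN_IF, IPTABLES, MASQ and LOG_PREFIX, the rate limit on the LOG rule and the dry-run mode are my additions. It uses the newer "! -i ppp0" spelling of the page's "-i ! ppp0", and "-m state" is still accepted by current iptables.

```shell
#!/bin/sh
# Added example (not from the original page): the page's stateful ruleset
# as a small, re-runnable script. Assumptions: the untrusted link is ppp0,
# everything else (lo, eth0, ...) is trusted; MASQ=yes adds the NAT rule for
# the second example; IPTABLES=<command> lets you dry-run without root.
WAN_IF="${WAN_IF:-ppp0}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
MASQ="${MASQ:-no}"
LOG_PREFIX="${LOG_PREFIX:-fw-drop:}"   # no spaces, so no quoting is needed

# fw_rules prints one iptables argument list per line, in evaluation order.
# -F then -X makes the script idempotent: flush everything, delete the old
# user chain, then recreate it (a bare -N fails if "block" already exists).
# The LOG rule is rate-limited so a flood from the WAN cannot fill the disk.
fw_rules() {
    cat <<EOF
-F
-X
-N block
-A block -m state --state ESTABLISHED,RELATED -j ACCEPT
-A block -m state --state NEW ! -i $WAN_IF -j ACCEPT
-A block -m limit --limit 5/min -j LOG --log-prefix $LOG_PREFIX
-A block -j DROP
-A INPUT -j block
-A FORWARD -j block
EOF
    if [ "$MASQ" = yes ]; then
        # Masquerade everything leaving via the WAN link. Forwarding itself
        # also needs /proc/sys/net/ipv4/ip_forward set to 1.
        cat <<EOF
-t nat -F
-t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
EOF
    fi
}

# fw_apply feeds every line of fw_rules to $IPTABLES and stops at the first
# failure. The heredoc (rather than a pipe) keeps the loop in the current
# shell so "return" works; word splitting of $rule is intentional.
fw_apply() {
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        $IPTABLES $rule || return 1
    done <<EOF
$(fw_rules)
EOF
}

# sh firewall.sh show   -> print the rules;  sh firewall.sh apply -> load them
case "${1:-}" in
    show)  fw_rules ;;
    apply) fw_apply ;;
esac
```

Review the output of "sh firewall.sh show" (or run with IPTABLES=echo) before loading it on a machine you reach over the WAN link: the DROP rule at the end of "block" applies to the SSH session you are logged in on unless that session is already ESTABLISHED.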
Logging:
Here is an example of an iptables log entry from my /var/log/messages file. You can get these log entries if you turn on logging by setting the LOG option - see the examples above.
Aug 18 06:05:04 localhost kernel: IN=ppp0 OUT= MAC= SRC=xx.xx.xx.xx DST=yy.yy.yy.yy LEN=78 TOS=0x00 PREC=0x00 TTL=120 ID=22337 PROTO=UDP SPT=137 DPT=137 LEN=58
SRC is the IP address where the request came from.
DST is the target IP address, in this case the IP address of my firewall.
SPT is the port number on SRC where the request came from.
DPT is the port number on my firewall where the request was sent to. In this example the port number is 137 (see /etc/services), which looks like someone tried to use/exploit the NETBIOS Name Service on my firewall.
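A small helper for reading such log lines, added here as an example (it is not from the original page): it pulls the SRC/DST/SPT/DPT fields out of a LOG entry, looks the destination port up in /etc/services as the text suggests, and counts hits per source address so you can see who keeps knocking. The sample lines are constructed from the entry above with addresses from the RFC 5737 documentation ranges; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original page. Constructed sample LOG lines
# (addresses are RFC 5737 documentation addresses, not real hosts):
SAMPLE_LOG='Aug 18 06:05:04 localhost kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.1 LEN=78 TOS=0x00 PREC=0x00 TTL=120 ID=22337 PROTO=UDP SPT=137 DPT=137 LEN=58'
SAMPLE_LOG2='Aug 18 06:07:11 localhost kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.20 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4711 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# log_field LINE KEY: print the value of KEY=value in LINE, or nothing if
# the key is absent or empty (OUT= and MAC= are empty for inbound packets).
# The kernel prints LEN twice (IP total length, then UDP length); the first
# occurrence wins here, so LEN means the IP length.
log_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { for (i = 1; i <= NF; i++)
              if (index($i, key "=") == 1) { print substr($i, length(key) + 2); exit } }'
}

# log_summary LINE: one-line "PROTO SRC:SPT -> DST:DPT in=IFACE" digest.
log_summary() {
    printf '%s %s:%s -> %s:%s in=%s\n' \
        "$(log_field "$1" PROTO)" "$(log_field "$1" SRC)" "$(log_field "$1" SPT)" \
        "$(log_field "$1" DST)" "$(log_field "$1" DPT)" "$(log_field "$1" IN)"
}

# port_service PORT PROTO: service name from /etc/services (137 udp gives
# netbios-ns on a normal system), "unknown" if the file or entry is missing.
port_service() {
    want="$1/$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    [ -r /etc/services ] || { echo unknown; return 0; }
    awk -v want="$want" '
        $1 !~ /^#/ && $2 == want { print $1; found = 1; exit }
        END { if (!found) print "unknown" }' /etc/services
}

# top_sources: read LOG lines on stdin, print "COUNT SRC", busiest first.
top_sources() {
    awk '{ for (i = 1; i <= NF; i++)
               if (index($i, "SRC=") == 1) { n[substr($i, 5)]++; break } }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Typical use against a real messages file:
#   grep 'IN=ppp0' /var/log/messages | sh fwlog.sh summarise
#   grep 'IN=ppp0' /var/log/messages | sh fwlog.sh sources
case "${1:-}" in
    summarise) while IFS= read -r line; do log_summary "$line"; done ;;
    sources)   top_sources ;;
esac
```

The awk loops match on the "KEY=" prefix of each space-separated token rather than on position, because the set of fields differs between UDP and TCP entries (the TCP line carries DF, WINDOW, RES, SYN and URGP) and the same key can appear twice.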
Here is some more information on iptables:
Linux 2.4 Stateful Firewall Design
http://netfilter.samba.org/
http://www-106.ibm.com/developerworks/linux/library/l-fw/?n-l-4191
http://www.linuxnewbie.org/nhf/intel/security/iptables_basics.html
Other Firewall Links:
A firewall small enough to fit on a single 1.44MB floppy disk - http://www.linuxrouter.org/
Warning and Disclaimer: Every effort has been made to provide the information as accurately as possible, but no warranty or fitness is implied. The author shall have no liability or responsibility for any loss or damages arising from the information contained on this web site.