[TUTORIAL] Expert Linux Firewalling

Discussion in 'all things UNIX' started by Amanda, Jun 8, 2015.

  1. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    I knew how to do this, but since it's been too long since the last time I used gufw, I don't remember how to do it anymore.

    Could you paste the contents of "/etc/ufw/before.rules" so that I see them? Just so I can have an idea of how GUFW rules work.

    EDIT: Nevermind, I still have them on my Github page.


    Here, they'll look something like this:

    Code:
    # drop INVALID packets (logs these in loglevel medium and higher)
    -A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
    -A ufw-before-input -m conntrack --ctstate INVALID -j DROP
    
    # Drop TCP sessions opened prior to Firewall start
    -A ufw-before-input -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
    -A ufw-before-output -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
    
    # Drop packets with no TCP flags set at all (NULL scan)
    -A ufw-before-input -p tcp -m tcp --sport 1:65535 --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    
    # Anti-spoof ("amarildo" is resolved to an address when the rule is loaded, see below)
    -A ufw-before-input -i enp0s7 -s amarildo -j DROP
    
    # Anti ICMP
    -A ufw-before-input -p icmp  -m icmp  --icmp-type any  -j DROP
    # whois (tcp/43), not ICMP
    -A ufw-before-input -p tcp -m tcp  --dport 43  -j DROP
    
    # Xmas scan
    -A ufw-before-input -p tcp -m tcp --tcp-flags ALL URG,PSH,FIN  -j DROP
    -A ufw-before-input -p tcp -m tcp --tcp-flags ALL URG,ACK,PSH,RST,SYN,FIN  -j DROP
    
    # IP fragments
    -A ufw-before-input -p all -f -j DROP
    
    # who
    -A ufw-before-input -p udp -m udp  --dport 513  -j DROP
    
    # traceroute
    -A ufw-before-input -p udp -m udp  --dport 33434:33524  -j DROP
    They might not all be there, though, so adapt the rules as you wish. It's pretty easy.

    Just remember to change "amarildo" to whatever name you have on /etc/hostname, and to change "enp0s7" to whatever name your network card uses.

    This is how my gufw rules looked like: https://raw.githubusercontent.com/amarildojr/Firewall/master/before.rules

    Also, remember to block ICMPv6 and whatnot: https://raw.githubusercontent.com/amarildojr/Firewall/master/before6.rules
     
    Last edited: Jan 17, 2016
  2. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Hmm, those are ufw rules, but gufw seems to be superior and has a different way of writing rules (e.g. it has wildcards for "user" and "network card" to make rules apply to wifi + ethernet):

    /etc/gufw/Home.profile
    Code:
    [fwBasic]
    status = enabled
    incoming = deny
    outgoing = allow
    routed = disabled
    
    [Rule0]
    ufw_rule = 5553/tcp ALLOW IN Anywhere
    description = test1
    command = /usr/sbin/ufw allow in proto tcp from any to any port 5553
    policy = allow
    direction = in
    protocol = tcp
    from_ip =
    from_port =
    to_ip =
    to_port = 5553
    iface =
    routed =
    logging =
    
    [Rule1]
    ufw_rule = 5553/tcp (v6) ALLOW IN Anywhere (v6)
    description = test1
    command = /usr/sbin/ufw allow in proto tcp from any to any port 5553
    policy = allow
    direction = in
    protocol = tcp
    from_ip =
    from_port =
    to_ip =
    to_port = 5553
    iface =
    routed =
    logging =
    
    
    I meant to translate the rules for gufw so that I could use "network card" and "user" wild card :)

    The gufw gui itself doesn't e.g. have the protocol "icmp" to choose.
     
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    GUFW is not superior, it's only a GUI for ufw. So trust me, setting those rules as I did in the past will make ufw load them just like iptables does with the rules in my first post :) They work the same, you just change them from "INPUT" to "ufw-before-input".

    In addition, that "/etc/gufw/Home.profile" config is overly complicated and will take way longer to configure on a rule-by-rule basis. It will be easier to just block the output hosts on your hosts file, or by adding the following to the rule/protocol you want:
    Code:
    -s 65.55.44.100
    To block connections coming from this IP into port 25, for example, the rule would look like this:
    Code:
    # iptables -A INPUT -s 65.55.44.100 -p tcp --destination-port 25 -j DROP
    However, as I mentioned in my first post, you don't need to open ports unless you are a server. You don't need to open port 53/80/443 to use Firefox, because the "ESTABLISHED-RELATED" rule will take care of that: it makes it possible to accept established/related connections on those ports while keeping them closed for other input, so only what YOU start comes in. You only need to unblock the output for those ports, which shouldn't be a concern.

    To use that rule as a ufw rule, it would look like this:
    Code:
    -A ufw-before-input -s 65.55.44.100 -p tcp --destination-port 25 -j DROP
    But setting them like I did, and already linked (before.rules) is enough. These rules block attacks coming from any IP.
     
    Last edited: Jan 17, 2016
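An added example, not code from the thread nor from amarildojr's Firewall repo: a POSIX sh generator for the host firewall described in posts 1 and 3, i.e. the before.rules hardening plus the ESTABLISHED,RELATED core that lets a browser work with every inbound port closed. It writes iptables-restore syntax, either as a complete *filter table for plain iptables or as a fragment for /etc/ufw/before.rules; the only difference between the two outputs is the chain names, which is exactly the point made in the reply above. The function names (gen_rules, allow_out, check_table), the interface enp0s7 and the address 192.0.2.10 in the usage comment, and the outbound port list are this example's own assumptions. The ufw mode leaves out the stateful rules because ufw's stock before.rules already carries them.

```sh
#!/bin/sh
# Added example, not part of the thread: generate a stateful host firewall in
# iptables-restore syntax.  Nothing here touches the live firewall; pipe the
# output to `iptables-restore -t` to validate and to `iptables-restore` to apply.
set -eu

# Emit one "allow new outbound" rule.  $chain_out is set by gen_rules.
allow_out() {
    echo "-A $chain_out -p $1 --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
}

# gen_rules IFACE HOST_IP [iptables|ufw]
#   IFACE    interface the anti-spoof rule watches (assumed name in the usage line)
#   HOST_IP  this host's address; the thread uses the hostname, which iptables
#            resolves when the rule is loaded, an explicit address does not
#            depend on /etc/hosts being right at boot
#   mode     "iptables": complete *filter table, default-deny in every chain
#            "ufw":      fragment for /etc/ufw/before.rules on the ufw-before-*
#                        chains; ufw's stock file already has the stateful core,
#                        so only the hardening rules are emitted
gen_rules() {
    iface=$1; host_ip=$2; mode=${3:-iptables}
    case $mode in
        iptables) chain_in=INPUT; chain_out=OUTPUT ;;
        ufw)      chain_in=ufw-before-input; chain_out=ufw-before-output ;;
        *)        echo "gen_rules: mode must be iptables or ufw" >&2; return 2 ;;
    esac

    if [ "$mode" = iptables ]; then
        echo '*filter'
        echo ':INPUT DROP [0:0]'
        echo ':FORWARD DROP [0:0]'
        echo ':OUTPUT DROP [0:0]'
        # Loopback stays open; local resolvers and desktop IPC depend on it.
        echo "-A $chain_in -i lo -j ACCEPT"
        echo "-A $chain_out -o lo -j ACCEPT"
        # Stateful core: replies to what this host started are accepted, so a
        # browser needs no inbound port open.  RELATED also admits the ICMP
        # errors (e.g. fragmentation-needed) belonging to existing flows, which
        # is why this rule must come before any blanket ICMP drop.
        echo "-A $chain_in -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        echo "-A $chain_in -m conntrack --ctstate INVALID -j DROP"
        echo "-A $chain_out -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    fi

    # New TCP connections must begin with a bare SYN: drops sessions that were
    # open before the firewall started and most crafted-flag probes.
    echo "-A $chain_in -p tcp ! --tcp-flags SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP"
    # NULL scan (no flags), Xmas scan (URG,PSH,FIN) and all-flags probes.
    echo "-A $chain_in -p tcp --tcp-flags ALL NONE -j DROP"
    echo "-A $chain_in -p tcp --tcp-flags ALL URG,PSH,FIN -j DROP"
    echo "-A $chain_in -p tcp --tcp-flags ALL ALL -j DROP"
    # Anti-spoof: our own address must never arrive from the wire.
    echo "-A $chain_in -i $iface -s $host_ip -j DROP"
    # Fragments, as in the thread (with conntrack active the kernel has usually
    # reassembled them before this chain, so this rarely matches).
    echo "-A $chain_in -f -j DROP"
    # Noisy UDP probes from the thread's list: who (513) and traceroute (33434+).
    echo "-A $chain_in -p udp --dport 513 -j DROP"
    echo "-A $chain_in -p udp --dport 33434:33524 -j DROP"

    if [ "$mode" = iptables ]; then
        # Outbound is closed by policy; open only what a desktop needs to start.
        allow_out udp 53
        allow_out tcp 53
        allow_out tcp 80
        allow_out tcp 443
        echo 'COMMIT'
    fi
}

# Offline structural check: first line *filter, last line COMMIT, and every
# -A names a chain declared on a ':' line.  One typo in a chain name makes
# iptables-restore reject the whole file, so nothing at all is loaded.
check_table() {
    awk '
        BEGIN  { bad = 0 }
        NR == 1 && $0 != "*filter" { print "first line is not *filter" > "/dev/stderr"; bad = 1 }
        /^:/   { chains[substr($1, 2)] = 1 }
        /^-A / { if (!($2 in chains)) { print "undeclared chain: " $2 > "/dev/stderr"; bad = 1 } }
        { last = $0 }
        END    { if (last != "COMMIT") { print "missing COMMIT" > "/dev/stderr"; bad = 1 }; exit bad }
    '
}

# Usage (placeholders, adjust): generate, check offline, then let the kernel
# parse it without committing:
#   gen_rules enp0s7 192.0.2.10 iptables > /tmp/iptables.rules
#   check_table < /tmp/iptables.rules && iptables-restore -t < /tmp/iptables.rules
```

The ufw fragment goes between the stock ESTABLISHED,RELATED rule and the COMMIT line of before.rules; ufw reloads it with "ufw reload". The iptables table is loaded whole with iptables-restore and persisted with iptables-save, as later posts in this thread describe.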
  4. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Again, I want to use gufw because it can make rules with wildcards for "user" and "network adapter" (which both change several times a day).
     
  5. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,901
    "Linux: 20 Iptables Examples For New SysAdmins"

    That tutorial seems to fit in nicely with this thread.
     
  6. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    Thanks, I'll give that a read and add some things to this thread.
     
  7. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    I don't know if I'm the only one, but I'm getting this error on Arch:

    Code:
    [root@amarildo ~]# iptables -A OUTPUT -p udp -m multiport --dports 27000:27015 -j ACCEPT
    iptables: No chain/target/match by that name.
    I don't know the cause of it, but I'll look into it tonight.

    EDIT: Solved. I don't know why.
     
    Last edited: Jan 26, 2016
  8. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    Another thing I am worried about right now:

    I can't seem to make rules for each application?
    E.g. allow torrent only torrent related connections
    allow iceweasel only browser related connections and e.g. deny torrent activity

    Or am I missing smth? I can only make rules that are system wide?
     
  9. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    Well, I never saw anyone needing this.

    I think such Firewall exists on Windows because of a few reasons:

    • Applications can be more easily compromised;
    • The vast majority of programs are closed-source;
    • Most Windows users won't know how to manage their Firewalls to such level, so companies have a market there.
    On Linux, it's not easy to compromise applications. I've only seen two exploits in the last 3 years, and one of them was on Firefox. It tried to grab /etc/shadow or /etc/passwd, but it's not possible to upload these because of how filesystem permissions are set on Linux. And as long as the (moron) isn't running the entire OS as root, there was nothing to worry about.
    The other one is in the Kernel, but IIRC it's a local exploit.

    On Linux, the vast majority of programs have their Source Code open. Anyone can read it and see what it does. If it does something it's not supposed to, it will be removed quickly. It's not easy to hide malicious code in Linux programs.

    And most sysAdmins can properly configure their Firewalls to their needs.

    So put all that together with the fact that Arch has all ports closed by default, and such Firewall really becomes something silly to discuss, probably related more to laziness than with need :p You trust your OS, you trust your packages, and that's basically it, even for me - a paranoid.

    And remember: a Firewall isn't the only thing protecting an OS. In fact, I might not even consider it the main defense. You could have 1000 ports opened on your Firewall, but if nothing is listening then there is no connection to be made.
     
  10. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    For me it would have various purposes. E.g.
    Safely block all network activities for geolocation services/packages
    Make sure the browser is able to use the ports it needs (80, 8080)
    Make sure the browser is only able to use dns requests to/from dnscrypt on port 443
    Etc...

    But I take it as that their is no such solution on (Arch) Linux.
     
  11. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    I'm starting to think about that geolocation thread. For instance, I couldn't find evidence that we're being tracked on Arch or Debian.
    I don't know why geoclue is a hard dependency of webkitgtk on Arch, but it's easily avoidable: you don't need a fancy Firewall, you can just build a dummy package for geoclue (takes literally 3 seconds), your Arch will think it has geoclue installed and it will then install webkitgtk without problems. The same can be done for other packages that you don't want.

    About the browser. If you close all output and open output ports 80 and 443, that's what the browser will use. I don't think browsers will use other ports, it would have been picked up by now, especially since my point #2 has a strong base.
    This has been discussed already. IIRC you can create these kinds of rules with AppArmor.

    Because, again, there's no need for such :) If standards didn't behave the way they should, e.g. SSH not following config files, they wouldn't be a standard to begin with. And to a Linux home user, even default UFW is enough to protect the OS. Once I talked to a hacker, I thought it would be easy to open my Firewall. He said "no, if the ports are closed then I'm not even going to try. And even if ports are open, there must exist a service listening, and we must try to exploit that service, which isn't easy on Linux". And remember, Arch has all ports closed by default, and our system has TRUST because it works the way it should.

    Although your Firewall would facilitate some things, it's not even remotely necessary. So good luck finding it.
     
  12. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    And again, that is your point of view.

    I would rather not build dummy packages and bug around when I could just simply create a rule in 2 seconds which won't break anything at all but just disables the network connectivity for those 5-8 packages.
    I would rather not trust that the browser (or any other package) only uses port 80 and 8080 and simply prevent it from even using anything else.
    Also I am not only worried about incoming but also outgoing connections. I would like to allow packages to only "talk" to the ip/port which is needed for them to work. Why would I allow "keepass" e.g. to talk to "data-mining.microsoft.com" when it absolutely is not needed for keepass to work (this is just an example)?

    AppArmor.. okay thanks !
     
  13. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    For those who don't want to venture in the realm of output blocking, there is a new file called "Output Open" available for download. This file protects the user on the INPUT chain but lets everything OUT, perfect for those not worried about it.

    https://raw.githubusercontent.com/amarildojr/Firewall/master/Output Open

    To use it, first flush your current rules:

    Code:
    # set the policies to ACCEPT first: flushing while a policy is still DROP
    # leaves nothing allowed (and cuts a remote SSH session)
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    iptables -X
    Then, wget the file:

    Code:
    wget -O 'Output Open' 'https://raw.githubusercontent.com/amarildojr/Firewall/master/Output%20Open'
    Then make it executable:
    Code:
    chmod +x Output\ Open
    Then run it:
    Code:
    ./Output\ Open
    Save the rules:
    Code:
    iptables-save > /etc/iptables/output.rules
    And you're done!
     
  14. kael1

    kael1 Registered Member

    Joined:
    May 7, 2013
    Posts:
    8
    amarildojr please help me apply your trick on a fresh install slackware64 14.1. I will be very grateful.
     
  15. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    3,313
    Location:
    Canada
    Example of creating a UFW-specific rule:

    Code:
    sudo ufw allow out proto udp from any to 75.153.176.0/24 port 53
    It has very intuitive logic to it. I see no reason why this shouldn't work for those using GUFW.
     
  16. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    What trick, exactly?
     
  17. kael1

    kael1 Registered Member

    Joined:
    May 7, 2013
    Posts:
    8
    yeah my bad. Im referring to Secure Linux Firewall. Please
     
  18. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    I don't understand what "trick" you need help with.
     
  19. kael1

    kael1 Registered Member

    Joined:
    May 7, 2013
    Posts:
    8
    allright sorry for the word "trick" amarildorjr. I realize im a newcomer and no expert. I just want to learn how to configure my firewall based on this tutorial of yours but im confused and dont really know where and how to achieve it. Or perhaps you can make a newbie friendly tutorial.
     
  20. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    :confused: So you use Slack, but are a newcomer?

    Basically, every rule you see in my first post is a terminal command, just like "apt update". For example, if you type/paste "iptables -P INPUT DROP" in your terminal (as root, of course), this will block every input packet coming to your system.

    Since you're a newcomer, I suggest just protecting the INPUT and leaving everything open on the OUTPUT. I already have a file for that in my github repo (link below).

    First, wget the file. Then open it with a text editor, edit all "amarildo" that you can find and change them to your hostname. Then select everything (all the text), and copy it.
    Now, open a terminal and login as root.
    Now, just paste all the commands there.

    Done.

    Now save the rules:

    Code:
    mkdir /etc/iptables
    iptables-save > /etc/iptables/iptables.rules
    I don't know how to load the rules at boot on Slack (never used it), so you might have to do some research on it. On Arch, all I need to do is to enable the iptables service:

    Code:
    systemctl enable iptables
     
  21. kael1

    kael1 Registered Member

    Joined:
    May 7, 2013
    Posts:
    8
    You're a good soul amarildojr. Thanks for your time and consideration.
    Now i have a clearer idea. I'll report back if i made it. I didnt expect you never tried slackware though.
     
  22. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    Thank you for your kind words ;)
    Let me know if you have any problems.

    That's because I've taken quite a bit of free time to learn Arch, and I've never been happier :) I'm not using it anymore because of problems with GTK and Radeon, having these on the bleeding edge is causing me and many other problems.
     
  23. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    Thanks. Going to have to go through this and learn me some iptables. Feel pretty good about my Linux setup, but use UFW since I wanted to wait for nftables to become more established and learn that instead of iptables. So UFW is prolly my security weakness. Have it denying all in/out, allowing out on tun0, and out to my vpn servers for authorization. IPtables could give me much more control though, especially over specific ports.
     
  24. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,101
    Location:
    Brasil
    Are "up"s allowed after 2 years? :p

    EDIT: Wow! Almost 30.000 views! Thank you! :-*
     
  25. Rules

    Rules Registered Member

    Joined:
    Mar 3, 2009
    Posts:
    614
    Location:
    EARTH
    I would like to thank you for this set of rules, I use the NO LOG rules on my distro.
    Good advice: always flush your iptables rules before applying another set:
    Code:
    # IPv6
    ##
    ## set default policies to let everything in
    ip6tables --policy INPUT ACCEPT;
    ip6tables --policy OUTPUT ACCEPT;
    ip6tables --policy FORWARD ACCEPT;
    ##
    ## start fresh
    ip6tables -Z; # zero counters
    ip6tables -F; # flush (delete) rules
    ip6tables -X; # delete all extra chains
    # IPv4
    ##
    ## set default policies to let everything in
    iptables --policy INPUT ACCEPT;
    iptables --policy OUTPUT ACCEPT;
    iptables --policy FORWARD ACCEPT;
    ##
    ## start fresh
    iptables -Z; # zero counters
    iptables -F; # flush (delete) rules
    iptables -X; # delete all extra chains

    Rules.

    PS: I've just added POP3S for the output:
    Code:
    #POP3S
    iptables -A OUTPUT -p tcp -m tcp --dport 995 -m state --state NEW -j ACCEPT
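An added example, not code from the thread: the apply-and-save procedure from posts 13, 20 and 25 done with iptables-restore instead of flush-then-paste, with a rollback timer so that a bad ruleset on a remote box undoes itself. The flush sequence in those posts sets the policies to ACCEPT and deletes every rule, which is a window with no firewall at all, and flushing in the other order while a policy is DROP is what cuts an SSH session; iptables-restore replaces the table in one step and needs no flush. The function names (safe_apply, confirm, persist), the /run/iptables.rollback path and the 90 second window are this example's assumptions; iptables-restore -t is the real test-mode flag.

```sh
#!/bin/sh
# Added example, not part of the thread: load a ruleset file atomically with a
# watchdog that restores the previous rules unless you confirm in time.
set -eu

IPT_SAVE=${IPT_SAVE:-iptables-save}          # set both to ip6tables-* for IPv6
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
BACKUP=${BACKUP:-/run/iptables.rollback}     # assumed path; any root-only location works
ROLLBACK_SECS=${ROLLBACK_SECS:-90}

# Let the kernel parse the file without committing it (-t, test mode).
validate() { "$IPT_RESTORE" -t < "$1"; }

# safe_apply NEW_RULES [KNOWN_GOOD_RULES]
#  1. refuse a file that does not parse
#  2. snapshot the live rules (or copy the known-good file) as the rollback
#  3. arm a watchdog that restores the snapshot after ROLLBACK_SECS
#  4. load the new rules in a single iptables-restore call
# If the new rules lock you out, step 3 brings the old ones back; if they
# work, run `confirm` before the timer fires.
safe_apply() {
    new=$1
    validate "$new" || { echo "refusing: $new does not parse" >&2; return 1; }
    if [ -n "${2:-}" ]; then
        cp "$2" "$BACKUP"
    else
        "$IPT_SAVE" > "$BACKUP"
    fi
    # An empty snapshot would make the rollback a no-op and silently defeat
    # the point (e.g. a fresh box with the nft backend and no tables yet).
    [ -s "$BACKUP" ] || { echo "refusing: nothing to roll back to, pass a known-good file" >&2; return 1; }
    ( sleep "$ROLLBACK_SECS" && "$IPT_RESTORE" < "$BACKUP" ) >/dev/null 2>&1 &
    echo "$!" > "$BACKUP.pid"
    "$IPT_RESTORE" < "$new"
    echo "applied $new; run confirm within ${ROLLBACK_SECS}s or $BACKUP is restored" >&2
}

# Disarm the watchdog.  Non-zero if it already fired or was never armed.
confirm() {
    [ -f "$BACKUP.pid" ] || return 1
    kill "$(cat "$BACKUP.pid")" 2>/dev/null || return 1
    rm -f "$BACKUP.pid"
}

# What the thread does by hand once the rules are known to work: persist them
# where Arch's iptables.service loads them from at boot.
persist() {
    mkdir -p /etc/iptables
    "$IPT_SAVE" > /etc/iptables/iptables.rules
}

# Usage (as root):
#   safe_apply /tmp/iptables.rules     # then test ssh/web from another window
#   confirm && persist
```

Run the confirm from a second session that was opened after the new rules went in: if that session cannot connect, the rules are wrong, and doing nothing is the correct response, the timer will undo them.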
     