[TUTORIAL] Expert Linux Firewalling

Discussion in 'all things UNIX' started by Amanda, Jun 8, 2015.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,150
    Yes, but you need additional magic to have rules load at boot. The cool thing about iptables-persistent is that the default rules automatically load at boot.
     
  2. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,056
    Location:
    Member state of European Union
    For Debian paths are "/etc/iptables/rules.v4" and "/etc/iptables/rules.v6".
    Other way:
    Code:
    #netfilter-persistent save
    I also don't agree with dropping all fragmented packets. TCP packets must not be fragmented, so we can drop them. ICMP packets almost never are fragmented, so we may drop fragmented icmp packets as well. But it is perfectly fine for udp packets to be fragmented.
     
  3. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    429
    Linux noob question (sorry if this isn't the right thread for it):

    Years ago I had ZoneAlarm on a Windows 98 machine. It was an easy to use firewall: the first time any executable tried to access the Internet, ZA would simply ask if I wanted to allow or deny it, then it would remember the decision for the next time.

    Trying to make the switch over to Linux from Windows. Is there a simple firewall like that available for Linux (Kubuntu)? I've tried GUFW but I'm not expert enough to start creating rules and such.

    Thanks.
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,806
    Well, this is Windows-style thinking ;) The repositories of the various Linux distributions contain open-source packages which are trustworthy. There is no spyware like in Windows. Hence, outbound connections are usually legitimate and need not be controlled.

    That said, it's easily possible to prevent net access for specific applications with Firejail by adding net none to the respective profile.

    I've noticed that there is the "Douane personal firewall for GNU/Linux". I've never tried it - but I bet that it will probably cause more trouble than anything else.
     
  5. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    429
    Thanks very much, I'll look into those.

    I do get what you're saying about Windows-style thinking, :) and will keep it in mind.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,150
    Some apps in Linux run as specific users, and you can allow or block by user ID. But then, if they start as root, and then drop privileges, that won't help.

    It's easiest to block all outgoing traffic, and then allow just what you want. For some stuff, by destination IP address and port number. For other stuff, such as the Tor client by user ID (i.e., debian-tor).
     
  7. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,056
    Location:
    Member state of European Union
    cgroups
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,150
  9. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    742
    Oh, cgroups have been in kernel for very long time.
    Just like linux namespaces.

    cgroups = what resources (network,memory,CPU etc...) process(es) are allowed to use
    namespace = what resources (network,PID,etc..) processes are allowed to see

    with the addtion of Linux capabilities you can have a perfectly isolated, super-light VM (or "container" as the marketing term used by some applications)that contains only the process or processes the user wants. No need to install full guest OS.

    Apps like docker, firejail etc... use all those basic building blocks to create their lil sandboxes (or "containers")

    EDIT:

    This reminds me: I really should start wiriting part 2
    https://www.orwell1984.today/Sandboxing_network_software_for_Linux_programmers_part1.pdf
     
    Last edited by a moderator: Sep 1, 2018
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,150
    OK, so how come there aren't app-based firewall wrappers for Linux? Lack of demand?
     
  11. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,806
    Probably. But as mentioned above you can easily block net access with Firejail.

    There is also this script (which I've never tried) that claims to be able to block (specific) net requests of specific applications.
     
  12. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,806
  13. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    742
    You mean firewall that blocks stuff in layer 7 of OSI model?

    There is but it's so horribly horribly horribly old, needed separate patches for kernel and never got into main kernel.

    https://github.com/l7-filter/netfilter-layer7
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,150
    I meant by using cgroups.

    I mean, it's pretty technical.

    Do any of the common iptables frontends/GUIs include cgroups?
     
  15. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,088
    Location:
    Brasil
    Upon returning fully to Linux I realized Unreal Engine can be a bit bitchy about my rules. After a little research the solution is to enable multicast on loopback.

    I'll edit the thread soon and do a general update on OP as well.

    Main thing is to not LOG everything. Now I leave my output open and all logs are disabled as this causes systemd's journal to either grow exceptionally big or to just flood it with the logs (meaning you'll probably miss other important logs if something happens and you need to do 'journalctl').
     
  16. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,088
    Location:
    Brasil
    I'm a little bit confused.

    I already allow everything on loopback, why would I need to allow musticast on it?
    Code:
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # allow all on loopback
    
    Still searching how I'd have the lines bellow in iptables form and permanent:
    Code:
    route add -net 224.0.0.0 netmask 240.0.0.0 dev lo
    ifconfig lo multicast
    EDIT: Testing to allow everything on FORWARD/lo as well.
    EDIT2: Allowing everything to be forwarded on loopback worked.
     
    Last edited: Dec 2, 2018
  17. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    I am currently adding the last finishing touches to my new Arch laptop.

    Again I am thinking that a firewall would be needed. But seeing how ufw/iptables/... only let me set system wide rules, I wonder if it makes any sense at all?

    Port 80/443 will always be open for the whole system. Any malicious package/malware can simply use that port and enjoy free connectivity.

    What use is iptables/ufw then?
     
  18. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    1,056
    Location:
    Member state of European Union
    On desktop incoming (Input) TCP port 80 usually doesn't need to be opened.
    Outcoming... yes, they must be opened. You may want Apparmor, SELinux or Firejail (or some cgroup-based application segregation) to disable access to Internet per program basis.
     
  19. zakazak

    zakazak Registered Member

    Joined:
    Sep 20, 2010
    Posts:
    529
    But TCP out 80 needs to be opened I believe?

    I use firejail but it only is able to block networks that I manually set a .profile for.
    I would rather block all, check logs and then step-by-step allow access for what is popping up in my logs.
    Also, how does one block network access for geoclue, webgkit2,... with firejail?
     
  20. mag1c

    mag1c Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    40
    Great iptable configuration to help guide people into iptables. I'm going to give it a go, first time on linux and this seems fairly straight forward.
     
Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.