In Linux, there are a few basic concepts that we need to understand before we start.
- Firewall rules are, in general, applied as they are read, from the top down.
- The best firewall DENIES ALL and only ALLOWS what is needed.
- OUTBOUND rules are generally more relaxed than INBOUND.
- A Policy is what gets applied when no rule matches a packet (NB!!!)
- Local Loop (the loopback interface, lo) is an internal interface which applications can use to connect to each other via tcp/ip. It is also known as “localhost” or “127.0.0.1”.
On the last point, remember that if your default POLICY is to DROP or DENY all traffic, you WILL LOSE CONNECTIVITY if you clear all rules. The only way to restore connectivity is usually to reboot the server. There is a way past this, but it needs a bit of work.
What will we achieve in this basic tutorial?
We will set up a basic firewall which allows ssh and blocks all else except ping, traceroute and whatever services you need to be accessed. In our sample ruleset, we will allow http and https (ports 80 and 443). To find the port used for your application, use google to search for “Which port does … use”. Here is also a short list of commonly used ports:
Our rules, in English, are:
- Allow incoming ssh, ping, traceroute and http as well as https connections.
- Allow any traffic that belongs to an existing session (i.e. the replies to an ssh connection).
- Deny all else incoming.
- Allow all outbound traffic.
- Allow all traffic (In, Out and Forward) on our Local Loop (lo).
- Deny all forward (we are not a router or firewall).
Always remember the direction of the data.
- From Internet to your server = INPUT.
- From your server to the internet = OUTPUT.
- Any data passing through your server to an internal network = FORWARD (your server is the gateway and firewall). This last case will not be used in this article as we are keeping to basics.
iptables is the basic building block of all modern Linux firewalls. All the firewalls below create iptables rules and are merely frontends that attempt to simplify iptables.
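The English ruleset above written out as raw iptables commands, added here as an example and not taken from the article or from any of the frontends it lists. It generates the commands as text first so they can be reviewed, sets the policies to ACCEPT before flushing (so an existing ssh session survives the reset described earlier) and only switches INPUT to DROP once the allow rules are in place. The traceroute UDP range 33434:33523 is the classic UNIX traceroute default and is an assumption of this example.

```shell
#!/bin/sh
# Host firewall for the ruleset above: allow ssh, http, https, ping and
# traceroute inbound, allow replies to existing sessions, allow all outbound,
# allow everything on lo, deny all other input and all forwarding.

fw_rules() {
    cat <<'EOF'
# 1. Permissive policies BEFORE flushing: with a DROP policy and no rules
#    a remote admin would be locked out the moment the flush runs.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F
iptables -X
# 2. Local loop: everything in and out on lo.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# 3. Replies to sessions already accepted or started by us. Rules are read
#    top down, so this must sit above the service rules and the DROP policy.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 4. New inbound connections we actually want to serve.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p udp --dport 33434:33523 -j ACCEPT
# 5. Policies: applied to anything no rule above matched.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# Apply for real (needs root). Review the output of fw_rules first.
fw_apply() {
    fw_rules | sh -e
}

# Pre-flight check: the first INPUT policy line must be ACCEPT (safe flush)
# and the last must be DROP (default deny). Prints "ok" or "unsafe".
fw_check_policy_order() {
    first=$(fw_rules | grep '^iptables -P INPUT ' | head -n 1 | awk '{print $4}')
    last=$(fw_rules | grep '^iptables -P INPUT ' | tail -n 1 | awk '{print $4}')
    if [ "$first" = "ACCEPT" ] && [ "$last" = "DROP" ]; then echo ok; else echo unsafe; fi
}

# Pre-flight check: number of explicit INPUT rules that accept ssh (must be >= 1
# before fw_apply is ever run on a remote box).
fw_ssh_allowed() {
    fw_rules | grep -c -- '-A INPUT -p tcp --dport 22 .* -j ACCEPT'
}
```

Run `fw_rules` on its own to read the generated commands, then `fw_check_policy_order` and `fw_ssh_allowed` before calling `fw_apply` as root.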
CSF & LFD