Setting up a simple firewall in Linux - HostAfrica
+27 21 554 3096

Blog

Setting up a simple firewall in Linux

firewallBasics

In Linux, there are a few basic concepts that we need to understand before we start.

  • Firewall rules are, in general, applied as they are read, from the top down.
  • The best firewall DENIES ALL and only ALLOWS what is needed.
  • OUTBOUND rules are generally more relaxed than INBOUND.
  • A Policy is what gets applied when there is no rule (NB!!!)
  • Local Loop is an internal interface which applications can use to connect to each other via tcp/ip. It is also known as “localhost” or “127.0.0.1”.

Please remember that making your firewall rules stay after a reboot differs from version to version of Linux. You will have to Google where your Linux flavour saves it’s rules. On the last point, remember that if your default POLICY is to DROP or DENY all traffic, you WILL LOSE CONNECTIVITY if you clear all rules. The only way to restore connectivity is usually to reboot the server. There is a way past this, but it needs a bit of work.

What will we achieve in this basic tutorial?

We will set up a basic firewall which allows ssh and blocks all else except ping, traceroute and whatever services you need to be accessed. In our sample ruleset, we will allow http and https (ports 80 and 443). To find the port used for your application, use google to search for “Which port does … use”. Here is also a short list of commonly used ports:

Application
Port(s)
Protocol
FTP 10,20,21 tcp
SSH 22 tcp
SMTP 25,493,587 tcp
DNS 53 tcp/udp
HTTP(S) 80,443 tcp
POP3 110 tcp
IMAP 143 tcp

firewallOur rules, in English, are:

  • Allow incoming ssh, ping, traceroute and http as well as https connections.
  • Allow any traffic that was requested from an existing session (ie ssh reply).
  • Deny all else incoming.
  • Allow all outbound traffic.
  • Allow all traffic (In, Out and Forward) on our Local Loop (lo).
  • Deny all forward (we are not a router or firewall).

Always remember the direction of the data.

  • From Internet to your server = INPUT.
  • From your server to the internet = OUTPUT
  • Any data passing through your server to an internal network = FORWARD (your server is the gateway and firewall). This last case will not be used in this article as we are keeping to basics.

Iptables

This is the basic building block of all modern Linux firewalls. All the firewall below create iptables rules and are merely frontends that attempt to simplify iptables.

In iptables, our firewall rules look as follows:

# Set Policies
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Rules - INPUT
iptables -A INPUT -i lo -j ACCEPT    # Local Loop
   # Requested traffic from an established session
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   
   # Accept SSH connections (single port allowed per rule)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT 
   # Allow ping and traceroute (ICMP traffic)
iptables -A INPUT -p ICMP -j ACCEPT 
   # Allow HTTP and HTTPS traffic (multiport allowed)
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT 
iptables -A INPUT -s 0.0.0.0/0 -j DROP
# Rules - FORWARD
iptables -A FORWARD -s 0.0.0.0/0 -j DROP
# Rules - OUTPUT
iptables -A OUTPUT -d 0.0.0.0/0 -j ACCEPT

There are different ways to write the rules and achieve the same. We could have added the ssh rule to the HTTP/HTTPS multiport rule. Another option is to write all the rules (SSH, HTTP and HTTPS as 3 separate rules as the SSH was written. We could also have changed our INPUT and FORWARD policies to DROP and then left the DROP rules out of the ruleset. This may seem the better choice but can be dangerous as previously mentioned. Once your policy DROPS all traffic not allowed, you cannot afford to clear your iptables rules for testing as your connection will then also be dropped. It is safer until you understand firewalling, to add a DROP rule at the end of your ruleset.

Ufw (UncomplicatedFirewall)firewall

UFW is usually included in Ubuntu but may be installed on other versions of Linux as well. It is quite a powerful interface that simplifies many of iptables more intricate configurations. UFW does not include the more advanced features, but they may be applied in a pre-run configuration file /etc/ufw/before.rules. Here you may add rules in iptables format without the “iptables” part.  Our ruleset under UFW looks as follows:

# Set Policies 0 ufw has no forwarding and allows ICMP by default. 
# Related,Established is also allowed by default.
ufw default allow incoming
ufw default allow outgoing
# Rules - Incoming
ufw allow in on lo from any   # Local Loop
ufw allow in ssh
ufw allow in http
ufw allow in https
ufw deny in from 0.0.0.0/0
ufw allow out to 0.0.0.0/0
# UFW can be controlled with
ufw enable
ufw disable
ifw status

Firewalld

Firewalld came out with Redhat/Centos 7 and is yet another attempt to make iptables easier to use. Personally, I think it has had the opposite effect. Our rules under firewalld are as follows:

# Outbound and Related traffic is allowed by default as is ICMP
firewall-cmd --set-default-zone=public
firewall-cmd --zone=public --add-interface=eth0  # Our public interface is eth0
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent
# Reload the firewall
firewall-cmd --reload

Fail2ban

This is a brilliant piece of software that watches for certain access errors such as failed passwords or attempts to call certain known weak points in your application. It will then trigger a firewall rule to block the offending IP address. Blocking time can be configured and the block or BAN is lifted once the timer has run out. Just be aware that the most commonly used trap for fail2ban, ssh, is not always active by default and needs to be enabled.

CSF & LFD

This firewall comes with cPanel and Plesk web hosting platforms. It may also be installed separately.  LFD or Login Failure Daemon is a replacement for Fail2Ban and does much the same thing.

CSF rules are usually written into the /etc/csf/csf.conf and not added or removed via the command line.

Ultimately, any firewall is better than none. Stick to the principles of only allowing what you need and you will have gone a long way to securing your server.


Happy Hosting.Host Africa

Leave a Reply