Linux Firewall

Iptables is a built-in firewall tool shipped with most Linux distributions. In CentOS, administrators use iptables to create firewall rules that block or allow network traffic according to a predefined rule set. The firewall is composed of two elements: iptables and netfilter. The iptables user-space tool is used to configure firewall rules in predefined tables from the command line, while netfilter is the kernel component that actually filters the network traffic. In this article I will show you how to work with iptables and how to configure your firewall rules. Filtering with iptables is done on several parameters: IP address, port numbers and protocols (TCP, UDP, FTP, etc.). When a firewall rule is created, it is placed in one of the following chains:
  • INPUT - packets that have the server as destination
  • OUTPUT - packets originating from the server
  • FORWARD - packets that the server routes on to other machines for further processing
When the server receives a packet, its properties are compared against the firewall rules, and if a match is found the packet is either accepted or dropped. Each chain (INPUT, OUTPUT, FORWARD) holds several rules, and every packet is checked against them from top to bottom; the first matching rule wins. Note that if all rules are checked and no match is found, the chain's default action (policy) is taken, which can be either ACCEPT or DROP. You should normally have a DROP ALL rule at the bottom of each chain.
For this demonstration I will be using a CentOS 6.5 virtual machine. This is my testing environment, so make sure you do not test iptables in a production network. Iptables is deployed with all CentOS versions newer than 5.x. You can check whether the package has been installed by typing rpm -qa | grep iptables.

I have two iptables packages installed: the base package plus IPv6 support. We can use the lsmod command to view the modules loaded in the kernel. By default, iptable_filter is loaded; type lsmod or lsmod | grep ip_tables to list the loaded modules.

To view all chains and their rules, type iptables -L.

To flush all rules, type iptables -F. Note that this command erases all firewall rules and will ultimately close all ssh connections. I wanted to start from scratch, so I executed this command. We can delete a single rule by typing iptables -D INPUT 4, where the number is the rule's position within the chain.

After I execute iptables -F, iptables -L shows all three chains with no rules left.

Let's build our firewall rules. We will start by enabling ssh from any location. To do that, type iptables -A INPUT -p tcp --dport 22 -j ACCEPT.

If our server hosted a BIND (DNS) service, we would allow all incoming requests on port 53 over TCP and UDP with the following commands:
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT

I just remembered that I want to drop all incoming packets that do not match any of my INPUT rules. We will create this rule by inserting it in the last position. We could also use the -A (append) parameter, but let's try something different this time: iptables -I INPUT 4 -j DROP

In a production environment you will probably have many firewall rules, so it may be harder to know which number to use when deleting a rule. You can type iptables -L -n --line-numbers to view all rules with their associated numbers.

If your server has multiple interfaces and you need to open ports on each one, add the -i parameter and specify the desired interface. My virtual machine has two interfaces: loopback (lo) and eth0. Let's pretend our server runs a web service and we need to open the HTTPS port on eth0 and the HTTP port on the loopback interface:
iptables -A INPUT -i lo -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
To view detailed information about the firewall rules (packet and byte counters, interfaces), type iptables -L --verbose.

Let's say that you need to allow HTTP traffic from only one IP and HTTPS traffic from multiple IP addresses. We must first modify the rules created previously so that they DROP all traffic received on these two ports, except from the sources we want. You cannot edit a rule in place with iptables, but you can replace it (-R) with another rule at the same position by typing the following:
iptables -R INPUT 5 -i lo -p tcp --dport 80 -j DROP
iptables -R INPUT 6 -i eth0 -p tcp --dport 443 -j DROP
iptables -L -n --line-numbers --verbose

Oops, I forgot to delete the DROP-all rule at position 4, so I simply type iptables -D INPUT 4. Now I will allow all incoming HTTP traffic originating from 192.168.0.50 through my loopback interface:
iptables -I INPUT 3 -s 192.168.0.50 -p tcp --dport 80 -i lo -j ACCEPT

I will add a rule that allows inbound HTTPS traffic on my eth0 interface coming from the 10.10.10.0/24 network:
iptables -R INPUT 3 -s 10.10.10.0/24 -p tcp --dport 443 -j ACCEPT -i eth0
Let's verify the results with iptables -L -n --line-numbers --verbose.

We can be even more specific and filter an incoming packet on both its source IP and its MAC address by loading the mac module. This is how the rule looks for the 172.16.0.20 host:
iptables -I INPUT 3 -s 172.16.0.20 -p tcp --dport 443 -i eth0 -m mac --mac-source 00:26:B9:16:E5:B0 -j ACCEPT

But what if we want to block a range of ports for a specific network? Then we would add a rule similar to this one (the --dport argument takes a first:last range):
iptables -I INPUT 6 -s 10.10.100.0/16 -p tcp --dport 60:70 -j DROP -i eth0

On the OUTPUT chain I want to allow all connections. I will attach a comment to this rule by loading the comment module:
iptables -A OUTPUT -j ACCEPT -m comment --comment "Allow all outbound connections"

What's really important is to save your rules once you're finished; otherwise the newly created rules are lost when the system is rebooted. You will need to type /sbin/service iptables save.

This command runs the iptables init script, which calls /sbin/iptables-save and writes the current rules to /etc/sysconfig/iptables. On each reboot, the init script runs /sbin/iptables-restore, which loads all rules saved in /etc/sysconfig/iptables.
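As an added example that is not part of the original article, here is the same ruleset written in iptables-restore format, which is what service iptables save stores in /etc/sysconfig/iptables; writing it this way makes rule order explicit and lets you review and load the whole set at once instead of inserting rules by position. The addresses, ports and interfaces are the article's; the ESTABLISHED,RELATED rule is my addition, and the article's per-port DROP rules are omitted because the catch-all DROP already covers them.

```shell
#!/bin/sh
# Added example, not from the original article: the article's INPUT/OUTPUT rules
# written in iptables-restore format, the same format "service iptables save"
# stores in /etc/sysconfig/iptables. Ordering is explicit, so the catch-all DROP
# cannot end up above an ACCEPT by accident, and the whole set is loaded atomically
# with "iptables-restore < rules.txt" instead of typed one rule at a time.
# Addresses, ports and interfaces are the article's; the ESTABLISHED,RELATED
# rule is my addition so replies to outbound connections survive the final DROP.
build_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections the server opened itself
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh from anywhere
-A INPUT -p tcp --dport 22 -j ACCEPT
# BIND: DNS over TCP and UDP
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
# HTTP only from 192.168.0.50 on lo, HTTPS only from 10.10.10.0/24 on eth0
-A INPUT -i lo -s 192.168.0.50 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -s 10.10.10.0/24 -p tcp --dport 443 -j ACCEPT
# HTTPS from one host, matched on IP and MAC address (mac module)
-A INPUT -i eth0 -s 172.16.0.20 -p tcp --dport 443 -m mac --mac-source 00:26:B9:16:E5:B0 -j ACCEPT
# block ports 60-70 from 10.10.0.0/16 (iptables masks 10.10.100.0/16 to this)
-A INPUT -i eth0 -s 10.10.0.0/16 -p tcp --dport 60:70 -j DROP
# everything not matched above
-A INPUT -j DROP
-A OUTPUT -m comment --comment "Allow all outbound connections" -j ACCEPT
COMMIT
EOF
}

# Check before loading: the catch-all DROP must be the last INPUT rule, or every
# ACCEPT placed after it is dead. Returns 0 when the order is right.
drop_is_last() {
    build_rules | grep '^-A INPUT' | tail -n 1 | grep -q '^-A INPUT -j DROP$'
}

# Number of rules a chain receives; compare with "iptables -L -n --line-numbers".
rule_count() {
    build_rules | grep -c "^-A $1 "
}
```

Run build_rules > rules.txt, check it with drop_is_last, then load it as root with iptables-restore < rules.txt and save with service iptables save.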
That's about it for this article, folks. I know we've covered only the basics of iptables, but it should be enough for a first lesson. Iptables is a powerful firewall program that lets you create some really fine-grained filtering rules. Wish you all the best and stay tuned for the following articles.

Running Commands as the Superuser

Running commands as root is possible on any Linux distribution. You can simply use the su command and type in the root password to open a shell with the highest available privileges. This method has a disadvantage: you cannot record which system changes each user performed, so you cannot track them over time.
There is another way to let users run commands as root: the sudo command. Every command executed with sudo is logged by the syslog service and can be audited later. Privileges must be configured before a user can run a given command; these permissions are configured in the /etc/sudoers file. Here is the content of this file on a standard CentOS machine.

Always use the visudo command to edit the sudoers file!
The file contains descriptive comments for each directive, and you can check the manpage for further sudo options. I've created a test user named danp and granted it access to all commands on the Centos01 server (danp    Centos01=(ALL)  ALL). The line below, by contrast, allows every user in the adm group to execute all commands on all machines:
%adm    ALL=(ALL)       ALL - allows users from the adm group to run any command on any host

With visudo you can define custom hosts, users, groups and the commands they may execute, and so control in detail how users interact with your servers.

Configuring routes on Linux

Linux lets administrators configure static routes to reach external networks. You should know by now that, in networking, the protocol that defines how machines address each other is IP. Machines communicate by using several elements that define their identity within the network: the IP address, the network mask and the gateway. If you are familiar with routing on Windows or Cisco devices, this short tutorial should be easy to digest. If you have trouble with this material, please read the following articles first:
IP Routing in Windows Server and Routing protocols - How to configure static routes and more
To view the routes on a CentOS machine, type route or route -e.

To add a route to the 192.168.2.0/24 network via my default gateway, I would execute the following command:
route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.18.6.1
The new route then appears in the routing table shown by route -e, next to the default route.

With the route command you can add and delete routes, specify hosts or networks, and configure the default gateway and the loopback interface. For all available options, please check the manpage for this command:
man route