Debian Firewall

1. Introduction
2.  
3. A network firewall is a set of rules to allow or deny passage of network traffic, through one or more network devices. A network firewall may also perform more complex tasks, such as network address translation, bandwidth adjustment, provide encrypted tunnels and much more related to network traffic.
4.  
5. Prior to version 5 (Lenny), a default Debian installation, did not have a default firewall enabled. But provides the needed tools to configure it manually.
6.  
7. Basic firewall software
8.  
9. Network traffic has different components, layers and protocols. For more references, check out the links section.
10.  
11. The most known type of firewall, and the most initially implemented, are sets of rules based on netfilter software, based on a set of kernel modules and some user space tools.
12.  
13. Basic software for network traffic manipulation
14.  
15. The default Debian installation comes with the program iptables(8), configured to allow all traffic. This section briefly explains the different programs to handle network traffic manually, as well as two sample scripts.
16.  
17. You need to be root, or use sudo, to launch these programs.
18.  
19. You may find the iptables-persistent package useful.
20.  
21. Using iptables for IPv4 traffic
22.  
23. This is not an iptables manual, only a sort introduction about the use of the program. For more extended explanations, see iptables(8)
24.  
25. Basic invocation to define rules is:
26.  
27. % iptables [-t table] -[AD] chain rule-specification [options]
28.  
29. Tables and chains
30.  
31. All rules, are stored on different tables.
32.  
33. The default table is filter, which maintain the INPUT, OUTPUT and FORWARD chains, used for incoming, outgoing and redirected traffic respectively.
34.  
35. Other present tables are mangle, nat and raw. You can also create and delete custom tables.
36.  
37. Rules and program invocation may refer to a specific table using the -t table_name switch (or --table table_name).
38.  
39. If no table is specified, the default table is used (the filter table).
40.  
41. To list the ruleset of any table, the -L switch is used. For example:
42.  
43. % iptables -L
44. Chain INPUT (policy ACCEPT)
45. target prot opt source destination
46.  
47. Chain FORWARD (policy ACCEPT)
48. target prot opt source destination
49.  
50. Chain OUTPUT (policy ACCEPT)
51. target prot opt source destination
52.  
53. As you can see, the default policy in a default installation is to ACCEPT all traffic. There are no rules on any chain.
54.  
55. Each of the default tables, contain different chains, to store rules for different points, in the kernel networking subsystem.
56.  
57. You can list other tables using -t, for example, to see the nat (Network Address Translation) table:
58.  
59. % iptables -L -t nat
60. Chain PREROUTING (policy ACCEPT)
61. target prot opt source destination
62.  
63. Chain POSTROUTING (policy ACCEPT)
64. target prot opt source destination
65.  
66. Chain OUTPUT (policy ACCEPT)
67. target prot opt source destination
68.  
69. Matching and order
70.  
71. When a packet is inspected through the rulesets, matches are searched from top to bottom of tables and chains.
72.  
73. Into the rules, matches are searched from left to right, of the rule syntax used.
74.  
75. When a packet does not match a rule, the search jumps to the next rule. If no rules matches, then the default policy is applied to the packet.
76.  
77. If the packet matches any rule definition, then the target defined on the rule is applied (ACCEPT, REJECT, DROP, LOG, etc), and the following rules of the same chain are skipped.
78.  
79. It is very important to keep this in mind when designing a ruleset, to reach the desired functionality and because of its impact on performance, in large rulesets.
80.  
81. Policies and Targets
82.  
83. Default policy is to ACCEPT all traffic, but the most common practice, is to change policies to DROP all traffic but the allowed.
84.  
85. You have to be careful and sure that your rules are right, before put a policy to DROP, or you will lose connectivity.
86.  
87. See the troubleshooting section for tips about this issue.
88.  
89. Program switches
90.  
91. Most commonly used switches are:
92.  
93. -A Add this rule at the end of the defined chain.
94.  
95. -D Delete this rule definition from the ruleset.
96.  
97. -I Insert this rule at the beginning of the defined chain.
98.  
99. -P Change the default policy of a chain.
100.  
101. There are other switches, to handle chains, tables, clear rules, counters and other elements. See iptables(8) man page.
102.  
103. Modules
104.  
105. The iptables program has an extensive collection of modules, to use different criteria to evaluate packets.
106.  
107. There are modules for protocols, logging, states of the conection, etc. All compiled-in modules, are neatly explained in the man page.
108.  
109. Modules may have parameters (-m module_name --parameter_name parameter_arguments).
110.  
111. An example rule, using the state module, to drop incoming traffic with INVALID state (a parameter of the state module), defined in the headers of the packet, would be:
112.  
113. % iptables -I INPUT -m state --state INVALID -j DROP
114.  
115. Example scripts
116.  
117. Installation
118.  
119. You can put this scripts at any place that run at boot time or network initialization.
120.  
121. Common places are:
122.  
123. /etc/rc.local
124.  
125. Before the exit 0. Will be launched at boot time.
126.  
127. #!/bin/sh
128. #
129. # rc.local
130. #
131. # This script is executed at the end of each multiuser runlevel.
132. # Make sure that the script will "exit 0" on success or any other
133. # value on error.
134. #
135. # In order to enable or disable this script just change the execution
136. # bits.
137. #
138. # By default this script does nothing.
139.  
140. set -e
141.  
142. # Launch my netfilter rules
143. if [ -e '/etc/firewall_example.sh' ]
144. then
145. /bin/sh '/etc/firewall_example.sh'
146. fi
147.  
148. exit 0
149.  
150. /etc/network/interfaces
151.  
152. This is a more reasonable and standar place for networking related stuff.
153.  
154. For example, if eth0 is your main or uniq interface, using DHCP:
155.  
156. # This file describes the network interfaces available on your system
157. # and how to activate them. For more information, see interfaces(5).
158.  
159. # The loopback network interface
160. auto lo
161. iface lo inet loopback
162.  
163. # WAN cablemodem
164. allow-hotplug eth0
165. iface eth0 inet dhcp
166. pre-up /bin/sh /etc/firewall/enable.sh
167. post-down /bin/sh /etc/firewall/disable.sh
168.  
169. Example: Basic standalone machine firewall
170.  
171. You can use this script in any stand-alone machine (for example a personal desktop) that does not need ports open to any place. Or see the final commented line, to open specific ports.
172.  
173. A simple script like the one below, will provide your host with a reasonable amount of security. Be aware that the following script drops all packets which do not match an allow rule, so normal network error messages will not be seen. All allow rules have been commented out to protect the uninitiated.
174.  
175. #!/bin/sh
176. # A very basic IPtables / Netfilter script
177.  
178. PATH='/sbin'
179.  
180. # Flush the tables to apply changes
181. iptables -F
182.  
183. # Default policy to drop 'everything' but our output to internet
184. iptables -P FORWARD DROP
185. iptables -P INPUT DROP
186. iptables -P OUTPUT ACCEPT
187.  
188. # Allow established connections (the responses to our outgoing traffic)
189. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
190.  
191. # Allow local programs that use loopback (Unix sockets)
192. iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
193.  
194. # Uncomment this line to allow incoming SSH/SCP conections to this machine,
195. # for traffic from 10.20.0.2 (you can use also use a network definition as
196. # source like 10.20.0.0/22).
197. # iptables -A INPUT -s 10.20.0.2 -p tcp --dport 22 -m state --state NEW -j ACCEPT
198.  
199. Example: Basic gateway machine firewall
200.  
201. #!/bin/sh
202. # This is a more complex setup, for a home firewall:
203. # * One interface plug to the ISP conection (eth0). Using DHCP.
204. # * One interface plug to the local LAN switch (eth1). Using 192.168.0.0/24.
205. # * Traffic open from the LAN to the SSH in the firewall.
206. # * Traffic open and translated, from the local LAN to internet.
207. # * Traffic open from internet, to a local web server.
208. # * Logging of dropped traffic, using a specific ''log level'' to configure a separate file in syslog/rsyslog.
209.  
210. PATH='/sbin'
211.  
212. ## INIT
213.  
214. # Flush previous rules, delete chains and reset counters
215. iptables -F
216. iptables -X
217. iptables -Z
218. iptables -t nat -F
219.  
220. # Default policies
221. iptables -P INPUT DROP
222. iptables -P OUTPUT DROP
223. iptables -P FORWARD DROP
224.  
225. echo -n '1' > /proc/sys/net/ipv4/ip_forward
226. echo -n '0' > /proc/sys/net/ipv4/conf/all/accept_source_route
227. echo -n '0' > /proc/sys/net/ipv4/conf/all/accept_redirects
228. echo -n '1' > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
229. echo -n '1' > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
230.  
231. # Enable loopback traffic
232. iptables -A INPUT -i lo -j ACCEPT
233. iptables -A OUTPUT -o lo -j ACCEPT
234.  
235. # Enable statefull rules (after that, only need to allow NEW conections)
236. iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
237. iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
238. iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
239.  
240. # Drop invalid state packets
241. iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
242. iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
243. iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP
244.  
245.  
246. ## INPUT
247.  
248. # Incoming ssh from the LAN
249. iptables -A INPUT -i eth1 -s 192.168.0.0/24 \
250. -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
251.  
252.  
253. ## OUTPUT
254.  
255. # Enable al outgoing traffic to internet
256. iptables -A OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT
257.  
258. # Enable access traffic, from the firewall to the LAN network
259. iptables -A OUTPUT -o eth1 -d 192.168.0.0/24 -j ACCEPT
260.  
261.  
262. ## FORWARD
263.  
264. # We have dynamic IP (DHCP), so we've to masquerade
265. iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
266. iptables -A FORWARD -o eth0 -i eth1 -s 192.168.0.0/24 \
267. -m conntrack --ctstate NEW -j ACCEPT
268.  
269. # Redirect HTTP (tcp/80) to the web server (192.168.0.2)
270. iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
271. -j DNAT --to-destination 192.168.0.2:80
272.  
273. iptables -A FORWARD -i eth0 -p tcp --dport 80 \
274. -o eth1 -d 192.168.0.2 \
275. -m conntrack --ctstate NEW -j ACCEPT
276.  
277.  
278. ## LOGGING
279.  
280. iptables -A INPUT -j LOG --log-level DEBUG --log-prefix '[FW INPUT]: '
281. iptables -A OUTPUT -j LOG --log-level DEBUG --log-prefix '[FW OUTPUT]: '
282. iptables -A FORWARD -j LOG --log-level DEBUG --log-prefix '[FW FORWARD ]: '
283.  
284. Using ip6tables for IPv6 traffic
285.  
286. Because of growth, Internet is slowly switching to IPv6, that has a much larger address space than IPv4, and Debian is IPv6 capable.
287.  
288. If you have IPv6 addresses, networks and conections in your firewall, you've to be careful and configure your rulesets for each protocol.
289.  
290. To configure and manage IPv6 rulesets, you need to use ip6tables(8), which is provided by the default Debian install, in the package iptables.
291.  
292. The usage and functionality, is very similar to iptables, but oriented to IPv6 traffic.
293.  
294. For more references, see: ip6tables(8)
295.  
296. Using ebtables for ARP traffic
297.  
298. Ebtables (package ebtables) is used to set up, maintain, and inspect the tables of Ethernet frame rules in the Linux kernel. It is analogous to iptables, but operates at the MAC (ARP) layer, rather than the IP layer.
299.  
300. If you need to filter or translate ARP traffic (at link layer), your firewall has bridged interfaces (for example a transparent bridge between a OpenVPN tunneled VLAN and a local VLAN, or bridged interfaces for virtualization), ebtables(8) is your friend.
301.  
302. The design is very similar to netfilter's iptables.
303.  
304. It manages rulesets in tables with chains and targets, using user space tools, but this time it's not in the default Debian installation, and you need to add it:
305.  
306. % aptitude update
307. % aptitude install ebtables
308.  
309. For a more detailed explanation of its usage, look at the inevitable man page, and visit the official website (see links section).
310.  
311. There are documents that explain howto integrate ebtables and iptables, using the iptables module physdev.
312.  
313. Application firewalls
314.  
315. To go more up, and manipulate the Layer 7 of the OSI model, and be able to define rules at application level, you need other tools.
316.  
317. For example... you open the port 80 to your users, but you don't want them to be able to download .exe files from internet. You need an application firewall or proxy.
318.  
319. The default kernel in Debian does not have layer 7 patches, but you can install user space proxys to manage this kind of filters.
320.  
321. There are options like squid, dans guardian, zorp, etc.
322.  
323. ?Zorp is written in python and has been added to Debian with 5.0.
324.  
325. See also the links section for the l7-filter project.
326.  
327. Troubleshooting software and tips
328.  
329. Some helpful (and must-have) tools are:
330.  
331. ip(8): (package: iproute) to list interfaces, addresses, route tables, etc.
332.  
333. nc(1): (package: netcat) to test tcp and udp connections, open ports, etc.
334.  
335. ping(8): to test ICMP traffic (not tcp or udp).
336.  
337. tail(1): and other tools to monitor logs.
338.  
339. tcpdump(8): (package: tcpdump) to monitor "raw" packets, traffic, etc. using filters and regular expresions.
340.  
341. It's very easy to lose connectivity when initially configuring a firewall. And it's easier the more complex the firewall is.
342.  
343. A basic skill for troubleshoot a firewall problem, is to know the points where the traffic passes, is turned, routed, can be rejected, etc. And to know how to monitor that points, and what is happening.
344.  
345. The most effective is to analyze the traffic from end to end, from the initial request, the DNS, the interfaces by which must pass, the translations that have to do, the rejected traffic logs, the routing rules, etc.
346.  
347. A common hack when doing ruleset designing, is to put a cron task, that flush rules every few minutes, in case you will make a mistake (working in remote).
348.  
349. Graphic applications and frontends
350.  
351. There are some tools, to configure firewalls using frontends and helpers.
352.  
353. Some of them are:
354.  
355. ferm (wiki page)
356.  
357. firestarter
358.  
359. fwbuilder
360.  
361. guarddog
362.  
363. kmyfirewall
364.  
365. knetfilter
366.  
367. shorewall
368.  
369. Search firewall in packages.debian.org
370.  
371. There are also command line "high level" tools, to avoid the "low level" syntax, or to simplify certain tasks. Anyway, the real power is in the large number of modules and options for basic command line programs, that often is not covered by frontends.