Linux Format - UK (2020-03)

http://www.techradar.com/pro/linux March 2020 LXF260 53

Firewalls IN-DEPTH

Redhat’s firewalld can use nftables or iptables and is the standard way to firewall your VMs

with libvirt.

$ sudo iptables –A INPUT -m conntrack --ctstate

ESTABLISHED,RELATED -j ACCEPT

Don’t worry too much about the syntax here. The

bits in capitals are all that really matter, so this says that

incoming traffic that’s already established or related to

an already established connection should be accepted.

That way, when our wise sysadmin has a brief lapse of

judgement and then adds a rule to, say, deny all

incoming connections, for instance with

$ sudo iptables -A INPUT DROP

then SSH still functions, and the appropriate rule for

explicitly allowing SSH can be inserted, as it should have

been, before it.

Iptables works on chains of rules, which are grouped

together to form tables (as the name suggests). The

default tables are named Filter, NAT, Mangle and Raw,

so right away you can see that packet filters and NAT

routing are closely related. The Filter table has three

built-in chains: INPUT (referred to above), OUTPUT ,

and FORWARD. By default these chains have no

rules, but as we saw above we can add to them using

the -A option.

Iptables is still around, but has technically been

succeeded by nftables, which also talks to the kernel

through the Netfilter interface, but does so in a faster,

more robust way. One thing nftables does better is it

unifies rules for IPv4 and IPv6. There’s a whole separate

ip6tables command for wrangling the latter, which

makes life awkward on dual-stack hosts. We covered

nftables back in LXF237 (p77) and there isn’t nearly

enough space to cover it here. Neither is there space

(or time! – Ed) to cover BPFilter, the new packet filtering

kid on the block (which may even usurp nftables – time

will tell). So let’s use the rest of this feature to talk about

something simpler.

Uncomplicate this!

Many users would like a firewall but would rather not get

tangled up in the abstruse syntax of the iptables or

nftables commands. They may wonder, to paraphrase

Canadian songstress Avril Lavigne, why network

engineers made things so complicated. We don’t really

have an answer, but we have a tenuous link to that song:

ufw – the Uncomplicated Firewall. This has a much

friendlier syntax, and like nftables it can deal with both

IPv4 and IPv6 connections.

A fairly standard desktop firewall arrangement is

to disallow all incoming connections and enable all

outgoing ones. If you aren’t running any services (or

don’t want anyone to connect to ones you are running),

then naturally this won’t break anything. Since these are

general rules (and we might add more specialised ones

on top of them) we’ll set them as the default policy:

$ sudo ufw default allow outgoing

$ sudo ufw default deny incoming

Ufw isn’t enabled by default, so this will need to be

changed in order to enact our new policy. Before we do

that, though, run the command sudo iptables -L to

view the current iptables config. On a clean install, this

will show no firewall rules and traffic allowed in both

directions. Now start and ufw with

$ sudo ufw enable

and check the iptables rules again. This time you should

see a lot more output, most of which you needn’t worry

about. Ufw adds several of its own chains to iptables’

three standard ones, and you should see that the

default INPUT policy has changed to DROP.

Mint and a few other distros ship with Gufw – a

friendly frontend for ufw, and if you’re concerned about

the packets ingressing or egressing your network

interfaces yet don’t want to, that’s a good place to start.

In Ubuntu you’ll find it in the Software Centre, or you

can install it with

$ sudo apt install gufw

Once installed, it’ll be available from the applications

menu as Firewall Configuration. Fire (sigh) it up and you

will see its delightfully simple interface. The Report tab

will show what’s listening (in a much nicer way than we

saw at the beginning of this feature) and there are

predefined applications you can whitelist.

There’s much more to firewalls, but once again,

those ever-present space and time constraints dictate

that our firewalling journey stops here.

Gufw will show you services that are listening for connections, whether

over IPv4 or IPv6.

5550March 2 h0r13h1 March 2020LXF260 53

Firewalls IN-DEPTH

Redhat’s firewalld can use nftables or iptables and is the standard way to firewall your VMs

with libvirt.

$ sudoiptables–AINPUT-mconntrack--ctstate
ESTABLISHED,RELATED -j ACCEPT
Don’t worry too much about the syntax here. The
bits in capitals are all that really matter, so this says that
incoming traffic that’s already established or related to
an already established connection should be accepted.
That way, when our wise sysadmin has a brief lapse of
judgement and then adds a rule to, say, deny all
incoming connections, for instance with
$ sudo iptables -A INPUT DROP
then SSH still functions, and the appropriate rule for
explicitly allowing SSH can be inserted, as it should have
been, before it.
Iptables works on chains of rules, which are grouped
together to form tables (as the name suggests). The
default tables are named Filter, NAT, Mangle and Raw,
so right away you can see that packet filters and NAT
routing are closely related. The Filter table has three
built-in chains: INPUT (referred to above), OUTPUT ,
and FORWARD. By default these chains have no
rules, but as we saw above we can add to them using
the -A option.
Iptables is still around, but has technically been
succeeded by nftables, which also talks to the kernel
through the Netfilter interface, but does so in a faster,
more robust way. One thing nftables does better is it
unifies rules for IPv4 and IPv6. There’s a whole separate
ip6tables command for wrangling the latter, which
makes life awkward on dual-stack hosts. We covered
nftables back in LXF237 (p77) and there isn’t nearly
enough space to cover it here. Neither is there space
(or time! – Ed) to cover BPFilter, the new packet filtering
kid on the block (which may even usurp nftables – time
will tell). So let’s use the rest of this feature to talk about
something simpler.

Uncomplicate this!
Many users would like a firewall but would rather not get
tangled up in the abstruse syntax of the iptables or
nftables commands. They may wonder, to paraphrase

Canadian songstress Avril Lavigne, why network

engineers made things so complicated. We don’t really

have an answer, but we have a tenuous link to that song:

ufw – the Uncomplicated Firewall. This has a much

friendlier syntax, and like nftables it can deal with both

IPv4 and IPv6 connections.

A fairly standard desktop firewall arrangement is

to disallow all incoming connections and enable all

outgoing ones. If you aren’t running any services (or

don’t want anyone to connect to ones you are running),

then naturally this won’t break anything. Since these are

general rules (and we might add more specialised ones

on top of them) we’ll set them as the default policy:

$ sudo ufw default allow outgoing

$ sudo ufw default deny incoming

Ufw isn’t enabled by default, so this will need to be

changed in order to enact our new policy. Before we do

that, though, run the command sudo iptables -L to

view the current iptables config. On a clean install, this

will show no firewall rules and traffic allowed in both

directions. Now start and ufw with

$ sudo ufw enable

and check the iptables rules again. This time you should

see a lot more output, most of which you needn’t worry

about. Ufw adds several of its own chains to iptables’

three standard ones, and you should see that the

default INPUT policy has changed to DROP.

Mint and a few other distros ship with Gufw – a

friendly frontend for ufw, and if you’re concerned about

the packets ingressing or egressing your network

interfaces yet don’t want to, that’s a good place to start.

In Ubuntu you’ll find it in the Software Centre, or you

can install it with

$ sudo apt install gufw

Once installed, it’ll be available from the applications

menu as Firewall Configuration. Fire (sigh) it up and you

will see its delightfully simple interface. The Report tab

will show what’s listening (in a much nicer way than we

saw at the beginning of this feature) and there are

predefined applications you can whitelist.

There’s much more to firewalls, butonceagain,

those ever-present space and time constraints dictate

that our firewalling journey stops here.

Gufw will show you services that are listening for connections, whether

over IPv4 or IPv6.