Linux Format - UK (2020-03)

http://www.techradar.com/pro/linux March 2020 LXF260 53

Firewalls IN-DEPTH


Redhat’s firewalld can use nftables or iptables and is the standard way to firewall your VMs
with libvirt.

$ sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Don’t worry too much about the syntax here. The
bits in capitals are all that really matter, so this says that
incoming traffic that’s already established or related to
an already established connection should be accepted.
That way, when our wise sysadmin has a brief lapse of
judgement and then adds a rule to, say, deny all
incoming connections, for instance with
$ sudo iptables -A INPUT -j DROP
then SSH still functions, and the appropriate rule for
explicitly allowing SSH can be inserted, as it should have
been, before it.
Iptables works on chains of rules, which are grouped
together to form tables (as the name suggests). The
default tables are named Filter, NAT, Mangle and Raw,
so right away you can see that packet filters and NAT
routing are closely related. The Filter table has three
built-in chains: INPUT (referred to above), OUTPUT,
and FORWARD. By default these chains have no
rules, but as we saw above we can add to them using
the -A option.
Iptables is still around, but has technically been
succeeded by nftables, which also talks to the kernel
through the Netfilter interface, but does so in a faster,
more robust way. One thing nftables does better is it
unifies rules for IPv4 and IPv6. There’s a whole separate
ip6tables command for wrangling the latter, which
makes life awkward on dual-stack hosts. We covered
nftables back in LXF237 (p77) and there isn’t nearly
enough space to cover it here. Neither is there space
(or time! – Ed) to cover BPFilter, the new packet filtering
kid on the block (which may even usurp nftables – time
will tell). So let’s use the rest of this feature to talk about
something simpler.

Uncomplicate this!
Many users would like a firewall but would rather not get
tangled up in the abstruse syntax of the iptables or
nftables commands. They may wonder, to paraphrase
Canadian songstress Avril Lavigne, why network
engineers made things so complicated. We don’t really
have an answer, but we have a tenuous link to that song:
ufw – the Uncomplicated Firewall. This has a much
friendlier syntax, and like nftables it can deal with both
IPv4 and IPv6 connections.
A fairly standard desktop firewall arrangement is
to disallow all incoming connections and enable all
outgoing ones. If you aren’t running any services (or
don’t want anyone to connect to ones you are running),
then naturally this won’t break anything. Since these are
general rules (and we might add more specialised ones
on top of them) we’ll set them as the default policy:
$ sudo ufw default allow outgoing
$ sudo ufw default deny incoming
Ufw isn’t enabled by default, so this will need to be
changed in order to enact our new policy. Before we do
that, though, run the command sudo iptables -L to
view the current iptables config. On a clean install, this
will show no firewall rules and traffic allowed in both
directions. Now start ufw with
$ sudo ufw enable
and check the iptables rules again. This time you should
see a lot more output, most of which you needn’t worry
about. Ufw adds several of its own chains to iptables’
three standard ones, and you should see that the
default INPUT policy has changed to DROP.
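The two checks this feature keeps coming back to (is the ESTABLISHED,RELATED accept in place, and was SSH allowed before the catch-all DROP?) can be run over an iptables -S dump rather than eyeballed. This is an added example, not code from the article or from ufw: it flattens INPUT (following jumps into user chains such as ufw's) and reports whether existing and new SSH sessions would still be accepted; the sample dump is constructed and only mimics ufw's chain names.

```python
"""Lockout lint for an `iptables -S` dump (added example, not from the article).
Walks INPUT in evaluation order, expanding jumps into user-defined chains, and
answers: would existing sessions and new SSH connections still get in?"""
import re
from collections import defaultdict

def parse_dump(dump):
    """Return (policies, rules): chain -> policy, chain -> rule bodies in order."""
    policies, rules = {}, defaultdict(list)
    for line in dump.strip().splitlines():
        parts = line.split()
        if parts[0] == "-P":
            policies[parts[1]] = parts[2]
        elif parts[0] == "-N":                      # user chain declared, empty so far
            rules.setdefault(parts[1], [])
        elif parts[0] == "-A":
            rules[parts[1]].append(" ".join(parts[2:]))
    return policies, rules

def walk(chain, rules, seen=()):
    """Yield (match part, target) as the kernel would evaluate them.
    Jumps into user chains are expanded in place; RETURN is not modelled."""
    for rule in rules.get(chain, []):
        matches, _, target = (" " + rule).rpartition(" -j ")
        target = target.split()[0] if target else ""
        if target in rules and target not in seen:  # e.g. -j ufw-before-input
            yield from walk(target, rules, seen + (chain,))
        else:
            yield matches.strip(), target

def ssh_survives(dump):
    """(existing sessions accepted, new SSH connections accepted) on INPUT."""
    policies, rules = parse_dump(dump)
    existing = new = False
    for matches, target in walk("INPUT", rules):
        if target == "ACCEPT":
            if not matches:                          # blanket accept: all traffic in
                return True, True
            existing |= "ESTABLISHED" in matches     # the conntrack rule from the text
            new |= bool(re.search(r"--dports? \S*\b(22|ssh)\b", matches))
        elif target in ("DROP", "REJECT") and not matches:
            return existing, new                     # catch-all drop: nothing below runs
    return (True, True) if policies.get("INPUT", "ACCEPT") == "ACCEPT" else (existing, new)

# Constructed dump shaped like a ufw ruleset after `ufw allow ssh` and `ufw enable`.
UFW_LIKE = """-P INPUT DROP
-N ufw-before-input
-N ufw-user-input
-A INPUT -j ufw-before-input
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-input -j ufw-user-input
-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT"""
```

Run it against `sudo iptables -S` captured to a file to see whether a ruleset would cut off new logins while leaving the current session alive, which is exactly the lapse described above.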
Mint and a few other distros ship with Gufw – a
friendly frontend for ufw, and if you’re concerned about
the packets ingressing or egressing your network
interfaces yet don’t want to go near the command line,
that’s a good place to start.
In Ubuntu you’ll find it in the Software Centre, or you
can install it with
$ sudo apt install gufw
Once installed, it’ll be available from the applications
menu as Firewall Configuration. Fire (sigh) it up and you
will see its delightfully simple interface. The Report tab
will show what’s listening (in a much nicer way than we
saw at the beginning of this feature) and there are
predefined applications you can whitelist.
There’s much more to firewalls, but once again,
those ever-present space and time constraints dictate
that our firewalling journey stops here.

Gufw will show you services that are listening for connections, whether
over IPv4 or IPv6.
