Red Hat Linux Fedora For Dummies [Electronic resources] (text version)

Jon Hall

Building an Effective Firewall

Technical Stuff: Linux comes bundled with a simple but extremely effective firewall system named Netfilter/Iptables. Netfilter is the packet-filtering framework built into the Linux operating system (the kernel, to be exact), and iptables is the command-line tool that loads filtering rules into it. We refer to the overall system as Iptables because that is the part you actually work with.
Designing filtering rules: Permissive and restrictive methods

Firewall-filtering rules are like the bricks (or asbestos, if you prefer) that build your firewall. Basically, filtering rules determine what network communication can go out of and come into your computer.

When designing firewall-filtering rules, you can choose between two philosophies:

Allow all connections by default and then deny specific access.

Deny all connections by default and then allow specific access.

Allowing all connections takes the view that you should start by permitting all communication with your computer and then deny connections one by one. (This method is used by the Red Hat firewall, which you create during the installation process.) The danger with this method is that you unintentionally leave dangerous traffic able to reach your machine: anything you did not think to block gets in. The alternative method is to start by denying all communication and then selectively allow certain traffic. From a security standpoint, this restrictive method is the best way to build a firewall because you know exactly what access you're allowing. Its drawback is that you may unintentionally block traffic you need or want; in practice that shows up as a service that stops working until you deliberately open it.

We explain in this chapter how to use the restrictive method, for several reasons:

It's the safest method. The restrictive method minimizes the exposure of your Internet-connected computer. For example, a port scan of a default-deny host shows an attacker only the services you chose to open, rather than every program that happens to be listening.

It's easier to configure. Because Iptables provides stateful filtering, you need only two rules to create a safe firewall: a default policy that drops everything arriving from the network, and one rule that accepts packets belonging to connections your computer has already started. Under the permissive model you must instead write an individual rule for every service you want to block, and keep that list current as software is added. Extra, unnecessary complexity reduces security.

The Iptables system filters IP packets, which are the backbone of the Internet (IP stands for Internet Protocol, in fact). When you're connected to the Internet, everything you send and receive, graphics and text alike, travels as IP packets; all the information that enters and leaves your computer via the Internet is packaged that way. You can use Iptables to accept or deny IP packets based on their source and destination addresses, their protocol (TCP, UDP, or ICMP), and their ports.

The Iptables system is effective because it uses stateful filtering, which means that the firewall keeps track of the state of each network connection. It's a technical way of saying that Iptables knows which IP packets belong to a conversation your computer started and which do not. For example, if you're browsing www.dummies.com, Iptables records the connection you opened and recognizes the web server's replies as part of it. A packet that arrives claiming to be a reply but matches no connection in that table can be dropped, so an attacker cannot sneak unsolicited packets through your firewall. Note that the tracking is by connection, not by content: a stateful rule does not inspect what an accepted connection carries, so a vulnerable server that you deliberately opened is still reachable through it.
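The ruleset below is an added example written for this chapter, not code from the book. It puts the "two rules" of the restrictive method into a runnable shell script: the stateful ESTABLISHED,RELATED accept rule from the paragraph above plus the DROP policy, with a loopback rule the two-rule count leaves out (without it, local programs that talk to 127.0.0.1 silently break). It assumes an iptables with the state match, which is what Red Hat Linux and Fedora shipped; the `open_service` and `permissive_firewall` functions and the ports they use are illustrative, the permissive one being there only to contrast the other philosophy. Run it with no argument to preview the commands, or `apply` as root to load them.

```shell
#!/bin/sh
# Restrictive (deny-by-default) Iptables firewall for a single Internet-connected host.
# Added example, not code from the book. Assumes the iptables command and the
# "state" match (ipt_state / ip_conntrack) that shipped with Red Hat Linux and Fedora.
#
#   sh firewall.sh          preview: print the iptables commands, change nothing
#   sh firewall.sh apply    as root: load the rules into the running kernel

# ipt: run an iptables command, or just print it when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# restrictive_firewall: the chapter's "two rules", plus the loopback rule it
# leaves out. Order matters: the ACCEPT rules go in before the DROP policy so
# an SSH session used to apply the rules is not cut off halfway.
restrictive_firewall() {
    ipt -F                      # flush every rule in the filter table
    ipt -X                      # delete any user-defined chains

    # Loopback stays open: without this, local programs that talk to
    # themselves over 127.0.0.1 (printing, X, the resolver) silently break.
    ipt -A INPUT -i lo -j ACCEPT

    # Stateful rule: accept packets that belong to a connection this host
    # opened (ESTABLISHED) or that Netfilter has tied to one (RELATED, such
    # as ICMP errors or the data channel of an FTP session).
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Default policies: anything else arriving from the network is dropped,
    # nothing is forwarded, and traffic this host starts may leave.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

# open_service: the "then allow specific access" half of the restrictive
# method. New connections to one TCP port are accepted; everything else still
# falls through to the INPUT DROP policy. (Illustrative helper.)
open_service() {
    ipt -A INPUT -p tcp --dport "$1" -m state --state NEW -j ACCEPT
}

# permissive_firewall: the other philosophy, for contrast only. Everything is
# accepted and individual ports are closed one by one; any port you forget
# stays reachable from the Internet. Ports chosen for illustration.
permissive_firewall() {
    ipt -F
    ipt -P INPUT ACCEPT
    ipt -A INPUT -p tcp --dport 23 -j DROP    # telnet
    ipt -A INPUT -p tcp --dport 111 -j DROP   # portmap
}

# rule_count: how many iptables commands a ruleset function issues, evaluated
# in dry-run mode so it can be checked before anything is applied.
rule_count() {
    (DRY_RUN=1; "$1") | wc -l | tr -d ' '
}

case "${1:-preview}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        restrictive_firewall
        open_service 22
        # On Red Hat Linux / Fedora, save so the rules reload at boot:
        #   service iptables save
        ;;
    *)
        DRY_RUN=1
        restrictive_firewall
        open_service 22
        ;;
esac
```

The preview run prints seven commands for the restrictive ruleset: two housekeeping flushes, the loopback and stateful accepts, and the three policies. Everything not matched by an ACCEPT rule hits the INPUT DROP policy, which is what makes each `open_service` call an explicit, visible decision rather than an omission.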

Tip: Red Hat Linux installs an Iptables-based firewall by default. The installation program configures a medium level of protection during the installation process. You may recall from Chapter 3 that we advise you to use the default firewall configuration. However, the default firewall isn't as secure as we would prefer for a computer connected to the Internet. Therefore, we describe in this chapter how to construct a more comprehensive and secure firewall.

Tip: The concept of ports is essential to Internet communication. Strictly speaking, ports belong not to IP itself but to the transport protocols carried inside IP packets, TCP and UDP: each packet names a source port and a destination port, and servers wait for connections on well-known port numbers. For example, when you click a link, your browser connects to the web server on port 80 (or port 443 for HTTPS). That's a gross simplification, of course, but it describes the basic idea. Suffice it to say that ports are how the Internet sorts traffic for such tasks as Web browsing, and they are what firewall rules usually match on.
