Setting Up a Firewall
So you know that you need a firewall and want to create one. What’s next? The following sections explain how to set up an Iptables-based firewall by using the restrictive model. This section describes how to manually create the firewall-filtering rules. When you’re done setting up your rules, see the section “Saving your filtering rules to a script,” later in this chapter, so that you don’t have to enter these rules every time you turn on your computer.
In this section, you design an Iptables-based firewall that blocks all incoming connections on your modem and still enables you to establish outgoing connections to the Internet. You then back off the total restriction of incoming communication to allow incoming Secure Shell connections. (Secure Shell provides encrypted communications.)
Warning: Don’t execute these instructions from a remote connection! You must run these commands from your computer’s console. That is, you must be sitting at your computer and not be working on it over a network connection. The reason is that these firewall rules shut off all external network connections before selectively restoring them, so a remote session would be cut off partway through and you could not finish entering the rules.
These instructions describe how to build your firewall, brick by brick:
Log in to your computer as root and then open a GNOME Terminal window by right-clicking any empty portion of the desktop and choosing New Terminal from the menu.
Make sure that you’re not already running a firewall, by entering these rules at the command prompt in the terminal window:
iptables --flush
iptables --flush -t nat
The iptables entries remove any existing filtering or Network Address Translation (NAT) rules. NAT rules rewrite the addresses in packets as they pass through, so that traffic from your computer appears to come from another address, typically the public address of your gateway. NAT is frequently used so that the computers on a private network can share the single Internet Protocol (IP) address your ISP assigns you, rather than each of them needing an official IP address of its own.
Filter out all network communication to, from, and through your computer by entering these rules:
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
These commands set the default policy of your firewall to not allow any network traffic into (the INPUT rule) or out of (the OUTPUT rule) any network interface; nor is any traffic allowed to pass between multiple network interfaces (the FORWARD rule) if you have them. At this point, you have an extremely safe firewall. However, your computer is useless in terms of using it for any network-related tasks. The next step opens the firewall a little bit so that you can access the Internet (or any network you’re attached to) in a safe way.
Enter these rules to allow network traffic to pass through the loopback device:
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A INPUT -j ACCEPT -i lo
Linux computers use an internal network, called a loopback interface (lo). The loopback isn’t a physical device, but rather is a virtual one. Linux uses lo for internal communications. (A great deal goes on behind the scenes on a Linux computer.)
Turn on all outgoing communication from your computer:
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
These rules don’t specify any particular network interface, so they apply to all of them: Ethernet, wireless, or a dial-up Point-to-Point Protocol (PPP) interface alike. The first rule permits all outgoing communication. The --state NEW,RELATED,ESTABLISHED option tells the stateful filter to allow packets that start a new connection as well as packets belonging to connections it has already seen. (Packets are the basic unit of all network communication.) Packets that are related to an existing connection but use a different port, such as FTP data transfers, are also permitted, provided the kernel’s connection-tracking helper for that protocol is loaded.
The second filter rule controls the packets coming back from outgoing connections. When you connect to a Web site, for example, your browser sends out packets and the web server responds to them. You may click a button on the Web site, and a new display pops up. Clicking a button sends a packet out, and the web server sends packets back. You have previously blocked packets from the Internet. This rule creates an exception that allows packets which belong to an existing connection — such as the connection that represents you clicking a button — to return to your computer through the firewall. Note that we don’t allow new incoming connections (--state NEW) to be established because that would defeat the purpose of this firewall.
(Optional) Use the following rule to allow SSH connections to your Linux computer:
iptables -A INPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT --dport 22
This rule permits new SSH connections on TCP port 22 to enter your computer. (Packets of an established SSH session are already accepted by the previous INPUT rule, so listing ESTABLISHED here is harmless but redundant.) You can install an OpenSSH server by logging in as root, mounting your companion DVD, and running this command:
rpm -ivh /mnt/cdrom/RedHat/RPMS/openssh-server*
Start the OpenSSH server by running this command:
/etc/init.d/sshd start
You can modify this rule to allow other types of incoming connections to your computer. For example, add the same rule with --dport 80 in place of --dport 22, and the firewall allows incoming HTTP connections. All you need to do is install the Apache web server (included on this book’s companion DVD-ROM and described in Chapter 16), and your workstation morphs into a web server.
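The steps above, gathered into one script as an added example (this is not the book’s own script, which appears later in this chapter under “Saving your filtering rules to a script”). It prints the rules by default and only loads them when run as root with APPLY=1. The SSH_PORT and OPEN_TCP_PORTS variables, the rule that drops INVALID packets, and the two-minute rollback timer are this example’s additions, not something the text above prescribes.

```shell
#!/bin/sh
# Added example, not the book's script: builds the restrictive ruleset from
# this section as a list of iptables commands. Dry run unless APPLY=1 as root.

SSH_PORT="${SSH_PORT:-22}"            # set to "" to keep SSH closed (assumption)
OPEN_TCP_PORTS="${OPEN_TCP_PORTS:-}"  # extra services, e.g. "80 443" (assumption)

# Emit the rules in the order they must be loaded.
firewall_rules() {
    # 1. Start clean: remove filter and NAT rules left from a previous run.
    echo "iptables --flush"
    echo "iptables --flush -t nat"
    # 2. Default deny in every direction.
    echo "iptables --policy INPUT DROP"
    echo "iptables --policy OUTPUT DROP"
    echo "iptables --policy FORWARD DROP"
    # 3. Loopback traffic never leaves the machine.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Extra to the text: refuse packets that claim to belong to a connection
    # the kernel never saw (malformed or spoofed "replies").
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    # 4. Stateful core: anything outbound, only replies inbound.
    echo "iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # 5. Reopen chosen services. Only NEW is needed: replies on an accepted
    # connection already match the ESTABLISHED rule above.
    if [ -n "$SSH_PORT" ]; then
        echo "iptables -A INPUT -p tcp --dport $SSH_PORT -m state --state NEW -j ACCEPT"
    fi
    for port in $OPEN_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
}

# Number of rules the current settings produce (sanity check before loading).
rule_count() {
    firewall_rules | wc -l | tr -d ' '
}

# Load the rules with a safety net: a background timer reopens the firewall
# after 120 seconds unless you kill it. If the ruleset locks you out, you are
# back in two minutes; if you can still reach the box, kill the timer to keep it.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must run as root" >&2
        return 1
    fi
    ( sleep 120 && iptables --flush && iptables --policy INPUT ACCEPT \
        && iptables --policy OUTPUT ACCEPT ) &
    timer=$!
    if ! firewall_rules | sh -e; then
        # A half-loaded ruleset with DROP policies is worse than none: reopen now.
        kill "$timer" 2>/dev/null
        iptables --flush
        iptables --policy INPUT ACCEPT
        iptables --policy OUTPUT ACCEPT
        echo "apply_rules: loading failed, firewall reopened" >&2
        return 1
    fi
    echo "Rules loaded. Run 'kill $timer' within 120 s to keep them."
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    firewall_rules
fi
```

Run it once without APPLY to read the rules it will load, then `APPLY=1 sh firewall.sh` from the console. The rollback timer does not make remote use safe, it only limits how long a mistake keeps you out; the book’s warning about working from the console still applies.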
You have just created a simple, effective firewall that protects your computer from the werewolves of Netdom. (“They’ll rip your heart out, Jim!”) Your firewall remains active until you turn the rules off or reboot your computer. The following section shows how to display your new firewall rules.