Forum OpenACS Q&A: basic firewall features on RH 8.0

Posted by David Kuczek on
As my former provider went bust, I had to move my server to a new location that doesn't put my server behind a firewall, because it doesn't have one installed...

I never had to bother with a firewall, so I am quite a newbie. What would basic precautions to secure my server look like, and how would I have to proceed?

Thanks

Posted by Bjorn Thor Jonsson on
When I was setting up my first home Linux firewall box I loved reading this tutorial:
Linux 2.4 stateful firewall design
http://www-106.ibm.com/developerworks/linux/edu/l-dw-linuxfw-i.html

Here I learnt how to do port forwarding (NAT) to services within my LAN:
Linux 2.4 NAT HOWTO
http://www.netfilter.org/unreliable-guides/NAT-HOWTO/index.html

Red Hat Linux 6.X as an Internet Gateway for a Home Network
http://en.tldp.org/HOWTO/mini/Home-Network-mini-HOWTO.html
was also helpful, though I used iptables instead of ipchains.

Posted by Jun Yamog on
Hi David,

As a basic rule, only open what you need.  Which is likely http (port 80) and ssh (port 22).  You may want to block (DENY or REJECT, I prefer DENY) all ports from 0-1023 (0-64k is even better, but I find it overkill) on all outside interfaces (e.g. eth0, eth1, etc.).  Then, using netstat -nap, see if any ports above 1023 are running and close them down.  Also, since this is your first time, try doing it on your home machine.  Connect to your remote machine and secure your home machine remotely; that will likely simulate what you need to do on your remote machine.  You can use nmap to scan ports for you.

Just remember the basic rule: only offer what you really offer to the world.  Anything else should be kept shut, or better yet shut down the service; don't just hide it.

Jun

Posted by Mike Sisk on
RH 8.0 uses iptables and a GUI frontend to create a firewall called lokkit.

The config file for the firewall is /etc/sysconfig/iptables and the program that creates the file is /usr/sbin/lokkit.

Use the service scripts to start, stop or reload the firewall: "service iptables start".

Basically, make a firewall with a "high" security level in lokkit and only open the ports you need: http, ssh, maybe smtp or ftp if you're using those. The networking scripts should automatically punch a hole in the firewall for named (DNS) services without you having to do anything.

The man pages, the lokkit docs in /usr/share/doc, or the Red Hat site have more info on iptables firewalls.

Posted by David Kuczek on
Hello Mike,

I just set up my firewall via lokkit, but although I didn't specify port 8000 to be open, I can still access it via http://www.myserver.com:8000 ... (I opened port 10000 for webmin.)

This is my iptables file:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 10000 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 195.94.90.10 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 195.227.70.1 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT

How come???

Thanks

Posted by David Kuczek on
silly me... I set up eth0 as a trusted device although it is the one that connects my server to the net :-)

Here is a basic doc on the RH firewall:

http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/custom-guide/ch-basic-firewall.html

Posted by James Bennin on
I have read this thread and I am having the contrary firewall problem. I am using Red Hat Linux 8.0 with OpenACS 4.6.3. My firewall is set too high, and people on the network my machine (the one with AOLserver) is on cannot access my server/page at http://.....:8000. How do I reconfigure the firewall setting so I allow communication through ports 8000 and 8443 (for secure logging)? This is what my /etc/sysconfig/iptables file contains:
# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
#       firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 23 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 140.188.64.153 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT

So how do I modify this to allow communication on ports 8000 and 8443? If there is any other information you need, please let me know. Thank you.
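As an added example, not from the thread or from lokkit itself: a small Python check that reads a lokkit-style /etc/sysconfig/iptables file, lists the TCP ports it opens, flags any interface accepted wholesale (the eth0 mistake in David's post above, which is why port 8000 stayed reachable), and inserts new --dport ACCEPT rules ahead of the chain's catch-all REJECT, as James's question asks. The sample ruleset is constructed from the files posted above; lokkit rewrites the file when rerun, so treat the output as something to re-check rather than a one-time fix.

```python
import re

# Constructed sample modelled on the lokkit files posted in this thread, including
# the "eth0 marked as trusted" mistake from David's post.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT
"""

def open_tcp_ports(rules):
    """TCP ports explicitly accepted by --dport rules, in numeric order."""
    ports = set()
    for line in rules.splitlines():
        m = re.search(r"-p tcp .*--dport (\d+) .*-j ACCEPT$", line)
        if m:
            ports.add(int(m.group(1)))
    return sorted(ports)

def trusted_interfaces(rules):
    """Interfaces accepted wholesale ('-i X -j ACCEPT') other than lo. Such a rule
    sits before the final REJECT, so every listening port on it is reachable."""
    hits = []
    for line in rules.splitlines():
        m = re.fullmatch(r"-A \S+ -i (\S+) -j ACCEPT", line.strip())
        if m and m.group(1) != "lo":
            hits.append(m.group(1))
    return hits

def add_tcp_ports(rules, chain, ports):
    """Copy of `rules` with --dport ACCEPT lines for `ports` inserted just before the
    chain's catch-all TCP REJECT (rules match top to bottom, so order matters)."""
    already = set(open_tcp_ports(rules))
    out = []
    for line in rules.splitlines():
        if line == f"-A {chain} -p tcp -m tcp --syn -j REJECT":
            out += [f"-A {chain} -p tcp -m tcp --dport {p} --syn -j ACCEPT"
                    for p in ports if p not in already]
        out.append(line)
    return "\n".join(out) + "\n"
```

After writing the edited file back, "service iptables restart" loads it; running trusted_interfaces on the live file is a cheap nightly sanity check against the eth0 mistake recurring.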
Posted by James Bennin on
Never mind, I figured out how to loosen the firewall configuration on my Linux box.  I used "/usr/sbin/lokkit" and then "service iptables start" to resolve my problem.  Thank you for your help.
Posted by Jerry Asher on
After setting up the basic firewall with lokkit, rm lokkit.

It used to not be able to read the current rules (even if it wrote them) and understand what your firewall is trying to do.  So all new configs started from scratch and wasted your previous configuration.  Has that been fixed, or is it still the typical pos?

Use lokkit to start, then turn to emacs.

Also, there is a terrific book, Real World Linux Security by Toxen that comes with enormous amounts of firewall rulesets.  For instance, you really don't want to stop iptables and restart it to load new rules, and Toxen shows you how to eliminate the microseconds of vulnerability. Great for the paranoid but difficult for the arm-chair sysadmin.  It also comes with scripts (for non-commercial use) that make logwatch useful, by stripping out all the daily crapola.

Do buy a copy of SSH, The Secure Shell by Barrett & Silverman.  There are some wonderful features in SSH that can make it much easier for you to present to the world a tightly locked down box, while presenting to you and only to you, the  vast wasteland.

And do remember, a firewall is not enough, because one day you will forget to reenable it, or it will not load.  (This actually has been the subject of a Red Hat errata this week -- a bug in their newest kernel kept iptables from loading on certain machines.)  So turn off all unnecessary services.  Consider removing gcc and even emacs.

If your server is offsite, then consider failsafing it.  Install cron jobs to ensure the firewall is up and that you have connectivity and, if you do not, to take various failsafe actions: reboot, replace /etc with a failsafe version from a tar file, etc.

Look into chkrootkit and build a CD of executables for chkrootkit to run from.  Keep that CD in place and schedule chkrootkit to run nightly.  Consider booting from a write-protected floppy (something that can help RAIDed sys disks too) or booting from CD.  Note, unfortunately, that if you do boot from write-protected removable media, you will be running on old kernels until you can change out the media.  Some folks think that's prudent anyway.

Look into bastille.  It's useful as a teaching tool, but I didn't like it for the somewhat non-standard (presumably better) tools it used.

Back up your system.  I have a website that does nothing more than serve up a MIME-encoded encrypted tar backup of my website and pg db along with a few choice keywords.  This little-known trick lets me obtain recent backups out of the Google cache or the Internet Wayback Machine.

Lastly, if you have a wifi ethernet card, place tin-foil around it.  Mars is very close right now, and experts have predicted that populations of martian hybrid babies will skyrocket.

Posted by Frank N. on
If people are looking into creating serious, stand-alone firewalling machines based on Free Software, then I would suggest people consider OpenBSD. The care and feeding of pf, the OpenBSD in-kernel packet ... transmogrifier(?), is much easier to understand and admin than iptables IMNSHO.

And I probably don't have to mention that the OpenBSD folks take security very, very seriously.

For comparison:

iptables tutorial: http://iptables-tutorial.frozentux.net/iptables-tutorial.html

Complete OpenBSD PF documentation: http://www.openbsd.org/faq/pf/index.html

I currently admin 5 OpenBSD-based firewalls, and it would take serious kicks from external forces to drive me back to using Linux for this particular application. My main personal DMZ splitter has 33 non-empty lines in the pf.conf file, of which 11 are macro definitions for addresses, networks and interfaces, yet it is configured for default-deny, redirects, 2x NAT, antispoofing, packet priority queueing and renormalisation, stateful/modulating firewalling etc.