Share this post
FaceBook  Twitter  
Contents[Hide]

1. Introduction

The first question you will ask yourself (probably) is "why on earth would I need a firewall? Linux is secure, right?" Right, and I know lots of desktop Linux users that never had to touch the subject or don't know what iptables or Netfilter is. Which is probably just fine, but that doesn't mean Linux is 100% safe from any attacks. Any sufficiently complex software has bugs, and many bugs can be exploited and become a security issue. So in the end it's all about some bored enough cracker to take advantage of some vulnerability (one example that springs to mind is the recently discovered sudo bug). What you will need in this case is a better protection than the default (I know Linux is a tough game to crack, but that doesn't make it impossible) while trying not to change in any way on how you use your computer. Consequently, this article will focus on the casual Ubuntu user that has some knowledge of security and networks (what a vulnerability is, what a port scan is, etc.) that wants to secure his/her system. Happy reading and remember that you can always talk with us or other users by going to the forums.

2. Getting started

First, let's see how we'll do this. As an Ubuntu user that wants to tweak a firewall, you have two choices. The first is iptables, which can be found in any Linux distribution but it's a little daunting for beginners because of the syntax. So you gain the fact that the knowledge you get can be used on any Linux system at the expense of a higher learning curve. Other distributions have their specific tools for configuring a firewall, but they also rely on iptables in the end (Fedora, OpenSUSE). This article, however, will not offer you a complete iptables tutorial, just enough to get you started. The second tool is Ubuntu-specific and it's called ufw (uncomplicated firewall). Ubuntu firewall setupIt has a GUI variant named Gufw and it's syntax resembles OpenBSD's pf, making it thusly easier to work with. ufw and Gufw are also to be found in Debian, which makes me think that other derivatives have it as well. ufw is already installed on an usual Ubuntu system, but you'll have to install its' graphical counterpart if you need that.

 # apt-get install gufw

This is actually a tutorial article that hopes to teach you something, so this will better be accomplished without any graphical tools. However, if you feel Gufw is better suited for you, we guarantee you'll know how to work with it after thoroughly reading this article. That's because the whole idea of a firewall is pretty simple: allow/deny to/from port/service tcp/udp. That maybe didn't sound so simple, but let's take a simple example: let's say you're in a LAN and you want to allow others connect to your machine via ssh, as long as they are also on the same LAN. So you will need to allow from your netmask service ssh port 22 TCP. That means any other machines trying to connect to your box will not be able to, because you have a firewall. Let's start with iptables and see how and what.

3. iptables

Make no mistake: iptables is only a command-line front-end for the packet filtering facility offered by the Linux kernel. In the unlikely case that it is not installed already at your site, the name of the package is iptables regardless of the distribution you use. And of course, it's Linux-specific, so it won't be present on other Unix(-like) systems. Please note that you will have to use the root account for any operations you do from now on. Here's how you can list the firewall rules on any Linux box, and here's what you're likely to get on Debian or any other non-Ubuntu Linux distribution:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

...and this is the output from a Ubuntu 11.10 system, with the mention that both systems have no configured firewall rules whatsoever.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         

You have noticed that I used the word "rules". This is a very important word when it comes to configuring your firewall as each rule represents a new setting you make regarding packets entering or leaving your system. Now, remember the SSH example before? Let's see how we can write it in iptables terms.

 # iptables -A INPUT -p tcp --dport ssh -s $address/mask -j ACCEPT

In my humble opinion this syntax looks pretty simple. Then again, it gets a little cheesier when you need more complicated rules, but hey, you have ufw if you need it. Here's a list of some usual iptables options:

 -A append this rule to the rule chain (chains can be INPUT, OUTPUT and FORWARD - 
the latter makes sense if you configure a router/gateway)
-I insert this rule to the chain
-p protocol (tcp or udp - in our example,
SSH is running over TCP)
--dport destination port (if you want to specify a different port than the
default use --dport $port or --dport $port:range)
-s source
-d destination
-j jump to specified target. A target value may be ACCEPT, REJECT, DROP, LOG.
The difference between REJECT and DROP is
that REJECT lets the sender know about the rejection,
while DROP is silent.
-i input interface (e.g. -i eth0)
-o output interface
-v verbose

Nonetheless, these are only a few of the options involved, and as you remember, the title has the word "basic" in there for good reasons. Now, in reflection of the options we wrote above, the "accept SSH traffic" command you've seen before can be written like this:

 # iptables -A INPUT -p tcp --dport 22 -s $address/mask -j ACCEPT 
//What command of the two do you think is better and why?

OK, let's see how to reject traffic. If you have a web server that has to reject connections from a certain IP address because of malicious attacks, you can do something like this:

 # iptables -A INPUT --dport 80 -s x.x.x.x -j DROP

 Please remember an essential issue about iptables: the rules are processed starting from the upper side down. So our command will drop traffic on port 80 on every interface , which is not what you always want. Using the '-I {INPUT,OUTPUT,FORWARD} $position' options allows you to alter the natural order of iptables rules.

If you tested multiple scenarios and you see that your rules are great and work as expected, save them so they will be available the next time the machine boots. The command 'iptables-save' command accomplishes that for you.

The iptables manual page is always a good place to start. It may look a little scary at first, but once you get used to the options and syntax, it will become second nature. It is recommended you try various combinations of iptables rules on a non-important machine in your network (or a virtual machine) and thoroughly test everything.

4. ufw

If you choose to use ufw after reading this and/or other resources, bear in mind that it conflicts with iptables. ufw is disabled by default, so make sure you enable it before starting anything (again, everything you'll see below should be executed as root):

 # ufw enable 

Needless to say, use "disable" for the opposite effect. By default ufw allows everything, as you probably could decypher from the sample output above (Ubuntu's iptables -L command). Like I said before, the syntax is much easier to grasp, because it resembles English much more than iptables. On the other hand, while ufw is better for the desktop/small office user, iptables, despite the complicated syntax, is universal in the Linux world and it allows for more complicated setups.

So, it would be only natural to show you the equivalent of the two commands we used with iptables (allowing ssh and blocking http) with ufw. Here they are:

 # ufw allow 22/tcp from $address/mask
 # ufw deny 80 from x.x.x.x 

The appropriate phrase is "human-readable", isn't it? If one wanted to allow ssh access by name, ufw allow ssh would usually cut it. The address/netmask combination can be expressed like this: 192.168.0.0/24. If you want to enable logging, do

 # ufw logging on 

Here are another more complex examples, and it's your task to find out what they do, in case it isn't obvious already:

 # ufw allow from x.x.x.x to $protocol port 321
 # ufw deny from y.y.y.y to any port 7623
//Remember that rules evaluating order is the same as iptables
 # ufw deny from 10.0.2.3 to any port 22
 # ufw deny from 10.0.2.8 to any port 22
 # ufw allow from 10.0.2.0/8 to any port 22
//This last example allows access via ssh to all clients in the 
//10.0.2.x network, except for hosts 10.0.2.3 and 10.0.2.8

5. Conclusion

Which of the two you like the most and why? Were you conquered by the easy language of ufw or by the versatility of iptables? I guess it depends on what your needs are, after all. With a little care and patience you can sleep better at the end of the day knowing your systems to be more secure.

Partners

Who are we?

LinuxCareer.com is not affiliated with any local or international company, nor is it a recruitment or employment agency. We specialise in Linux based careers and closely related Information Technology fields by providing careers advice and latest employment opportunities.

JOIN LINUXCAREER

You can also get involved in the LinuxCareer project by participating on our FORUM or SUBMITTING A LINUX ARTICLE. We offer a range of privileges to our authors and good company.