
Linux: Firewalling with kernel 2.2



Version: 0.05 from 2001-09-20
Copyright 2001 by Peter Bieringer <pb@bieringer.de>, original site of publishing: http://www.bieringer.de/linux/firewalling/
Unlimited non-commercial distribution of this document in its entirety is encouraged - please contact the author prior to commercial publication.


Suggestions, comments and improvements are welcome!


Warning: The given scripts may still contain bugs, so I can give no warranty for protection - check the system with nmap from all sides (external, internal and from the firewall itself) to verify that the filter does what you expect!

General hints

With Linux kernel 2.2 (ipchains) it is only possible to set up a static (stateless) port filter firewall. But with the built-in capabilities and definitions of the kernel it can surely increase the protection of hosts against unwanted connections and break-ins.

As I have seen in the past, many Linux firewalls (commercial ones included) do not use all the capabilities of the kernel for protection.
Most of the security problems are caused by 2 common rules (others come from proxies that can be used in reverse because of missing access control, see here for how to prevent such misuse):

  1. Allow active FTP data transfer
  2. Allow UDP responses on DNS requests
Both rules are written as "accept everything from source port X" and so can be used by attackers to collect more information about your firewall or to reach a proxy server running on it: they simply run nmap with the outgoing source port set to 20 (ftp-data) or 53 (domain), and the two rules above let those packets through to any destination port.

You can easily protect a Linux firewall against such attacks by using the kernel's own port assignments. Perhaps you already know about the port ranges which are used for outgoing or masqueraded connections. If not, see the following table:

Type of connection                                    Used source port range   General control of this range
----------------------------------------------------  -----------------------  ----------------------------------------------------
Outgoing from firewall with r- or ssh clients
(applications running with SUID bit set or as root)   512-1023                 By definition (reserved ports), cannot be changed
Outgoing from firewall (default)                      1024-4999                net/ipv4/tcp_ipv4.c (kernel source)
                                                                               or /proc/sys/net/ipv4/ip_local_port_range (on the fly)
Outgoing from firewall (recommended)                  32768-60999              /proc/sys/net/ipv4/ip_local_port_range (changed)
Outgoing masqueraded by firewall                      61000-65095              include/net/ip_masq.h (kernel source)

With this knowledge it is much easier to define the port range of a static port filter rule so that only the expected replies get through and unwanted connections are prevented: instead of accepting everything from source port 20 or 53, accept it only if the destination port lies in one of the ranges above.

If you want to see which kernel switches and lists are used in which state, take a look at my ipchains image (thanks to Rusty Russell for reviewing!).

Examples

The local port range is changed as shown in the table above, the external interface is ppp0, the internal interface is eth0.

The steps to build a static port filter firewall are:

  1. Install a Linux version on a dedicated server
  2. Deactivate all network services
  3. Create your own firewalling script and put the rules into it, with a comment for each rule and a change history at the top of the script
  4. Run the script to set up the port filters
  5. Test the port filters
  6. Activate the script so that it is started automatically
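As an added example (not one of the scripts published on this page), here is a minimal static port filter for the setup above that applies the port ranges from the table: external interface ppp0, internal interface eth0, local port range 32768-60999 and masquerading range 61000-65095. The internal network address 192.168.1.0/24 is an assumption, since the page does not give one, and the firewall is assumed to offer no services of its own. The rules are only printed unless APPLY=1 is set, so the rule set can be reviewed offline; with APPLY=1 the real ipchains binary is called and the port range is written to /proc.

```shell
#!/bin/sh
# Added example, not from the original page: static port filter for
# ipchains (kernel 2.2) using the kernel's known source port ranges.
# Assumptions: internal net 192.168.1.0/24 (not given on the page),
# no services offered by the firewall itself.

EXT_IF=ppp0
INT_IF=eth0
INT_NET=192.168.1.0/24       # assumption, not from the page
LOCAL_RANGE=32768:60999      # value written to ip_local_port_range
MASQ_RANGE=61000:65095       # PORT_MASQ_BEGIN..PORT_MASQ_END-1 (ip_masq.h)

# Wrapper: print the command, or execute it when APPLY=1 is set.
ipc() {
    if [ "${APPLY:-0}" = 1 ]; then
        ipchains "$@"
    else
        echo "ipchains $*"
    fi
}

# Move the ephemeral range away from the default 1024-4999 so it no
# longer overlaps service ports a proxy on the firewall might use.
set_local_port_range() {
    echo "32768 60999" > /proc/sys/net/ipv4/ip_local_port_range
}

build_rules() {
    for chain in input output forward; do
        ipc -F $chain
        ipc -P $chain DENY
    done

    # loopback and the trusted internal interface
    ipc -A input  -i lo -j ACCEPT
    ipc -A output -i lo -j ACCEPT
    ipc -A input  -i $INT_IF -s $INT_NET -j ACCEPT
    ipc -A output -i $INT_IF -d $INT_NET -j ACCEPT

    # masquerade the internal network on its way out
    ipc -A forward -i $EXT_IF -s $INT_NET -j MASQ

    # Connections leaving the firewall itself and masqueraded ones both
    # use a known source port range, so only those ranges may go out.
    ipc -A output -i $EXT_IF -p tcp -s 0/0 $LOCAL_RANGE -j ACCEPT
    ipc -A output -i $EXT_IF -p tcp -s 0/0 $MASQ_RANGE  -j ACCEPT
    ipc -A output -i $EXT_IF -p udp -s 0/0 $LOCAL_RANGE -d 0/0 53 -j ACCEPT
    ipc -A output -i $EXT_IF -p udp -s 0/0 $MASQ_RANGE  -d 0/0 53 -j ACCEPT
    ipc -A output -i $EXT_IF -p icmp -j ACCEPT

    # TCP replies (no SYN) are only accepted towards our own ranges.
    ipc -A input -i $EXT_IF -p tcp ! -y -d 0/0 $LOCAL_RANGE -j ACCEPT
    ipc -A input -i $EXT_IF -p tcp ! -y -d 0/0 $MASQ_RANGE  -j ACCEPT

    # Active FTP data: the server opens a new connection (SYN) from
    # port 20, but only our ephemeral ranges may be the target.  The
    # common weak rule
    #   ipchains -A input -p tcp -s 0/0 20 -j ACCEPT
    # would also let "nmap -g 20" reach every other port on the host.
    ipc -A input -i $EXT_IF -p tcp -s 0/0 20 -d 0/0 $LOCAL_RANGE -j ACCEPT
    ipc -A input -i $EXT_IF -p tcp -s 0/0 20 -d 0/0 $MASQ_RANGE  -j ACCEPT

    # DNS answers: the same restriction for UDP source port 53.
    ipc -A input -i $EXT_IF -p udp -s 0/0 53 -d 0/0 $LOCAL_RANGE -j ACCEPT
    ipc -A input -i $EXT_IF -p udp -s 0/0 53 -d 0/0 $MASQ_RANGE  -j ACCEPT

    ipc -A input -i $EXT_IF -p icmp -j ACCEPT

    # Anything else arriving from port 20 or 53 is a probe: log and
    # deny it explicitly, then the catch-all for the external interface.
    ipc -A input -i $EXT_IF -p tcp -s 0/0 20 -j DENY -l
    ipc -A input -i $EXT_IF -p udp -s 0/0 53 -j DENY -l
    ipc -A input -i $EXT_IF -j DENY -l
}

if [ "${APPLY:-0}" = 1 ]; then set_local_port_range; fi
build_rules
```

After applying the rules, repeat the check the warning at the top asks for: scan the external address with nmap using the two "trusted" source ports (nmap -g 20 and nmap -g 53) and confirm that only ports inside 32768-65095 answer, while probes to anything else (e.g. a proxy port) show up in the kernel log because of the -l option on the deny rules.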

Firewalling Linux kernel 2.2.x Light Edition, German Version

Example structured scripts for firewalling with Linux kernel 2.2.x (ipchains); the comments are in German. The scripts are only for demonstration and not for production use. Further extensions are not planned. These scripts are the same as those published in the online article at techannel.de.

