Sometimes you may want a host to provide certain services only to local clients or to clients on other hosts of a network that you control. If your network is connected to the Internet, you can use a firewall to prevent undesired access to services. A Linux firewall depends on certain kernel facilities to examine incoming and outgoing packets. Packets that fail to pass the specified rules can be rejected, preventing undesired access to private services.
A related facility, known as IP masquerading, lets hosts on a network connect to the Internet via a host known as the masquerading host. All packets from the network appear to outside hosts to have come from the masquerading host. IP masquerading lets you:
Prevent outside access to services offered on a private network
Hide the structure of private networks
Conserve public IP addresses by assigning private (RFC 1918) addresses, such as those in 192.168.0.0/16, to masqueraded hosts
At installation time, Red Hat Linux lets you configure a firewall for your system; however, you can reconfigure the firewall after installation. For a firewall to be secure and flexible, customization is almost always required. However, customizing a firewall requires an understanding of the ports and protocols used by each running service, an expertise that generally requires considerable time to achieve. To learn more about services, ports, and protocols, see the resources described at the end of this chapter.
To configure a firewall, issue the command:
lokkit -f
The main Firewall Configuration dialog box, as shown in Figure 12-8, appears. This dialog box lets you select the desired security level:
High. The firewall admits only DNS and DHCP replies, which are generally necessary for normal system operation. It prohibits active-mode FTP, Internet Relay Chat (IRC) file transfers, RealAudio playback, and remote X clients. In addition, outside access to services is blocked unless you use the Customize dialog box to make them available.
Medium. The firewall blocks access to privileged ports (ports 0-1023), used by services such as FTP, SSH, sendmail, and HTTP. In addition, it blocks the NFS server port (2049), and it blocks access to the local X Window System display and font server ports by remote clients.
No firewall. The firewall is disabled; remote clients can freely access services on your host.
The loopback device, lo, is not a trusted device under the high and medium security levels and therefore cannot be freely accessed: connections to the host's own addresses are subject to the same rules as connections from remote clients. You may find it difficult to test service availability even from the system itself when you configure your system to operate under high or medium security. If local clients need unrestricted access, mark lo as a trusted device in the Customize dialog box described next.
To customize the access permitted to remote clients, click on Customize. The Firewall Configuration—Customize dialog box, as shown in Figure 12-9, appears. You can use the Allow Incoming checkboxes to allow access to services that would otherwise be blocked by the medium or high security levels. If you want to allow access to a service other than one of the six listed, you can use the Other Ports text box. There, you can list the number (or name) of the port, followed by a colon and the port type (tcp or udp). The file /etc/services lists the commonly agreed-upon port numbers and the associated services. For example, the IMAP mail service is associated with port 143 and both the TCP and UDP port types. To permit access to IMAP, you could place the specification:
143:tcp,143:udp
in the Other Ports text box.
You can list as many ports as you like, separating each from its neighbor by a comma. It is possible to list ports by name, but since the names acceptable to the dialog box are not documented, it’s better to use port numbers.
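The following shell script is an added example, not code from the book or from lokkit: it expands an Other Ports specification such as 143:tcp,143:udp into the ipchains input rules that admit those ports, rejecting malformed entries and resolving service names against a small, constructed stand-in for /etc/services (set SERVICES_FILE to use the real file). The rule format is plain ipchains syntax rather than a reproduction of the rules lokkit itself writes, and the function names are invented here.

```shell
#!/bin/sh
# Added helper, not part of lokkit or the book: expand a lokkit-style
# "Other Ports" specification such as "143:tcp,143:udp" into the ipchains
# input rules that admit those ports, validating each entry first.
# The rule format is plain ipchains syntax, not a reproduction of the
# rules lokkit itself writes.

# Constructed stand-in for /etc/services so the script runs offline.
# Set SERVICES_FILE to use the real file instead.
SERVICES_TABLE='ssh 22/tcp
smtp 25/tcp
imap 143/tcp
imap 143/udp
https 443/tcp'

# resolve_port NAME_OR_NUMBER PROTO -> prints the numeric port; fails if
# the number is out of range or the name is not listed for that protocol.
resolve_port() {
    case $1 in
        ''|*[!0-9]*)
            if [ -n "$SERVICES_FILE" ] && [ -r "$SERVICES_FILE" ]; then
                table=$(cat "$SERVICES_FILE")
            else
                table=$SERVICES_TABLE
            fi
            printf '%s\n' "$table" | awk -v n="$1" -v p="$2" '
                $1 == n && $2 ~ ("/" p "$") { split($2, a, "/"); print a[1]; found = 1; exit }
                END { exit !found }'
            ;;
        *)
            [ "$1" -ge 1 ] && [ "$1" -le 65535 ] && echo "$1"
            ;;
    esac
}

# other_ports_rules SPEC -> one ipchains command per entry on stdout.
# Bad entries are reported on stderr and make the function return 1.
other_ports_rules() {
    status=0
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        port=${entry%%:*}
        proto=${entry#*:}
        if [ "$port" = "$entry" ]; then
            echo "bad entry '$entry': expected PORT:tcp or PORT:udp" >&2
            status=1; continue
        fi
        case $proto in
            tcp|udp) ;;
            *) echo "bad entry '$entry': protocol must be tcp or udp" >&2
               status=1; continue ;;
        esac
        if ! num=$(resolve_port "$port" "$proto"); then
            echo "bad entry '$entry': unknown port or name" >&2
            status=1; continue
        fi
        # Accept inbound packets for this port from any source (0/0).
        echo "ipchains -A input -p $proto -s 0/0 -d 0/0 $num -j ACCEPT"
    done
    return $status
}
```

Running other_ports_rules '143:tcp,143:udp' prints the two ACCEPT rules for IMAP; an entry such as 143:icmp or a bare 143 is reported and the function returns nonzero, which is the check the dialog box itself does not give you.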
You can use the Trusted Devices checkboxes to specify that packets originating from the specified device will not be blocked by the firewall. This facility is useful when a host has two network adapters: one associated with a public network, such as the Internet, and another associated with a private network. By specifying the network adapter associated with the private network as a trusted device, you permit clients on the private network free access to services, while blocking clients on the public network from access other than that permitted by the firewall configuration.
To start the firewall, issue the command:
service ipchains start
To stop the firewall, issue the command:
service ipchains stop
To stop and then restart the firewall, so that a new firewall configuration can become effective, issue the command:
service ipchains restart
To view the current firewall policies, issue the command:
service ipchains status
The ipchains manpage describes the format in which the policies are listed.
To block outside access to all services, issue the command:
service ipchains panic
This command is handy if you suspect that an intrusion is in progress and you want to terminate the cracker's access immediately. Because it denies all traffic, it also cuts off your own remote sessions, so issue it from the console or be prepared to lose your connection.
If you've manually revised the firewall by using the ipchains command, you can save the current firewall rules (to the file /etc/sysconfig/ipchains) by issuing the command:
service ipchains save
The next time the firewall is started, the saved rules will be restored. Rules added with ipchains but not saved are lost at the next restart.
To specify that the firewall should start automatically when the system is booted, issue the command:
chkconfig --level 2345 ipchains on
To configure IP masquerading, issue a command of the following form:
ipchains -A forward -i eth -s xxx.xxx.xxx.xxx/yy -j MASQ
where eth is the device associated with the network adapter that connects the masquerading host to the Internet, xxx.xxx.xxx.xxx is the network address of the masqueraded network, and yy is the number of 1-bits in the netmask associated with the masqueraded network. On the forward chain, the -i option names the interface a packet is about to be sent out of, so you must specify the external adapter rather than the one attached to the masqueraded network; the -s option is what restricts the rule to the private network. Masquerading also requires that IP forwarding be enabled in the kernel (the net.ipv4.ip_forward sysctl, which Red Hat Linux sets from /etc/sysctl.conf at boot); without it the forward chain is never consulted.
For example, if the masqueraded network is 192.168.0.0 with a netmask of 255.255.255.0 (that is, 24 1-bits) and eth0 is the network adapter connected to the Internet, you should add the following command:
ipchains -A forward -i eth0 -s 192.168.0.0/24 -j MASQ
Then, save the current firewall status by issuing the command:
service ipchains save
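The following shell script is an added example, not code from the book or from Red Hat's ipchains scripts. It carries the masquerading setup through as a single procedure: converting a dotted netmask to the yy prefix length and refusing non-contiguous masks, warning when the network is not an RFC 1918 block, putting -i on the Internet-facing interface, enabling IP forwarding, and setting a DENY policy on the forward chain (a hardening step taken from the IPCHAINS-HOWTO, not from the text above) before saving the rules. The function names and the eth1 interface are assumptions; commands are printed rather than run unless you pass apply.

```shell
#!/bin/sh
# Added helper, not from the book or from Red Hat's scripts: assemble the
# ipchains masquerading rule for a private network from a dotted netmask,
# with the checks a careful administrator would make first. Commands are
# printed unless the last argument is "apply" (needs root and an ipchains
# kernel), so the script can be inspected and tested without a firewall.

# mask_to_prefix DOTTED_NETMASK -> prefix length (number of 1-bits).
# Fails on anything that is not four octets forming a contiguous mask.
mask_to_prefix() {
    bits=0; closed=0; n=0
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        n=$((n + 1))
        # Once an octet short of 255 has been seen, only 0 may follow.
        if [ "$closed" = 1 ] && [ "$o" != 0 ]; then return 1; fi
        case $o in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); closed=1 ;;
            252) bits=$((bits + 6)); closed=1 ;;
            248) bits=$((bits + 5)); closed=1 ;;
            240) bits=$((bits + 4)); closed=1 ;;
            224) bits=$((bits + 3)); closed=1 ;;
            192) bits=$((bits + 2)); closed=1 ;;
            128) bits=$((bits + 1)); closed=1 ;;
            0)   closed=1 ;;
            *)   return 1 ;;
        esac
    done
    [ "$n" -eq 4 ] || return 1
    echo "$bits"
}

# is_private NETWORK -> succeeds if the address lies in an RFC 1918 block.
is_private() {
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# masq_rule EXT_IF NETWORK NETMASK -> the ipchains command to add.
# On the forward chain, -i names the interface a packet is about to leave
# through, so EXT_IF is the Internet-facing adapter, not the private one.
masq_rule() {
    prefix=$(mask_to_prefix "$3") || return 1
    echo "ipchains -A forward -i $1 -s $2/$prefix -j MASQ"
}

# masq_setup EXT_IF NETWORK NETMASK [apply] -> print (or run) the sequence.
masq_setup() {
    if ! is_private "$2"; then
        echo "warning: $2 is not an RFC 1918 network" >&2
    fi
    rule=$(masq_rule "$1" "$2" "$3") || { echo "bad netmask: $3" >&2; return 1; }
    # Forwarding must be switched on or the forward chain is never consulted;
    # a DENY policy on it means only the masqueraded network gets through
    # (demasqueraded replies bypass the forward chain, so they still return).
    cmds="echo 1 > /proc/sys/net/ipv4/ip_forward
ipchains -P forward DENY
$rule
service ipchains save"
    if [ "$4" = apply ]; then
        printf '%s\n' "$cmds" | while IFS= read -r c; do sh -c "$c"; done
    else
        printf '%s\n' "$cmds"
    fi
}
```

Run masq_setup eth1 192.168.0.0 255.255.255.0 to review the four commands it would issue, and append apply to execute them as root. A netmask such as 255.0.255.0 is rejected before anything is run, which is the mistake most likely to produce a rule that masquerades the wrong hosts.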