BLFS Firewall (iptables)

kcirick · 05-06-2016, 06:49 PM

Hello,

I'm trying to learn about firewalls by going through BLFS "Setting Up a Network Firewall". I've installed iptables package and created the "Personal Firewall" script. As far as I know it is running, but how do I track/monitor activities? How do I know it is actually doing its job? The chapter doesn't say. Where do I view the logfile?

I am using 7.9 systemd version.

sag47 · 05-07-2016, 12:13 PM

You should add iptables rules for logging. e.g. http://www.thegeekstuff.com/2012/08/...s-log-packets/

Log to a place that makes sense. e.g. /var/log/iptables

Modify syslog or rsyslog to output to a file. e.g. http://www.cyberciti.biz/tips/force-...-log-file.html

brebs · 05-07-2016, 03:18 PM

Also, iptables-save shows a count of bytes & packets, per chain, which helps a bit.

Keith Hedger · 05-09-2016, 05:46 AM

You can check if you are secure here:
https://www.grc.com/x/ne.dll?bh0bkyd2
Been using shields up for years, you can scan common ports, a range of ports or a single port, find out what a port is for etc, etc.

kcirick · 05-09-2016, 09:30 AM

Thanks for all the feedback so far.

As it says in the firewall chapter of BLFS, it is a complex issue and there is a lot I need to learn/read.

Using the script provided in this chapter, I can view the log using "dmesg | grep 'FIREWALL'". It shows me some packet information, something like:

Code:

...snip
[17289.379163] FIREWALL:INPUT IN=wlp2s0 OUT= MAC=xx:xx:xx SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2 
[17361.433436] FIREWALL:INPUT IN=wlp2s0 OUT= MAC=xx:xx:xx SRC=52.4.167.74 DST=192.168.0.25 LEN=40 TOS=0x00 PREC=0x00 TTL=45 ID=38160 DF PROTO=TCP SPT=80 DPT=53628 WINDOW=0 RES=0x00 RST URGP=0 
[17414.408476] FIREWALL:INPUT IN=wlp2s0 OUT= MAC=xx:xx:xx SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2 
[17539.538090] FIREWALL:INPUT IN=wlp2s0 OUT= MAC=xx:xx:xx SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2 
[17664.670020] FIREWALL:INPUT IN=wlp2s0 OUT= MAC=xx:xx:xx SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2 
[17789.699223] FIREWALL:INPUT IN=wlp2s0 OUT= MAC=xx:xx:xx SRC=192.168.0.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0x00 TTL=1 ID=0 DF PROTO=2 
[17893.020554] FIREWALL:INPUT IN=wlp2s0 OUT= MAC=xx:xx:xx SRC=192.168.0.18 DST=255.255.255.255 LEN=171 TOS=0x00 PREC=0x00 TTL=64 ID=39966 PROTO=UDP SPT=17500 DPT=17500 LEN=151

but not sure if this normal and/or knowing what is considered suspicious / possible attack attempts? I guess there is no real answer here. I'm just trying to learn and leaving it as open-ended question...

sag47 · 05-09-2016, 09:12 PM

I have a service script and rules script for iptables that I publish (iptables.rules are my actual rules). That iptables script also has logging. It also a more involved iptables example than your average script.

See man iptables. That thoroughly discusses every option I'm using. Why did I design it that way? Because I want to easily add and remove rules without refreshing my whole firewall. I took concepts from RedHat's firewalld and made them my own.

I have chains for when I'm on my internal network vs VPN vs anywhere else.

Also notice I configure outbound rules. Configuring outbound rules goes a long way for securing a computer. Most guides you encounter won't discuss it much.

My iptables service script is what I use in a SysV init based startup. You might need to change it depending on the init system you're using. In general, you can load the firewall rules using the following command.

Code:

iptables-restore < /etc/iptables.rules

Feel free to ask additional questions.