Linux - Security forum (LinuxQuestions.org)
I have set up a basic firewall on my laptop with iptables following a tutorial. Here is my output from iptables -vL:
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   244 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    4   228 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 DROP       all  --  any    any     anywhere             anywhere             ctstate INVALID
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request ctstate NEW
    0     0 UDP        udp  --  any    any     anywhere             anywhere             ctstate NEW
    0     0 TCP        tcp  --  any    any     anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
    0     0 REJECT     udp  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             reject-with tcp-reset
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-proto-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8 packets, 472 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain TCP (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain UDP (1 references)
 pkts bytes target     prot opt in     out     source               destination
I am just wondering if this seems like a decent firewall. Any input would be appreciated.
I don't really have a major need for much security-wise; I don't deal with any sensitive data or do any banking or anything on this laptop. I am just teaching myself this stuff out of boredom mostly. What I'd like to accomplish with a firewall is to block everything but basic internet access. I have no need for any remote access. One thing I've been wondering is if I could use the OUTPUT chain to help protect against things like a man-in-the-middle attack.
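As an added illustration (not code from the thread), here is a small parser for the `iptables -vL` listing above together with a few checks of the kind a reviewer would run over it: is the INPUT policy DROP, is there an ESTABLISHED accept so replies get back in, which rules admit NEW connections from anywhere, and is OUTPUT filtered at all. The listing is embedded as pasted, and `parse_iptables_vl()` and `audit()` are names invented here. On the OUTPUT question: an output filter limits which connections the laptop may open, it does not authenticate the far end, so it is not a defence against a man-in-the-middle; that is what TLS and certificate verification are for.

```python
"""Added example, not code from the thread: parse the listing `iptables -vL` prints
(the first post's output is embedded below, as pasted) and run a few checks on it.
parse_iptables_vl() and audit() are names invented for this illustration."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: the first post's listing, columns collapsed as in the thread.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 244 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
4 228 ACCEPT all -- lo any anywhere anywhere
0 0 DROP all -- any any anywhere anywhere ctstate INVALID
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request ctstate NEW
0 0 UDP udp -- any any anywhere anywhere ctstate NEW
0 0 TCP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
0 0 REJECT udp -- any any anywhere anywhere reject-with icmp-port-unreachable
0 0 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-proto-unreachable
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 8 packets, 472 bytes)
pkts bytes target prot opt in out source destination
Chain TCP (1 references)
pkts bytes target prot opt in out source destination
Chain UDP (1 references)
pkts bytes target prot opt in out source destination
"""

# Built-in chains carry a policy; user-defined chains carry a reference count.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")


@dataclass
class Rule:
    target: str
    proto: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str = ""           # match options printed after the destination column

    def ctstates(self):
        m = re.search(r"ctstate (\S+)", self.extra)
        return set(m.group(1).split(",")) if m else set()


@dataclass
class Chain:
    name: str
    policy: Optional[str]     # None for user-defined chains such as TCP and UDP
    rules: list = field(default_factory=list)


def parse_iptables_vl(text):
    """Return {chain name: Chain} built from `iptables -vL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if not line or line.startswith("pkts bytes") or current is None:
            continue
        # pkts bytes target prot opt in out source destination [options ...]
        parts = line.split(None, 9)
        if len(parts) < 9:
            continue
        current.rules.append(Rule(target=parts[2], proto=parts[3], in_if=parts[5], out_if=parts[6],
                                  source=parts[7], dest=parts[8],
                                  extra=parts[9] if len(parts) > 9 else ""))
    return chains


def audit(chains):
    """Return a list of findings about what the ruleset lets in and out."""
    findings = []
    inp = chains.get("INPUT")
    if inp is None or inp.policy != "DROP":
        return ["INPUT default policy is not DROP"]
    if not any(r.target == "ACCEPT" and "ESTABLISHED" in r.ctstates() for r in inp.rules):
        findings.append("INPUT never accepts ESTABLISHED traffic: replies to outbound connections are dropped")
    for r in inp.rules:
        if r.in_if == "lo" or "NEW" not in r.ctstates():
            continue
        if r.target == "ACCEPT":
            findings.append(f"INPUT accepts NEW {r.proto} from {r.source} ({r.extra})")
        elif r.target in chains and chains[r.target].policy is None:
            # A jump to a user chain only opens what that chain explicitly ACCEPTs.
            for x in chains[r.target].rules:
                if x.target == "ACCEPT":
                    findings.append(f"chain {r.target} accepts NEW {x.proto} ({x.extra})")
    out = chains.get("OUTPUT")
    if out is not None and out.policy == "ACCEPT" and not out.rules:
        findings.append("OUTPUT is unrestricted: policy ACCEPT with no rules")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_iptables_vl(SAMPLE)):
        print(finding)
```

Run against the pasted listing it reports two things: the echo-request rule answers pings from anywhere (a choice rather than a defect), and OUTPUT has no rules at all. The empty TCP and UDP chains open nothing, so NEW TCP and UDP packets fall through to the REJECT rules.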
*filter
# Default policies: drop unsolicited inbound and all forwarded traffic, allow outbound
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is always allowed
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened (and helper-related flows) are allowed in
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Everything else inbound is dropped (explicit, in addition to the policy)
-A INPUT -j DROP
-A FORWARD -j DROP
# Outbound: new connections and their follow-on traffic
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
Ok, I see. When I run conntrack -L with my current setup after connecting to a web page I do see mostly connections of the UDP and TCP protocols and, forgive me for my ignorance, I wonder how this simple firewall handles those as well as any other new input connections. As I said previously I don't have a major need for this; it's more just for the fun of learning to me, so I am more concerned about understanding the concepts than just being shown a basic setup. Thanks again for any input.
There are two types of firewall states: connection tracking and connectionless.
With the ESTABLISHED,RELATED rule the kernel will look in the connection table for a previous connection. If it is there then it allows the traffic to continue without consulting the rest of the rules for a matching one.
The non-tracking firewall doesn't consult the connection tables for a previous connection and thus must read and apply the rules for every packet.
With the above, let's take a look at an FTP connection. We will call the connection tracking firewall FirewallA and the connectionless firewall FirewallB. All the commands below are abbreviated.
On FirewallA you setup the following:
INPUT ESTABLISHED,RELATED ACCEPT
INPUT -p 21 NEW ACCEPT
And loaded "ip_conntrack_ftp"
On FirewallB you setup the following:
INPUT -p 21 ACCEPT
Now you have a client that wants to connect to FTP on port 21.
On FirewallA the first packet will be applied to all the rules until one is found that matches. Once a matching rule is found it will be handled according to the rule. In this case it is allowed, so it places the connection into the conntrack DB. Every subsequent packet will now match the ESTABLISHED rule and be allowed automatically.
On FirewallB the first packet will be applied to every rule until one is found that it matches. Once a matching rule is found it will be handled according to the rule. Every subsequent packet will need to go through the same process each and every time.
Now the client decides to transfer data over his FTP connection.
On FirewallA because we loaded the "ip_conntrack_ftp" and we have the RELATED rule, port 20 (for the Data transfer) is automatically allowed.
On FirewallB we don't have port 20 allowed, so the client will not be able to transfer data over FTP. To allow the data transfer you now need to add a rule for port 20 to allow it. Because we are not doing connection tracking, anyone can connect to port 20 without having to go through port 21 first.
I hope I was able to give you some useful information and I hope this shows you some benefits to using connection tracking over connectionless.
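As an added example (not lazydog's code, and not the kernel's), the following toy packet filter models the FirewallA / FirewallB comparison above and, with the same machinery, the laptop ruleset posted earlier in the thread, which answers the question of how that ruleset treats a new inbound connection versus a reply to an outbound one. Everything here is a simplified stand-in invented for illustration: rules match on destination port and ctstate only, the "FTP helper" simply expects a data connection to port 20 from any client that was accepted on port 21 (the real nf_conntrack_ftp helper parses PORT/PASV to learn the actual data endpoint), and `Firewall.send()` stands in for OUTPUT ACCEPT creating the conntrack entry.

```python
"""Added example, not code from the thread: a toy packet filter that models the
stateful (FirewallA) and stateless (FirewallB) firewalls from the post, plus the
laptop ruleset posted earlier.  All names and behaviour are simplified inventions."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    dport: Optional[int]      # None = any destination port
    states: frozenset         # empty = no ctstate match (a stateless rule)
    verdict: str

    def matches(self, p, state):
        if self.dport is not None and p.dport != self.dport:
            return False
        return not self.states or state in self.states


class Firewall:
    def __init__(self, rules, tracking, policy="DROP"):
        self.rules, self.tracking, self.policy = rules, tracking, policy
        self.conntrack = set()    # accepted flows as (src, sport, dst, dport)
        self.expected = set()     # (client, port) pairs the toy FTP helper awaits

    def _classify(self, p):
        """ctstate a tracking firewall would assign; None when stateless."""
        if not self.tracking:
            return None
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)   # reply to a flow we opened
        if key in self.conntrack or reverse in self.conntrack:
            return "ESTABLISHED"
        if (p.src, p.dport) in self.expected:
            return "RELATED"
        return "NEW"

    def _remember(self, p):
        self.conntrack.add((p.src, p.sport, p.dst, p.dport))
        if p.dport == 21:         # toy FTP helper (simplified as in the post): expect port 20
            self.expected.add((p.src, 20))

    def send(self, p):
        """Model OUTPUT ACCEPT with conntrack: an outbound packet creates the entry."""
        if self.tracking:
            self.conntrack.add((p.src, p.sport, p.dst, p.dport))

    def receive(self, p):
        """Run an inbound packet through INPUT; return (verdict, name of matching rule)."""
        state = self._classify(p)
        for rule in self.rules:          # first match wins, as in iptables
            if rule.matches(p, state):
                verdict, matched = rule.verdict, rule.name
                break
        else:
            verdict, matched = self.policy, None
        if self.tracking and verdict == "ACCEPT":
            self._remember(p)
        return verdict, matched


def firewall_a():
    return Firewall([
        Rule("established-related", None, frozenset({"ESTABLISHED", "RELATED"}), "ACCEPT"),
        Rule("ftp-control-new", 21, frozenset({"NEW"}), "ACCEPT"),
    ], tracking=True)


def firewall_b(open_data_port=False):
    rules = [Rule("ftp-control", 21, frozenset(), "ACCEPT")]
    if open_data_port:                   # the extra rule the post says FirewallB needs
        rules.append(Rule("ftp-data", 20, frozenset(), "ACCEPT"))
    return Firewall(rules, tracking=False)


def ftp_scenario(fw):
    """Three packets on one control connection, the data connection, then a
    stranger who goes straight for port 20 without a control connection."""
    control = [Packet("client", 40001, "server", 21) for _ in range(3)]
    return {"control": [fw.receive(p) for p in control],
            "data": fw.receive(Packet("client", 40002, "server", 20)),
            "stranger": fw.receive(Packet("stranger", 50000, "server", 20))}


def laptop_scenario():
    """The laptop ruleset from the thread: ESTABLISHED,RELATED accepted, the rest dropped."""
    fw = Firewall([
        Rule("established-related", None, frozenset({"ESTABLISHED", "RELATED"}), "ACCEPT"),
        Rule("drop-the-rest", None, frozenset(), "DROP"),
    ], tracking=True)
    fw.send(Packet("laptop", 45000, "webserver", 443))     # browser opens a connection
    return {"reply": fw.receive(Packet("webserver", 443, "laptop", 45000)),
            "unsolicited": fw.receive(Packet("scanner", 1234, "laptop", 22))}


if __name__ == "__main__":
    print("FirewallA:", ftp_scenario(firewall_a()))
    print("FirewallB:", ftp_scenario(firewall_b()))
    print("FirewallB + port 20:", ftp_scenario(firewall_b(open_data_port=True)))
    print("laptop:", laptop_scenario())
```

The run shows the three points of the post: on FirewallA only the first control packet is matched by the port-21 rule, the rest match the ESTABLISHED rule, and the data connection gets in as RELATED while the stranger's port-20 packet is dropped; on FirewallB every packet is matched afresh and the data connection is dropped until port 20 is opened, at which point the stranger gets in too. For the laptop ruleset, the reply to the connection the browser opened is ESTABLISHED and accepted, and an unsolicited inbound packet is NEW and hits the DROP rule.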
Thank you lazydog for that useful information. I can see that connection tracking does make things simpler. However, I am still left with the question about how the example you showed earlier handles any new connection. I will probably try testing some different setups including your example now that I understand things a bit better, but that probably won't happen until tomorrow. Thanks again for taking the time to explain things to me.