LinuxQuestions.org
04-20-2011, 08:16 AM   #1
Mr. Alex
Senior Member
Registered: May 2010
Distribution: Arch + X.org + IceWM
Posts: 1,208
iptables config - more secure than router's not configurable firewall

Hi everybody!
There are routers with firewalls which you cannot configure - you just use those routers and get some protection from Internet attacks. Is it possible to configure iptables on a GNU/Linux machine so that you'll get better protection than the protection you get from those kinds of routers?
 
04-20-2011, 09:31 AM   #2
Noway2
Senior Member
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124
It is difficult to say whether or not you can get "better" protection without defining what "better" means. In terms of more secure, one would need to look at the weaknesses of these products. For example, do the products contain known exploits that would let a would-be cracker gain access to the LAN side of the network?

Speaking in terms of generalities, I think it is possible to get a more, or at least as, feature-rich solution using iptables with Linux than you can with most physical routers. I also think that, properly configured, such a solution would be at least as secure as these products.

I recently asked a similar question on my local LUG's mailing list as I have been considering getting an ASA5505 for my network to use in combination with iptables on the servers. The overwhelming response I received was to go with either pfSense or ClearOS as I would get better performance and more features at a much lower price point.
 
1 members found this post helpful.
04-20-2011, 03:54 PM   #3
sibe
Member
Registered: Apr 2011
Location: Jakarta, Indonesia
Distribution: Fedora, CentOS
Posts: 122
Quote:
Originally Posted by Noway2 View Post
... to go with either pfSense or ClearOS as I would get better performance and more features at a much lower price point.
Agree.

ClearOS and other similar products like Endian Firewall or Untangle have strong advantages over a plain iptables-based firewall due to their features and manageability; from ordinary rule-based filtering to a sophisticated content filter capability, they have it all in one software package with a nice web interface to configure everything.

As pfSense came from the other world of [Open]BSD PF, this product has a slightly different implementation of its filtering technique (if you even bother to look at it under the hood), but its main attraction, IMO, is the option to have an HA, active-passive failover mode firewall using the excellent CARP and pfsync to replicate its stateful filtering rules.
 
1 members found this post helpful.
04-21-2011, 07:13 AM   #4
salasi
Senior Member
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,919
Quote:
Originally Posted by Mr. Alex View Post
There are routers with firewalls which you cannot configure...
Well, probably the most common thing is to have some kind of firewall that you can configure (somewhat), but which doesn't offer you the options that you want...

Quote:
Originally Posted by Mr. Alex View Post
....Is it possible to configure iptables on GNU/Linux machine so that you'll get better protection than the protection you get from those kind of routers?
@Noway2
Quote:
I recently asked a similar question on my local LUG's mailing list as I have been considering getting a ASA5505 for my network...go with either pfSense or ClearOS as I would get better performance and more features at a much lower price
An ASA5505 is quite an expensive product, isn't it, which makes it rather easy for anything else to be cheaper?

In any case, you can get 'router distros' that are intended to run on ordinary, consumer router boxes (see, e.g., Tomato, DD-WRT here) with their limited resources. The beauty of something like this is that, once having installed your linux-oid OS on your router box, you can run the OS's firewall, which gives you as many features as you could ever want. Or, at least, as many as you have the processing power to deploy successfully.
 
1 members found this post helpful.
04-21-2011, 08:58 AM   #5
Noway2
Senior Member
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124
Quote:
An ASA5505 is quite an expensive product, isn't it, which makes it rather easy for anything else to be cheaper?
The going retail price on the ASA5505 is about $350 (USD) for up to 10 simultaneous VPN connections and about $489 for up to 50, which isn't cheap, but isn't terrible.

I am honestly more than a little bit torn between using a dedicated device and a Linux system as a firewall. On one hand, I already have two servers, a cable modem, and a Catalyst switch and I am not certain if I want to bother with maintaining a 3rd Linux system. DD-WRT and Tomato would be good options, but I consider the residential grade hardware that you normally start with to be the limiting factor.

I had OpenVPN set up on one system and overall it works pretty well. My biggest complaint with it is that it uses what it calls pseudo-DHCP, in that it pulls from a list that you specify in the configuration file. Consequently, if you use dynamic DNS + DHCP, it doesn't register with the DNS and you can't do lookups by host name. I managed to get around this by creating the TAP device upon boot-up, before the DHCP server, which allows the DHCP server to bind to and listen on the interface, but this causes OpenVPN to not work 100%, especially with Windows clients. While it may be possible to get it to work with more tinkering, I spent months getting that working and finally "had enough". I am thinking that by going the ASA route, this may be simpler and I could use the Cisco VPN client.

One trick, or method, that I picked up watching a YouTube video on the ASA5505 is that one creates two VLANs on the switch port and defines ACL rules to work between the two VLANs. The same thing could be done on the WRT, but I think this would imply having NAT between the VLANs.
 
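As an added example (not code posted by anyone in this thread, and not any product's shipped configuration), the script below generates the kind of iptables ruleset that answers the original question and also shows the two-VLAN ACL idea from post #5 done on Linux without NAT between the VLANs: default-deny on both INPUT and FORWARD, per-interface anti-spoofing, rate-limited logging of drops, per-source rate limiting on SSH, and a guest segment that can reach the Internet but never the trusted LAN. Interface names (eth0 for WAN, eth1.10 and eth1.20 as 802.1Q sub-interfaces), the VLAN numbers and the two /24 prefixes are assumptions; the rules also assume the box itself serves DHCP and DNS to both segments.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset for a
# Linux box acting as edge firewall/router for two internal VLANs.
# Interface names, VLAN IDs and prefixes are assumptions for illustration.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1.10}       # trusted LAN on VLAN 10
GUEST=${GUEST:-eth1.20}   # guest / untrusted segment on VLAN 20
LAN_NET=${LAN_NET:-192.168.10.0/24}
GUEST_NET=${GUEST_NET:-192.168.20.0/24}

gen_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Only traffic leaving towards the Internet is NATed; VLAN-to-VLAN is plain routing.
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
-A POSTROUTING -o $WAN -s $GUEST_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
:SPOOF - [0:0]
# Rate-limited logging before dropping, so a port scan cannot fill the disk.
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-drop: " --log-level 4
-A LOGDROP -j DROP
# Anti-spoofing: private/loopback sources never arrive from the WAN,
# and each internal segment may only use its own prefix.
-A SPOOF -i $WAN -s 10.0.0.0/8 -j LOGDROP
-A SPOOF -i $WAN -s 172.16.0.0/12 -j LOGDROP
-A SPOOF -i $WAN -s 192.168.0.0/16 -j LOGDROP
-A SPOOF -i $WAN -s 127.0.0.0/8 -j LOGDROP
-A SPOOF -i $LAN ! -s $LAN_NET -j LOGDROP
-A SPOOF -i $GUEST ! -s $GUEST_NET -j LOGDROP
# INPUT: packets addressed to the firewall itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j LOGDROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP requests come from source 0.0.0.0, so accept them before the anti-spoof check.
-A INPUT -i $LAN -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $GUEST -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -j SPOOF
# SSH only from the trusted VLAN, at most 3 new connections per minute per source.
-A INPUT -i $LAN -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 3/min --hashlimit-burst 5 -j ACCEPT
# DNS served by the box to both segments; ping only from the trusted VLAN.
-A INPUT -i $LAN -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p tcp --dport 53 -j ACCEPT
-A INPUT -i $GUEST -p udp --dport 53 -j ACCEPT
-A INPUT -i $GUEST -p tcp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOGDROP
# FORWARD: packets routed between WAN, LAN and GUEST.
-A FORWARD -m conntrack --ctstate INVALID -j LOGDROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j SPOOF
# Inter-VLAN ACL without NAT: guest never initiates towards the trusted LAN,
# the trusted LAN may initiate towards guest.
-A FORWARD -i $GUEST -o $LAN -j LOGDROP
-A FORWARD -i $LAN -o $GUEST -m conntrack --ctstate NEW -j ACCEPT
# Egress policy: trusted LAN unrestricted, guest limited to web, DNS and NTP.
-A FORWARD -i $LAN -o $WAN -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $GUEST -o $WAN -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $GUEST -o $WAN -p udp -m multiport --dports 53,123 -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
EOF
}

# Default policy of a chain in the filter table ("DROP" or "ACCEPT").
chain_policy() {
    gen_ruleset | awk -v c=":$1" '/^\*/ { t = $0 } t == "*filter" && $1 == c { print $2 }'
}

# Number of rules in a chain that jump to a given target; a cheap sanity check
# on the generated policy before loading it.
rule_count() {
    gen_ruleset | grep -c -- "^-A $1 .*-j $2\$"
}

# Preview:             gen_ruleset
# Load (as root):      sysctl -w net.ipv4.ip_forward=1 && gen_ruleset | iptables-restore
```

Two caveats a practitioner will hit: rule order matters (the DHCP accept must precede the SPOOF jump, because a DHCPDISCOVER arrives from 0.0.0.0 and would otherwise fail the per-segment prefix check), and this is IPv4 only; if the WAN link carries IPv6, an equivalent ip6tables ruleset is needed or the whole default-deny posture is bypassed on that address family.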
Tags
iptables, protection, router, security