Configuring a Firewall

You should run a personal firewall on your machine to protect yourself from crackers and script kiddies on the internet. A personal firewall will block network traffic to and from your machine that does not match a set of rules. These rules can be based on source or destination address, port number, protocol or whether it is a new or established connection. For example, you may want to run a server locally such as a vncserver then limit which machines can connect using a vnc client. All firewalls in Linux are based on iptables which are network traffic filters built into the kernel. You can change iptables rules from the command line or use a graphical configuration tool, Fedora Core comes with a very simple firewall application built on top of iptables, which you can find at System Settings | Security Level.

A firewall can be used to provide protection for a single machine or for your local network on an internet gateway for sharing an Internet connection. The following configuration shows a machine being used as an internet gateway, /dev/eth0 is the device connected to the local network, and /dev/eth1 is the device connected to the Internet via a cable modem.

Sharing Internet connection

Starting the firewall service

If it is not running already you have to start the firewall service. Select System Settings | Security Level to start Security Level Configuration or become root and use the system-config-securitylevel command.

Security Level Configuration

Note: Connections from your machine out to the internet are not filtered so the firewall does not affect web browsing, you only need a firewall rule if you are running a service that you want others to use such as a web server.

You have to select the Enable firewall security level and set the trusted services and devices. Incoming connections on ports related to the Trusted services will be accepted, meaning the ports of those services are open, if the service is active. For example, if you want to provide the network service SSH checking the service will make the port open in the firewall, as well as those services and ports listed in the input line labeled Other ports.

Select the device connected to your local network, which is eth0 in our example configuration. You do not need to set rules for the services on your local network such as NFS or SMB shares. Press OK and you have your firewall set up to let anything in from your local network, enable incoming connections on trusted ports, and filter everything else.

Fine tuning with iptables

If you reuse the Security Level Configuration tool it will overwrite the /etc/sysconfig/iptables file, and any modifications outside the tool will be lost, so choose to use iptables OR Security Level Configuration

The Security Level Configuration utility performs basic filter settings only. If you want more detailed control, use the iptables command. Firewall rules can be applied when a packet first arrives at an interface, when a packet is to be forwarded to another interface or when a packet leaves an interface. Each of these stages is associated with a list of rules called chains, the default chains are named INPUT, FORWARD and OUTPUT. Fedora Core uses the iptables jump option to continue the INPUT and FORWARD chains on another chain named RH-Firewall-1-INPUT where all rules from the Security Level Configuration are applied.

All incoming packets go through the RH-Firewall-1-INPUT chain. It contains ACCEPT rules for certain packets (such as trusted services) and a REJECT rule at the end which blocks all the unwanted packets. To add a new ACCEPT rule to open up a port on the firewall, use the -I RH-Firewall-1-INPUT 1 option which means insert at the head of the RH-Firewall-1-INPUT chain, together with -j ACCEPT to accept the packet.

Most services use TCP connections so for example HTTPS needs the option "-p tcp --dport 443" which means protocol TCP and destination port 443 which is the HTTPS port number. You can also specify a range of ports, BitTorrent uses ports 6881-6889. Here are the finished commands for HTTPS and BitTorrent servers,

# iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport 443 -j ACCEPT
# iptables -I RH-Firewall-1-INPUT 1 -p tcp --dport 6881:6889 -j ACCEPT

To keep this setup after restarting your machine you have to save it to the iptables configuration file /etc/sysconfig/iptables. The command that does this for you is the following:

# /sbin/service iptables save

Sharing Internet connection

In order to use the machine as a gateway you have to enable IP forwarding in the kernel. In order to do so, select System Tools | Kernel Tuning to start the Kernel Tuning tool, or become root and use the system-config-proc command. Select Networking | IP from the System tree on the left, then click on the second tab of the notebook on the right and check IP Forwarding. Press Save and then Activate saved configuration.

Kernel Tuning

The final step is to setup the sharing of a single IP address through network address translation (NAT). Many Internet connections provide only one IP address, which is used by the gateway. The computers on the local network have their addresses in a non-routable subnet such as When the packets are routed out from the local network to the Internet, the gateway needs to replace packet source addresses with the address of the gateway. The following command will setup NAT where /dev/eth1 is the device connected to the Internet,

# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

If you want to run a web server, or any other service, on a machine behind the firewall you need to use destination NAT to redirect incoming requests to the server machine. The following redirects web requests to port 80 on the machine with local IP address

# iptables -t nat -A PREROUTING -i eth1 -p tcp -d
--dport 80 -j DNAT --to

Remember to save your changes to the iptables configuration file,

# /sbin/service iptables save

Ubuntu has a "no open ports" policy so does not install a firewall by default. If you install server software you should install a firewall such as firestarter to help restrict access to each server. You can verify which ports are open using nmap -sV -O localhost, there should be none on a clean installation.

Share this

Related Posts

Next Post »