I want to show you how this is done in two different ways: Using a typical firewall GUI and the ufw command line. For the GUI I am going to illustrate this with GUFW (GNOME frontend for UFW). Naturally, each GUI firewall tool will deal with this process differently, but understanding the fundamentals of what you’re looking for should give you enough information about how exactly to manage the task with the firewall tool you use.

ufw

Figure 1

Let’s start with the more challenging task first. I will assume you know some of the basics. What we will be doing is allowing the necessary Samba ports through with the help of the UFW command line. Let’s first check to make sure your firewall is enabled. To do this issue the command:

sudo iptables -L

When you issue the above command you should see output similar to what you see in Figure 1. If you see nothing, that means your firewall isn’t enabled.

Now, let’s add the rules to allow Samba to pass through your firewall. I am going to illustrate this using the 192.168.1.0 IP address scheme. You can adjust this to fit your needs. The commands you need to run, to open up the necessary ports are:

sudo ufw allow proto udp to any port 137 from 192.168.1.0/24
sudo ufw allow proto udp to any port 138 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 139 from 192.168.1.0/24
sudo ufw allow proto tcp to any port 445 from 192.168.1.0/24

You will issue the above commands one at a time.

GUFW

Figure 2

Now let’s take a look at allowing Samba through your firewall using the UFW front-end, GUFW.  You can start the GUFW tool by clicking System > Administration > Firewall Configuration. When the GUFW window opens (see Figure 2). If the firewall is not enabled, check the Enabled check box to start it up. Once it is started up you can then add rules to the configuration.

Figure 3

When you click the Add button a new window will appear (see Figure 3). From this window select the Preconfigured tab. In this window select the following:

• Allow
• In
• Service
• Samba

When you have the above selected, click Add. Now go back and add another rule to use the same configuration as above with the exception of selecting Out instead of In. Once you have done that, close the Add Rule window and then quit the GUFW window. Your firewall should now allow Samba through.

That complexity is what an introductory article is needed. I have seen plenty of users try to just jump into the heart and soul of iptables, only to see them fail miserably. To fully understand iptables one must first understand how iptables is actually used. In this article I will help you to understand the fundamentals of iptables so later on we can further that knowledge with more in-depth scripts and commands.

What IS iptables?

As I mentioned earlier, iptables is a powerful way to control packet traffic to and from your Linux box. But how does it manage this?  It does so by creating TABLES made up of CHAINS. There are three types of chains:

• INPUT: Controls packets coming in.
• OUTPUT: Controls packets going out.
• FORWARD: Controls packets that are forwarded.

These are also applied to the default policies. When you install a Linux operating system it will have three pre-defined iptables chains (one for each of the above).

Now each chain can handle the packet traffic in one of four different ways (actions):

• ACCEPT: Allow the packet in/out.
• REJECT: The target device will reject the packet.
• DROP: The packet is immediately dropped and the target device never sees said packet.
• RETURN: Go to another chain in your table as if it never saw the rejecting chain.

So now you have a TABLE made up of CHAINS that use ACTIONS to route traffic. Is this getting any easier? Now, you can also have more than one TABLE on a machine – but that is far too complex for an introductory article. Your machine will also have a default POLICY for each chain (INPUT, OUTPUT, FORWARD). By default these POLICIES are typically set to the action ACCEPT.

You must also understand that when a packet arrives on a machine it must traverse the iptables CHAIN until it either matches a CHAIN rule or it passes through all rules unscathed. Because of this you want to create your chains carefully. If you do not you can wind up with traffic you want to ACCEPT getting REJECTed because of a poorly ordered chain. For example:

Let’s say you want to ACCEPT all ssh traffic within your internal network safe passage to your machines. But what if you have a CHAIN rule that REJECTS ssh traffic in place before that internal rule? If you do this all internal ssh traffic will be REJECTed as well. In this case you would want your TABLE chain order like so:

CHAIN ACCEPTing incoming LAN ssh traffic

CHAIN REJECTing incoming WAN ssh traffic

Let’s take a look at how you use itables as a command to create or change POLICY chains.

Usage

Figure 1

If you issue the command iptables -L all of your current chains will be listed like what you see in Figure 1. NOTE: The iptables command MUST be run as either the root user or with the help of sudo.

As you can see, in my output, my TABLE consists of the three default policy CHAINS and each is currently set to the action ACCEPT.  What if I want to change my INPUT policy to DROP? After all, do you want incoming traffic to have total access to your machine? You can set the input POLICY to DROP with the following command:

sudo iptables -P INPUT DROP

What you have effectively done above is set your default INPUT POLICY to REJECT. So without creating any new CHAINS all incoming traffic to that machine will be REJECTED. Here’s the problem with that…say, for instance, you want to allow ssh traffic into that machine? If you leave it as is this will not happen. Because you have the INPUT POLICY set to REJECT and you have no other CHAINS in place, no incoming traffic will work. Remember, though, what I said about creating CHAINS in the right order to ensure needed traffic can find safe passage.

Final thoughts

Thus begins our journey with iptables. It’s not the most simple system to employ, but it certainly is powerful.  Is it worth the time and effort when there are so many GUI tools to choose from? That depends upon your needs. If you are working on nothing more than a desktop – then the GUI front-end will more than likely be enough. If, however, you have a server with mission-critical or sensitive data you might need the extra power and flexibility that iptables brings to the table.

In this article I will introduce you to the Fedora firewall tool and show you how to secure your Linux distribution quickly and reliably.

Two ways to success

There are two ways to configure the firewall tool to meet your needs. The first method is manually. You can decide what to leave open and what to close up. The other method is with the help of a very easy to use Wizard. What these choices do is allow the system to be useful for both new and seasoned users alike.

What I really like about this tool is that it doesn’t take anything for granted. It allows you decide what interfaces, services, ports are all trusted; it allows you to create your own custom rules, do port forwarding, and masquerading. This tool is pretty fantastic and will keep your desktop secure. Now, let’s see how this thing works.

The Wizard

Figure 1

The Wizard is where every new user should start. But before you get to the Wizard you actually have to start the tool. To do this click System > Administration > Firewall and the main window will open. From this main window click on the Wizard button to begin the process of creating your firewall.

The steps of the Wizard are as follows:

Step 1: Welcome screen (just click Foward).

Step 2: Select the system you ahve (System with Network access or system without network access).

Step 3: User skill level (Beginner or Expert).

Step 4: Configuration (Desktop or Server).

After you have completed the Wizard click the Apply button on the main window to complete the process. This will clear your current firewall and apply the settings the Wizard has created. Only problem? The wizard really didn’t do much as far as customization for your needs. In order to really customize your firewall you have to step outside the boundaries of the wizard. Let’s do that.

If you look at the main window you can see there is a number of options you can select. If you find the only option in the left pane that is available is Trusted Services, that means you have selected Beginner level. In order to access the other features (Other Ports, Trusted Interfaces, etc) you will have to set yourself up as an Expert by clicking Options > User Skill Level > Expert. Once you have done that all the other options will be available.

At this point you simply need to walk through all of the possible options and select the following:

• Trusted Services: Which services do you want to be made available to hosts and networks.
• Other Ports: Here you can open up any port listed in /etc/services.
• Trusted Interfaces: If you have more than one NIC on your machine this will be especially handy. Define internal and external network interfaces and refine what each has open.
• Masquerading: Need to hide an entire range of private IP address behind a single public address? You might need to configure masquerading.
• Port Forwarding: If you need to configure the host machine to forward a port request to another machine, this is where you do it.
• ICMP Filter: Here you configure error messages between computers. You can block things like ping requests here.
• Custom Rules: This is where you can add your very own custom rules to your firewall. We will discuss this further in another article.

Once you have made any changes make sure you click the Apply button in order to apply the changes.

Final thoughts

That’s pretty much the gist of the Fedora Firewall tool. We will take this further soon with an article on creating your own customized rules with this tool. Until then, enjoy hardening your Fedora box with this easy to use firewall tool.

When you spend a lot of time creating and administering the web/mail server combination, it’s always good to have a solution that is easy to put in place. I have found one that I have used for a while now and trust its security and ease of use. This “system” uses a fairly complex iptables script that has just a single line that you will need to modify in order to have sound security for a web/mail server that serves up web pages via Apache on port 80 and mail via SMTP on port 25 and IMAP via port 143. Included in this script is the inclusion of port 25 for secure shell access.

You will be surprised how simple this script is to use. I have uploaded the script to a pastebin site which you can access using this address. Copy that script to your Linux server (for the sake of simplicity save it in ~/scripts, which you will create) and you are ready to set the system up.

Configuration

The only line you need to configure (unless you need to change the networking device name and/or want to include extra ports or remove ports from the script) is line 8. This line looks like:

SCRIPT_DIR="/PATH/TO/DIRECTORY"

What you want to have there is the location that will be filled with any IP address blocked by the firewall. For the purposes of this tutorial it will be saved in ~/scripts.

Once you have that edited you can save the file and call it start_iptables.sh. Now give the file executable permission with the command:

chmod u+x start_iptables.sh

Now create a new file called stop_iptables.sh. The contents of that file will be:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Make that file executable with the command:

chmod u+x stop_iptables.sh

The former script will start your firewall, the latter script will stop it.

Starting this script

You can start and stop this script any time you feel like with the command:

sudo ~/scripts/start_iptables.sh

If there are no errors you should see something like:

Starting IPv4 Wall…

You can also check to see by listing all of your iptables chains with the command:

sudo iptables -L

Stopping the firewall is done with the command:

sudo ~/scripts/stop_iptables.sh

Start at bootup

Now let’s make it such that the firewall script starts upon boot of the server (should the need arise).  Open up the /etc/rc.local file and add the line:

/PATH/TO/scripts/start_iptables.sh

before the “exit 0″ line.

Where /PATH/TO/ is the explicit path to the ~/scripts directory (you can’t use “~/” in rc.local).

The script will now start at boot.

Final thoughts

This easy to install firewall will add a level of saftey to your web/mail server that would be hard to come by with a GUI tool. And if you are using a headless (console only) server, it’s the only way to go.

Fwbuilder is a powerful firewall creation tool that works by adding objects to build a customized firewall. An object can be just about anything from a firewall, a library, a host, interface, address, DNS name, etc. The idea is you piece objects together to form a cohesive whole that works together to form a complete firewall. The only problem most run into is, when you fire up fwbuilder, where do you start? It may seem a bit confusing at first, but you know where the first step is, the rest of the journey is pretty clear.

Installing fwbuilder

I will touch briefly on installing fwbuilder, because it will not be found on your default system. And although you will find fwbuilder in your respository, it will be an outdated version. So to install the latest version first open up your /etc/apt/sources.list file and add the following (Note: I am installing this on Ubuntu 9.04.):

deb http://www.fwbuilder.org/deb/stable/ jaunty contrib

Before you update apt you will need to add the GPG key. Download that key and then issue the command:

sudo apt-key add PACKAGE-GPG-KEY-fwbuilder.asc

Now issue the command:

sudo apt-get update

Finally you can install with the command:

sudo apt-get install fwbuilder

Once installed you will find fwbuilder in the Administration sub-menu of the System menu (The entry will be labeled Firewall Builder).

Building a firewall

Figure 1

When you start up fwbuilder the main window (see Figure 1) will not seem very intuitive. The first thing you need to do is create a new firewall. To create a new firewall click the Object drop-down which is the icon to the immediate left of the User drop-down. Or you click the Object menu and select New Object (which will open the Object drop-down menu). From this drop-down select New Firewall.

When you add a new firewall object a wizard will appear. Before you can move beyond the first screen you have to do the following:

• Name your firewall.
• Select the firewall software the machine is running.
• Select the OS the firewall is running on.

In the first screen of this wizard is a very important option (if you want to make life easy for yourself). You can base your firewall on pre-configured templates. For new users this is always a good place to start. And even though you choose a pre-configured template, you can still customize this firewall.

But we’re building a customized firewall, so no templates here.

Figure 2

The next screen asks you how you want to define your interfaces. There are two methods: Manually and using SNMP to automatically discover the interfaces. Manually is the most reliable method of course so select that option and click Next.

In the device setup window (see Figure 2) you will enter the information for your networking device. Once you have entered this click Add. If you can’t figure out the MAC address you can always use the Networking Tool application under the Administration sub-menu of the System menu.

Once you have added the device click the Finish button. If you have a machine with two networking devices add your second device and then click Finish. You will now be in the window where you will add rules to your firewall. In the upper left pane click on the name of the firewall to open up the Desktop/Policy window (see Figure 3).

Figure 3

What you want to do is right click within the upper right pane and select “Insert Rule”. When the rule is inserted it will be fairly worthless. You will notice much of the policies are listed as “Any” or “All”. In order to change this you have to add new objects. Let’s say, for example, we want to create an address range that will cover our entire LAN to be used as a destination. To do this click on the Object drop-down and select New Address Range. The lower right pane will change where you can enter the values for your range. I will enter the following:

• Name: Internal LAN
• Range Start: 192.168.1.1
• Range End: 192.168.1.200

You can add a comment if you like.

Figure 4

Now click Apply and that object has been created. This is where the fun begins. As you can see (in Figure 4) my new object is listed in the lower left pane. What I do is click and drag that object into the section of the new rule I want to apply that object to. So I want the Internal Lan object to apply to the Destination section of the rule so I will drag it to that section to apply it.

Now create as many objects as you need for your firewall and click and drag them to apply them. But don’t think you have to limit yourself to one rule. You can add as many rules to this firewall as you need.

Once you have completed building your firewall right click the firewall name (in my example it would be Desktop from the upper left pane) and click “Compile”.  This will open up a compilation wizard that is simple to walk through. The compilation will create a file with the same name as the firewall and an extension of .fw.  After the compilation is complete right click the firewall name and select Install. The installation wizard is also a simple walkthrough of steps. You will have to give a user for the firewall to run under as well as the password for that user. Also you will have to select if you are going to run in test mode or not. If you are install the firewall in test mode it will not be permanent. If you install in regular mode fwbuilder will ask you how soon you want to reboot your machine (so the firewall can take effect.) I suggest running in test most first. If this works then go back through the Install process and allow for full installation (including reboot).

Final thoughts

Fwbuilder is a powerful tool that allows you to create very customized firewalls. I highly recommend this tool for anyone serious about Linux security.

Now with the Linux operating system you have a lot of choices for protection. But one of the easiest to use is Firestarter. Firestarter is one of the easiest-to-use firewalls I have used. And with this simplicity does not come a sacrifice to security. Just because it’s easy does not mean it lacks protection. Firestarter is powerful and has a ton of features. In this article you will learn how to install Firestarter and set up a basic desktop firewall.

Feature highlights

Firestarter includes such features as:

• Setup wizard.
• Real time event viewer.
• Easy port forwarding.
• ICMP parameter tuning.
• Advanced kernel tuning.
• Suitable for desktops, servers, and gateways.

and much, much more.

Installation

The installation of Firestarter is simple. Because it will most likely be found in your distributions’ repositories you will only need to follow these steps for installation:

1. Open up your Add/Remove Software tool.
2. Search for “firestarter” (no quotes).
3. Select Firestarter for installation.
4. Click Apply.
5. Enter your user password.
6. Wait for the installation to complete.
7. Close your Add/Remove Software utility.

Running Firestarter

Figure 1

You will find the Firestarter executable located in the Administration sub-menu of the System menu (in GNOME). When you first run Firestarter the wizard will open up. The first screen is the usual Welcome screen so you can just click the Forward button. The first screen you will have to do any configuration with is the Network Device Setup (see Figure 1). In this screen you need to set which interface Firestarter is to listen to. I am using a laptop so I will select my wireless device.

Figure 2

The next screen (see Figure 2) asks if you need to use internet connection sharing to set your machine up as a gateway. If you do you will need to first click the check box to enable it and then select an interface for the other machines to connect to. If you need to use your machine as a DHCP server you will have to have that installed outside of Firestarter.

Once you have taken care of connection sharing (if it is needed) click the Forward button and you’re done. The last screen wants to know if you want to start the firewall immediately and has you save your configuration.

Figure 3

While Firestarter is running you will see a small icon in your notification area that looks like a blue circle with a right-pointing triangle. If you click on that it will open up the Firestarter main window (see Figure 3). From this window you can Stop the firewall, lock the firewall, view the events log, edit both your inbound and outbound policies, and monitor active connections.

In order to monitor active connections expand the Active Connections listing which will list every connection made to and from your machine. In both the Active connections section and the Events tab you can right click an entry and take action. For instance, in the Active Connections section you can right click an entry and look up the hostname of that entry. In the Events tab you can do more. If you right click an entry in the Events tab you can do the following:

• Allow connections from source.
• Allow inbound service for everyone.
• Allow inbound service for source.
• Disable events from source.
• Disable events on port.
• Lookup hostnames.

Finally, in the Policy tab, you can right click any blank area and add a rule that will apply to a connection from a host or to a port/service. When you go to add a rule you will only need enter the IP address (or domain) and then add a comment.

Final thoughts

Firestarter makes the often daunting task of creating a firewall for a Linux machine simple. If you have ever dealt with iptables you will understand when I say this is a huge relief for desktop users who do not want to take the time to learn to use the underlying technology.

As you would expect, with the help of Webmin, creating a firewall is very simple. And the default Webmin installation comes complete with a firewall module built in, so there is nothing to install (once you have Webmin installed.) All you have to do is point your browser to http://IP_OR_DOMAIN:1000 (Where IP_OR_DOMAIN is the actual IP address or domain hosting your Webmin installation.) If Webmin is installed on your desktop you can point your browser to http://localhost:10000.

Webmin Firewall

Once you are in the Webmin window you will want to click on the Servers link and then click on the Linux Firewall link. The image to the left is the top portion of the configuration screen. This image is showing a default iptables chain that is installed by default in Fedora. As you can see these chain rules are easily modified, moved, appended, and removed.

The Add Rule Window

I want to illustrate how easy it is to add a new rule to the already existing chain. Let’s say you want to add a rule that denies all incoming connections to port 110 (pop3) to your machine. To do this click on the Add Rule button to reveal the Add Rule window (see image to the right.)

The primary configurations to take for this would be:

• Rule Comment: Give the rule a name.
• Action to take: Drop
• Source Address: Any
• Destination Address: 192.168.1. (This will depend upon your needs. If you have a static IP address for the machine enter that.
• Destination Port: 110

Once you have filled this out, click Create Rule and you will be returned to the main window with your rule listed.

Final Steps

Once you have your new rule(s) created you have to scroll down and click the Apply Configuration button (see the image to the left). You will also notice, near the bottom, buttons that allow you to enable your firewall at boot, reset your firewall, and reset to the currently active firewall.

Once you have applied your configuration, if you want to remove a rule you just created you have to go back to the rule list, select the rule you want to delete, and click the Delete Selected button.

It is also important to make sure you have your rules set up in the right order. It is very easy to arrange your rules with the Webmin Firewall Module. Go to the rule listing and click either the up or down arrow the corresponds to the rule you want to move, The rule is then moved one slot up or down (depending upon which arrow you click). But don’t forget to click the Apply Configuration or your move will not stick.

Final Thoughts

If you are looking for a very simple, web-based, solution for creating a firewall the Webmin firewall module might be the answer for you. Not only is it easy to use, you can administer your firewall remotely.

That was then, this is now and in the now there are graphical front ends to help you build a firewall without having to issue a single command from the command line. One of those tools is fwbuilder. The fwbuilder tool builds iptables rulesets but does so by treating each element of the individual rule as an object, a service, or a time. Objects are addresses. Services are protocols or (as the name implies) services. Time is just as it says, time (such as day of the week or a specific time.)

To start up fwbuilder you will find the menu entry in Applications | Administration (under KDE) or in System | Administration (under GNOME). When you fire up fwbuilder you might find yourself thinking “Where do I start?” The first thing to do is go to the File menu and select New Object File. You have to give your object file a name and then save it.

fwbuilder new object

Once you have done this you are ready to start building. As you can see, in the image to the left, the drop-down icon to the left of the User drop-down is what you click to insert a new object into your object file. Click that drop-down to reveal the list of all object to insert.

The first object you must insert into your object file is the Firewall. When you select that a wizard will open up asking for a name for your firewall, what software will run the firewall, and what OS the firewall will run on. I will name my firewall “Example_Firewall”, I will choose iptables from the software list, and Linux 2.4/2.6 for the OS.

Template Chooser

Now, if you want to go the really easy route you can select to insert preconfigured template for your firewall. If you select this you will have to choose your template. Once you have taken care of this information click Next.

Once you click next you will see a list of different templates available. Each template serves a different purpose. As you click on each template a full description will reveal itself in the bottom pane.

After you select the proper template click the Finish button. Now fwbuilder will be open so you can view your template.

Ready To Insert Objects

The first thing you can do is expand the name of the firewall (in my example I would Example_Firewall) and select the object you want to view. Say you want to view the Policy of this firewall (remember this was created from a template so there are already rules applied). To do this click the “Policy” listed (once you expand the firewall) which will reveal the policy in all its glory.

fwbuilder policy editor

Because this is a template you can not edit the objects. This is one of those that you chose based on a specific, yet simple, need.

In the image to the right you can see the details of the policy included with the single interface firewall template.

If you want to create a custom firewall you would go through the same process but, at the point where you are defining your firewall you wouldn’t choose the Preconfigured Template. Instead you would leave that option unchecked and then, in the next window, choose to “Configure Interfaces Manually”. At this point you would add objects as needed and configure those objects to suit your needs.

Once your firewall is built you must then save the firewall, compile the firewall, and install the rules. Here’s the kicker with configuring your firewalls manually. You will need to know the MAC addresses of your interfaces. Fwbuilder has built in SNMP discovery which will help to map out the various interfaces on your network. To use that tool go to the Tool menu and select Discovery Druid. This tool should keep you from having to manually find and associate MAC addresses.

Final Thoughts

The fwbuilder tool is an outstanding means of creating firewalls for any situation. This article gave you a cursory glance at this powerful tool. Give it a try and build a firewall. Try the templates and, once you are familiar with the tool, build your very own customized firewall.