May 23, 2005

Three tools to help you configure iptables

Author: Chris Lynch

Every user whose client connects to the Internet should configure his firewall immediately after installation. Some Linux distributions include firewall configuration as a part of installation, often offering a set of default configurations to choose from. However, to ensure that your machine presents the minimum "attack surface" (a measure of the number of vulnerable ports, user accounts, and sockets exposed to attack) to the predatory inhabitants of the Internet, you may need to do some manual configuration of your firewall. Here are three tools that can help.

The Linux kernel (version 2.4 onwards) contains a framework for packet filtering and firewalling using netfilter and iptables. Netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. Iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target). Iptables has extensive documentation that can be accessed online or by typing man iptables at the command line. Yet despite the depth of the documentation available for iptables, its complexity can be baffling.

FireHOL

The GPL-licensed FireHOL allows you to configure iptables through its abstract, extensible configuration language, enabling you to write your configuration in something approaching a fourth-generation programming language.

Safety in Linux
In December, the Honeypot Project released findings indicating that an unpatched Linux machine could survive for months connected to the Internet, compared to reports of a lifespan as short as four minutes for some Windows operating systems.

FireHOL can be downloaded from SourceForge as an RPM binary or as source code. I downloaded the RPM and installed it on my Mandrakelinux system.

FireHOL runs a service/daemon, checking its own configuration file at startup and writing out an iptables configuration before automatically starting the iptables firewall. FireHOL backs up any existing iptables configuration during this process, so it should be safe to install alongside any existing configuration you have for iptables.

Configuring FireHOL requires that you learn the FireHOL configuration language. FireHOL configuration files are actually bash scripts. As such, you can use bash features such as functions, loops, and variables within your FireHOL configuration. The actual FireHOL configuration language itself is simple to learn but powerful.

My relatively simple FireHOL configuration looks like this:

version 5

# Allow BitTorrent server ports
server_bittorrent_ports="tcp/6881"
client_bittorrent_ports=any

# Accept all client traffic on any interface
interface any world
        client all accept
        server bittorrent accept

Documentation for FireHOL is excellent. The SourceForge-hosted site for the project documents the FireHOL configuration language in detail, gives an excellent tutorial, and includes links to sites that will test the integrity of your firewall via the Internet. If I have any complaint about the FireHOL documentation, it is that the use of frames on the Web site makes it difficult to read any large section of the documentation without lots of scrolling. It would be nice to see a PDF manual on offer for this otherwise professional offering.

FireHOL scores highly for its mix of simplicity and flexibility. I was able to configure a basic "I can go out, but you can't come in" firewall quickly using it, and the resultant configuration passed every test I threw at it.

Personally, I like the approach that FireHOL takes in simplifying the language used to configure iptables without placing a barrier between you and the system itself. I remain confident that, using FireHOL, I can make my firewall do whatever I want with just a few commands.

GuardDog

Guarddog is a GUI-based iptables configurator for KDE. Like FireHOL, Guarddog is application- and protocol-based, but unlike FireHOL Guarddog provides extensive guidance on which protocols to allow and disallow both through its documentation and through the GUI itself. Guarddog bills itself as a firewall maintenance tool, with the implication that you will return to Guarddog to reconfigure the firewall to meet your changing requirements over time.

You can download a binary installation file for Guarddog for a variety of distributions, including SUSE, Red Hat, Fedora Core, Debian, and Mandrakelinux. I installed Guarddog using URPMI and Mandrake's cooker repository.

The first time that I ran Guarddog it issued a warning that the file /etc/rc.firewall was not a valid Guarddog file, and that unless I cancelled out of Guarddog immediately after the message, it would overwrite the contents of this file. Taking this into account, I would advise that you back up your existing firewall configuration before installing and running Guarddog for the first time.

Guarddog offers a comprehensive, but at times bewildering, list of options. Guarddog's configuration is based on the concept of allowing different protocols to be served between different zones. The two default zones that are configured are local and Internet. You can define additional zones, if you require them, based on IP address ranges.

Assuming that you are setting up a simple personal firewall, the first thing that you will want to do is make sure that all of the protocols that you routinely use to connect to online services are allowed to be served to the local zone from the Internet zone. You do this by selecting the allowed protocols from Guarddog's extensive list. For example, allowing the local zone to connect to the Internet zone using the HTTP (port 80) protocol allows Web browsing. A large number of protocols are preconfigured, including all the ones that I required, but it did take some time to find them. Should a protocol that you use be missing from the list, you can define your own additional protocols in the advanced options. Root access is, of course, required to modify the firewall settings.

In my testing of Guarddog, I couldn't find an easy way of saying "let my machine connect to anything," as I had done with FireHOL previously. Whilst this kind of configuration is not a strong firewall, finding all of the protocols that I use within Guarddog's list was particularly time-consuming, and I was tempted to use the simple, insecure approach to start. If you share your computer with other people (or they share your firewall) you will want to make sure you at least cover the common protocols.

Guarddog has a complete online handbook that includes tutorials and a wealth of good advice on firewall configuration in general.

Guarddog is a well-documented and easy to use tool for iptables configuration. The tool is aimed at producing strong firewall configurations with a minimum number of exposed ports and services, and should be applauded for that. However, you're likely to employ Guarddog as a firewall tool that you return to time and again in order to add and remove ports from the available and blocked lists and to, potentially, add new protocols to the configuration. Guarddog encourages, and requires, firewall maintenance.

Easy Firewall Generator for iptables

Not all iptables configuration tools need to be installed or run on your machine, as the Easy Firewall Generator proves. Easy Firewall Generator works through a simple Web-based interface to generate a basic firewall script for iptables.

Testing your firewall

Irrespective of which firewall configuration tool you choose, you should always test your firewall configuration after applying it. There are tools available on the Internet that allow you to do this, some of the best being Web-based services that attempt various attacks and exploits on your machine. A word of caution, though -- if you use a tool to test your firewall, be sure that you trust the tool itself not only to give you accurate results, but also to keep those results private and not make use of any vulnerabilities that it detects on your system.

Recommended firewall testing tools

  • Shields Up! -- One of the first Web-based port scanners, GRC's Shields Up! has now scanned more than 35 million firewalls for vulnerabilities. Scans of both common ports and the complete port list are supported, as well as checks for file sharing and IM client vulnerabilities.
  • SOS Scan -- SyGate's suite of scanning tools offers you several different ways to test your firewall, including stealth scans and checks for known trojans.
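A local complement to the remote scanners listed above, added here as an example and not taken from the article: a shell function that reads iptables-save output and reports the INPUT chain's default policy and every port on which it accepts inbound connections. The function name and the sample dump are constructed.

```shell
#!/bin/sh
# Constructed example (not from the article): an offline check of the
# ruleset iptables actually loaded, in iptables-save format. It flags an
# INPUT chain whose policy is not DROP and lists every port on which INPUT
# accepts connections, so an unexpected opening is visible before any
# remote scanner is pointed at the machine. Real use: iptables-save | audit_rules
audit_rules() {
    awk '
        /^:INPUT / { policy = $2 }
        /^-A INPUT / && /-j ACCEPT/ && /--dport/ {
            proto = "any"; port = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            open = open " " proto "/" port
        }
        END {
            printf "INPUT policy: %s%s\n", policy,
                   (policy == "DROP" ? "" : "  <-- WARNING: not DROP")
            printf "Ports accepting inbound connections:%s\n",
                   (open == "" ? " none" : open)
        }'
}

# Constructed sample in iptables-save format, not a capture from a real host.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6881 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

printf '%s\n' "$SAMPLE_DUMP" | audit_rules
```

Anything the report lists that you did not deliberately open is worth investigating before trusting a clean result from a remote scan.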

The Easy Firewall Generator requires you to enter the name of your network card, commonly eth0, and the specification of several simple options, such as whether the IP address of the machine is obtained dynamically, whether the machine is to act as a gateway (with subsequent configuration options for the gateway itself), and what services the machine will allow remote users to connect to (from a short list of common services). The Web page then generates a bash script for configuration of the firewall.

Whilst this tool may seem limited in comparison to FireHOL or Guarddog, it serves to show that firewall configuration in Linux can be simple, quick, and relatively painless. If your goal is to configure a simple "allow me out, allow nothing in" firewall, this tool serves the purpose well.
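The "allow me out, allow nothing in" policy that both the generator and the FireHOL snippet earlier express, written out as the kind of plain iptables script such a generator emits. This is an added example, not the output of Easy Firewall Generator or FireHOL; the gen_rules function and its proto/port argument format are assumptions, and each emitted rule shows the matches-plus-one-target structure the iptables overview describes.

```shell
#!/bin/sh
# Constructed example (not the article's or any tool's code): emit the
# iptables commands for an "allow me out, allow nothing in" host firewall.
# Each emitted rule is a set of matches (-i, -p, --dport, -m state) plus
# exactly one target (-j), as described in the article's iptables overview.
# Usage: gen_rules IFACE [proto/port ...]   e.g. gen_rules eth0 tcp/6881
gen_rules() {
    iface=$1
    shift
    echo "iptables -F"
    # Default policies: unsolicited inbound and forwarded traffic is dropped,
    # everything the host itself originates is allowed out.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    # Loopback, plus replies to connections this host started.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Every remaining argument is one service to expose, as proto/port
    # (the equivalent of FireHOL's "server bittorrent accept").
    for svc in "$@"; do
        case "$svc" in
            tcp/[0-9]*|udp/[0-9]*) ;;
            *) echo "gen_rules: bad service spec '$svc'" >&2; return 1 ;;
        esac
        proto=${svc%/*}
        port=${svc#*/}
        echo "iptables -A INPUT -i $iface -p $proto --dport $port -m state --state NEW -j ACCEPT"
    done
    # Rate-limited log of whatever is left, so dropped probes show up in syslog.
    echo "iptables -A INPUT -i $iface -m limit --limit 5/min -j LOG --log-prefix 'fw-drop: '"
}

# Print the script for eth0 exposing only the BitTorrent port from the
# FireHOL example; review it, then run it as root to apply.
gen_rules eth0 tcp/6881
```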

Documentation around Easy Firewall Generator is light, but sufficient to explain the function of the page and to give some additional insights into firewall configuration through some well-chosen links. I advise approaching the links page as a tool, rather than as a solution in itself.

Easy Firewall Generator does exactly what it says it will do and no more. If you ever find yourself at a machine with no firewall and want a quick, safe configuration without the need to install additional tools, this utility can be a big help.

Choosing the right tool for you

There are more iptables configuration tools than the three tools highlighted here, but these three serve to illustrate that there are as many approaches to configuring your firewall as there are opinions about what you should and should not have within the configuration itself.

My personal favorite of these three is FireHOL, which I feel provides the optimum mix of flexibility and power. You can configure any firewall with this tool, and you are free to apply your own logic and preferences in that configuration. Guarddog, for me, imposes too many restrictions on what I, as a user, can and cannot do.
