Topics Covered:
· Understanding Firewalls
· Setting Up a Firewall with system-config-firewall
· Setting Up a Firewall with iptables
· Advanced iptables Configuration
· Configuring NAT
Red Hat Enterprise Linux is often used to offer services on the Internet. That means that unauthorized users will try to attack your server and gain access to parts of it that you don’t want to be available to them.
To prevent this, you need to install a firewall.
You will learn how to install a firewall on Red Hat Enterprise Linux and thus protect the valuable assets on your server.
Understanding Firewalls:
· Too often, when a hacker breaks through the security wall of a server, it is done through ports that are actually allowed on the server
· For instance, the hacker can abuse an Apache web server and have it launch a script that opens connections to external machines
· In the previous section, you learned how SELinux can be used to avoid this scenario
· In this section of the program, you’ll learn how a firewall can be used to make sure that no connections are initiated to nodes that haven’t specifically been allowed beforehand
· A firewall works through “packet inspection”
o This means that the firewall screens incoming and outgoing packets to check whether the address, protocol, and port of the packet are allowed or denied
o From the perspective of the OSI model, a firewall works on layers 3, 4, and 5
· A firewall cannot typically check on the user that has sent the packet
· Firewalls normally have a hard time checking the actual data portion of the packet; a “proxy” is needed for this
· Although a firewall is important, not every server uses one. By default, Red Hat switches it on, but in some cases it doesn’t make much sense, and the administrator disables it
· In large company networks, firewalls are often handled by the router that connects the network to the Internet
o Everything behind the router is considered to be secure and doesn’t need a firewall of its own
o If a server is directly connected to the Internet, the server does require a firewall
o Also, if a server has a specific role in a company network and you want to configure it for additional security, it’s a good idea to configure it with a firewall of its own
· Netfilter is the default firewall offered through the Linux kernel
o To configure Netfilter on Red Hat Enterprise Linux, you can use the system-config-firewall tool if you prefer a graphical interface, or the “iptables” command if you want to work from the command line
Setting Up a Firewall with system-config-firewall
· If you just need basic firewall services and have a graphical desktop available, system-config-firewall is the simplest way to get started
o The graphical interface also allows you to set up some of the more advanced configurations, including IP masquerading and port forwarding
· In text-only mode, you can use the system-config-firewall-tui command if you want a menu-driven interface to configure the firewall
· Before starting to configure a firewall with system-config-firewall, one important thing to realize is that it wipes clean all configurations you created manually
Allowing Services:
· The simplest way to allow specific services through the firewall is by selecting them using the Trusted Services option in system-config-firewall
o This interface offers a list of commonly used services
· To enable a service, you just have to select it from the list
· After selecting the desired services, you click the Apply button to save the current configuration
To make the configurations you just created operational, do the following:
· Check that the iptables service is enabled
· Use the “iptables -L” command to verify that the rules have been applied
Exercise 10.1: Allow the Basic Services Through the Firewall (online)
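The verification step above, as an added example that is not part of the course notes: a small shell function that checks an “iptables -L -n” listing for an ACCEPT rule on a given protocol and port. The listing embedded below is a constructed sample of the ruleset system-config-firewall writes on a RHEL 6 host with ssh and http allowed; on a root shell with iptables installed the script reads the live INPUT chain instead.

```shell
#!/bin/sh
# Added example (not from the course notes).
# port_allowed LISTING PROTO PORT
#   succeeds if LISTING (output of "iptables -L -n") contains an ACCEPT
#   rule for PROTO with destination port PORT.
port_allowed() {
    listing="$1"; proto="$2"; port="$3"
    # "( |$)" keeps dpt:22 from matching dpt:2222
    printf '%s\n' "$listing" | grep -E "^ACCEPT +$proto .*dpt:$port( |$)" >/dev/null
}

# Constructed sample of "iptables -L INPUT -n" after allowing ssh and http
# in system-config-firewall (Trusted Services).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Live check is only possible as root on a host that has iptables.
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
    LIVE_LISTING=$(iptables -L INPUT -n 2>/dev/null) || LIVE_LISTING="$SAMPLE_LISTING"
    # the rules only survive a reboot if the iptables service starts at boot
    chkconfig --list iptables 2>/dev/null | grep -q ':on' \
        || echo "warning: iptables service is not enabled at boot"
else
    LIVE_LISTING="$SAMPLE_LISTING"
fi

for p in 22 80 443; do
    if port_allowed "$LIVE_LISTING" tcp "$p"; then
        echo "tcp/$p allowed"
    else
        echo "tcp/$p NOT allowed"
    fi
done
```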
· The system-config-firewall utility offers an interface to select common services
· In some situations, your service might be activated on a nondefault port
o If that’s the case, you need to use the Other Ports interface in system-config-firewall to open that port
o From Other Ports, click “Add” to open the Port And Protocol window
o You’ll see a list containing all known port assignments in this window
o If the port is not available from this list, you can click “User Defined” to enter the port or port range manually
See example below (screenshot not reproduced in these notes)
Trusted Interfaces:
· Typically, there are two cases for firewalls:
o On routers
o On servers
· If the firewall is installed on a server, there is normally just one network interface on which the firewall is operational
· If the firewall is on a server that is used as a router, usually there is an internal network interface and an external network interface
o Packets are routed between these interfaces by a routing process
· By default, all network interfaces are considered untrusted
· If your server works as a router and you want to specify some interfaces as trusted, from system-config-firewall, click Trusted Interfaces and select the interfaces you want to add
o From that moment on, no packets will be filtered on that interface (see image; screenshot not reproduced in these notes)
Masquerading:
· In IP masquerading, you can configure a server to connect your local network to the Internet
· In this configuration, IP addresses from the private address ranges are used on the private network
· These addresses cannot communicate on the Internet, but they will be translated to the public IP address on the interface that faces the Internet
o This process is known as IP masquerading, also referred to as Network Address Translation (NAT)
· The major benefit of using masquerading is that with just one public IP address, you can connect many devices on the private network to the Internet
· IP masquerading is commonly used in home and corporate networks
· To enable masquerading, you need to select the public interface, as shown in the picture (screenshot not reproduced in these notes)
· Once this interface is masqueraded, all packets are rewritten with the IP address of the public interface as the source address
· To trace the packet back to its original sender, the NAT router maintains a NAT table
· A port address is used to trace every connection in this NAT table
· Once a reply to the packet comes back and has to be forwarded by the NAT router to the originating host, it will use the NAT table to find the address of the host from which the packet is originating, and it forwards the packet
· You can also use “port forwarding” in combination with masquerading
o This means you assign a port on the public interface of the NAT router and forward everything that comes in on that port to a specific host and port on the private network
o You can use this approach if one of the computers on the private network is not directly reachable from the Internet, but it offers a specific service that you want to make available on the internet
· Users that want to use that service address the masquerading router and the specific port that is assigned on that router
o Port forwarding will then forward the packet to the destination host
· You select port forwarding to add a port that is to be forwarded from system-config-firewall
· Next, you click Add and select the interface and port you want to make available (see picture; screenshot not reproduced in these notes)
· After specifying the source port, you need to assign a destination
o You can choose between forwarding to a local port (a port on the masquerading router itself) or you can forward packets to a specific IP address and port on that node
o In this next exercise, you’ll learn how to configure port forwarding
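The Trusted Interfaces, Masquerading and Port Forwarding options described above all end up as Netfilter rules. As an added example that is not part of the course notes, the functions below build the equivalent iptables rules directly; interface names, the 192.168.1.0/24 network and the 192.168.1.10:80 web server are assumed values for illustration. With DRY_RUN=1 (the default) the rules are only printed so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the course notes). Assumed layout: eth0 faces the
# Internet, eth1 the private LAN, a web server sits at 192.168.1.10.
: "${DRY_RUN:=1}"
ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

# Trusted interface: nothing arriving on it is filtered.
trust_interface() { ipt -A INPUT -i "$1" -j ACCEPT; }

# Masquerading: rewrite the source of packets leaving PUB_IF to its own
# address; the NAT table then maps replies back to the private host.
# The FORWARD chain must also let LAN traffic out and replies back in.
masquerade() {
    pub_if="$1"; priv_if="$2"
    ipt -t nat -A POSTROUTING -o "$pub_if" -j MASQUERADE
    ipt -A FORWARD -i "$pub_if" -o "$priv_if" -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -i "$priv_if" -o "$pub_if" -j ACCEPT
}

# Port forwarding: connections to PUB_IF:PUB_PORT are rewritten (DNAT) to
# DEST_IP:DEST_PORT. The DNAT rule alone is not enough; the FORWARD chain
# has to accept the rewritten packet, or the connection silently fails.
port_forward() {
    pub_if="$1"; proto="$2"; pub_port="$3"; dest_ip="$4"; dest_port="$5"
    ipt -t nat -A PREROUTING -i "$pub_if" -p "$proto" --dport "$pub_port" \
        -j DNAT --to-destination "$dest_ip:$dest_port"
    ipt -A FORWARD -i "$pub_if" -p "$proto" -d "$dest_ip" --dport "$dest_port" \
        -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
}

# A masquerading server is a router: packets must be allowed to pass between
# interfaces at all (persist this in /etc/sysctl.conf on RHEL).
enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then echo "sysctl -w net.ipv4.ip_forward=1"
    else sysctl -w net.ipv4.ip_forward=1; fi
}

enable_forwarding
trust_interface eth1
masquerade eth0 eth1
port_forward eth0 tcp 8080 192.168.1.10 80
```

Run with DRY_RUN=0 as root to apply the rules; on RHEL 6 “service iptables save” writes them to /etc/sysconfig/iptables so they survive a reboot, and system-config-firewall will overwrite them if used afterwards.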
Exercise: Configuring Port Forwarding