Difference between revisions of "Ubuntu 10.x Firewall Basics"
Revision as of 14:45, 26 November 2010
A firewall is a vital component in protecting an individual computer system or network of computers from external attack (typically from an internet connection). Any computer connected directly to an internet connection should ideally run a firewall to protect against malicious activity. Similarly, any internal network must have some form of firewall between it and an external internet connection.
Ubuntu ships with a powerful built-in firewall technology known as iptables. Entire books can, and indeed have, been written about configuring iptables. If you would like to learn more about iptables we recommend:
http://www.linuxtopia.org/Linux_Firewall_iptables/index.html
The goal of this chapter is to cover some of the basic concepts of firewalls, TCP/IP ports and services. The configuration of a firewall on an Ubuntu system will be covered in Using Firestarter to Configure an Ubuntu 10.x Firewall.
24.1 Understanding Ports and Services
The predominant network communications protocol in use these days is TCP/IP. It is the protocol used by the internet and as such has swept away most of the formerly popular protocols used for local area networks (LANs). TCP/IP defines a total of 65,535 ports, of which 1023 are considered to be well known ports. It is important to understand that these are not physical ports into which network cables are connected, but rather virtual ports on each network connection which can be used by applications and services to communicate over a TCP/IP network connection. In reality, the number of ports used by popular network clients and services is an even smaller subset of the well known group of ports.
There are a number of different TCP/IP services that can be provided by an operating system. A comprehensive list of such services is provided in the table at the end of this chapter, but such services include HTTP for running a web server, FTP for allowing file transfers, SSH and Telnet for providing remote login access and SMTP for the transport of email messages. Each service is in turn assigned to a standard TCP/IP port. For example, HTTP is assigned to port 80 while SSH communication takes place on port 21.
Securing Ports and Services
A large part of securing servers involves defining roles, and based on the roles, defining which services and ports should be enabled. For example, a server that is to act solely as a web server should only run the HTTP service (in addition to perhaps SSH for remote administration access). All other services should be disabled and, ideally, removed entirely from the operating system (thereby making it harder for an intruder to re-enable the service).
Securing a system involves both removing any unnecessary services from the operating system and ensuring that the ports associated with the non-essential services are blocked using a firewall. The rules that define which ports are accessible and under what circumstances are defined using iptables.
Many operating systems ship with a number of services installed and activated by default. Before installing a new operating system it is essential that the installation be carefully planned. This involves deciding which services are not required and identifying which services have been installed and enabled by default. Deployment of new operating system installations should never be rushed. The fewer services and open ports available on a system, the smaller the attack surface and the fewer opportunities for attackers.
Ubuntu Services and iptables Rules
By default, a newly installed Ubuntu system does not have any iptables rules defined to restrict access to ports. To view the current iptables settings, the following command may be executed in a terminal window:
sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
As illustrated in the above output, no rules are currently defined. Whilst this may appear to be an unsafe configuration it is important to keep in mind that a newly installed Ubuntu system also has few services running by default, making the ports essentially useless to a potential attacker. It is not possible, for example, to remotely log into a newly installed Ubuntu system or access a web server simply because neither the ssh nor httpd services are installed or running by default. Once services begin to be activated on the system, however, it will be important to begin to establish a firewall strategy by defining iptables rules.
A number of methods are available for defining iptables rules, including the use of command line tools and configuration files. For example, to block access to port 25 (used by the SMTP mail transfer protocol) from IP address 192.168.2.76, the following command could be issued in a terminal window:
sudo iptables -A INPUT -s 192.168.2.76 -p tcp --destination-port 25 -j DROP
If we now check the current rules, we will see that this one is now listed:
sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  192.168.2.76         anywhere            tcp dpt:smtp
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The rule may subsequently be removed as follows:
sudo iptables -D INPUT -s 192.168.2.76 -p tcp --destination-port 25 -j DROP
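The role-based policy described under "Securing Ports and Services" (open only the ports a server's role needs) can be expressed with the same -A INPUT / -p tcp / --destination-port rules shown above. The script below is an added example, not part of the original chapter: it only prints the iptables commands for a given list of TCP ports (a dry run), so the output can be reviewed before being piped to a root shell. It assumes IPv4, TCP-only services, and a role whose ports are supplied by the caller.

```shell
#!/bin/sh
# Added example: generate a default-deny INPUT chain for a server role.
# Usage: sh role_rules.sh 80 22 | sudo sh      (review the output first!)
# Assumption (hypothetical): every allowed service is a TCP port passed as an argument.

# role_rules PORT... : print one iptables command per line; nothing is applied here.
role_rules() {
    for port in "$@"; do                         # validate before printing anything
        case "$port" in
            ''|*[!0-9]*) echo "role_rules: bad port '$port'" >&2; return 1 ;;
        esac
    done
    echo 'iptables -F INPUT'                     # start from an empty INPUT chain
    echo 'iptables -A INPUT -i lo -j ACCEPT'     # local processes still talk over loopback
    # replies to connections this host opened (and an existing SSH session) stay alive
    echo 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do                         # one ACCEPT per port the role requires
        echo "iptables -A INPUT -p tcp --destination-port $port -j ACCEPT"
    done
    # default-deny is set last so a remote admin is not cut off between the commands
    echo 'iptables -P INPUT DROP'
}

# count_allowed RULESET : number of ports a generated ruleset opens
count_allowed() {
    printf '%s\n' "$1" | grep -c -- '--destination-port'
}
```

A web server role is therefore `role_rules 80 22`; every port not listed is dropped by the chain policy rather than by a per-port rule.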
Given the complexity of iptables it is not surprising that a number of user friendly graphical configuration tools (such as Guarddog and Firestarter) have been created to ease the rule creation process. The use of one such tool is covered in the chapter entitled Using Firestarter to Configure an Ubuntu Firewall.