alpha645
2007-01-22, 01:40 PM CST
(VERSION: 26-01-07)
I completely rewrote the guide because the old one was just as bad as the pre-configured firewall.
To start, we first need to do two things: one so that you can write your own firewall configuration, and one so that you get a log of what the firewall does.
First, type:
system-config-securitylevel
Now, turn it off :D . This does not completely disable the Fedora Core firewall: iptables is still loaded and the iptables service still starts at boot (you just will not see it). What you remove is the automatic configuration the tool writes every time the firewall starts, so that you can 'write' your own configuration instead; your configuration is then loaded at boot (see 'service iptables save' further down). Check that the service is still enabled with 'chkconfig --list iptables' and, if it is not, turn it back on with 'chkconfig iptables on'. Be aware that until you add your own rules the box now runs with every policy set to ACCEPT, i.e. wide open.
Done.
Second, type:
gedit /etc/syslog.conf
I assume you use GNOME; if not, replace gedit with nano, vi, mousepad or whatever editor you like. Now we simply need to add this line (selector and file name separated by a tab, which is what the old syslogd expects):
kern.=debug /var/log/firewall
Then restart syslog so it reads the new configuration: service syslog restart. Two things to know about this line: 'kern.=debug' matches only kernel messages at exactly the debug priority, which keeps them out of /var/log/messages (that file takes *.info and up), and the iptables LOG target logs at priority warning by default, so your LOG rules need '--log-level debug' or nothing will ever show up in /var/log/firewall. Done.
Third, type:
iptables -L --line-numbers
You should see something like this (in reality every chain contains some extra lines):
Chain INPUT (policy ACCEPT)
target prot opt source destination
<some stuff here>
Chain FORWARD (policy ACCEPT)
target prot opt source destination
<some stuff here>
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
<some stuff here>
Chain RH-Firewall-1-INPUT (0 references)
target prot opt source destination
<some stuff here.>
Now, let's clean up the mess Fedora made; I recommend this to all users. All iptables commands below need root:
iptables -F
This flushes every rule from every chain of the filter table. Then:
iptables -X RH-Firewall-1-INPUT
This deletes the (now empty) RH-Firewall-1-INPUT chain; -X only works on a chain with no rules and no references, which is why -F comes first. Then:
iptables -P FORWARD DROP
This sets the default policy of the FORWARD chain to DROP (more on policies below). Finally, check the result:
iptables -L
You should see, after the last command, something like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
This is the firewall in its most basic form. INPUT decides what happens to packets that try to enter your box, OUTPUT decides what happens to packets that leave it, and FORWARD decides what happens to packets routed through the box to somewhere else; that only matters when the box is a gateway (e.g. doing masquerading), so you can ignore it here. The iptables -P command you ran makes FORWARD drop all of those. These 'policies' are the default action of a chain, the 'main rule' of your firewall: a packet that matches none of the rules in the chain gets the policy. So with INPUT set to DROP every packet is dropped except the ones a rule explicitly accepts (rules come later below), and with INPUT set to ACCEPT every packet is accepted except the ones a rule explicitly drops or rejects. Setting the policy to ACCEPT and then adding a rule that accepts as well is pointless. Also, make sure you add the rules in the correct order: iptables walks a chain from top to bottom and the first rule that matches with a deciding target (ACCEPT, DROP, REJECT) wins; later rules are never consulted for that packet. For example:
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP 0 -- anywhere anywhere
ACCEPT 0 -- 192.168.2.1 anywhere
This will NOT allow access from 192.168.2.1, but switching the two rules will allow traffic only from 192.168.2.1, because the first rule already catches every protocol from every source to every destination (for INPUT the destination is always your computer; for OUTPUT your computer is always the source) and nothing ever reaches the second rule. This was just an example: a rule that blocks or allows everything is useless, because the chain's policy already does that. One practical warning: if you administer the box over ssh, add a rule that accepts your ssh session before you switch the INPUT policy to DROP, or you lock yourself out. Policies are changed like this:
iptables -P <chain name, i.e. INPUT> <target, i.e. DROP or ACCEPT>
Another thing to think about is this:
If you make changes to the firewall, they only live in the running kernel and are gone at the next reboot (or 'service iptables restart'). To keep them and have them applied every time the box boots, type this when you are done configuring, or your changes will be lost:
service iptables save
You will see a message that the rules were saved to /etc/sysconfig/iptables (in iptables-save format). You can edit that file by hand; to load it back into the running firewall:
service iptables restart
Use this file wisely: back it up before editing it by hand, because a single bad line makes the restore fail, and remember that the chain policies in it are restored too, so a typo in an ACCEPT rule on a DROP-policy box can leave you locked out.
Now, to the part to add rules:
Example syntax:
iptables -I INPUT 3 -d 192.168.2.1 -s 192.168.2.100 -p tcp --dport 5413 --sport 8754 -j ACCEPT
This is all you need for most rules; iptables can also match on the network interface a packet arrives on or leaves by (-i eth0, -o eth0), which the rules discussed here do not need.
Explanation
-I INPUT 3: -I means the rule is Inserted at a position in the chain; -A would Append it at the end instead. INPUT is the chain to insert into. 3 is the position (default 1, the top); inserting at position 3 fails with 'Index of insertion too big' when the chain holds fewer than two rules.
-d 192.168.2.1 : -d is the destination IP; the rule only applies when the packet is addressed to this IP (and matches the other options). For INPUT the destination is always one of your own addresses (your LAN address, or your WAN address if the box sits directly on the Internet). For OUTPUT the destination is the remote IP the packet goes to. If left out, iptables assumes 0/0, which means any destination.
-s 192.168.2.100 : -s is the source IP; the rule only applies when the packet comes from this IP (and matches the other options). For INPUT the source is the computer that sent the packet. For OUTPUT the source is always your own computer. If left out, iptables assumes 0/0, which means any source.
-p tcp : the protocol. If left out, the rule matches every protocol.
--dport 5413 : the destination port, same idea as the destination IP but for ports (where the packet goes to; for an incoming connection this is the service port).
--sport 8754 : the source port, same idea as the source IP but for ports (where the packet comes from). Be careful with it: a client picks a random (ephemeral) source port for every new connection, so a rule pinned to one source port only matches by accident; match on --dport and, if you must, on a source range (--sport 1024:65535).
Note: --dport and --sport only exist for tcp and udp, and the -p must come before them; icmp and the other protocols have no ports (icmp has --icmp-type instead).
-j ACCEPT: the most important one; it decides what happens to a packet that matches the other parameters (-s, -d, -p, ...). DROP discards the packet and sends nothing back to the sender (stealth). ACCEPT lets the packet through. REJECT discards it but sends an ICMP port-unreachable back by default (or a TCP RST with --reject-with tcp-reset), so the sender knows (no stealth). Another very important one is LOG: it writes the packet's headers to the kernel log and then continues down the chain, so a LOG rule on its own blocks nothing; it is normally followed by the DROP rule or policy that really decides.
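Putting the steps above together: the script below is an added example for this edit, not alpha645's rules and not Fedora's default configuration. It builds a default-deny INPUT ruleset the way a practitioner would write it today, with a loopback rule and an ESTABLISHED,RELATED rule so that replies to connections the box opens are accepted without guessing source ports, and it ends with a LOG rule at --log-level debug (so the lines reach the 'kern.=debug' selector from the syslog step) just before the DROP policy takes over. The LAN range 192.168.2.0/24, the ssh-from-LAN rule and the 'FW-DROP: ' log prefix are assumptions made for the example. 'dry-run' prints the iptables arguments instead of executing them; 'apply' (as root) installs the rules.

```shell
#!/bin/sh
# Added example for this guide (not the original post's rules): a stateful,
# default-deny INPUT ruleset for a single Fedora box.
#   ./firewall.sh dry-run   print the iptables commands that would run
#   ./firewall.sh apply     install them (root), then 'service iptables save'
# Assumptions: the LAN is 192.168.2.0/24 and ssh should be reachable from it.
IPT="${IPT:-iptables}"          # set IPT=echo to see the commands instead
LAN="${LAN:-192.168.2.0/24}"    # assumed LAN range for the ssh rule

build_rules() {
    # Clean slate, as the guide does: flush all rules, delete user chains.
    $IPT -F
    $IPT -X
    # Default policies: unsolicited inbound is dropped, nothing is routed
    # through the box, outbound is allowed (so the log below only shows
    # inbound drops; set OUTPUT to DROP too if you want to log outbound).
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback must stay open or local programs talking to each other break.
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this box started. This replaces per-program
    # --sport/--dport pairs: the client side uses a random source port.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services deliberately opened: only new ssh connections from the LAN
    # here; add one line per service instead of widening these.
    $IPT -A INPUT -p tcp --dport 22 -s "$LAN" -m state --state NEW -j ACCEPT
    # Answer ping, but rate-limit it (icmp has no ports, hence --icmp-type).
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # Everything that got this far is about to hit the DROP policy: log it
    # first. --log-level debug is what makes the line match 'kern.=debug';
    # the limit keeps a port scan from flooding the log.
    $IPT -A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG \
        --log-level debug --log-prefix "FW-DROP: "
}

# Print the commands instead of running them (a subshell, so IPT is not
# changed for the caller).
dry_run() { ( IPT=echo; build_rules ); }

case "${1:-}" in
    apply)   build_rules && echo "rules installed; run 'service iptables save' to keep them" ;;
    dry-run) dry_run ;;
    *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

Run 'sh firewall.sh dry-run' first and read the output; then 'apply' as root from a local console (over ssh only if the ssh rule matches your client), and finish with 'service iptables save' so that what comes back at boot from /etc/sysconfig/iptables is this ruleset.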
And finally the log. If you want to find out which ports to open, simply type in a console:
dmesg
If you want to clear the log:
dmesg -c
dmesg prints the kernel ring buffer (which is where LOG writes, with or without the syslog setup above) one last time and then clears it. Ready for testing :) . In this log you will see lines like the one below; here is an explanation of the useful parts:
IN= OUT=eth0 SRC=192.168.2.100 DST=128.197.27.61 PROTO=TCP SPT=45204 DPT=58633
The packet was going out (OUT=eth0, IN= empty). My computer was the source (SRC=192.168.2.100). DST is the destination IP, PROTO the protocol, SPT the source port and DPT the destination port.
Now, if you want to add a program: clear the log, let the program connect and then read the log. Add the lines to the firewall that allow the program to connect and you are done. I set the main policy to DROP it ALL, except for the programs I prefer. This gave me full stealth scores on pcflank.com. I added the results in case you want to compare them with the regular Fedora firewall :p . I did tests at:
www.pcflank.com (advanced port scanner and stealth test)
www.hackerwatch.org/probe
Note that the source ports used by pcflank.com and hackerwatch are somewhere around 3000 to 3500, I think, so they are not perfect for testing source-port rules.
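The 'clear the log, let the program connect, read the log, add the rules' loop above is easy by hand for one program and tedious for a dozen. As an added example (not from the original post), the shell function below reads iptables LOG lines, groups them by chain, protocol and destination port (or ICMP type, since icmp has no ports), and prints one candidate ACCEPT rule per group with a packet count and the peer address, so you decide what to open with the evidence in front of you. The sample lines are constructed for the example in the format the LOG target writes, with a 'FW-DROP: ' prefix assumed from a --log-prefix option; in real use feed it /var/log/firewall or dmesg output instead. Treat the output as suggestions to review, not something to paste blindly: a port showing up in the log only means something knocked on it.

```shell
#!/bin/sh
# Added example for this guide: turn iptables LOG lines into candidate rules.
# Usage:  suggest_rules < /var/log/firewall      or      dmesg | suggest_rules
suggest_rules() {
    awk '
    {
        # Collect the KEY=VALUE tokens of the line; "IN=" gives an empty IN.
        split("", f)
        for (i = 1; i <= NF; i++)
            if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
        if (!("PROTO" in f)) next          # not an iptables LOG line
        proto = tolower(f["PROTO"])
        # Direction: a non-empty IN means the packet was arriving (INPUT) and
        # the peer is SRC; otherwise it was leaving (OUTPUT) and the peer is DST.
        if (f["IN"] != "") { chain = "INPUT";  peer = f["SRC"] }
        else               { chain = "OUTPUT"; peer = f["DST"] }
        # tcp/udp are keyed by destination port, icmp by type, anything else
        # by protocol only (no ports, see the --dport/--sport note above).
        if (proto == "tcp" || proto == "udp") sel = f["DPT"]
        else if (proto == "icmp")             sel = f["TYPE"]
        else                                  sel = ""
        key = chain SUBSEP proto SUBSEP sel
        count[key]++
        if (!(key in first)) first[key] = peer
    }
    END {
        for (k in count) {
            split(k, p, SUBSEP)
            rule = "iptables -A " p[1] " -p " p[2]
            if (p[2] == "tcp" || p[2] == "udp")    rule = rule " --dport " p[3]
            else if (p[2] == "icmp" && p[3] != "") rule = rule " --icmp-type " p[3]
            printf "%s -j ACCEPT   # %d packet(s), e.g. peer %s\n", rule, count[k], first[k]
        }
    }' | sort
}

# Constructed sample log lines (not a real capture), in the format the LOG
# target writes, assuming a rule with --log-prefix "FW-DROP: ".
SAMPLE_LOG='Jan 26 13:02:11 fc6 kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.1 DST=192.168.2.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=38215 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 26 13:02:14 fc6 kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.1 DST=192.168.2.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=38216 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 26 13:02:20 fc6 kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.1 DST=192.168.2.100 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2345 SEQ=1
Jan 26 13:02:31 fc6 kernel: FW-DROP: IN= OUT=eth0 SRC=192.168.2.100 DST=192.168.2.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=32768 DPT=53 LEN=41'

# Run the function over the sample: two ssh SYNs collapse into one rule,
# the ping becomes an --icmp-type rule, the outbound DNS query an OUTPUT rule.
demo() { printf '%s\n' "$SAMPLE_LOG" | suggest_rules; }

demo
```

Note what the grouping hides on purpose: the two ssh attempts came from different source ports (38215 and 38216), which is exactly why a rule keyed on --sport would have needed two lines and would still miss the third attempt.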