Home > Articles > Security > Network Security

Securing Linux Systems With Host-Based Firewalls Implemented With Linux iptables

By Sun Microsystems
Jan 30, 2004
Article is provided courtesy of Prentice Hall Professional

Article Contents

Page 1 of 12 Next >

Sun Microsystems

Learn more…

IPsec -- A Secure Deployment Option: Sep 24, 2004
Using pGINA to Authenticate Users in Microsoft Windows Environments: Aug 27, 2004
Best Practices for Deploying the Sun StorADE Utility: Aug 20, 2004
Performing Network Solaris Installations Without a Local Boot Server: Aug 13, 2004
Using Solaris Resource Manager With Sun Ray: Aug 6, 2004
N1 Grid Architecture Realized: Strategic Flexibility: Jul 16, 2004
Global Grid Connectivity Using Globus Toolkit With Solaris Operating System: Jun 25, 2004
Building a Bootable DVD to Deploy a Solaris Flash Archive: Jun 18, 2004
Building OpenSSH--Tools and Tradeoffs, Updated for OpenSSH 3.7.1p2: Jun 18, 2004
Maximizing the Performance a Gigabit Ethernet NIC Interface: Jun 18, 2004
Dynamic Reconfiguration for High-End Servers: Part 2--Implementation Phase: Jun 11, 2004
Supporting Multiple Page Sizes in the Solaris Operating System Appendix: Jun 11, 2004
Dynamic Reconfiguration for High-End Servers: Part 1 --- Planning Phase: Jun 4, 2004
Supporting Multiple Page Sizes in the Solaris Operating System: Jun 4, 2004
Data Center Best Practices for High-End Servers: May 28, 2004
Understanding Tuning TCP: May 28, 2004
Sun Ray Deployment On Shared Networks: Apr 30, 2004
LDAP Triggers: A Framework for Sun Java System Directory Server: Apr 23, 2004
Taming Your Emu to Improve Application Performance: Apr 23, 2004
Best Practices for Deploying the Sun StorADE Utility: Apr 16, 2004
Sun Fire 15K/12K Auto Diagnosis and Recovery: Apr 16, 2004
Dynamic Reconfiguration and Oracle 9i Dynamically Resizeable SGA: Apr 9, 2004
Solaris Operating System Availability Features: Apr 2, 2004
Design, Features, and Applicability of Solaris File Systems: Mar 26, 2004
Securing the Sun Fire 12K/15K System Controller: Mar 19, 2004
Securing the Sun Fire 12K/15K Domains: Mar 12, 2004
Enterprise Network Design Patterns: High Availability: Feb 20, 2004
Performance Forensics: Feb 13, 2004
Migrating to the Solaris Operating System: Migrating From Tru64 UNIX: Feb 6, 2004
Tuning ORACLE to Minimize Recovery Time: For Solaris Operating System on SPARC: Feb 6, 2004
Securing Linux Systems With Host-Based Firewalls Implemented With Linux iptables: Jan 30, 2004
Securing Web Applications through a Secure Reverse Proxy: Jan 30, 2004
Hardware Replication Challenges: Jan 23, 2004
Solaris Volume Manager Performance Best Practices: Jan 23, 2004
Sun Fire 6800/4810/4800/3800 Systems Auto Diagnosis and Recovery Enhancements: Jan 16, 2004
Responding to a Customer's Security Incidents, Part 4: Processing Incident Data: Jan 9, 2004
Desktop Architecture Selection Guide: Dec 31, 2003
Sun ONE Portal Server 6 Best Practices: Dec 23, 2003
Migrating to the Solaris Operating System: Migration Strategies: Oct 31, 2003
Responding to Customer's Security Incidents--Part 3: Following Up After an Incident: Oct 31, 2003
Minimizing Domains for Sun Fire V1280, 6800, 12K, and 15K Systems, Part II: Oct 24, 2003
Using the LDAP to NIS+ Gateway: Oct 24, 2003
Deploying the Solaris Operating Environment Using a Solaris Security Toolkit CD: Oct 17, 2003
Minimizing Domains for Sun Fire V1280, 6800, 12K, and 15K Systems, Part I: Oct 17, 2003
Building Secure Sun Fire Link Interconnect Networks Using Sun Fire 15K and Sun Fire 12K Servers: Sep 26, 2003
Linux Overview for Solaris Users: Sep 26, 2003
Securing Sun Linux Systems: Part II, Network Security: Sep 26, 2003
Sun Fire V1280/Netra 1280 Server Considerations for Improving RAS: Sep 26, 2003
Sun ONE Portal Server and Lotus iNotes Integration Recipe: Sep 26, 2003
Transition Guide--Upgrading From the iPlanet Directory Server 5.1 Software to the Sun ONE Directory Server 5.2 Software: Sep 26, 2003
Capacity Planning as a Performance Tuning Tool—Case Study for a Very Large Database Environment: Sep 19, 2003
Securing Sun Linux Systems: Part I, Local Access and File Systems: Sep 19, 2003
Sun Fire 15K/12K Server Preferred Practices: Sep 19, 2003
Sun Grid Engine, Enterprise Edition—Configuration Use Cases and Guidelines: Sep 19, 2003
The IT Utility Model—Part I: Sep 19, 2003
Using filesync for Disaster Recovery, Business Continuance, and Mobility: Sep 19, 2003
Role Based Access Control and Secure Shell—A Closer Look At Two Solaris Operating Environment Security Features: Sep 12, 2003
Solaris Operating Environment Network Settings for Security: Updated for Solaris 9 Operating Environment: Sep 12, 2003
Using NTP on the Sun Fire 15K/12K Server: Sep 12, 2003
Consolidation Methodology: Sep 5, 2003
Using the Sun ONE Application Server 7 to Enable Collaborative B2B Transactions: Sep 5, 2003
An Architecture for Creating and Managing Integrated Software Stacks: Aug 29, 2003
Auditing System Security: Aug 29, 2003
Integrating the Secure Shell Software: Aug 29, 2003
Sun Cluster 3.0 Series: Guide to Installation—Part 2: Aug 29, 2003
Sun ONE Portal Server and Microsoft Exchange Integration Cookbook: Aug 29, 2003
Building a Global Compute Grid - Two Examples Using the Sun ONE Grid Engine and the Globus Toolkit: Aug 22, 2003
Configuring the Secure Shell Software: Aug 22, 2003
Responding to Customer's Security Incidents—Part 2: Executing a Policy: Aug 22, 2003
Sun Cluster 3.0 Series: Guide to Installation—Part 1: Aug 22, 2003
Sun Fire 6800/4810/4800/3800 Auto Diagnosis and Recovey Features: Aug 22, 2003
Provisioning in Replicated, Mission-Critical Environments: Aug 15, 2003
Responding to Customer's Security Incidents, Part 1: Establishing Teams and a Policy: Aug 15, 2003
Securing the Sun Fire 12K and 15K System Controllers: Aug 15, 2003
Writing an Authentication Plug-in for a Sun ONE Directory Server: Aug 15, 2003
Securing the Sun Cluster 3.x Software: Aug 8, 2003
Securing the Sun Fire 12K and 15K Domains: Aug 8, 2003
Understanding Gigabit Ethernet Performance on Sun Fire Servers: Aug 8, 2003
Using Midframe Servers to Build Secure Sun Fire Link Interconnect Networks: Aug 8, 2003
BluePrint for Benchmarking Success: Aug 1, 2003
System Management Services Software: An Inside Look: Aug 1, 2003
A Patch Management Strategy for the Solaris Operating Environment: May 23, 2003
Building OpenSSH—Tools and Tradeoffs: May 23, 2003
Configuring Databases Using Soft Links: May 23, 2003
Managing Shared Storage in a Sun Cluster 3.0 Environment With Solaris Volume Manager Software: May 23, 2003
Modeling Sun Cluster Availability: May 23, 2003
Performance Oriented System Administration For Solaris: May 23, 2003
A Strategy for Managing Performance: Apr 18, 2003
Solaris Operating Environment Security: Updated for Solaris 9 Operating Environment: Apr 18, 2003
Trust Modeling for Security Architecture Development: Apr 18, 2003
Understanding Solaris 9 Operating Environment Directory Services: Apr 18, 2003
A New Open Resource Management Architecture in the Sun HPC ClusterTools Environment: Feb 21, 2003
Campus Clusters Based on Sun Cluster Software: Feb 14, 2003
Memory Hierarchy in Cache-Based Systems: Feb 14, 2003
Designing Highly Available Architectures: A Methodology: Feb 7, 2003
Internet Protocol Network Multipathing (Update): Feb 7, 2003
Minimizing the Solaris Operating Environment for Security: Updated for Solaris 9 Operating Environment: Feb 7, 2003
Configuring Boot Disks With Solaris Volume Manager Software: Jan 24, 2003
Managing Data Centers With Sun Management Center Change Manager: Jan 24, 2003
SQL*Net Performance Tuning Using Underlying Network Protocols: Jan 24, 2003
Extending Authentication in the Solaris 9 Operating Environment Using Pluggable Authentication Modules (PAM): Part II: Jan 17, 2003
HPC Administration Tips and Techniques: Jan 17, 2003
Sun Fire Midframe Server Best Practices for Firmware Update 5.13.x: Jan 17, 2003
Extending Authentication in the Solaris 9 Operating Environment Using Pluggable Authentication Modules: Part I: Dec 27, 2002
Sun Fire Systems Design and Configuration Guide: Dec 27, 2002
Consolidation in the Data Center: Dec 20, 2002
Enterprise Network Design Patterns: High Availability: Dec 20, 2002
Introduction to the Solaris Cluster Grid - Part 2: Dec 20, 2002
Introduction to the Sun Cluster Grid, Part 1: Sep 26, 2002
Sun's Quality, Engineering, and Deployment (QED) Test Train Model: Sep 26, 2002
Customizing JumpStart Framework for Installation and Recovery: Sep 20, 2002
Sun StorEdge Instant Image 3.0 and Oracle8i Database Best Practices: Sep 20, 2002
Windows NT Server Consolidation and Performance Improvements with Solaris PC NetLink 2.0 Software: Sep 20, 2002
Sun ONE Portal Server 3.0 Rewriter Configuration and Management Guide: Sep 13, 2002
Securing the Sun Fire 12K and 15K Domains, Updated for SMS 1.2: Sep 6, 2002
Securing the Sun Fire 12K and 15K System Controllers, Updated for SMS 1.2: Sep 6, 2002
An Information Technology Management Reference Architecture Implementation: Aug 30, 2002
Reducing the Backup Window With Sun StorEdge Instant Image Software: Aug 30, 2002
An Information Technology Management Reference Architecture: Aug 16, 2002
Drill-Down Monitoring of Database Servers: Aug 16, 2002
LAN-Free Backups Using the Sun StorEdge Instant Image 3.0 Software: Aug 16, 2002
Network Storage Evaluations Using Reliability Calculations: Aug 16, 2002
Securing LDAP Through TLS/SSL: A Cookbook: Aug 16, 2002
Securing the Sun Fire Midframe System Controller: Aug 16, 2002
Deployment Considerations for Data Center Management Tools: Aug 9, 2002
Guide to Installation-Part II: Sun Cluster 3.0 Software Management Services: Aug 9, 2002
How Hackers Do It: Tricks, Tools, and Techniques: Aug 9, 2002
Metropolitan Area Sun Ray Services: Aug 9, 2002
Securing the Sun Cluster 3.0 Software: Aug 9, 2002
Guide to Installation, Part I: Sun Cluster Management Services: May 24, 2002
Service Level Agreement in the Solaris OE Data Center: May 24, 2002
Solaris OE Enterprise Management Systems Part I: Architectures and Standards: May 24, 2002
Solaris OE Storage Resource Management: A Practitioner's Approach: May 24, 2002
Sun Fire 3800-6800 Servers Dynamic Reconfiguration: May 24, 2002
Using Live Upgrade 2.0 With JumpStart Technology and Web Start Flash: May 24, 2002
Enterprise Quality of Service Part II: Enterprise Solution using Solaris Bandwidth Manager 1.6 Software: May 17, 2002
Introduction to SunTone Clustered Database Platforms: May 17, 2002
Securing the Sun Enterprise 10000 System Service Processors: May 17, 2002
Service Level Management in the Data Center: May 17, 2002
Solaris Application Performance Optimization: May 17, 2002
Using Live Upgrade 2.0 With a Logical Volume Manager: May 17, 2002
Establishing a Solaris OE Architectural Model: Apr 5, 2002
Configuring OpenSSH for the Solaris Operating Environment: Mar 22, 2002
Data Center Design Philosophy: Mar 22, 2002
Enterprise Quality of Service (QoS): Part I - Internals: Mar 22, 2002
Issues in Selecting a Job Management System: Mar 22, 2002
Managing Solaris Operating Environment Upgrades With Live Upgrade 2.0: Mar 22, 2002
Securing Sun Fire 15K Domains: Mar 22, 2002
Server Virtualization Using Trusted Solaris 8 Operating Environment: Mar 22, 2002
Sun Cluster 3.0 Implementation Guide: Hardware Setup: Mar 22, 2002

Sorry, this author hasn't posted any blogs.

Like this article? We recommend
Securing Systems with the Solaris Toolkit

This article provides information and recommendations for securing Linux operating systems with host-based firewalls. This article aims to provide readers with a template for constructing a host-based firewall that provides a useful layer of protection against the risks of exposing a system to internal and/or external users. Additionally, readers can gain an understanding of construction methods for host-based firewalls in general and Linux-based firewalls in particular. This article targets an intermediate audience.

The goal of this article is to provide the reader with a template for constructing a host-based firewall that provides a useful layer of protection against the risks of exposing a system to internal and/or external users. Additionally, the reader can gain an understanding of construction methods for host-based firewalls in general and Linux-based firewalls in particular.

This article is targeted for use with RedHat Advanced Server 2.1 and SuSE Enterprise Server 8, but most of the material applies to distributions based on Linux kernel version 2.4 and newer.

We assume that the reader is capable of creating basic Bourne shell scripts and can perform basic system administration tasks.

This article contains the following topics:

"Introduction"
"Why Use a Host-Based Firewall?"
"iptables"
"Creating a Host-Based Firewall Script"
"Installing the Firewall Rule Set"
"Removing the Firewall Rule Set"
"Verifying Firewall Services"
"Firewall Script Sample"
"About the Author"
"Related Resources"
"Ordering Sun Documents"
"Accessing Sun Documentation Online"

Introduction

In September 2001, Sun BluePrints™ OnLine published Martin Englund's article titled "Securing Systems with Host-Based Firewalls – Implemented With SunScreen_ Lite 3.1 Software." Since then, Sun Microsystems has introduced new products that are capable of running Linux in addition to Solaris™ X86. These new products prompted the writing of this article.

The character of this article is different from Martin Englund's article, because the tools that are offered under Linux and Solaris are quite different. SunScreen^™ is a mature product that is relatively easy to configure. The Linux iptables packet filter is not nearly as sophisticated, and more knowledge is required to implement firewalls that function correctly.

This document provides only part of the solution for securing Linux hosts. For more information about securing Linux hosts, refer to the following resources:

For information about system hardening, refer to the Sun BluePrints OnLine articles titled "Securing Sun Linux Systems: Part I, Local Access and File Systems" and "Securing Sun Linux Systems: Part II, Network Security."
For in-depth information about firewalls and protocols, refer to Building Internet Firewalls.

No security tool by itself is sufficient to defend a host against compromise. A good defense strategy consists of multiple layers. The application and the operating system it runs on have to be configured to run as securely as possible. The operating system should provide only services and software that are needed; access privileges should be configured as tightly as possible; and an application should be configured to run with the least amount of privileges possible. Additional tools such as Intrusion Detection Systems provide another layer of security, and are an indispensable part of a security engineer's toolbox.

Security tools are effective only if they are used by well-trained and qualified people. Security requires a thorough risk analysis and clearly documented policies and processes, which have to be kept up to date. The use of tools to automate security processes is highly recommended, because it lowers cost and improves reliability.

This article includes an example host-based firewall setup that is designed to protect a single system more effectively than a one-size-fits-all corporate firewall system. The firewall is of modest complexity, and is easier to verify.

Page 1 of 12 Next >

Discussions

Make a New Comment

You must log in in order to post a comment.

Related Resources

OnOpenSource (Audio + Video)

Recent Episodes

OnNetworking (Audio + Video)

Recent Episodes

See More Podcasts

Social Networking for the Anti-Socialites: By John Traenkenschuh on November 11, 2009 No Comments; How would Scrooge handle today's emphasis on social networking?