Securing Linux Systems With Host-Based Firewalls Implemented With Linux iptables
The goal of this article is to provide the reader with a template for constructing a host-based firewall that provides a useful layer of protection against the risks of exposing a system to internal and/or external users. Additionally, the reader can gain an understanding of construction methods for host-based firewalls in general and Linux-based firewalls in particular.
This article is targeted for use with RedHat Advanced Server 2.1 and SuSE Enterprise Server 8, but most of the material applies to distributions based on Linux kernel version 2.4 and newer.
We assume that the reader is capable of creating basic Bourne shell scripts and can perform basic system administration tasks.
This article contains the following topics:
"Why Use a Host-Based Firewall?"
"Creating a Host-Based Firewall Script"
"Installing the Firewall Rule Set"
"Removing the Firewall Rule Set"
"Verifying Firewall Services"
"Firewall Script Sample"
"About the Author"
"Ordering Sun Documents"
"Accessing Sun Documentation Online"
In September 2001, Sun BluePrints OnLine published Martin Englund's article titled "Securing Systems with Host-Based Firewalls Implemented With SunScreen_ Lite 3.1 Software." Since then, Sun Microsystems has introduced new products that are capable of running Linux in addition to Solaris X86. These new products prompted the writing of this article.
The character of this article is different from Martin Englund's article, because the tools that are offered under Linux and Solaris are quite different. SunScreen is a mature product that is relatively easy to configure. The Linux iptables packet filter is not nearly as sophisticated, and more knowledge is required to implement firewalls that function correctly.
This document provides only part of the solution for securing Linux hosts. For more information about securing Linux hosts, refer to the following resources:
For information about system hardening, refer to the Sun BluePrints OnLine articles titled "Securing Sun Linux Systems: Part I, Local Access and File Systems" and "Securing Sun Linux Systems: Part II, Network Security."
For in-depth information about firewalls and protocols, refer to Building Internet Firewalls.
No security tool by itself is sufficient to defend a host against compromise. A good defense strategy consists of multiple layers. The application and the operating system it runs on have to be configured to run as securely as possible. The operating system should provide only services and software that are needed; access privileges should be configured as tightly as possible; and an application should be configured to run with the least amount of privileges possible. Additional tools such as Intrusion Detection Systems provide another layer of security, and are an indispensable part of a security engineer's toolbox.
Security tools are effective only if they are used by well-trained and qualified people. Security requires a thorough risk analysis and clearly documented policies and processes, which have to be kept up to date. The use of tools to automate security processes is highly recommended, because it lowers cost and improves reliability.
This article includes an example host-based firewall setup that is designed to protect a single system more effectively than a one-size-fits-all corporate firewall system. The firewall is of modest complexity, and is easier to verify.