Zones group interfaces (and, optionally, source addresses) under a named trust level such as public, home, internal, dmz, trusted or drop. Each interface is bound to exactly one zone at a time, and interfaces not assigned explicitly fall into the default zone (public on most distributions; firewall-cmd --get-default-zone shows it).
Services, ports and rich rules are then enabled per zone: adding the dns or http service to a zone opens it only for traffic arriving through that zone's interfaces or from its source addresses.
Rules and access control
Rich rules are firewalld's extended rule language. A single rich rule combines a source or destination address, a service, port or protocol, optional logging or auditing, and an action (accept, reject, drop or mark), for example: allow HTTPS only from one source network and log each match. Rich rules carry no time-of-day condition, so a rule that should apply only during certain hours has to be added and removed by a scheduler (a cron job or systemd timer).
A service in firewalld terms is a named bundle of ports and protocols (optionally with destination addresses and connection-tracking helper modules), defined in an XML file under /usr/lib/firewalld/services/ or, for local overrides, /etc/firewalld/services/. firewall-cmd --get-services lists the available names.
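The zone, service and rich-rule pieces above fit together in one sequence. The script below is an added example, not from the original page: it stages a dedicated zone for a web host, opens HTTP to everyone and HTTPS only to a management network via a rich rule. The zone name dmz-web, interface eth0 and management network 203.0.113.0/24 are assumptions; firewall-cmd calls are only printed unless APPLY=1 is set and the script runs as root.

```shell
#!/bin/sh
# Added example (not the page's own commands): stage a firewalld zone for a web host.
# Assumptions: interface eth0, zone "dmz-web", management network 203.0.113.0/24.
# run() prints each firewall-cmd invocation unless APPLY=1 and we are root.

ZONE="${ZONE:-dmz-web}"
IFACE="${IFACE:-eth0}"
MGMT_NET="${MGMT_NET:-203.0.113.0/24}"

run() {
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Compose a rich rule: HTTPS allowed only from one source network, every match logged.
# Rich rules match on source/destination, service/port/protocol and action;
# there is no time-of-day clause, so scheduling has to come from outside firewalld.
rich_https_from() {
    printf 'rule family="ipv4" source address="%s" service name="https" log prefix="https-mgmt " level="info" accept' "$1"
}

setup_zone() {
    run firewall-cmd --permanent --new-zone="$ZONE"
    # Traffic that matches nothing in this zone is dropped; nothing is open by default.
    run firewall-cmd --permanent --zone="$ZONE" --set-target=DROP
    run firewall-cmd --permanent --zone="$ZONE" --add-interface="$IFACE"
    # Plain HTTP is open to all; HTTPS is restricted by the rich rule, so the
    # https service is deliberately NOT added to the zone.
    run firewall-cmd --permanent --zone="$ZONE" --add-service=http
    run firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(rich_https_from "$MGMT_NET")"
    # Permanent changes are inert until reloaded into the runtime configuration.
    run firewall-cmd --reload
}

setup_zone
```

Run it once without APPLY to review the plan, then with APPLY=1 as root to execute it; firewall-cmd --zone=dmz-web --list-all afterwards shows the service, the interface and the rich rule in place.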
ufw
ufw (Uncomplicated Firewall) is a wrapper around iptables. By default it blocks all incoming connections and allows all outgoing ones, so only the inbound side normally needs rules. The command targets specific ports (80/tcp for HTTP, 443/tcp for HTTPS, 53/udp for DNS) or application profiles. A profile is a small INI-style file in /etc/ufw/applications.d/ that maps a friendly name such as OpenSSH to a set of ports and protocols, so sudo ufw allow OpenSSH opens them together; sudo ufw app list shows the names available.
To open a port, for example: sudo ufw allow 8080/tcp. A rule can be restricted to a source network: sudo ufw allow from 203.0.113.0/24 to any port 8080 proto tcp.
To see active rules, sudo ufw status verbose; sudo ufw status numbered prefixes each rule with its number, and sudo ufw delete 1 removes rule number 1. Rules renumber after a deletion, so when removing several, delete the highest number first.
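The profile format itself is not shown above. The script below is an added example, not from the original page: it writes a profile for a hypothetical "Metrics" exporter on 9100/tcp, then opens it by name to a management network only, with a rate-limited SSH rule beside it. The profile is written to a scratch directory (PROFILE_DIR) so the script runs unprivileged; real profiles belong in /etc/ufw/applications.d/, and ufw commands are only printed unless APPLY=1 is set and the script runs as root.

```shell
#!/bin/sh
# Added example (not the page's own commands): a ufw application profile plus the rules that use it.
# Assumptions: hypothetical "Metrics" service on 9100/tcp, management network 203.0.113.0/24.
# PROFILE_DIR defaults to a temp directory; in production it is /etc/ufw/applications.d/.

PROFILE_DIR="${PROFILE_DIR:-$(mktemp -d)}"
MGMT_NET="${MGMT_NET:-203.0.113.0/24}"

run() {
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Profile format: one INI section per application. "ports" lists port/proto
# entries separated by "|", several ports of one protocol as 80,443/tcp,
# and ranges as first:last/proto.
write_profile() {
    cat > "$PROFILE_DIR/$1" <<EOF
[$1]
title=$2
description=$3
ports=$4
EOF
    printf '%s/%s\n' "$PROFILE_DIR" "$1"
}

plan() {
    write_profile Metrics "Metrics exporter" "Constructed example profile" "9100/tcp" >/dev/null
    run ufw app update Metrics             # re-read the profile after writing it
    run ufw default deny incoming
    run ufw default allow outgoing
    # The profile name stands in for its ports, and the rule is scoped to a source.
    run ufw allow from "$MGMT_NET" to any app Metrics
    run ufw limit 22/tcp                   # deny a source after 6 new connections in 30 s
    run ufw status numbered                # these numbers are what "ufw delete N" refers to
}

plan
```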
Implementations
Both iptables and nftables are user-space front ends to the kernel's netfilter framework, which exposes hooks at fixed points in the packet path (prerouting, input, forward, output and postrouting). The rules attached to those hooks decide whether inbound, outbound and forwarded packets are accepted, dropped, rejected or rewritten.
iptables
iptables organises rules into tables: filter (accept or drop decisions), nat (address and port translation), mangle (header and mark changes), raw (connection-tracking exemptions) and security (mandatory access control marking). Each table contains chains; a chain is an ordered list of rules, not a rule itself. The filter table's built-in chains are INPUT, OUTPUT and FORWARD; nat and mangle also have PREROUTING and POSTROUTING. Rules are evaluated top to bottom, the first match's target (ACCEPT, DROP, REJECT, LOG, or a jump to a user-defined chain) decides, and a packet that matches nothing gets the chain's policy.
INPUT inspects packets destined for local services, OUTPUT filters packets generated by local applications before they leave, and FORWARD filters packets passing through the host when it acts as a router or bridge (a path only taken if IP forwarding is enabled).
Example
To allow inbound SSH connections to port 22, we might use the following command:
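An added example, not code from the original page: the SSH rule together with the baseline rules that make a default-drop INPUT chain usable, written in iptables-restore format so the whole table is replaced atomically rather than rule by rule. The per-source cap on new SSH connections is an assumption about tolerable login rates, not something the page specifies.

```shell
#!/bin/sh
# Added example (not the page's own command): allow inbound SSH on 22/tcp inside a
# default-drop filter table, in iptables-restore format.
# Assumption: SSH may come from anywhere, but new connections are capped per source.
# The ruleset is printed unless APPLY=1 is set and the script runs as root.

filter_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-established flows first, so most packets match early
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP echo is useful for diagnostics and harmless at this rate
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# the SSH rule: new connections only, at most 4 per source per minute
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-upto 4/minute --hashlimit-burst 4 -j ACCEPT
# whatever reaches here is dropped by the chain policy; log a sample first
-A INPUT -m limit --limit 10/minute -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Number of rules that would be loaded (headers and comments excluded):
# a cheap sanity check to run before applying.
rule_count() {
    filter_rules | grep -c '^-A '
}

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    # -t parses and checks the ruleset without loading it; then the real load replaces the table
    filter_rules | iptables-restore -t && filter_rules | iptables-restore
else
    filter_rules
fi
```

The equivalent single command for just the SSH rule is sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT, but appended to a chain whose policy is still ACCEPT it changes nothing; the policy line and the conntrack rules above are what make the SSH rule meaningful.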
ipset is a complementary tool to iptables. It holds sets (hashes of addresses, networks, ports or combinations of them) that a single iptables rule can match against, so membership can change without rewriting rules. It can be used, for example, to keep a dynamic deny list of IP addresses and tie it back to iptables:
sudo ipset create deny_list hash:ip                                  # create an empty set keyed by IPv4 address
sudo ipset add deny_list 8.8.8.8                                     # add an address (Google's public resolver here) to the deny list
sudo ipset list deny_list                                            # show the set's parameters and members
sudo iptables -I INPUT 1 -m set --match-set deny_list src -j DROP    # one rule at the top of INPUT consults the whole set
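Where the deny list comes from is the interesting part. The script below is an added example, not from the original page: it counts failed SSH logins per source in a constructed syslog excerpt, emits an ipset restore script for every source at or above a threshold, and (with APPLY=1 as root) loads it and inserts the one iptables rule that consults the set. The set name deny_list matches the page; the threshold of 3 failures, the 24-hour entry timeout and the log lines are assumptions and constructed data.

```shell
#!/bin/sh
# Added example (not the page's own code): build an ipset deny list from failed-login
# evidence and bind it to iptables. Log lines are constructed; threshold and timeout
# are assumptions. Output is printed unless APPLY=1 is set and the script runs as root.

SET_NAME="${SET_NAME:-deny_list}"
THRESHOLD="${THRESHOLD:-3}"

# Constructed sshd log excerpt (syslog format) used as offline input.
sample_log() {
    cat <<'EOF'
Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Mar  3 10:01:05 host sshd[1203]: Failed password for root from 198.51.100.23 port 51030 ssh2
Mar  3 10:01:09 host sshd[1207]: Failed password for root from 198.51.100.23 port 51041 ssh2
Mar  3 10:02:11 host sshd[1210]: Accepted publickey for ops from 203.0.113.9 port 40022 ssh2
Mar  3 10:02:40 host sshd[1215]: Failed password for invalid user test from 192.0.2.77 port 33001 ssh2
Mar  3 10:03:01 host sshd[1219]: Failed password for root from 192.0.2.77 port 33010 ssh2
EOF
}

# Read log lines on stdin; print each source IP whose failed-password count reaches THRESHOLD.
offenders() {
    awk -v t="$THRESHOLD" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
        }
        END { for (ip in n) if (n[ip] >= t) print ip }' | sort
}

# Emit an ipset restore script. Entries expire after 24 h, so a mistaken block heals itself.
ipset_script() {
    printf 'create %s hash:ip timeout 86400\n' "$SET_NAME"
    offenders | while read -r ip; do
        printf 'add %s %s\n' "$SET_NAME" "$ip"
    done
}

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    # -exist makes create/add idempotent, so the same script can be re-run from cron
    sample_log | ipset_script | ipset -exist restore
    # One rule consults the whole set; -C checks for it so it is inserted only once.
    iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
        iptables -I INPUT 1 -m set --match-set "$SET_NAME" src -j DROP
else
    sample_log | ipset_script
fi
```

With the constructed input only 198.51.100.23 reaches three failures; 192.0.2.77 stays below the threshold and is not listed. In real use, replace sample_log with a tail of the authentication log and keep the timeout: a set with no expiry grows forever and eventually blocks a legitimate address that was once behind an attacker's NAT.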
nftables
nftables is the modern replacement that folds iptables, ip6tables, arptables and ebtables into a single kernel engine (nf_tables) with one syntax. Address families select what a table sees (ip, ip6, inet for both at once, arp, bridge, netdev); sets and maps replace long runs of near-identical rules; and a ruleset loaded from a file is applied atomically. Most current distributions ship iptables as iptables-nft, a compatibility layer that translates onto nf_tables, so both tools may be present, but they should not manage the same hooks.
# View the current configuration:
sudo nft list ruleset
# Add a new table with family "inet" (IPv4 and IPv6 together) and name "filter":
sudo nft add table inet filter
# Add an input chain whose policy accepts anything no rule matches (braces and semicolons are escaped from the shell):
sudo nft add chain inet filter input \{ type filter hook input priority 0 \; policy accept \; \}
# Add a rule accepting several TCP ports (service names are resolved through /etc/services):
sudo nft add rule inet filter input tcp dport \{ telnet, ssh, http, https \} accept
# Create a NAT table and postrouting chain, then translate all traffic from 192.168.0.0/24 to the host's public address:
sudo nft add table ip nat
sudo nft add chain ip nat postrouting \{ type nat hook postrouting priority 100 \; \}
sudo nft add rule ip nat postrouting ip saddr 192.168.0.0/24 masquerade
# Show rule handles for a chain (family, table and chain name):
sudo nft --handle --numeric list chain inet filter input
# Delete a rule by its handle:
sudo nft delete rule inet filter input handle 3
# Save the current configuration (the redirect must run as root too, hence sh -c; nft -f loads it back):
sudo sh -c 'nft list ruleset > /etc/nftables.conf'
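The commands above build a ruleset one piece at a time; in practice the ruleset lives in a file of the form nft list ruleset prints and nft -f loads. The script below is an added example, not from the original page: it writes a complete ruleset for a small router (default-drop input, SSH only from a management set, forwarding restricted to the LAN, masquerading on the uplink) and loads it only with APPLY=1 as root. The interface names lan0 and wan0, the LAN 192.168.0.0/24 and the management network 203.0.113.0/24 are assumptions; RULESET_FILE defaults to a temp path and would be /etc/nftables.conf in production.

```shell
#!/bin/sh
# Added example (not the page's own code): a complete nftables ruleset as a file.
# Assumptions: LAN 192.168.0.0/24 on lan0, uplink on wan0, management network
# 203.0.113.0/24, host acting as the LAN's router. The file is printed unless
# APPLY=1 is set and the script runs as root, in which case it is validated and loaded.

RULESET_FILE="${RULESET_FILE:-$(mktemp)}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

write_ruleset() {
    cat > "$RULESET_FILE" <<EOF
#!/usr/sbin/nft -f
# "flush ruleset" makes the load idempotent: this file is the whole policy.
flush ruleset

table inet filter {
    set mgmt {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, echo-request } accept
        # SSH only from the management set; anything unmatched falls to the drop policy
        ip saddr @mgmt tcp dport 22 accept
        tcp dport { 80, 443 } accept
        limit rate 10/minute log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # only the LAN may originate flows out through the uplink
        iifname "lan0" oifname "wan0" ip saddr $LAN_NET accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" ip saddr $LAN_NET masquerade
    }
}
EOF
    printf '%s\n' "$RULESET_FILE"
}

# Number of chains in the generated file, as a quick structural check.
chain_count() {
    grep -c '^ *chain ' "$RULESET_FILE"
}

write_ruleset >/dev/null
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    nft -c -f "$RULESET_FILE" && nft -f "$RULESET_FILE"   # validate first, then load atomically
else
    cat "$RULESET_FILE"
fi
```

Because the inet family carries both IPv4 and IPv6, the neighbour-discovery ICMPv6 types must be accepted explicitly or IPv6 on the host silently stops working under the drop policy; that line is the one most often missing from hand-written rulesets.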
IP Forwarding
IP forwarding in Linux is controlled by the sysctl net.ipv4.ip_forward, which is 0 by default; the IPv6 counterpart is net.ipv6.conf.all.forwarding. To let a machine function as a router it must be enabled. For the current session, set the value to 1 with sudo sysctl -w net.ipv4.ip_forward=1 and confirm with sysctl net.ipv4.ip_forward. To make the change permanent, add net.ipv4.ip_forward = 1 to /etc/sysctl.conf or to a drop-in such as /etc/sysctl.d/99-forwarding.conf and load it with sudo sysctl --system. Because forwarding makes the host route between all of its interfaces, put restrictive FORWARD-chain (or nft forward hook) rules in place before turning it on.