Friday, June 4, 2010

The system-config-firewall

The firewall rules in the kernel have been configured with iptables since the 2.4 kernel. There are a number of tools for configuring the firewall, from the iptables command line itself to Shorewall and various GUIs. The default firewall configuration tool on Fedora systems is called “Firewall Configuration”, which can be reached from System → Administration → Firewall in GNOME or from the command line via “system-config-firewall”.

This GUI lets you set which services may be reached over the network using a very simple interface. It defines a set of trusted services that can be enabled; to allow access, you simply check the box next to the entry. Each entry lists the service name, the port and protocol, and any additional iptables modules (connection-tracking helpers) it uses. So if you wanted to allow Samba access to the system, you would check the boxes next to the Samba and Samba Client services, as in the figure below.

system-config-firewall also provides more than service-level filtering. The “Trusted Interfaces” section lets you choose which interfaces are trusted on a system with several interfaces. A trusted interface is one to which no firewall rules are applied: every packet arriving on it is accepted. For instance, if eth0 faced the Internet and eth1 faced the local network, you might mark eth1 as trusted. This would allow all connections coming in on eth1 while applying the firewall rules to all other interfaces. Treat this with care: every host on the eth1 segment can then reach every listening service on the machine.

The “Other Ports” section lets you open ports that are not in the Trusted Services list. It pulls up a scrollable list of the ports and protocols defined in /etc/services, covering the well-known port numbers and protocol types. If the service you want is not listed, select User Defined and enter the port and protocol manually.

With the Firewall Configuration GUI you can also enable masquerading, which lets the system act as a router: other local machines can use it as a gateway, and their connections to the Internet are forwarded through it with the source address rewritten to the gateway's own. (This only works if IP forwarding, net.ipv4.ip_forward, is enabled in the kernel.) You can also define port forwarding; for instance, incoming connections on port 80 can be forwarded to another defined host, which is useful for exposing one specific service on a system behind the firewall. You define the incoming interface, protocol and port to forward, then the IP address to forward to and an optional alternative port (i.e., forwarding connections to port 8080 on the eth0 interface to port 80 on

Finally, you can change how the firewall handles ICMP (Internet Control Message Protocol) packets. By default all ICMP types are permitted, but here you can decide whether the system will respond to ping and other ICMP types. When you make changes, use the Apply button to save them and the Reload button to re-read and activate the firewall rules. If you want to see the actual iptables rules, the tool saves them to /etc/sysconfig/iptables, which the iptables service loads with the iptables-restore command. If you are comfortable with iptables you can edit that file from the command line, but note that the GUI regenerates it from its own settings, so hand edits are lost the next time you press Apply.
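To show what the GUI is actually producing, here is an added example (not from the original post or from system-config-firewall itself) that builds a ruleset in the iptables-save format written to /etc/sysconfig/iptables, covering the panels described above: trusted services and other ports, a trusted interface, masquerading, port forwarding and ICMP filtering. The interface names eth0 and eth1, the service list, the forwarding target 192.0.2.10 (a documentation address) and the choice of DROP for filtered ICMP types are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): build a ruleset in the
# iptables-save format that system-config-firewall writes to
# /etc/sysconfig/iptables, mirroring the GUI panels: trusted services,
# a trusted interface, masquerading, port forwarding and ICMP filtering.
# The interface names eth0/eth1, the service list and the forwarding
# target 192.0.2.10 (a documentation address) are assumptions.

# gen_fw_rules TRUSTED_IF EXT_IF "proto:port ..." [inport:dest_ip:destport] [icmp-type ...]
gen_fw_rules() {
    trusted_if=$1      # "Trusted Interfaces": traffic on it bypasses the filter
    ext_if=$2          # Internet-facing interface used for masquerading
    services=$3        # "Trusted Services" / "Other Ports" as proto:port pairs
    forward=$4         # optional "Port Forwarding" entry, or an empty string
    icmp_block=$5      # optional list of ICMP types to filter, or an empty string

    # Split the forwarding entry into its parts (all empty if not requested).
    in_port=""; dest_ip=""; dest_port=""
    if [ -n "$forward" ]; then
        in_port=${forward%%:*}
        rest=${forward#*:}
        dest_ip=${rest%%:*}
        dest_port=${rest#*:}
    fi

    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # ICMP: filtered types are dropped first, every other type is accepted
    # (using DROP for the filtered types is a choice of this example).
    for t in $icmp_block; do
        printf '%s\n' "-A INPUT -p icmp --icmp-type $t -j DROP"
    done
    cat <<EOF
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $trusted_if -j ACCEPT
EOF
    # One ACCEPT per checked service, matching only NEW connections.
    for svc in $services; do
        proto=${svc%%:*}
        port=${svc#*:}
        printf '%s\n' "-A INPUT -m state --state NEW -m $proto -p $proto --dport $port -j ACCEPT"
    done
    # Anything not matched above is rejected, the way the GUI's ruleset ends.
    cat <<EOF
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $trusted_if -j ACCEPT
EOF
    # A forwarded port needs a FORWARD accept as well as the DNAT in the nat table.
    if [ -n "$forward" ]; then
        printf '%s\n' "-A FORWARD -i $ext_if -p tcp -d $dest_ip --dport $dest_port -m state --state NEW -j ACCEPT"
    fi
    cat <<EOF
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
EOF
    if [ -n "$forward" ]; then
        printf '%s\n' "-A PREROUTING -i $ext_if -p tcp --dport $in_port -j DNAT --to-destination $dest_ip:$dest_port"
    fi
    # Masquerading: rewrite the source of everything leaving on the external interface.
    printf '%s\n' "-A POSTROUTING -o $ext_if -j MASQUERADE"
    echo COMMIT
}

# Stand-alone run: print the ruleset for the assumed setup (eth1 trusted LAN,
# eth0 Internet, SSH and Samba allowed, port 8080 forwarded to a LAN web host,
# ping requests filtered).
gen_fw_rules eth1 eth0 "tcp:22 tcp:445 udp:137 udp:138 tcp:139" "8080:192.0.2.10:80" "echo-request"
```

Redirect the output into /etc/sysconfig/iptables and run "service iptables restart" (or feed it straight to iptables-restore) to load it; for masquerading to pass traffic, net.ipv4.ip_forward must also be set to 1. Note the ordering the generator enforces: the trusted-interface and per-service ACCEPT rules sit before the final REJECT, and the ICMP DROP rules sit before the catch-all ICMP ACCEPT, since iptables takes the first matching rule in a chain.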

To enable iptables:

                # chkconfig iptables on

To start iptables service in the command line:

                # service iptables start

To stop iptables services from the command line:

                # service iptables stop

To restart iptables:

                # service iptables restart

Iptables has a great many options and can express very sophisticated firewall policies, as tools like Shorewall prove.
