Throughout these notes, LOGIN stands for your actual login and MACHINE for the actual name of your machine.
Computer networks rely primarily on dedicated components
called firewalls to protect the internal computer systems.
For example, our Computer Science machines are separated
from the internet by two firewalls,
one between these machines and the University network, and
the other between the University network and the internet.
It is, of course, important to
have a firewall on the system itself, called a host-based firewall,
primarily to serve as a filtering function for unwanted
inbound network traffic.
The modern
Linux host-based firewall relies on a kernel-based system called
netfilter which regulates and manipulates the flow of network
packets moving in, out, or through the server.
The Linux iptables software provides a user-space tool for
managing netfilter. If you know what you're doing, you can completely
manage the firewall functions using only iptables command calls.
The iptables tool allows you to manipulate three standard tables
which provide rules for dealing with packets. Within each table the rules
are organized into ordered sequences called chains.
filter: the default and most basic table, consisting of three
built-in chains: INPUT, OUTPUT, FORWARD
nat: network address translation;
one common usage is the form
called MASQUERADE for routing multiple private IP addresses through
a single public IP address
mangle: for changing certain packet fields prior to local delivery
The actions (called targets) that a rule can take are:
accept the packet, reject it with a message sent back to the sender,
drop it silently, log information about it (and keep going),
or jump to another chain.
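As an added example (not part of the original notes), here is the policy that the ufw experiment in these notes arrives at, written directly as iptables rules, so that the filter table, its built-in chains, a user-defined chain and the accept/reject/drop/log/jump actions can be seen in use. The chain name LOGDROP, the log prefix and the APPLY/DRY_RUN switches are this script's own conventions; nothing is applied unless APPLY=1 is set and the script runs as root, otherwise every command is printed for review.

```shell
#!/bin/sh
# Minimal host-based firewall expressed as iptables rules (example code,
# not from the course notes). Every rule goes to the "filter" table, which
# is the default when no -t option is given.

IPT="iptables"

# Either execute a command or print it, depending on DRY_RUN.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_firewall() {
    # Flush all rules and delete user-defined chains in the filter table.
    run $IPT -F
    run $IPT -X

    # A user-defined chain (assumed name LOGDROP) that logs a packet and
    # then drops it; "-j LOGDROP" elsewhere is the "jump" action. The rate
    # limit keeps a flood from filling the log.
    run $IPT -N LOGDROP
    run $IPT -A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "HOST-FW DROP: "
    run $IPT -A LOGDROP -j DROP

    # Default policies for the three built-in chains: drop inbound and
    # forwarded traffic that matches no rule, allow outbound.
    run $IPT -P INPUT DROP
    run $IPT -P FORWARD DROP
    run $IPT -P OUTPUT ACCEPT

    # Loopback traffic and replies to connections this host opened.
    run $IPT -A INPUT -i lo -j ACCEPT
    run $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Echo requests, as ufw allows by default for basic monitoring.
    run $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # The two services opened in the experiment: ssh/tcp and www/tcp.
    run $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    run $IPT -A INPUT -p tcp --dport 80 -j ACCEPT

    # REJECT answers the sender (here with a TCP reset) instead of the
    # silence of DROP; shown for the ident port as an example of "reject".
    run $IPT -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Everything else on INPUT: log, then drop.
    run $IPT -A INPUT -j LOGDROP
}

# Apply for real only when explicitly asked to and running as root.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    DRY_RUN=0
else
    DRY_RUN=1
fi
apply_firewall
```

Run it without arguments to review the rules it would install; run it as root with APPLY=1 to install them. Unlike ufw, plain iptables rules are not persistent across a reboot unless something saves and restores them.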
UFW
Due to the complexity of using iptables,
there are many front end tools, both command-line and GUI-based, which
simplify and hide the direct usage of iptables. In Ubuntu,
the most basic tool is ufw, standing for
"uncomplicated firewall". It is so simple to use that,
in retrospect, I should have introduced it earlier in
the notes.
ufw, by default, is disabled. In the isolated subnet in which your
machine resides, this is not really a problem. Nevertheless, it is important
to understand how to use it.
It is useful to see the effect of the firewall while you manipulate it.
Experiment
Open 3 terminal shells, which we'll refer to as:
the control shell: run this as a root shell;
here we'll give the ufw commands.
the taz shell: log into taz;
from here we will attempt connections into MACHINE.
the log shell: here we'll watch the log to see the effect of dropped connections.
First of all, from the control shell, enable the firewall:
# ufw enable
Then follow these steps:
Step 1.
  control: # ufw logging on
  log:     $ tail -f /var/log/messages | grep "DPT=22"
Step 2.
  taz:     $ ssh LOGIN@MACHINE          (Failed)
  log:     observe the dropped packet
Step 3.
  control: # ufw allow ssh/tcp
  taz:     Ctrl-C, then
           [taz]$ ssh LOGIN@MACHINE
           [MACHINE] $ exit
  log:     no drop now
Step 4.
  log:     Ctrl-C
  taz:     [taz]$ ping MACHINE            (OK)
Step 5.
  log:     $ tail -f /var/log/messages | grep "DPT=80"
  taz:     [taz]$ links http://MACHINE    (Failed)
  log:     observe the dropped packet
Step 6.
  control: # ufw allow www/tcp
  taz:     Ctrl-C, then
           [taz]$ links http://MACHINE    (OK)
  log:     no drop now
Step 7.
  control: # ufw logging off
The file /etc/services contains network
port names and numbers.
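The log shell in the experiment above filters the kernel log by destination port. As an added example, not from the notes, the shell function below summarises everything ufw has blocked, per source address, protocol and destination port, so that a repeated probe of one port stands out. The log lines are constructed for this example in the format the netfilter LOG target writes (ufw marks blocked packets with the prefix [UFW BLOCK]); the host name MACHINE, the addresses and the timestamps are made up.

```shell
#!/bin/sh
# Summarise blocked inbound packets from a ufw log (example code, not from
# the course notes).

# Constructed sample log lines: two blocked ssh attempts from one source,
# one blocked http attempt from another, plus an allowed packet and an
# unrelated sshd line that the summary must ignore.
SAMPLE_LOG='Mar  3 10:01:02 MACHINE kernel: [ 812.120] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:03 MACHINE kernel: [ 813.004] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:09 MACHINE kernel: [ 819.330] [UFW BLOCK] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.9 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:11 MACHINE kernel: [ 821.000] [UFW ALLOW] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=10.0.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Mar  3 10:01:12 MACHINE sshd[1234]: Accepted publickey for LOGIN from 10.0.0.7 port 51002 ssh2'

# Read log lines on stdin; print "COUNT SRC PROTO DPT" for every blocked
# source/port pair, busiest pair first. Only [UFW BLOCK] lines are counted.
blocked_summary() {
    grep 'UFW BLOCK' |
    awk '{
        src = ""; dpt = ""; proto = ""
        # Walk the KEY=VALUE fields that the LOG target writes.
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
        }
        if (src != "" && dpt != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' |
    sort -rn
}

# Run on the constructed sample. On a live system feed the real log in
# instead, e.g.  blocked_summary < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | blocked_summary
```

The grep keeps only blocked packets, so allowed traffic and other kernel lines never reach the counter; if you turn logging to a higher level with ufw logging medium or full, the allowed packets appear in the same format and can be summarised the same way.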
The UFW firewall makes some default
assumptions about opening certain ports/protocols;
for example, ICMP (ping) is open to permit basic network monitoring.
The key UFW directory is:
/etc/ufw
Within this directory, the subdirectory applications.d holds
firewall rules needed by applications you've installed on the system. Try:
$ sudo ufw app list
To enable OpenSSH services, you need to know nothing about ports, just:
$ sudo ufw allow OpenSSH
Firewall Persistence
Every configuration step that you've done so far
in the control shell is
remembered: the firewall will still be on after a
system reboot, and so will all the changes you've made.
To disable the firewall (temporarily), do:
$ sudo ufw disable
Using nmap
The nmap utility is one of many useful tools for analyzing the security
settings of network accessibility. It is most effective if run as root
from an external system.
It is also considered somewhat invasive from
a security administrator's perspective,
so one should be careful about general usage.
This section assumes that
you have established the virtual machine, vm0, as described in
the Virtualization with KVM document.
Start the virtual machine:
$ sudo virsh start vm0
Access vm0 by virt-viewer or ssh. As usual,
commands in vm0 are denoted by:
[vm0] $ ...
We want to
install nmap on vm0. The firewall on
MACHINE will be blocking vm0's access
to the internet. Let's temporarily disable it:
$ sudo ufw disable
Then install nmap on vm0:
[vm0] $ sudo apt-get install nmap
Assuming that the virtual host's address, as seen from vm0, is 192.168.122.1, we do:
[vm0] $ sudo nmap 192.168.122.1
If you've created a name for this in /etc/hosts, use that, because it's simpler.
This gives a TCP port scan listing all open ports which have services.
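A scan result is most useful when it is checked against what the firewall is supposed to allow. As an added example that is not part of the notes, the functions below read nmap's greppable output (the -oG option) and report any open port that is not on an allow-list; the sample scan result is constructed for this example, and the allow-list "tcp/22 tcp/80" matches the two services opened in the ufw experiment.

```shell
#!/bin/sh
# Audit an nmap greppable scan against an allow-list (example code, not
# from the course notes).

# Constructed sample of "nmap -oG -" output for the virtual host: ssh and
# http open as intended, smtp closed, and rpcbind open unexpectedly.
# Fields after "Host:" are tab separated, which is why printf builds it.
SAMPLE_SCAN=$(printf '# Nmap scan initiated (constructed sample) as: nmap -oG - 192.168.122.1\nHost: 192.168.122.1 ()\tStatus: Up\nHost: 192.168.122.1 ()\tPorts: 22/open/tcp//ssh///, 25/closed/tcp//smtp///, 80/open/tcp//http///, 111/open/tcp//rpcbind///\tIgnored State: filtered (996)\n# Nmap done\n')

# Read -oG output on stdin; print "proto/port" for every port reported
# open, one per line. Each port entry has the form
# port/state/protocol/owner/service/rpc info/version/.
open_ports() {
    awk -F'\t' '/^Host:/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
            n = split(substr($i, 8), entries, ", ")
            for (j = 1; j <= n; j++) {
                split(entries[j], f, "/")
                if (f[2] == "open") print f[3] "/" f[1]
            }
        }
    }'
}

# Compare the open ports on stdin with a space-separated allow-list of
# "proto/port" values; print each unexpected one and return 1 if any.
unexpected_ports() {
    expected=" $1 "
    found=0
    for p in $(open_ports); do
        case "$expected" in
            *" $p "*) ;;
            *) echo "unexpected open port: $p"; found=1 ;;
        esac
    done
    return $found
}

# Run on the constructed sample. For a live check from vm0 pipe the scan
# in instead:  sudo nmap -oG - 192.168.122.1 | unexpected_ports "tcp/22 tcp/80"
if printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "tcp/22 tcp/80"; then
    echo "only the expected ports are open"
fi
```

A port that shows up as unexpected means either a service is listening that you did not intend to expose or the firewall rule set is wider than you think; compare with sudo ufw status and with the listening sockets on the host before deciding which it is.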
To get UDP ports (this takes some time):