A firewall is in charge of filtering data and handling traffic on the local network or workstation. To do this it enforces rules applied on the server, so that data traffic flows comfortably and so that applications or instructions prone to misuse by the user, or to remote attack by some intruder on the Internet, stay disabled.
A firewall is regarded as a protective application against attacks on the system's ports. One example is the famous, simple but very harmful DoS (Denial of Service) attack, which tries to send massive numbers of packets to the system, saturating the bandwidth of our Internet connection until it takes over all of it and leaves our modem inactive, so that our signal to the main server gets no response and is lost, showing us a Ping timeout. Other attacks are more harmful, such as malicious code planted in downloads of free software packages. A firewall can prevent all that and much more. That is its main function: blocking the passage of code or files that we do not want to get through, or limiting transfer use by putting up a barrier around our system.
Kinds of Firewalls:
The firewall is in charge of controlling the entry and exit of data on a local or remote server, since it is what offers, denies or accepts requests from a remote terminal, controlling the server's protocols on the used and commonly known ports of the GNU/Linux system.
Next, I will list the ports most commonly used by a server or a workstation:

    Number  Name            Daemon
    80      HTTP            apache/apache2
    25      SMTP            smtpd
    110     POP3            pop3
    21      FTP             *FTPD
    23      TELNET          telnetd
    22      SSH             sshd
    443     HTTP with SSL
    992     POP3 with SSL
    631     CUPS            Printer Linux
    3306    MySQL           MySQL Server

These protocols are the reason a firewall does its work: to allow good data transfer and to keep out malicious data that could damage the system during a transfer on a local server.
Now we will explain in practice how this happens, with some demonstrations from the GNU/Linux console.

    gin@gin:~$ netstat -l
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 *:sunrpc                *:*                     LISTEN
    tcp        0      0 *:ftp                   *:*                     LISTEN
    tcp        0      0 localhost.localdoma:ipp *:*                     LISTEN
    tcp        0      0 localhost.localdom:smtp *:*                     LISTEN
    tcp6       0      0 *:81                    *:*                     LISTEN
    tcp6       0      0 *:ssh                   *:*                     LISTEN
    tcp6       0      0 ip6-localhost:smtp      *:*                     LISTEN
    udp        0      0 *:bootpc                *:*
    udp        0      0 *:sunrpc                *:*

Here we can see that the protocols are TCP, TCP6 (new version) and UDP. The protocols serve the server daemons: *:ftp (ProFTPD), *:81 (HTTP/Apache server; the default port is 80, but I changed it :) ), *:ssh (Secure Shell server), localhost.localdom:smtp (SMTPD, “Simple Mail”) and other services. All of them are in the LISTEN state on their ports, but the udp entries are not listening, because the Iptables firewall by default does not run UDP protocols, for the security of the system, and besides they cannot LISTEN because they are applications for the system's personal use. We can also see that Apache, SSH and SMTP are on the TCP6 protocol; that is because the servers default to the new TCP version.
To continue, we will check how the statistics work on the server.

    gin@gin:~$ netstat -s
    Ip:
        3895922 total packets received
        0 forwarded
        0 incoming packets discarded
        3895920 incoming packets delivered
        3887058 requests sent out
    Icmp:
        478 ICMP messages received
        15 input ICMP message failed.
        ICMP input histogram:
            destination unreachable: 438
            timeout in transit: 15
            echo requests: 22
            echo replies: 3
        3059 ICMP messages sent
        0 ICMP messages failed
        ICMP output histogram:
            destination unreachable: 3037
            echo replies: 22
    Tcp:
        3850 active connections openings
        6015 passive connection openings
        0 failed connection attempts
        72 connection resets received
        4 connections established
        3867894 segments received
        3869722 segments send out
        4457 segments retransmited
        0 bad segments received.
        11432 resets sent
    Udp:
        24511 packets received
        3037 packets to unknown port received.
        0 packet receive errors
        14283 packets sent
    TcpExt:
        3 resets received for embryonic SYN_RECV sockets
        438 ICMP packets dropped because they were out-of-window
        1065 TCP sockets finished time wait in fast timer
        181904 delayed acks sent
        1 delayed acks further delayed because of locked socket
        Quick ack mode was activated 107 times
        1740027 packets directly queued to recvmsg prequeue.
        20258879 of bytes directly received from backlog
        180669753 of bytes directly received from prequeue
        288989 packet headers predicted
        1567652 packets header predicted and directly queued to user
        21106 acknowledgments not containing data received
        1714731 predicted acknowledgments
        16 times recovered from packet loss due to SACK data
        Detected reordering 4 times using FACK
        1 congestion windows partially recovered using Hoe heuristic
        93 congestion windows recovered after partial ack
        4 TCP data loss events
        3 timeouts after reno fast retransmit
        14 timeouts after SACK recovery
        7 timeouts in loss state
        29 fast retransmits
        14 forward retransmits
        35 retransmits in slow start
        1698 other TCP timeouts
        3 sack retransmits failed
        68 times receiver scheduled too late for direct processing
        52 DSACKs sent for old packets
        67 DSACKs received
        27 connections reset due to unexpected data
        42 connections reset due to early user close
        2 connections aborted due to timeout

Now you can see the statistics of the server, which the system saves in a log by default: Ip, Icmp, Tcp, Udp and TcpExt. All of them show reasonably good traffic with minimal problems.
Now it is time to demonstrate how we can configure our firewall suitably for good data traffic over the protocols, and this will be demonstrated with IPTables. We will use the commands in a logical order; if you do not understand the commands very well, you will learn them in the Linux Iptables section.

    gin@gin:~$ /sbin/iptables -A INPUT -i eth0 -p tcp --sport 81 -j ACCEPT
    FATAL: Error inserting ip_tables (/lib/modules/2.6.10-5-k7/kernel/net/ipv4/netfilter/ip_tables.ko): Operation not permitted
    iptables v1.2.11: can't initialize iptables table `filter': Permission denied (you must be root)
    "First you should be sure that you're super user (root) :)"
    root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --sport 81 -j ACCEPT
    root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --dport 81 -j ACCEPT
    root@gin:~ #

Ready. Now we can see that I accept input from any IP, because I did not specify an IP for access to the web, with sport (origin) and dport (destination) port “80”, Ethernet “eth0” (Main Board), protocol TCP. http://giin.us to verify.

    root@gin:~ # ssh -l gin pc.giin.us
    The authenticity of host 'pc.giin.us (126.96.36.199)' can't be established'.
    RSA key fingerprint is a9:9f:b0:9a:ba:9d:f2:29:8a:88:38:5f:f6:27:e4:80.
    Are you sure you want to continue connecting (yes/no)?
    "Until now it works, before the command"
    root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --sport ssh -j DROP
    root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --dport ssh -j DROP
    "This was tested to a remote user."
    uclagyl@0[~]$ ssh -l david pc.giin.us
    ssh: connect to host pc.giin.us port 22: Connection timed out
    uclagyl@0[~]$

In this case the DROP target was used, which means deny. This verifies that the IPTables firewall commands work, and we can determine the security of that application (IPTables).
Now, we will test with port 25 SMTP (Simple Mail Transfer Protocol).

    gin@gin:~$ telnet pc.giin.us 25
    Trying 188.8.131.52...
    Connected to pc.giin.us.
    Escape character is '^]'.
    220 pc.giin.us ESMTP Postfix (Debian)
    "Before the Command"
    root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -j DROP
    root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --sport 25 -j DROP
    root@gin:~ # /sbin/iptables -A OUTPUT -p tcp --sport 25 -j DROP
    root@gin:~ # /sbin/iptables -A OUTPUT -p tcp --dport 25 -j DROP
    root@gin:~ # telnet pc.giin.us 25
    Trying 184.108.40.206...
    telnet: Unable to connect to remote host: Connection timed out
    root@gin:~ #

Here you can note that OUTPUT does not accept “-i eth0” to declare a deny for a port. This is because “eth0” does not work with OUTPUT, only with INPUT, so OUTPUT is for denying the user who operates the server locally.
Now we will enable it.

    root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
    root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --sport 25 -j ACCEPT
    "Now look at the result"
    root@gin:~ # telnet pc.giin.us 25
    Trying 220.127.116.11...
    Connected to pc.giin.us.
    Escape character is '^]'.
    220 pc.giin.us ESMTP Postfix (Debian)

And now with ssh:

    root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --sport ssh -j ACCEPT
    root@gin:~ # /sbin/iptables -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
    "The testing. :)"
    root@gin:~ # ssh -l pc.giin.us
    The authenticity of host 'pc.giin.us (18.104.22.168)' can't be established'.
    RSA key fingerprint is a9:9f:b0:9a:ba:9d:f2:29:8a:88:38:5f:f6:27:e4:80.
    Are you sure you want to continue connecting (yes/no)?

Now you can see that the IPTables commands work perfectly.
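The rule sets built up in the sessions above can be audited offline. The following is an added example, not part of the original page: it reads rules in `iptables -S` format and flags an INPUT ACCEPT that matches on `--sport` alone (as with the port 81 rule) and a rule appended with `-A` after an earlier rule that has the same match and a different target (as with the ssh DROP followed by the ssh ACCEPT), since iptables stops at the first matching rule. The function names and both sample rule sets are constructed for illustration.

```sh
#!/bin/sh
# Added example. Both rule sets below are constructed samples in
# `iptables -S` format, not captured output.
# The page's session: port 81 accepted, ssh DROP appended, ssh ACCEPT appended later.
page_rules() {
cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 81 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 81 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --sport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

# One corrected form (an assumption, not the author's rules): replies are
# admitted by connection state, services by destination port only.
fixed_rules() {
cat <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 81 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

# audit_rules: read rules on stdin, print one finding per line.
audit_rules() {
awk '
$1 != "-A" { next }
{
    num = ++count[$2]; target = ""; m = ""
    for (i = 3; i <= NF; i++) {
        if ($i == "-j") { target = $(i + 1); break }
        m = m " " $i
    }
    key = $2 m
    # First match wins: a later rule with the same match never fires.
    if ((key in seen) && verdict[key] != target)
        printf "SHADOWED rule %d (%s) by rule %d (%s):%s\n", num, target, seen[key], verdict[key], m
    if (!(key in seen)) { seen[key] = num; verdict[key] = target }
    # Source port is chosen by the sender, so this admits any local port.
    if ($2 == "INPUT" && target == "ACCEPT" && m ~ /--sport/ && m !~ /--dport/)
        printf "SPORT-ONLY rule %d:%s\n", num, m
}'
}
page_rules | audit_rules
```

The shadowing check only catches rules whose match is textually identical; on a live system the same function can be fed from `iptables -S INPUT`.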
This demonstrates, at a basic level, how we can deny and accept ports in order to allow traffic on our server, and likewise how to deny certain IPs with iptables so as to refuse packets that may be corrupt or massive for our server. In this way we avoid being attacked by some DoS (Denial of Service), or we deny certain IPs access to our ports and give access only to those to whom we grant permission to reach our server.
If we were to recommend a good firewall, without a doubt we would advise IPTables, because of how well it works with the operating system and its interaction with the kernel. We can say that it is the most complete firewall that exists on any operating system platform. The more graphical and console firewalls are front-ends to IPTables, and it is for that reason that we suggest pure IPTables itself.
If you want to learn more about the IPTables firewall, go to the Linux IPTables section.
All the tests were verified on Debian GNU/Linux.
— Jesus Lugo 2005/11/17 10:04