As soon as networking is enabled, it opens a system up to a massive array of attacks. In order to help mitigate against many network attacks, it is of paramount importance that the system firewall be configured correctly.
Cucumber Linux uses the standard Linux firewall: Iptables. Configuring Iptables can be a very complicated task. This page will cover how to set up reasonable default firewall rules. Every other page that instructs you on how to modify the firewall rules will assume that you are using the firewall rules from this section. Additionally, this section will cover how Iptables is integrated with Cucumber Linux, including how to change the default firewall rules and set Iptables to be active when the system boots.
There are two different flavors of Iptables: one for IPv4 and one for IPv6. These two flavors both run at the same time, but are configured independently of each other. The IPv4 version of Iptables is controlled by the iptables command, and the IPv6 version is controlled by the ip6tables command. Other than the difference in the command, the two flavors work much the same. Much of this section will use only the iptables command; however, the instructions can be applied just as easily for IPv6 by replacing the iptables command with the ip6tables command.
To list the currently active firewall rules, run the command # iptables -nvL. The -n flag tells Iptables not to resolve numbers to their service names, -v tells it to be verbose and show columns that would otherwise be hidden and -L tells it to list the currently active rules. On a default Cucumber Linux installation, the output of the command should look similar to the following:
root@cucumber:~# iptables -nvL iptables -nvL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
This indicates that there are no firewall rules currently active, as is the default in Cucumber Linux 1. Notice that the output of the command is broken down into different chains. Rules under the INPUT chain will be applied to incoming network traffic, while rules under the OUTPUT will be applied to outbound traffic. The FORWARD chain is used by routers and plays a less significant role on systems that are not routers. Also note the policy for each chain is set to ACCEPT. The policy for a chain is effectively the default rule that will be applied if no other rules on the chain match a packet. In this case, since there are no other rules and the policy (default rule) is ACCEPT, all traffic will be allowed through the firewall.
When writing firewall rules, it is considered best practice to block all traffic by default, and then allow only the traffic you need through the firewall. In Iptables, this is accomplished by changing the policy from ACCEPT to DENY for the INPUT and FORWARD chains. This is accomplished by running the following commands (warning: this will temporarly block all your network traffic).
root@cucumber:~# iptables -P INPUT DROP root@cucumber:~# iptables -P FORWARD DROP
It is generally considered permissible practice to allow all outbound traffic since attackers are usually trying to break in from the outside, not the other way around. Now, we will allow incoming traffic that is related to connection that is already established. What this means is that if the local system starts a conversation with a remote system the remote system will be allowed to reply, but a remote system will be unable to start a new conversation with the local system. This is accomplished by running the following command:
root@cucumber:~# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
As you may have noticed, there are a lot of different flags that can be used with Iptables. Explaining them all is beyond the scope of this guide; however, they are all very well documented in the Iptables manual. This manual can be accessed by running the command man iptables.
If you run iptables -nvL now, you will see the new firewall rules shown below.
root@cucumber:~# iptables -nvL iptables -nvL Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
While not complete for every setup, this is a good set of firewall rules to start with if in doubt. These rules should work well on a desktop system. It is for server systems that they will require additional modification. The exact setup required for each server will be unique and will be covered in detail in chapter four.
By default, Iptables does not save any modifications to the firewall rules across reboots. To address this, Cucumber Linux provides a script for saving and restoring Iptables rules at /etc/init.d/iptables
. This single script controls both the IPv4 and IPv6 flavors of Iptables and allows for one of the following five arguments:
save | Saves the current firewall rules (IPv4 & IPv6), making the new default. |
panic | Puts the system firewall into a “panic” state, temporarily blocking all network traffic. |
clear | Clears the current firewall rules, allowing for all traffic to pass in and out. |
stop | Same as clear. |
start | Loads the default rules (IPv4 & IPv6), making them the currently active firewall rules. |
So to save the current rules, run:
root@cucumber:init.d# /etc/init.d/iptables save
Even after doing this; however, the firewall rules will still not get loaded when the system boots. In order to have the default firewall rules go into effect when the system boots, it is necessary to enable the iptables service on boot (it is disabled by default). Instructions for doing this can be found in the service management page.