Page 1 of 2 (results 1 to 10 of 12)

Thread: Firewall issues

  1. #1

    Firewall issues

    Hello

    I last used an rpm based distro in 2003 (Redhat 9.3). Years of working with Debian, Ubuntu etc. and subsequent use of port (on BSD) and ufw (on Ubuntu) had almost made me forget iptables.

    So, I am looking at a new OpenSuSE server that has to have a good firewall and staring at /etc/sysconfig/SuSEfirewall2.

    I need the following,

    * the firewall should reject all traffic from hosts with IPs outside of the class A 10.x.x.x subnet (this is first and foremost).
    * From 10.x.x.x hosts, I want to further restrict ports.

    I am dividing my network into an external and internal zone.

    I do not know how to deal with a demilitarized zone (though this sounds like a situation for that - do not trust the whole internet, but trust only a subnet on the network).

    Am I correct in assuming that I need to look at EXT (external zone) and add all the configuration there?

    I have added the trusted network as 10.0.0.0/16. Is this definition indicative of what I am trying to do here?

    I guess I am fairly confused (and I should not be but my ancient allergy to iptables is coming to the fore).

    I do not want to use internal zone as I plan to use that for virtual machines over vmnet1 etc.

    I would appreciate someone clearing up these doubts for me. Or better still, show a way to set up ufw on OpenSuSE.

  2. #2
    Join Date: Sep 2010 | Location: Poland | Posts: 1,970

    Re: Firewall issues

    First of all this is very interesting for me as well because I still have not found a nice documentation for how openSUSE handles iptables.

    So iptables is hard to understand but maybe this guide (http://tinyurl.com/rd57k) will help You (it sure helps me). Anyway, pure iptables is understandable for me, but I find the way openSUSE handles it very confusing (for example I don't know where it saves the rules You specify in the GUI or that can be printed with the CLI command "SuSEfirewall2 status").

    About your zones question: how many interfaces does the server have? And which interfaces do You plan to put in which zone?
    The way I understand the zone firewall concept implemented in openSUSE is :

    • all the traffic coming from the external zone interfaces is dropped unless You configure a rule for it
    • all the outgoing traffic to the external zone interfaces is allowed by default
    • the traffic between interfaces from the same zones is unfiltered (everything allowed)
    • the traffic from dmz to internal (no idea what happens)
    • the traffic from internal to dmz (no idea what happens)

    The way I normally use a DMZ (though not on openSUSE) is to allow some traffic originating from the internet and to make additional restrictions on the traffic flow between the DMZ and the private network. No traffic originating from the internet is allowed on the private network.

    Best regards,
    Greg

  3. #3
    Join Date: Nov 2009 | Location: ND, USA | Posts: 1,131

    Re: Firewall issues

    On Fri April 8 2011 08:36 pm, glistwan wrote:

    >
    > First of all this is very interesting for me as well because I still
    > have not found a nice documentation for how openSUSE handles iptables.
    >
    > So iptables is hard to understand but maybe 'this'
    > (http://tinyurl.com/rd57k) guide will help You (it sure helps me).
    > Anyway pure iptables is understandable for me but I find the way
    > openSUSE handles it is very confusing (for example I don't know where
    > it saves the rules You specify in the GUI or that can be printed with
    > the CLI command "SuSEfirewall2 status")
    >

    <snip>
    >
    > Best regards,
    > Greg
    >
    >

    Greg;

    SuSEfirewall2 is a script that reads the rules in /etc/sysconfig/SuSEfirewall2
    to generate iptables when it is run (normally at boot). The script is
    in /sbin/SuSEfirewall2. You can examine the script with any editor to see
    how the iptables are generated.

    You can get finer control over the firewall rules by editing /etc/sysconfig.
    Use YaST > System > /etc/sysconfig Editor.
    Expand: Network,Firewall,SuSEfirewall2.
    --
    P. V.
    "We're all in this together, I'm pulling for you." Red Green

  4. #4
    Join Date: Nov 2009 | Location: ND, USA | Posts: 1,131

    Re: Firewall issues

    On Fri April 8 2011 09:08 pm, PV wrote:

    > On Fri April 8 2011 08:36 pm, glistwan wrote:
    >
    >>
    >> First of all this is very interesting for me as well because I still
    >> have not found a nice documentation for how openSUSE handles iptables.
    >>
    >> So iptables is hard to understand but maybe 'this'
    >> (http://tinyurl.com/rd57k) guide will help You (it sure helps me).
    >> Anyway pure iptables is understandable for me but I find the way
    >> openSUSE handles it is very confusing (for example I don't know where
    >> it saves the rules You specify in the GUI or that can be printed with
    >> the CLI command "SuSEfirewall2 status")
    >>

    > <snip>
    >>
    >> Best regards,
    >> Greg
    >>
    >>

    > Greg;
    >

    <snip>
    >
    > You can get finer control over the firewall rules by editing /etc/sysconfig.
    > Use YaST > System > /etc/sysconfig Editor.
    > Expand: Network,Firewall,SuSEfirewall2.

    gcaveman;

    Using the above, you can set separate rules for the internal, external and dmz
    interfaces. Initially all ports on all interfaces are closed. You only
    need to open ports for your allowed services.
    --
    P. V.
    "We're all in this together, I'm pulling for you." Red Green

  5. #5

    Re: Firewall issues

    Quote Originally Posted by gcaveman:
    Hello

    I last used an rpm based distro in 2003 (Redhat 9.3). Years of working with debian, ubuntu etc. and subsequent use of port (on BSD) and ufw (on Ubuntu) had almost made me forget iptables.

    So, I am looking at a new OpenSuSE server that has to have a good firewall and staring at /etc/sysconfig/SuSEfirewall2.

    I need the following,

    * the firewall should reject all traffic from hosts with IPs outside of the class A 10.x.x.x subnet (this is first and foremost).
    * From 10.x.x.x hosts, I want to further restrict ports.

    I am dividing my network into an external and internal zone.

    I do not know how to deal with a demilitarized zone (though this sounds like a situation for that - do not trust the whole internet, but trust only a subnet on the network).

    Am I correct in assuming that I need to look at EXT (external zone) and add all the configuration there?

    I have added the trusted network as 10.0.0.0/16. Is this definition indicative of what I am trying to do here?

    I guess I am fairly confused (and I should not be but my ancient allergy to iptables is coming to the fore).

    I do not want to use internal zone as I plan to use that for virtual machines over vmnet1 etc.

    I would appreciate someone clearing up these doubts for me. Or better still, show a way to set up ufw on OpenSuSE.

    May I suggest using YaST2 | Security and Users | Firewall to set up your initial Firewall, and set your external and internal interfaces.

    You can add allowed services to your external firewall from a drop down box. You can add specialized rules for ports and protocols for both internal and external interfaces.

    If you're using a class A subnet internally then you'd set your rules for the internal interface.
    From a terminal window you can issue the command
    Code:
    su -c "iptables-save > /home/userid/saved_iptables.txt"
    su -c "iptables -L --line-numbers -n -x -v > /home/userid/iptable_traffic.txt"
    password:
    to save your iptables state, then to display your current and/or changed rulesets and the number of packets flowing through the rules.

    But I'd start with the YaST2 | Firewall to build my ruleset.

  6. #6
    Join Date: Sep 2010 | Location: Poland | Posts: 1,970

    Re: Firewall issues

    Quote Originally Posted by venzkep:
    On Fri April 8 2011 09:08 pm, PV wrote:

    > On Fri April 8 2011 08:36 pm, glistwan wrote:
    >
    >>
    >> First of all this is very interesting for me as well because I still
    >> have not found a nice documentation for how openSUSE handles iptables.
    >>
    >> So iptables is hard to understand but maybe 'this'
    >> (Quick HOWTO : Ch14 : Linux Firewalls Using iptables - Linux Home Networking) guide will help You (it sure helps me).
    >> Anyway pure iptables is understandable for me but I find the way
    >> openSUSE handles it is very confusing (for example I don't know where
    >> it saves the rules You specify in the GUI or that can be printed with
    >> the CLI command "SuSEfirewall2 status")
    >>

    > <snip>
    >>
    >> Best regards,
    >> Greg
    >>
    >>

    > Greg;
    >

    <snip>
    >
    > You can get finer control over the firewall rules by editing /etc/sysconfig.
    > Use YaST > System > /etc/sysconfig Editor.
    > Expand: Network,Firewall,SuSEfirewall2.

    gcaveman;

    Using the above, you can set separate rules for the internal, external and dmz
    interfaces. Initially all ports on all interfaces are closed. You only
    need to open ports for your allowed services.
    --
    P. V.
    "We're all in this together, I'm pulling for you." Red Green

    Thank You very much for the additional information. The statement about all ports being closed is valid only for incoming packets. For outgoing traffic everything is allowed by default.

    Best regards,
    Greg

  7. #7
    Join Date: Sep 2010 | Location: Poland | Posts: 1,970

    Re: Firewall issues

    Quote Originally Posted by tararpharazon:
    May I suggest using YaST2 | Security and Users | Firewall to set up your initial Firewall, and set your external and internal interfaces.

    You can add allowed services to your external firewall from a drop down box. You can add specialized rules for ports and protocols for both internal and external interfaces.

    If you're using a class A subnet internally then you'd set your rules for the internal interface.
    From a terminal window you can issue the command
    Code:
    su -c "iptables-save > /home/userid/saved_iptables.txt"
    su -c "iptables -L --line-numbers -n -x -v > /home/userid/iptable_traffic.txt"
    password:
    to save your iptables state, then to display your current and/or changed rulesets and the number of packets flowing through the rules.

    But I'd start with the YaST2 | Firewall to build my ruleset.

    I think the commands You show won't survive the reboot. Sorry guys, but it's still confusing for me. On CentOS it's easy because all the config that gets loaded during the restart of iptables lies here:
    Code:
    [root@bigboy tmp]# cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004 
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [144:12748]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
    -A RH-Firewall-1-INPUT -p esp -j ACCEPT
    -A RH-Firewall-1-INPUT -p ah -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Mon Nov 8 11:00:07 2004
    [root@bigboy tmp]#
    Is there a file like this stored anywhere on openSUSE because I think it should be but I can't find it.

    Best regards,
    Greg

  8. #8
    Join Date: Oct 2010 | Posts: 43

    Re: Firewall issues

    glistwan wrote:

    > I think the commands You show won't survive the reboot. Sorry guys but
    > it's still confusing for me On CentOS it's easy because all the
    > config that gets loaded during the restart of iptables lies here :
    >
    > Code:
    > --------------------
    > [root@bigboy tmp]# cat /etc/sysconfig/iptables
    > # Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
    > *filter
    > :INPUT ACCEPT [0:0]
    > :FORWARD ACCEPT [0:0]
    > :OUTPUT ACCEPT [144:12748]
    > :RH-Firewall-1-INPUT - [0:0]
    > -A INPUT -j RH-Firewall-1-INPUT
    > -A FORWARD -j RH-Firewall-1-INPUT
    > -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    > -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
    > -A RH-Firewall-1-INPUT -p esp -j ACCEPT
    > -A RH-Firewall-1-INPUT -p ah -j ACCEPT
    > -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    > -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    > COMMIT
    > # Completed on Mon Nov 8 11:00:07 2004
    > [root@bigboy tmp]#
    >
    > --------------------
    > Is there a file like this stored anywhere on openSUSE because I think it
    > should be but I can't find it.


    Have a look at

    YaST -> System -> /etc/sysconfig Editor -> Network -> Firewall ->
    SuSEFirewall2 -> FW_CUSTOMRULES

    and the file

    /etc/sysconfig/scripts/SuSEfirewall2-custom

    Is that what you are looking for?

    --
    Don
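    As an added example (not code from this thread and not the SuSEfirewall2 project's own), here is what the original poster's two requirements look like as rules placed in a hook of the kind /etc/sysconfig/scripts/SuSEfirewall2-custom provides. The hook name fw_custom_before_denyall and the FW_DEV_EXT variable follow that file's conventions; the interface eth0, the trusted net 10.0.0.0/8 and the port list are assumptions made for the example. The script defaults to a dry run that prints the iptables commands instead of executing them, so the generated rule set can be reviewed on any machine, or saved to a single file the way Greg asks for, before it is applied:

```shell
#!/bin/sh
# Added example in the style of /etc/sysconfig/scripts/SuSEfirewall2-custom
# (not the project's own code). By default it only prints the iptables
# commands it would run, so the rule set can be reviewed or saved to a file.

FW_DEV_EXT="${FW_DEV_EXT:-eth0}"   # external interface; eth0 is an assumption
TRUSTED_NET="10.0.0.0/8"           # the poster's "class A 10.x.x.x"
TRUSTED_TCP_PORTS="22 443"         # ports to open to 10/8; assumed for the example
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands, 0 = really call iptables

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Hook name taken from SuSEfirewall2-custom; it runs before the script's
# final deny-all rules. The trailing "true" follows that file's convention.
fw_custom_before_denyall() {
    # 1. replies to connections this host opened (even to hosts outside 10/8)
    ipt -A INPUT -i "$FW_DEV_EXT" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. requirement one: anything new from outside 10/8 is rejected outright
    ipt -A INPUT -i "$FW_DEV_EXT" ! -s "$TRUSTED_NET" -j REJECT --reject-with icmp-host-prohibited
    # 3. requirement two: from 10/8 only the listed TCP ports are reachable ...
    for p in $TRUSTED_TCP_PORTS; do
        ipt -A INPUT -i "$FW_DEV_EXT" -s "$TRUSTED_NET" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # 4. ... everything else from 10/8 gets a port-unreachable instead of a silent drop
    ipt -A INPUT -i "$FW_DEV_EXT" -s "$TRUSTED_NET" -j REJECT --reject-with icmp-port-unreachable
    true
}

# Number of rules the hook generates (handy when diffing against iptables-save).
rule_count() {
    fw_custom_before_denyall | wc -l | tr -d ' '
}

fw_custom_before_denyall
```

    Run it with DRY_RUN=0 as root, from the file FW_CUSTOMRULES points at, to apply the rules. Rule 1 deliberately admits replies to connections the server itself opened even when the peer is outside 10/8; unsolicited packets from outside still hit the REJECT in rule 2, so the "first and foremost" requirement holds for anything the server did not initiate. For the plain "trust this subnet on these ports" case, the FW_TRUSTED_NETS variable in /etc/sysconfig/SuSEfirewall2 (entries of the form network,protocol,port, as described in the comments above it) expresses the same policy without a custom hook, and is visible in the YaST editor.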

  9. #9

    Re: Firewall issues

    Quote Originally Posted by glistwan:
    I think the commands You show won't survive the reboot. Sorry guys, but it's still confusing for me. On CentOS it's easy because all the config that gets loaded during the restart of iptables lies here:
    Code:
    [root@bigboy tmp]# cat /etc/sysconfig/iptables
    # Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004 
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [144:12748]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
    -A RH-Firewall-1-INPUT -p esp -j ACCEPT
    -A RH-Firewall-1-INPUT -p ah -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Mon Nov 8 11:00:07 2004
    [root@bigboy tmp]#
    Is there a file like this stored anywhere on openSUSE because I think it should be but I can't find it.

    Best regards,
    Greg

    Those commands were not intended to survive anything; they were tools to show you how your firewall looked and the traffic through it.

    The 1st command I posted saves your current iptables rules into a file in the format you have shown above for your CentOS ruleset. Iptables experts can modify that output and load it as a new ruleset.

    The CentOS ruleset you show above won't work with openSUSE; there are lots of differences in the INPUT, FORWARD, OUTPUT chains, etc.

    As I and others mentioned, IMHO, it would be best for you to use the YaST2 Firewall GUI to build your firewall, since you remember little about building iptables rules. Anything you'd like to try for a firewall (adding specific ports, protocols, IP addresses, interfaces, etc.) can be done through the GUI, and done quickly.

    The 2nd command I posted shows the network traffic through your firewall chains, which of course you'd have to run every time you wanted to see traffic flow through your iptable ipv4 chains.
    Box 1: OpenSuse 11.1/Win7 | Linux 2.6.27 Gnome | AMD 64 X2 6000+ | nVidia 8600GT | 2GB RAM
    Box 2: OpenSuse 11.2 | Linux 2.6.31 Gnome | AMD 64 3000+ | ATI X800 Pro | 1GB RAM
    Box 3: Win7 Premium Home | Intel P4 3.0Gz | ATI AIW 2006 | 2GB RAM

  10. #10
    Join Date: Sep 2010 | Location: Poland | Posts: 1,970

    Re: Firewall issues

    Quote Originally Posted by tararpharazon:
    Those commands were not intended to survive anything but were tools to show you how your firewall looked and the traffic through it.

    The 1st command I posted saves your current iptable into a file in the format as you have shown above for your CENTOS iptable ruleset. Iptable experts can modify the that output and load it as a new iptable.
    Yes, I know what the commands do; what I don't know is why the configuration of SuSEfirewall2 is not saved in this format as well, within a single file, which IMHO simplifies things greatly. I guess it's because of the YaST GUI and some added features of SuSEfirewall2 from the ipchains days.
    Quote Originally Posted by tararpharazon:
    The CENTOS iptable you show above won't work with openSUSE, lots of the differences for INPUT, FORWARD, OUTPUT chains, etc.
    Well, it would work very well if You swapped the whole openSUSE iptables config with that file (but there is no such file that I can see on openSUSE). After all, iptables is iptables and works the same regardless of the distro (OK, there are tons of different modules, which vary a lot between distros, with added functionality for iptables, but I'm talking about the basics, which should work regardless of the distro).
    Quote Originally Posted by tararpharazon:
    As I and others mentioned, IMHO, it would be best for you to use the YaST2, Firewall GUI to build your firewall, since you remember little about building iptable rules. Anything you'd like to try for a firewall, adding specific ports, protocols, ip address, interfaces, etc. can be done through the GUI and done quickly.
    For me the GUI has very limited functionality compared to, for example, the advanced firewall settings in Win7. For one thing, please show me a way to block all outgoing traffic in the GUI (modifying the following chain in the filter table of iptables):
    Code:
    Chain OUTPUT (policy ACCEPT 6174 packets, 1183K bytes)
     pkts bytes target     prot opt in     out     source               destination         
      104  7995 ACCEPT     all  --  any    lo      anywhere             anywhere
    What's more, copying a single text file is much faster than using any GUI whatsoever.
    Quote Originally Posted by tararpharazon:
    The 2nd command I posted shows the network traffic through your firewall chains, which of course you'd have to run every time you wanted to see traffic flow through your iptable ipv4 chains.
    Thanks, but I prefer LOG entries in the iptables setup, and this has very limited flexibility in the YaST GUI setup as well.

    Best regards,
    Greg
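    Greg's point that the OUTPUT chain policy stays ACCEPT even when every inbound port is closed, and the original poster's requirement that nothing outside 10/8 be admitted, can both be checked mechanically against an iptables-save dump (the format of the CentOS listing earlier in the thread, and what `iptables-save` on openSUSE prints as well). The following is an added example, not code from this thread: two small awk-based audit functions run over a rule set constructed for the demonstration, in which port 80 is deliberately left open to every source so that the audit has something to report.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for (a) chain default policies and
# (b) INPUT ACCEPT rules that open a port without any source (-s) restriction.

# Constructed sample in iptables-save format (modelled on the CentOS listing in
# the thread; the port 80 rule is deliberately open to everyone).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [144:12748]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# chain_policy CHAIN RULES -> prints the default policy of CHAIN (e.g. ACCEPT)
chain_policy() {
    printf '%s\n' "$2" | awk -v c=":$1" '$1 == c { print $2 }'
}

# open_to_anyone RULES -> prints, one per line, the --dport values of INPUT
# ACCEPT rules that carry no -s match, i.e. ports reachable from any source
open_to_anyone() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-j ACCEPT/ && /--dport/ && !/ -s / {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# audit RULES -> short report on stdout; returns 1 when something needs review
audit() {
    rules="$1"
    status=0
    if [ "$(chain_policy OUTPUT "$rules")" = "ACCEPT" ]; then
        echo "OUTPUT policy is ACCEPT: all outgoing traffic allowed by default"
        status=1
    fi
    for port in $(open_to_anyone "$rules"); do
        echo "port $port is open to any source, not only 10.0.0.0/8"
        status=1
    done
    return $status
}

# On a live system the same check reads the real rules: audit "$(iptables-save)"
audit "$SAMPLE_RULES" || echo "review needed"
```

    Running the audit before and after a YaST change, on the output of the `iptables-save` command suggested earlier in the thread, is a quick way to confirm that the GUI produced the rules you intended regardless of where SuSEfirewall2 keeps its configuration.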
