I last used an rpm based distro in 2003 (Redhat 9.3). Years of working with debian, ubuntu etc. and subsequent use of port (on BSD) and ufw (on Ubuntu) had almost made me forget iptables.
So, I am looking at a new OpenSuSE server that has to have a good firewall and staring at /etc/sysconfig/SuSEfirewall2.
I need the following,
the firewall should reject all traffic from hosts with IPs outside of the class A 10.x.x.x subnet (this is first and foremost).
From 10.x.x.x hosts, I want to further restrict ports.
I am dividing my network into an external and internal zone.
I do not know how to deal with a demilitarized zone (though this sounds like a situation for that - do not trust the whole internet, but trust only a subnet on the network).
Am I correct in assuming that I need to look at EXT (external zone) and add all the configuration there ?
I have added the trusted network to be 10.0.0.0/16. Is this definition indicative of what I am trying to do here?
I guess I am fairly confused (and I should not be but my ancient allergy to iptables is coming to the fore).
I do not want to use internal zone as I plan to use that for virtual machines over vmnet1 etc.
I would appreciate someone clearing up these doubts for me. Or better still, show a way to setup ufw on OpenSuSE.
First of all this is very interesting for me as well because I still have not found nice documentation for how openSUSE handles iptables.
So iptables is hard to understand but maybe this guide (http://tinyurl.com/rd57k) will help You (it sure helps me). Anyway pure iptables is understandable for me but I find the way openSUSE handles it very confusing (for example I don’t know where it saves the rules You specify in the GUI or that can be printed with the CLI command “SuSEfirewall2 status”).
About your zones question: how many interfaces does the server have? And which interfaces do You plan to put in which zone?
The way I understand the zone firewall concept implemented in openSUSE is :
all the traffic coming from the external zone interfaces is dropped unless You configure a rule for it
all the outgoing traffic to the external zone interfaces is allowed by default
the traffic between interfaces from the same zones is unfiltered (everything allowed)
the traffic from dmz to internal (no idea what happens :))
the traffic from internal to dmz (no idea what happens :))
The way I normally use DMZ but not on openSUSE is to allow some traffic originating from internet and make additional restrictions on the traffic flow between DMZ and private. No traffic originating from internet is allowed on private.
>
> First of all this is very interesting for me as well because I still
> have not found a nice documentation for how openSUSE handles iptables.
>
> So iptables is hard to understand but maybe ‘this’
> (http://tinyurl.com/rd57k) guide will help You (it sure helps me).
> Anyway pure iptables is understandable for me but I find the way
> openSUSE handles it is very confusing (for example I don’t know where
> it saves the rules You specify in the GUI or that can be printed with
> the CLI command “SuSEfirewall2 status”)
>
<snip>
>
> Best regards,
> Greg
>
>
Greg;
SuSEfirewall2 is a script that reads the rules in /etc/sysconfig/SuSEfirewall2
to generate iptables when it is run (normally at boot). The script is
in /sbin/SuSEfirewall2. You can examine the script with any editor to see
how the iptables are generated.
You can get finer control over the firewall rules by editing /etc/sysconfig.
Use YaST > System > /etc/sysconfig Editor.
Expand: Network,Firewall,SuSEfirewall2.
P. V.
“We’re all in this together, I’m pulling for you.” Red Green
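To make the sysconfig variables P. V. refers to concrete for the policy in the original question (refuse everything outside 10.x.x.x, then open only a few ports to 10.x.x.x), here is an excerpt of /etc/sysconfig/SuSEfirewall2 as an added example. It is not a file from this thread or from the openSUSE project; the interface name eth0 and the ports 22 and 443 are assumptions for illustration. Note that FW_TRUSTED_NETS uses 10.0.0.0/8, which is all of 10.x.x.x; the 10.0.0.0/16 mentioned in the question would only cover 10.0.0.0 to 10.0.255.255.

```shell
## Excerpt of /etc/sysconfig/SuSEfirewall2 for the policy asked for in this thread.
## Added example, not the thread's or the openSUSE project's own file; the
## interface name eth0 and the ports 22/443 are assumptions for illustration.

# Only the external zone is populated. FW_DEV_INT stays empty because the
# poster wants to reserve the internal zone for VM interfaces such as vmnet1.
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""

# Nothing is opened to every source on the external zone: these lists stay empty,
# so a host outside the trusted network gets no port at all.
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""

# Hosts inside 10.0.0.0/8 ("class A 10.x.x.x") may reach only the listed ports.
# Format: net[,protocol[,port]] entries separated by spaces.
FW_TRUSTED_NETS="10.0.0.0/8,tcp,22 10.0.0.0/8,tcp,443"

# This host is not a router, so no forwarding between zones.
FW_ROUTE="no"

# Log what the firewall refuses so the policy can be verified from the logs.
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
```

After editing the file, restart the firewall (rcSuSEfirewall2 restart on openSUSE of that era) and compare the generated chains with “SuSEfirewall2 status”. Two caveats a practitioner would check: SuSEfirewall2 drops rather than rejects refused packets by default, so the "reject" asked for in the question shows up to the remote side as a timeout, not a refusal; and FW_LOG_DROP_ALL logs every refused packet, which on a busy interface is a lot of syslog traffic.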
> On Fri April 8 2011 08:36 pm, glistwan wrote:
>
>>
>> First of all this is very interesting for me as well because I still
>> have not found a nice documentation for how openSUSE handles iptables.
>>
>> So iptables is hard to understand but maybe ‘this’
>> (http://tinyurl.com/rd57k) guide will help You (it sure helps me).
>> Anyway pure iptables is understandable for me but I find the way
>> openSUSE handles it is very confusing (for example I don’t know where
>> it saves the rules You specify in the GUI or that can be printed with
>> the CLI command “SuSEfirewall2 status”)
>>
> <snip>
>>
>> Best regards,
>> Greg
>>
>>
> Greg;
>
<snip>
>
> You can get finer control over the firewall rules by editing /etc/sysconfig.
> Use YaST > System > /etc/sysconfig Editor.
> Expand: Network,Firewall,SuSEfirewall2.
gcaveman;
Using the above, you can set separate rules for the internal, external and dmz
interfaces. Initially all ports on all interfaces are closed. You only
need to open ports for your allowed services.
P. V.
“We’re all in this together, I’m pulling for you.” Red Green
May I suggest using YaST2 | Security and Users | Firewall to set up your initial Firewall, and set your external and internal interfaces.
You can add allowed services to your external firewall from a drop down box. You can add specialized rules for ports and protocols for both internal and external interfaces.
If you’re using a class A subnet internally then you’d set your rules for the internal interface.
From a terminal window you can issue the command
su -c "iptables-save > /home/userid/saved_iptables.txt"
su -c "iptables -L --line-numbers -n -x -v > /home/userid/iptable_traffic.txt"
password:
to save your iptable state, then to display your current and/or changed rulesets, and the amount of packets flowing through the rules.
But I’d start with the YaST2 | Firewall to build my ruleset.
Thank You very much for the additional information. The statement about all ports being closed is valid only for the incoming packets. For outgoing traffic everything is allowed by default.
I think the commands You show won’t survive the reboot. Sorry guys but it’s still confusing for me. On CentOS it’s easy because all the config that gets loaded during the restart of iptables lies here:
[root@bigboy tmp]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [144:12748]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
-A RH-Firewall-1-INPUT -p esp -j ACCEPT
-A RH-Firewall-1-INPUT -p ah -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Mon Nov 8 11:00:07 2004
[root@bigboy tmp]#
Is there a file like this stored anywhere on openSUSE because I think it should be but I can’t find it.
> I think the commands You show won’t survive the reboot. Sorry guys but
> it’s still confusing for me On CentOS it’s easy because all the
> config that gets loaded during the restart of iptables lies here :
>
> Code:
> --------------------
> [root@bigboy tmp]# cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.2.9 on Mon Nov 8 11:00:07 2004
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [144:12748]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type 255 -j ACCEPT
> -A RH-Firewall-1-INPUT -p esp -j ACCEPT
> -A RH-Firewall-1-INPUT -p ah -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
> # Completed on Mon Nov 8 11:00:07 2004
> [root@bigboy tmp]#
>
> --------------------
> Is there a file like this stored anywhere on openSUSE because I think it
> should be but I can’t find it.
Those commands were not intended to survive anything but were tools to show you how your firewall looked and the traffic through it.
The 1st command I posted saves your current iptable into a file in the format you have shown above for your CENTOS iptable ruleset. Iptable experts can modify that output and load it as a new iptable.
The CENTOS iptable you show above won’t work with openSUSE; there are lots of differences in the INPUT, FORWARD, OUTPUT chains, etc.
As I and others mentioned, IMHO, it would be best for you to use the YaST2, Firewall GUI to build your firewall, since you remember little about building iptable rules. Anything you’d like to try for a firewall, adding specific ports, protocols, ip address, interfaces, etc. can be done through the GUI and done quickly.
The 2nd command I posted shows the network traffic through your firewall chains, which of course you’d have to run every time you wanted to see traffic flow through your iptable ipv4 chains.
Yes, I know what the commands do; what I don’t know is why the configuration of SuSEfirewall2 is not saved in this format as well within a single file, which IMHO simplifies things greatly. I guess it’s because of the YaST GUI and some added features of SuSEfirewall2 from the ipchains days.
Well it would work very well if You would swap the whole openSUSE iptables config with the file (but there is no such file as I can see on openSUSE). After all iptables is iptables and works the same regardless of the distro. (ok there are tons of different modules, which vary a lot between distros, with added functionality for iptables but I’m talking about the basics, which should work regardless of the distro)
For me the GUI has a very limited functionality compared to for example the advanced firewall settings in Win7. For one thing, please show me a way to block all the outgoing traffic in the GUI (modifying the following chain in the filter iptables table)
Chain OUTPUT (policy ACCEPT 6174 packets, 1183K bytes)
pkts bytes target prot opt in out source destination
104 7995 ACCEPT all -- any lo anywhere anywhere
What’s more, copying a single text file is much faster than using any GUI whatsoever.
Thanks but I prefer the LOG entries in iptables set up and this has a very limited flexibility in the YaST GUI set up as well.
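The single-text-file approach argued for above can be shown end to end for the policy from the original question. The script below is an added example, not code from this thread: ruleset() prints the whole filter table in the format iptables-save writes and iptables-restore reads, with a restricted OUTPUT chain and rate-limited LOG entries before every REJECT, and audit_ruleset() reads an iptables-save dump and prints every ACCEPT rule it cannot prove is restricted to the trusted network. The interface-independent rules, the network 10.0.0.0/8 and the port list 22 443 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits the policy discussed above as a
# single iptables-save style file and audits a saved ruleset against that policy.
# 10.0.0.0/8 and the port list "22 443" are assumptions for illustration.

TRUSTED_NET="${TRUSTED_NET:-10.0.0.0/8}"
TRUSTED_TCP_PORTS="${TRUSTED_TCP_PORTS:-22 443}"

# Print a complete filter table in the format iptables-save writes and
# iptables-restore reads. All policies are DROP; refused traffic is logged first.
ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT DROP [0:0]'
    printf '%s\n' ':LOG_REJECT - [0:0]'
    # Loopback and packets belonging to already-accepted flows.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    # First and foremost: any source outside the trusted network is refused
    # before a single port is considered.
    printf '%s\n' "-A INPUT ! -s $TRUSTED_NET -j LOG_REJECT"
    # From the trusted network, only the listed TCP ports accept new connections.
    for port in $TRUSTED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -s $TRUSTED_NET -p tcp -m state --state NEW --dport $port -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j LOG_REJECT'
    # OUTPUT is restricted too: loopback, replies to accepted flows, and new
    # connections only towards the trusted network (the chain YaST cannot lock down).
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' "-A OUTPUT -d $TRUSTED_NET -j ACCEPT"
    printf '%s\n' '-A OUTPUT -j LOG_REJECT'
    # Rate-limited LOG, then REJECT rather than a silent DROP.
    printf '%s\n' '-A LOG_REJECT -m limit --limit 5/min -j LOG --log-prefix "FW-REJECT: "'
    printf '%s\n' '-A LOG_REJECT -p tcp -j REJECT --reject-with tcp-reset'
    printf '%s\n' '-A LOG_REJECT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# Audit an iptables-save dump read from stdin. Every ACCEPT rule outside the
# OUTPUT chain must be for loopback, for RELATED,ESTABLISHED traffic, or carry
# an explicit "-s TRUSTED_NET". Each rule that fails this test is printed for
# review; the function returns 1 if any was found, 0 otherwise.
audit_ruleset() {
    awk -v net="$TRUSTED_NET" '
        $1 == "-A" && $2 != "OUTPUT" && /-j ACCEPT$/ {
            if ($0 ~ /-i lo /) next
            if ($0 ~ /--state RELATED,ESTABLISHED/) next
            if (index($0, "-s " net " ") == 0) {
                print "ACCEPT not restricted to " net ": " $0
                bad = 1
            }
        }
        END { if (bad) exit 1 }
    '
}

# Usage:  sh fw.sh show > /root/fw-rules.txt && iptables-restore < /root/fw-rules.txt
#         iptables-save | sh fw.sh audit
case "${1:-}" in
    show)  ruleset ;;
    audit) audit_ruleset ;;
esac
```

Two things to keep in mind when using this on openSUSE. As P. V. explained earlier in the thread, SuSEfirewall2 regenerates the iptables rules from /etc/sysconfig/SuSEfirewall2 at boot, so a hand-loaded file only persists if SuSEfirewall2 is disabled or the file is restored after it has run. The audit, on the other hand, is useful either way: piping the output of the iptables-save command posted above into it lists every ACCEPT in the SuSEfirewall2-generated chains that is not tied to 10.0.0.0/8, which is exactly the check needed to confirm that a YaST-built ruleset enforces the "only 10.x.x.x" requirement rather than assuming it does.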