You are previewing Linux® Firewalls: Enhancing Security with nftables and Beyond, Fourth Edition.
O'Reilly logo
Linux® Firewalls: Enhancing Security with nftables and Beyond, Fourth Edition

Book Description

The Definitive Guide to Building Firewalls with Linux

As the security challenges facing Linux system and network administrators have grown, the security tools and techniques available to them have improved dramatically. In Linux® Firewalls, Fourth Edition, long-time Linux security expert Steve Suehring has revamped his definitive Linux firewall guide to cover the important advances in Linux security.

An indispensable working resource for every Linux administrator concerned with security, this guide presents comprehensive coverage of both iptables and nftables. Building on the solid networking and firewalling foundation in previous editions, it also adds coverage of modern tools and techniques for detecting exploits and intrusions, and much more.

Distribution neutral throughout, this edition is fully updated for today’s Linux kernels, and includes current code examples and support scripts for Red Hat/Fedora, Ubuntu, and Debian implementations. If you’re a Linux professional, it will help you establish an understanding of security for any Linux system, and for networks of all sizes, from home to enterprise.

Inside, you’ll find just what you need to

  • Install, configure, and update a Linux firewall running either iptables or nftables

  • Migrate to nftables, or take advantage of the latest iptables enhancements

  • Manage complex multiple firewall configurations

  • Create, debug, and optimize firewall rules

  • Use Samhain and other tools to protect filesystem integrity, monitor networks, and detect intrusions

  • Harden systems against port scanning and other attacks

  • Uncover exploits such as rootkits and backdoors with chkrootkit

  • Table of Contents

    1. About This eBook
    2. Title Page
    3. Copyright Page
    4. Dedication Page
    5. Contents at a Glance
    6. Contents
    7. Preface
      1. Acknowledgments
    8. About the Author
    9. I. Packet Filtering and Basic Security Measures
      1. 1. Preliminary Concepts Underlying Packet-Filtering Firewalls
        1. The OSI Networking Model
          1. Connectionless versus Connection-Oriented Protocols
          2. Next Steps
        2. The Internet Protocol
          1. IP Addressing and Subnetting
          2. IP Fragmentation
          3. Broadcasting and Multicasting
          4. ICMP
        3. Transport Mechanisms
          1. UDP
          2. TCP
        4. Don’t Forget Address Resolution Protocol
        5. Hostnames and IP Addresses
          1. IP Addresses and Ethernet Addresses
        6. Routing: Getting a Packet from Here to There
        7. Service Ports: The Door to the Programs on Your System
          1. A Typical TCP Connection: Visiting a Remote Website
        8. Summary
      2. 2. Packet-Filtering Concepts
        1. A Packet-Filtering Firewall
        2. Choosing a Default Packet-Filtering Policy
        3. Rejecting versus Denying a Packet
        4. Filtering Incoming Packets
          1. Remote Source Address Filtering
          2. Local Destination Address Filtering
          3. Remote Source Port Filtering
          4. Local Destination Port Filtering
          5. Incoming TCP Connection State Filtering
          6. Probes and Scans
          7. Denial-of-Service Attacks
          8. Source-Routed Packets
        5. Filtering Outgoing Packets
          1. Local Source Address Filtering
          2. Remote Destination Address Filtering
          3. Local Source Port Filtering
          4. Remote Destination Port Filtering
          5. Outgoing TCP Connection State Filtering
        6. Private versus Public Network Services
          1. Protecting Nonsecure Local Services
          2. Selecting Services to Run
        7. Summary
      3. 3. iptables: The Legacy Linux Firewall Administration Program
        1. Differences between IPFW and Netfilter Firewall Mechanisms
          1. IPFW Packet Traversal
          2. Netfilter Packet Traversal
        2. Basic iptables Syntax
        3. iptables Features
          1. NAT Table Features
          2. mangle Table Features
        4. iptables Syntax
          1. filter Table Commands
          2. filter Table Target Extensions
          3. filter Table Match Extensions
          4. nat Table Target Extensions
          5. mangle Table Commands
        5. Summary
      4. 4. nftables: The Linux Firewall Administration Program
        1. Differences between iptables and nftables
        2. Basic nftables Syntax
        3. nftables Features
        4. nftables Syntax
          1. Table Syntax
          2. Chain Syntax
          3. Rule Syntax
          4. Basic nftables Operations
          5. nftables File Syntax
        5. Summary
      5. 5. Building and Installing a Standalone Firewall
        1. The Linux Firewall Administration Programs
          1. Build versus Buy: The Linux Kernel
          2. Source and Destination Addressing Options
        2. Initializing the Firewall
          1. Symbolic Constants Used in the Firewall Examples
          2. Enabling Kernel-Monitoring Support
          3. Removing Any Preexisting Rules
          4. Resetting Default Policies and Stopping the Firewall
          5. Enabling the Loopback Interface
          6. Defining the Default Policy
          7. Using Connection State to Bypass Rule Checking
          8. Source Address Spoofing and Other Bad Addresses
        3. Protecting Services on Assigned Unprivileged Ports
          1. Common Local TCP Services Assigned to Unprivileged Ports
          2. Common Local UDP Services Assigned to Unprivileged Ports
        4. Enabling Basic, Required Internet Services
          1. Allowing DNS (UDP/TCP Port 53)
        5. Enabling Common TCP Services
          1. Email (TCP SMTP Port 25, POP Port 110, IMAP Port 143)
          2. SSH (TCP Port 22)
          3. FTP (TCP Ports 21, 20)
          4. Generic TCP Service
        6. Enabling Common UDP Services
          1. Accessing Your ISP’s DHCP Server (UDP Ports 67, 68)
          2. Accessing Remote Network Time Servers (UDP Port 123)
        7. Logging Dropped Incoming Packets
        8. Logging Dropped Outgoing Packets
        9. Installing the Firewall
          1. Tips for Debugging the Firewall Script
          2. Starting the Firewall on Boot with Red Hat and SUSE
          3. Starting the Firewall on Boot with Debian
          4. Installing a Firewall with a Dynamic IP Address
        10. Summary
    10. II. Advanced Issues, Multiple Firewalls, and Perimeter Networks
      1. 6. Firewall Optimization
        1. Rule Organization
          1. Begin with Rules That Block Traffic on High Ports
          2. Use the State Module for ESTABLISHED and RELATED Matches
          3. Consider the Transport Protocol
          4. Place Firewall Rules for Heavily Used Services as Early as Possible
          5. Use Traffic Flow to Determine Where to Place Rules for Multiple Network Interfaces
        2. User-Defined Chains
        3. Optimized Examples
          1. The Optimized iptables Script
          2. Firewall Initialization
          3. Installing the Chains
          4. Building the User-Defined EXT-input and EXT-output Chains
          5. tcp-state-flags
          6. connection-tracking
          7. local-dhcp-client-query and remote-dhcp-server-response
          8. source-address-check
          9. destination-address-check
          10. Logging Dropped Packets with iptables
          11. The Optimized nftables Script
          12. Firewall Initialization
          13. Building the Rules Files
          14. Logging Dropped Packets with nftables
        4. What Did Optimization Buy?
          1. iptables Optimization
          2. nftables Optimization
        5. Summary
      2. 7. Packet Forwarding
        1. The Limitations of a Standalone Firewall
        2. Basic Gateway Firewall Setups
        3. LAN Security Issues
        4. Configuration Options for a Trusted Home LAN
          1. LAN Access to the Gateway Firewall
          2. LAN Access to Other LANs: Forwarding Local Traffic among Multiple LANs
        5. Configuration Options for a Larger or Less Trusted LAN
          1. Dividing Address Space to Create Multiple Networks
          2. Selective Internal Access by Host, Address Range, or Port
        6. Summary
      3. 8. NAT—Network Address Translation
        1. The Conceptual Background of NAT
        2. NAT Semantics with iptables and nftables
          1. Source NAT
          2. Destination NAT
        3. Examples of SNAT and Private LANs
          1. Masquerading LAN Traffic to the Internet
          2. Applying Standard NAT to LAN Traffic to the Internet
        4. Examples of DNAT, LANs, and Proxies
          1. Host Forwarding
        5. Summary
      4. 9. Debugging the Firewall Rules
        1. General Firewall Development Tips
        2. Listing the Firewall Rules
          1. iptables Table Listing Example
          2. nftables Table Listing Example
        3. Interpreting the System Logs
          1. syslog Configuration
          2. Firewall Log Messages: What Do They Mean?
        4. Checking for Open Ports
          1. netstat -a [ -n -p -A inet ]
          2. Checking a Process Bound to a Particular Port with fuser
          3. Nmap
        5. Summary
      5. 10. Virtual Private Networks
        1. Overview of Virtual Private Networks
        2. VPN Protocols
          1. PPTP and L2TP
          2. IPsec
        3. Linux and VPN Products
          1. Openswan/Libreswan
          2. OpenVPN
          3. PPTP
        4. VPN and Firewalls
        5. Summary
    11. III. Beyond iptables and nftables
      1. 11. Intrusion Detection and Response
        1. Detecting Intrusions
        2. Symptoms Suggesting That the System Might Be Compromised
          1. System Log Indications
          2. System Configuration Indications
          3. Filesystem Indications
          4. User Account Indications
          5. Security Audit Tool Indications
          6. System Performance Indications
        3. What to Do If Your System Is Compromised
        4. Incident Reporting
          1. Why Report an Incident?
          2. What Kinds of Incidents Might You Report?
          3. To Whom Do You Report an Incident?
          4. What Information Do You Supply?
        5. Summary
      2. 12. Intrusion Detection Tools
        1. Intrusion Detection Toolkit: Network Tools
          1. Switches and Hubs and Why You Care
          2. ARPWatch
        2. Rootkit Checkers
          1. Running Chkrootkit
          2. What If Chkrootkit Says the Computer Is Infected?
          3. Limitations of Chkrootkit and Similar Tools
          4. Using Chkrootkit Securely
          5. When Should Chkrootkit Be Run?
        3. Filesystem Integrity
        4. Log Monitoring
          1. Swatch
        5. How to Not Become Compromised
          1. Secure Often
          2. Update Often
          3. Test Often
        6. Summary
      3. 13. Network Monitoring and Attack Detection
        1. Listening to the Ether
          1. Three Valuable Tools
        2. TCPDump: A Simple Overview
          1. Obtaining and Installing TCPDump
          2. TCPDump Options
          3. TCPDump Expressions
          4. Beyond the Basics with TCPDump
        3. Using TCPDump to Capture Specific Protocols
          1. Using TCPDump in the Real World
          2. Attacks through the Eyes of TCPDump
          3. Recording Traffic with TCPDump
        4. Automated Intrusion Monitoring with Snort
          1. Obtaining and Installing Snort
          2. Configuring Snort
          3. Testing Snort
          4. Receiving Alerts
          5. Final Thoughts on Snort
        5. Monitoring with ARPWatch
        6. Summary
      4. 14. Filesystem Integrity
        1. Filesystem Integrity Defined
          1. Practical Filesystem Integrity
        2. Installing AIDE
        3. Configuring AIDE
          1. Creating an AIDE Configuration File
          2. A Sample AIDE Configuration File
          3. Initializing the AIDE Database
          4. Scheduling AIDE to Run Automatically
        4. Monitoring AIDE for Bad Things
        5. Cleaning Up the AIDE Database
        6. Changing the Output of the AIDE Report
          1. Obtaining More Verbose Output
        7. Defining Macros in AIDE
        8. The Types of AIDE Checks
        9. Summary
    12. IV. Appendices
      1. A. Security Resources
        1. Security Information Sources
        2. Reference Papers and FAQs
      2. B. Firewall Examples and Support Scripts
        1. iptables Firewall for a Standalone System from Chapter 5
        2. nftables Firewall for a Standalone System from Chapter 5
        3. Optimized iptables Firewall from Chapter 6
        4. nftables Firewall from Chapter 6
      3. C. Glossary
      4. D. GNU Free Documentation License
        1. 0. Preamble
        2. 1. Applicability and Definitions
        3. 2. Verbatim Copying
        4. 3. Copying in Quantity
        5. 4. Modifications
        6. 5. Combining Documents
        7. 6. Collections of Documents
        8. 7. Aggregation with Independent Works
        9. 8. Translation
        10. 9. Termination
        11. 10. Future Revisions of this License
        12. 11. Relicensing
    13. Index
    14. Code Snippets