You are previewing Troubleshooting Linux® Firewalls.
O'Reilly logo
Troubleshooting Linux® Firewalls

Book Description

Covers Red Hat and SUSE

When something goes wrong with your Linux firewall, you need to fix it—right now. You don't have time for endless newsgroup searches, confusing man pages, emails to the developers... it's an emergency! One book brings together all the step-by-step solutions and proven problem-solving techniques you'll need when the time comes: Troubleshooting Linux® Firewalls.

Authors Michael Shinn and Scott Shinn are among the world's leading firewall experts; they've even been hired to protect computer security at the White House. In this book, they cover every area where Linux firewalls can go wrong: rules and filtering problems, Layer 2/3/4 issues, trouble with individual services, DNS/DHCP failures, even misconfigured VPNs. They also present an easy, start-to-finish troubleshooting methodology that'll help you identify even the newest or most obscure firewall problem fast—and solve it!

Inside, you will find in-depth information on the following areas:

  • What you must know about iptables and netfilter to troubleshoot and avoid problems

  • Using loggers, sniffers, and other tools to diagnose even the most obscure firewall problems

  • Making sure your firewall rules work the way they're supposed to

  • Resolving problems with Network Address Translation and IP Forwarding

  • Troubleshooting SMTP, Apache, Squid, NFS, FTP, instant messaging, and other Web-based services

  • Finding and fixing common problems with IPsec VPN configuration

  • Making your firewalls more failure-resistant: recommendations from the experts

If you depend on a Linux firewall, what will you do if it goes down? With Troubleshooting Linux® Firewalls, you can be confident that the solutions are right at hand—so you can sleep at night!

© Copyright Pearson Education. All rights reserved.

Table of Contents

  1. Copyright
  2. I. Getting Started
    1. 1. Introduction
      1. Why We Wrote This Book
      2. How This Book Is Organized
      3. Goals of This Book
      4. The Methodical Approach and the Need for a Methodology
      5. Firewalls, Security, and Risk Management
      6. How to Think About Risk Management
      7. Computer Security Principles
      8. Firewall Recommendations and Definitions
      9. Why Do I Need a Firewall?
      10. Do I Need More Than a Firewall?
      11. What Kinds of Firewalls Are There?
        1. Firewall Types
      12. The Myth of “Trustworthy” or “Secure” Software
      13. Know Your Vulnerabilities
      14. Creating Security Policies
      15. Training
      16. Defense in Depth
      17. Summary
    2. 2. Getting Started
      1. Risk Management
      2. Basic Elements of Risk Management
      3. Seven Steps to Managing Risk
      4. Phase I: Analyze
        1. Inventory
        2. Quantify the Value of the Asset
        3. Threat Analysis
          1. Down Stream Liability
      5. Phase II: Document
        1. Create Your Plan
          1. Defense in Depth
          2. Holistic
        2. Create a Security Policy
        3. Create Security Procedures
      6. Phase III: Secure the Enterprise
        1. Implement Policies
        2. Implement Procedures
        3. Deploy Security Technology and Counter Measures
        4. Securing the Firewall Itself
        5. Isolating Assets
        6. Filtering
        7. Ingress/Egress Filtering
      7. Phase IV: Implement Monitoring
      8. Phase V: Test
      9. Phase VI: Integrate
      10. Phase VII: Improve
      11. Summary
    3. 3. Local Firewall Security
      1. The Importance of Keeping Your Software Up to Date
        1. Yum
        2. Red Carpet
        3. Up2Date
        4. Emerge
        5. Apt-Get
      2. Over Reliance on Patching
      3. Turning Off Services
        1. Using TCP Wrappers and Firewall Rules
        2. Running Services with Least Privilege
        3. Restricting the File System
      4. Security Tools to Install
        1. Log Monitoring Tools
        2. Network Intrusion Detection
        3. Host Intrusion Detection
          1. Tiger
            1. rkhunter
            2. chkrootkit
          2. Titan
            1. samhain
            2. tripwire
          3. Aide
        4. Remote Logging
        5. Correctly Configure the Software You Are Using
        6. Use a Hardened Kernel
        7. Other Hardening Steps
      5. Summary
    4. 4. Troubleshooting Methodology
      1. Problem Solving Methodology
      2. Recognize, Define, and Isolate the Problem
      3. Gather Facts
      4. Define What the “End State” Should Be
      5. Develop Possible Solutions and Create an Action Plan
      6. Analyze and Compare Possible Solutions
      7. Select and Implement the Solution
      8. Critically Analyze the Solution for Effectiveness
      9. Repeat the Process Until You Resolve the Problem
        1. Finding the Answers or...Why Search Engines Are Your Friend
        2. Websites
      10. Summary
  3. II. Tools and Internals
    1. 5. The OSI Model: Start from the Beginning
      1. Internet Protocols at a Glance
        1. Understanding the Internet Protocol (IP)
          1. What an IP Packet Looks Like
        2. Understanding ICMP
          1. What an ICMP Message Looks Like
        3. Understanding TCP
          1. Reliability
          2. Full Duplex and Multiplexing
          3. Flow Control
          4. Congestion Control
          5. How TCP Connections Are Established
          6. How TCP Connections Are Closed
          7. TCP CLOSE
          8. TCP ABORT
        4. Understanding UDP
        5. Troubleshooting with this Perspective in Mind
          1. Layer 1: Test To Make Sure You Have Physical Connectivity
          2. Layer 2: Test Your Driver
          3. Layer 3: Test IP Layer
          4. Layer 4: Test the TCP Layer
          5. Layer 5: Test the Session Layer
          6. Layer 6: Test the Presentation Layer
          7. Layer 7: Test the Application Layer
      2. Summary
    2. 6. netfilter and iptables Overview
      1. How netfilter Works
        1. How netfilter Parses Rules
          1. Packet Sent to Service Running on Firewall from Remote Host (INPUT) Steps:
          2. Packet Sent by Firewall from a Local Process to a Remote System (OUTPUT)
          3. Packet Our Firewall Is Forwarding for Some Other Host to Some Host (FORWARD)
          4. Putting It All Together
        2. Netfilter States
        3. What about Fragmentation?
        4. Taking a Closer Look at the State Engine
          1. Breaking Down Some Examples
      2. Summary
    3. 7. Using iptables
      1. Proper iptables Syntax
        1. Examples of How the Connection Tracking Engine Works
          1. UDP
          2. TCP
        2. Applying What Has Been Covered So Far by Implementing Good Rules
      2. Setting Up an Example Firewall
        1. Kernel Options
        2. iptables Modules
        3. Firewall Rules
        4. Quality of Service Rules
        5. Port Scan Rules
        6. Bad Flag Rules
        7. Bad IP Options Rules
        8. Small Packets and Rules to Deal with Them
        9. Rules to Detect Data in Packets Using the String Module
        10. Invalid Packets and Rules to Drop Them
        11. A Quick Word on Fragments
        12. SYN Floods
        13. Polite Rules
        14. Odd Port Detection and Rules to Deny Connections to Them
        15. Silently Drop Packets You Don’t Care About
        16. Enforcement Rules
        17. IP Spoofing Rules
        18. Egress Filtering
        19. Send TCP Reset for AUTH Connections
        20. Playing Around with TTL Values
        21. State Tracking Rules
        22. STEALTH Rules
        23. Shunning Bad Guys
      3. ACCEPT Rules
      4. Summary
    4. 8. A Tour of Our Collective Toolbox
      1. Old Faithful
      2. Sniffers
        1. Analyzing Traffic Utilization
        2. Network Traffic Analyzers
        3. Useful Control Tools
        4. Network Probes
        5. Probing Tools
      3. Firewall Management and Rule Building
      4. Summary
    5. 9. Diagnostics
      1. Diagnostic Logging
        1. Scripts To Do This for You
        2. The catch all Logging Rule
        3. The iptables Trace Patch
      2. Checking the Network
      3. Using a Sniffer to Diagnose Firewall Problems
      4. Memory Load Diagnostics
      5. Summary
  4. III. Diagnostics
    1. 10. Testing Your Firewall Rules (for Security!)
      1. Inside->Out Testing with nmap and iplog
      2. Interpreting the Output from an Inside->Out Scan
      3. Testing from the Outside->In
      4. Reading Output from nmap
      5. Testing your Firewall with fragrouter
      6. VLANs
      7. Summary
    2. 11. Layer 2/Inline Filtering
      1. Common Questions
      2. Tools Discussed in this Chapter
      3. Building an Inline Transparent Bridging Firewall with ebtables (Stealth Firewalls)
        1. Filtering on MAC Address Bound to a Specific IP Address with ebtables
        2. Filtering Out Specific Ports with ebtables
      4. Building an Inline Transparent Bridging Firewall with iptables (Stealth Firewalls)
      5. MAC Address Filtering with iptables
      6. DHCP Filtering with ebtables
      7. Summary
    3. 12. NAT (Network Address Translation) and IP Forwarding
      1. Common Questions about Linux NAT
      2. Tools/Methods Discussed in this Chapter
        1. Diagnostic Logging
        2. Viewing NAT Connections with netstat-nat
        3. Listing Current NAT Entries with iptables
        4. Listing Current NAT and Rule Packet Counters
          1. Forward: A Basic Masquerading Firewall
          2. Forward: A Basic SNAT Firewall
          3. Forward: A Basic DMZ
          4. Troubleshooting: Internal Systems Cannot Communicate with External Systems—Packets Do Not Pass in or Out of the Firewall
        5. Corrective Actions
          1. Troubleshooting: Internal Systems Can Communicate with External Systems—DMZ Systems Cannot Be Reached from the Outside
          2. Corrective Actions
          3. Internal Systems Can Communicate to External Systems Except to a Small Percentage of Systems
          4. Internal Systems Can Communicate with External Systems, but only with Small Packets—Large File Transfers Fail
      3. Summary
    4. 13. General IP (Layer 3/Layer 4)
      1. Common Question
      2. Inbound: Creating a Rule for a New TCP Service
      3. Inbound: Allowing SSH to a Local System
      4. Forward: SSH to Another System
      5. SSH: Connections Timeout
      6. Telnet: Forwarding Telnet Connections to Other Systems
      7. MySQL: Allowing MySQL Connections
      8. Summary
    5. 14. SMTP (e-mail)
      1. Common Questions
      2. Tools Discussed in this Chapter
      3. Allowing SMTP to/from Your Firewalls
      4. Forwarding SMTP to an Internal Mail Server
      5. Forcing Your Mail Server Traffic to Use a Specific IP Address with an SNAT Rule
      6. Blocking Internal Users from Sending Mail Through Your Firewall
      7. Accept Only SMTP Connections from Specific Hosts (ISP)
      8. SMTP Server Timeouts/Failures/Numerous Processes
      9. Small e-Mail Send/Receive Correctly—Large e-Mail Messages Do Not
      10. Summary
    6. 15. Web Services (Web Servers and Web Proxies)
      1. Common Questions
      2. Tools Discussed in this Chapter
        1. Inbound: Running a Local Web Server (Basic Rules)
        2. Inbound: Filter: Incoming Web to Specific Hosts
        3. Forward: Redirect Local Port 80 to Local Port 8080
        4. Forwarding Connections from the Firewall to an Internal Web Server
        5. Forward: To Multiple Internal Servers
        6. Forward: To a Remote Server on the Internet
        7. Forward: Filtering Access to a Forwarded Server
        8. Outbound: Some Websites are Inaccessible (ECN)
        9. Outbound: Block Clients from Accessing Websites
        10. Transparent Proxy Servers (squid) on Outbound Web Traffic
      3. Summary
    7. 16. File Services (NFS and FTP)
      1. Tools Discussed in this Chapter
        1. NFS: Cannot Get NFS Traffic to Traverse a NAT or IP Forwarding Firewall
        2. FTP Inbound: Running a Local FTP Server (Basic Rules)
        3. FTP Inbound: Restricting Access with Firewall Rules
        4. FTP Inbound: Redirecting FTP Connections to Another Port on the Server
        5. FTP Forward: Forwarding to an FTP Server Behind the Firewall on a DMZ Segment
        6. FTP Forward: Forwarding to Multiple FTP Servers Behind the Firewall on a DMZ Segment
        7. FTP Forward: From One Internet Server to Another Internet Server
        8. FTP Forward: Restricting FTP Access to a Forwarded Server
        9. FTP Outbound: Connections are Established, but Directories Cannot Be Listed, and Files Cannot Be Downloaded
      2. Summary
    8. 17. Instant Messaging
      1. Common Questions/Problems
      2. Tools Discussed in This Chapter
      3. NetMeeting and GnomeMeeting
        1. Connecting to a Remote NetMeeting/GnomeMeeting Client from Behind an iptables Firewall (Outbound Calls Only)
        2. Connecting to a NetMeeting/GnomeMeeting Client Behind a netfilter/iptables Firewall (Inbound/Outbound Calls)
        3. Directly from the GnomeMeeting Website’s Documentation
        4. Blocking Outbound NetMeeting/GnomeMeeting Traffic
      4. MSN Messenger
        1. Connecting to Other MSN Users
        2. Blocking MSN Messenger Traffic at the Firewall
      5. Yahoo Messenger
        1. Connecting to Yahoo Messenger
        2. Blocking Yahoo Messenger Traffic
      6. AOL Instant Messenger (AIM)
        1. Connecting to AIM
        2. Blocking AOL Instant Messenger Traffic
      7. ICQ
        1. Connecting to ICQ
        2. Blocking ICQ
      8. Summary
        1. Recalling Our Methodology
    9. 18. DNS/DHCP
      1. Common Questions
      2. Tools Discussed in this Chapter
        1. Forwarding DNS Queries to an Upstream/Remote DNS Server
        2. DNS Lookups Fail: Internal Hosts Communicating to an External Nameserver
        3. DNS Lookups Fail: Short DNS Name Lookups Work—Long Name Lookups Do Not
        4. DNS Lookups Fail: Nameserver Running on the Firewall
        5. DNS Lookups Fail: Nameserver Running on the Internal and/or DMZ Network
        6. Misleading rDNS Issue: New Mail, or FTP Connections to Remote Systems Take 30 Seconds or More to Start
        7. DHCP: Dynamically Updating Firewall Rules with the IP Changes
        8. Blocking Outbound DHCP
        9. DHCP: Two Addresses on One External Interface
        10. DHCP: Redirect DHCP Requests to DMZ
      3. Summary
    10. 19. Virtual Private Networks
      1. Things to Consider with IPSEC
      2. Common Questions/Problems
      3. Tools Discussed in this Chapter
        1. IPSEC: Internal Systems—Behind a NAT/MASQ Firewall Cannot Connect to an External IPSEC Server
        2. IPSEC: Firewall Cannot Establish IPSEC VPNs
        3. IPSEC: Firewall Can Establish Connections to a Remote VPN Server, but Traffic Does not Route Correctly Inside the VPN
        4. PPTP: Cannot Establish PPTP Connections Through the Firewall
      4. Running a PPTP Server Behind a NAT Firewall
        1. PPTP: Firewall Cannot Establish PPTP VPNs
        2. PPTP: Firewall Can Establish Connections to a Remote VPN Server, but Traffic Does not Route Correctly Inside the VPN
        3. Using a free/openswan VPN to Secure a Wireless Network
      5. Summary