Setting the Table When Users Think About Their Workstations at Home, They Often Forget About Security

Shorewall COVER STORY

Configuring Netfilter/iptables with Shorewall Setting the Table When users think about their workstations at home, they often forget about security. But danger is out there, waiting to pounce on the unsuspecting. Shorewall helps everyday Linux users keep the intruders away.

BY JAMES MOHR

he only way to make your system including simply dropping it or even completely safe from attack is manipulating it. Tnever to connect to the Internet. Netfilter also supports the older Whenever you open the door to go out, ipchains, the packet filter facility in 2.2 you open the door for a potential hacker kernels. Netfilter needs to be explicitly to get it. set to “ipchains compatibility mode” for Some users have the mistaken belief it to work with ipchains. that intruders only attack high-profile You can download the latest version of sites and would not be interested in a Shorewall from the Shorewall Web site personal home workstation. The truth is [2] as either source or as an RPM pack- that every single computer on the Inter- age. Note that the RPM version has not net is in danger of attack – even been tested with every distribution, mines if a particular connection is computers with dial-up connections. In although it has been tested with major allowed, if and how the packet should be many cases, these attacks are blind, distributions like SuSE, Redhat, and manipulated or redirected, and so on. brute force attacks, where the attacker Mandrake. If you are uncertain, check This concept is basically the same in tries a long list of known security holes. the Shorewall site. all firewall software and can be To foil the attackers, you could simply In order for Shorewall to work, you employed on networks with dozens or disable all inbound ports, which essen- also need the iptables and iproute/ even hundreds of computers, although it tially makes your computer invisible to iproute2 packages. These packages are is likely that with that many computers the world. However, when you need to provided by default in most distribu- talking to each other, you would proba- (or even just want to) provided services tions, so it shouldn’t be a problem. The bly want to break down your network from your computer, you need a different reason you need iptables is that Shore- into multiple segments. Each segment form of protection. wall is not really the firewall itself. That also could be managed by its own Shore- Even the smallest businesses need the is, Shorewall is not responsible for wall firewall. protection a firewall provides. Most users checking, filtering, and managing pack- One thing to note is that you do not cannot afford the thousands of dollars ets. Shorewall simply takes its necessarily need to have a dedicated for a commercial firewall product. Fortu- configuration files and uses the iptables computer just for your firewall. Although nately, there are open source solutions command to load them into the kernel. this is common practice (and generally a that offer the necessary protection. One Because iptables assumes the task of good idea), home users probably don’t such solution is Shorewall. manipulating tables within the kernel, have the space to set up extra computers Shorewall is no longer needed once you for each specific function. If your work- Behind the Scenes run it. You can actually see what is being station is connecting directly to the Shorewall is the common name of the done by taking a look at the Shorewall Internet, you could add a firewall Shoreline Firewall. From a user’s per- program itself. No, you don’t need to dig directly to your workstation. spective, Shorewall is a set of through a lot of source. The shorewall My network consists of one computer easy-to-configure files that are used to program (typically, /sbin/shorewall) is a with a DSL card that connects to the configure Netfilter [1]. Netfilter is a fea- shell script. Internet, one Windows XP machine, and ture of the Linux 2.4.x and 2.6.x kernels So that iptables will know what to do, another Linux computer. Each has a dif- that allows kernel modules to access the you need to tell the kernel what the rules ferent purpose, and I allow different network protocol stack at various places. are. So-called rulesets are defined within connections to and from these machines. The kernel module then can do almost iptables and consist of one connection As simple as my network configura- anything with the network packet, and a number of “classifiers.” This deter- tion is, I only have to change a couple of

www.linux-magazine.com January 2005 33 COVER STORY Shorewall

face. Since I have three zones, you may Listing 1: Sample zones file be asking yourself why there is no entry 01 #ZONE DISPLAY COMMENT for the firewall zone. Well, quite simply, 02 net Net the Internet zone the firewall zone connects to the other 03 loc Local the local network zones through one of the interfaces 04 fw FW the firewall already specified. So, it might be better 05 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE to think of the interface file as defining which interface the firewall uses to talk to the other zones. the configuration files in order to use The zones are defined in the In the case of the ppp0 interface, the Shorewall. Because this is a common (as /etc/shorewall/zones file. Each entry has broadcast has a hyphen (-). Since a PPP well as simple) configuration, it is a good three values: zone name (used to refer- connection doesn’t have a broadcast, I place to start. ence this zone in the other files), display could have left this blank. However, name (which appears when shorewall is since I wanted to specify some additional Basic Configuration loading the rules), and a comment. List- options, I needed some kind of place The primary configuration file is ing 1 shows you a basic zones file. holder. Hence, the hyphen. If I had no /etc/shorewall/shorewall.conf. shore- options, I could have left this blank. wall.conf lets you configure everything Defining the Paths of However, I like to always include from startup behavior to shutdown Communication hyphens as a reminder that something is behavior. Although you can set a lot of Although we have defined the zones, the “missing.” different values in this file, I have not yet firewall still does not know how it com- The routefilter option I specified tells found a reason to change any of the set- municates with each zone. That is, there the kernel to reject any package on the tings on my system. is no association between the zone name given interface that has a source address You may already be familiar with the and the actual network. This is done that would have been routed outbound term “segment” to refer to specific por- through the /etc/shorewall/interfaces file, on a different interface. In this case, if tions of a network. Shorewall uses the which consists of four columns: zone, the ppp0 interface had a packet with an term “zone.” In my configuration, I have interface, broadcast, and options. inbound source address that was nor- four zones: fw (the firewall itself, my On my system, the interfaces file looks mally routed outbound from the eth0 workstation), net (the Internet) and loc like Listing 2. interface, it would be dropped. This is (the local network). The zone is simply the name of the referred to as anti-spoofing. Zone names must be short (5 charac- zone from your zones file. The interface The second option, norfc1918, tells the ters or fewer) and can contain letters or is the name of the network interface. For kernel not to route addresses specified as numbers. Note that you cannot use the example, for my DSL connection, which “private” in RFC 1918. RFC 1918 lists a special zone all. Also, you cannot refer uses the Point-to-Point Protocol (PPP), number of address ranges that can be to a zone other than your firewall by the the interface name is ppp0. The interface used by anyone and shouldn’t be routed. name defined by the FW variable in name for my ethernet card is eth0. To This option ensures that they aren’t. shorewall.conf. This name defaults to fw. find out which interfaces you have, use Details of RFC 1918 can be found at [3]. Even if you are not providing any ser- the command /sbin/ifconfig. The broad- Here I have a dilemma. I want my vices to computers outside of your local cast column is the broadcast address for other computers to be able to access the network, you still need the Internet the network attached to that interface. Internet, but they have RFC 1918 zone. Remember that iptable rules are As you might guess, the options column addresses. So how can they reach the defined by a specific connection, that is, specifies any options you want to use. Internet? Well, this is something we will by two end points. One end point is per- On my system, I have two entries that get to shortly. haps your workstation, and the other is look like this: You can configure Shorewall to behave the Internet. Thus, you need to define in specific ways based on the zones by the Internet as a specific zone. net ppp0 routefilter,norfc1918 setting the “policy” for that zone. Setting Note that these names are just a con- loc eth0 detect - the default policy for a zone is done (as vention. Although they are the default you might guess) through the policy file. values that Shorewall itself uses for these As you can see, the Internet zone is con- The fields in this file are: client (the zones, you could call them anything you nected to the ppp0 interface and the source zone), server (the destination want, provided the naming is consistent local zone is connected to the eth0 inter- zone), policy (what should be done by through all of the configuration files. By default, the permissions on the Listing 2: Sample interfaces file /etc/shorewall directory are 700, which 01 #ZONE INTERFACE BROADCAST OPTIONS means only the owner (root) has access. 02 net ppp0 - routefilter,norfc1918 Even read permission could be danger- 03 loc eth0 detect - ous, as someone might be able to see a 04 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE hole in the security and exploit it.

34 January 2005 www.linux-magazine.com Shorewall COVER STORY

default), and log level (how much infor- The last two lines of my policy file ignore it. I do not want the sender to mation to record). look like this: know what happened. This might give Listing 3 shows a sample policy file. the user a clue as to how to circumvent Take a look at the last two lines. The first net all DROP info the security. On the on the hand, packets one says that any traffic that has not yet all all REJECT info coming from anywhere else (my work- matched and is coming from the Internet station or the local machine) are rejected is to simply be dropped (ignored). The first line says any traffic that has not so the client application has some idea of You have four choices for the connec- yet matched and is coming from the what happened. tion policy: Internet is to simply be dropped Note that we are configuring the ACCEPT – Accept the connection (ignored). However, the remaining traffic default behavior in the zone file. What request. DROP – Ignore the connection is rejected. This may seem a little odd at this means is that if you do not define request. REJECT – Return an appropriate first, but it makes sense when you con- any other specific connections, the error to the requesting computer. CON- sider the difference between reject and behavior in the policy file will apply. TINUE – Allows you to have hosts in drop. When a packet comes from the In my policy file, I have only this one multiple zones and apply policies from Internet intended for a specific address entry for the net zone. This theoretically both zones. or port that is not allowed, I want to would mean that all packets coming The log level determines how much information is sent to the system logger Listing 3: Sample policy file (syslog). Keep in mind that all of this is 01 #SOURCE DEST POLICY LOG LEVEL done by iptables, which exists in the ker- 02 fw net ACCEPT info nel. That means all of the logging 03 fw loc ACCEPT info information is sent from the kernel log- 04 loc net REJECT info ging facility. All you are doing here is 05 loc fw ACCEPT info specifying the priority of messages that 06 net all DROP info are logged. (For more details on system 07 all all REJECT info logging, check out the syslogd man- 08 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE page.) COVER STORY Shorewall

from the Internet are dropped. However, Therefore, the meaning of the whole line of the “private” networks listed in RFC I have a web server on my machine with is reversed. That is, all requests except 1918. Even if I wanted to route this a lot of reference information I want to those destined for addresses in the through my DSL card, you can bet be able to access from work. Since this 10.2.38.0 network are redirected to money that my ISP is not going to route connection goes across the Internet, the Squid. This makes sense because it. So what could I do? entry in the policy file would mean that I 10.2.38.0 is my local network, and any The solution is something called “IP could not access my web server. Web servers on the local network can or masquerading.” As its name implies, one The answer to this is the rules file. should be accessible without having to IP address is “masquerading” for the The rules file is the heart of the Shore- go through a proxy. others. In my case, the IP address on wall configuration. Here you define a The LOG action will first log the the DSL card (which has a valid Inter- specific connection both in terms of packet and then continue on with the net address) is masquerading for the zones, network services (ports), network next applicable rule. The QUEUE action IP addresses in the local network. So, segments, individual machines, and is used to forward packets to user-space I needed to create an entry in the basically any combination you can think applications, which manipulate them /etc/shorewall/masq file that looked like of. When an incoming request arrives, and return them to the IP stack. this: the system first checks the request A rule of thumb when configuring against connections defined in the rules your rules file is to turn everything off> ppp0 10.2.38.0/24 file. If none are found, it uses the default at first, and then turn things back on as values in the policy file. The columns in you need them. Many people do things This entry says that all traffic outbound the rules file are: action to be taken, the in reverse, by starting with a network on the ppp0 interface coming from the source of the request, the destination, that is wide open and turning off class C network 10.2.38.0 is to be mas- the protocol used, the destination port, unneeded services. If you forget some- querade. the source port, and the original destina- thing in the first case, it simply means At this point, the basic configuration tion. you don’t have the access you expect for the masquerading was done. How- In addition to the actions in the zone (which is a little inconvenient). In the ever, next came the hardest part. It was file, you have a couple of additional second case, forgetting something could not very easy to get information about actions in the rules file. DNAT allows you mean you open yourself up to an attack. running this game across a firewall. In to do Destination Network Address fact, I found references that actually said Translation. With this, requests can be Digging Deeper if you want to play, you need to disable forwarded to different computers and The /etc/shorewall/hosts file allows you all firewalls while you play! even different ports on those computers. to define specific hosts. Usually, there is Well, I eventually got it to work. To do The REDIRECT action will redirect no reason to add anything into the hosts so, I needed to set the logging level in requests to specific ports on the same file for smaller networks. The smaller the the policy file to debug and watch the log machine. This is commonly used to redi- network, the more likely that all file for all attempts to connect from my rect HTTP requests to a local proxy (i.e., machines in a zone are configured the son’s machine to any machine, then squid). same way (or more accurately phrased, check DNS to see if that was a machine For smaller networks that do not want that all of the machines on a given inter- from the game developers. I then added to provide full Internet access, I have face have the same configuration). the specific port to my rules file. found that the REDIRECT action is This may not be the case, and you If I wanted too, I could have added extremely useful (perhaps only allowing need different access rules for different rules for the WWW service (port 80) as HTTP access). I have any entry that machines on the same network. A cou- well. However, since this was the only looks like this: ple of months ago, my son began to play thing my son needed other than Web an Internet roll playing game. This access, I still continue to use the REDI- REDIRECT loc 3128 tcp www - U meant he needed more than just HTTP RECT entry for web access. !10.2.38.0/24 access to the Internet, so I could no longer simply use the redirection to the Troubleshooting and Logging In a nutshell, this entry says that all Squid proxy, as described above. It is possible (if not likely), that you may incoming connections using the TCP pro- To provide this access, I defined a spe- have problems the first time you config- tocol and requesting www services (i.e., cific set of computers as a new zone. So, ure Shorewall. So, being able to track HTTP) are redirected to port 3128. This I first created a new entry in my zone file down the causes of a problem will be is the port on which the Squid proxy for this zone, which I called “game.” useful. server is listening. Next, I created an entry in the hosts file One useful debugging technique is set- Looking at the original destination, we that contained just my son’s computer: ting the logging level in the policy file. specify an entire class C network using Setting it to debug gives you a lot more CIDR notation: 10.2.38.0/24. Plus, this game eth0:10.2.38.13 information. Going into detail about the entry is preceded by an exclamation log entries is beyond the scope of this mark. As in other contexts, the exclama- But that’s not all. Remember that my article, but they are fairly easy to figure tion mark is used to negate the entry. local network is 10.2.38.0/24. This is one out, even without knowing all of the

36 January 2005 www.linux-magazine.com Shorewall COVER STORY

individual entries. For example, take a all other interfaces. There was a packet to send messages to another file, I find it look at this entry: trying to reach the destination port bothersome to have my firewall logs get (DPT) 1080, the socks port. I don’t have mixed up with other kernel messages. Nov 1 11:19:32 saturn kernel: U anything running on that port, and I cer- To solve this, you can use the ULOG Shorewall:net2all:DROP:IN=ppp0 U tainly did not communicate to anyone support in the kernel. Note that ULOG OUT= MAC= that they should try to use that port. support must be available in your kernel, SRC=1.2.3.4 DST=10.2.38.11 U Since there is not a “standard” service but this is the default in most newer dis- LEN=48 TOS=0x00 PREC=0x00 U associated with this port, there is no rea- tributions. However, the ulogd package is TTL=116 ID=47048 DF son for someone to try to access it from not always available, so you may have to PROTO=TCP SPT=1 292 DPT=1080 U the Internet, so it seems pretty obvious download it yourself from [4]. WINDOW=64240 RES=0x00 SYN URGP=0 to me that someone was trying to see if Once ulogd is configured for your sys- they could exploit a Windows bug. tem, you no longer use the syslogd This is a standard entry from /var/ If the remote computer (or even logging levels in the policy. Instead, you log/messages, so at the beginning you another computer on the same network) use the ULOG. ■ have the date, the computer name, and continued to try to access various ports the syslog facility (kernel, in this case). on my machine, I might want to “black- INFO Following that is the actual message. You list” them. I would do this by adding the [1] Netfilter Website: can easily tell that this packet was host or network address (in CIDR for- http://www.netfilter.org inbound on the ppp0 (my DSL card) and mat) into the /etc/shorewall/ blacklist [2] Shorewall Website: the packet was dropped. You can also file. This means that, regardless of any http://www.shorewall.net see that it was using the connection other entries that might allow them [3] Address Allocation for Private Internets net2all, meaning from the Internet to all access, the computer or network is RFC 1918: other zones. specifically denied access. http://rfc.net/rfc1918.html If you look back to the discussion on By default, Shorewall uses the system [4] Ulog: the policy file, you see that we had an logging facility, which typically defaults http://www.ulog.ch/english/index.html entry that said the default behavior was to sending message to /var/log/ [5] Squid Proxy: http://www.squid-cache.org/ to drop all packets from the Internet to messages. Even when I configure syslogd