Linux Basics

Activating the iptables Service

The firewall rules are only active while the iptables service is running. To start (or restart) the service manually, use the command:

 /sbin/service iptables restart

To ensure that it is started when the system is booted, issue the command:

 /sbin/chkconfig --level 345 iptables on

The ipchains service cannot be run together with the iptables service. To make sure the ipchains service is disabled, execute the command:

 /sbin/chkconfig --level 345 ipchains off
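The two chkconfig commands above change the boot configuration but print nothing, so a practitioner normally confirms the result with `chkconfig --list`. The following POSIX shell check is an added example, not part of the Red Hat guide: it parses `chkconfig --list` output and verifies that iptables is on and ipchains is off in runlevels 3, 4 and 5. The listing embedded in it is constructed for the example; pass the real output of `/sbin/chkconfig --list` instead to check a live system.

```shell
#!/bin/sh
# Checks "chkconfig --list" output for the boot configuration the text asks for:
# iptables enabled and ipchains disabled in the multi-user runlevels 3, 4 and 5.
# Added example; SAMPLE_LISTING is constructed, not captured from a real host.

SAMPLE_LISTING='iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
ipchains        0:off   1:off   2:off   3:off   4:off   5:off   6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# runlevel_state LISTING SERVICE LEVEL -> prints "on", "off" or "missing"
runlevel_state() {
    printf '%s\n' "$1" | awk -v svc="$2" -v lvl="$3" '
        $1 == svc {
            for (i = 2; i <= NF; i++) {
                split($i, kv, ":")              # fields look like "3:on"
                if (kv[1] == lvl) { print kv[2]; found = 1; exit }
            }
        }
        END { if (!found) print "missing" }'
}

# firewall_boot_ok LISTING -> returns 0 when iptables is on and ipchains is off
# in runlevels 3, 4 and 5; otherwise reports each deviation on stderr and returns 1.
firewall_boot_ok() {
    listing=$1; rc=0
    for lvl in 3 4 5; do
        if [ "$(runlevel_state "$listing" iptables "$lvl")" != on ]; then
            echo "iptables is not enabled in runlevel $lvl" >&2; rc=1
        fi
        if [ "$(runlevel_state "$listing" ipchains "$lvl")" = on ]; then
            echo "ipchains is still enabled in runlevel $lvl" >&2; rc=1
        fi
    done
    return $rc
}

# Live use on a Red Hat system (requires chkconfig):
#   firewall_boot_ok "$(/sbin/chkconfig --list)" && echo "boot configuration OK"
firewall_boot_ok "$SAMPLE_LISTING" && echo "sample listing OK"
```

A service that is absent from the listing (for example ipchains on a system where it was never installed) is reported as `missing`, which counts as "not on" and therefore passes the ipchains check.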

The Services Configuration Tool can be used to configure the iptables and ipchains services. See Section 14.3 Services Configuration Tool for details.

 

GNOME Lokkit

GNOME Lokkit allows the average user to configure firewall settings by constructing basic iptables networking rules. Instead of having to write the rules, this program asks you a series of questions about how you use your system and then writes the rules for you to the file /etc/sysconfig/iptables.

You should not try to use GNOME Lokkit to generate complex firewall rules. It is intended for average users who want to protect themselves while using a modem, cable, or DSL Internet connection. To configure specific firewall rules, refer to the Firewalling with iptables chapter in the Red Hat Linux Reference Guide.

To start the graphical version of GNOME Lokkit, select Main Menu Button => System Tools => More System Tools => Lokkit, or type the command gnome-lokkit at a shell prompt as root. If you do not have the X Window System installed or if you prefer a text-based program, type the command lokkit at a shell prompt to start the text-mode version.

 

Basic

After starting the program, choose the appropriate security level for your system.

 

Local Hosts

If there are Ethernet devices on the system, the Local Hosts page allows you to configure whether the firewall rules apply to connection requests sent to each device. If the device connects the system to a local area network behind a firewall and does not connect directly to the Internet, select Yes. If the Ethernet card connects the system to a cable or DSL modem, it is recommended that you select No.


DHCP

If you are using DHCP to activate any Ethernet interfaces on the system, answer Yes to the DHCP question. If you answer No, the firewall blocks the DHCP traffic and you will not be able to establish a connection using that Ethernet interface. Many cable and DSL Internet providers require you to use DHCP to establish an Internet connection.


Configuring Services

GNOME Lokkit also allows you to turn common services on and off. If you answer Yes to configuring services, you are prompted for each of the common services it supports.

To disable other services that you do not need, use Services Configuration Tool (see Section 14.3 Services Configuration Tool) or ntsysv (see Section 14.4 ntsysv), or chkconfig (see Section 14.5 chkconfig).

 

Activating the Firewall

Clicking Finish will write the firewall rules to /etc/sysconfig/iptables and start the firewall by starting the iptables service.

If you already have a firewall configured or any firewall rules in the /etc/sysconfig/iptables file, that file is deleted if you select Disable firewall and click Finish to save the changes.

It is highly recommended that you run GNOME Lokkit at the machine itself, not from a remote X session. If the rules you write disable remote access to the system, you will no longer be able to reach it to change or disable the firewall rules.

Click Cancel if you do not want to write the firewall rules.

 

Mail Relay

A mail relay is a system that allows other systems to send email through it. If your system is a mail relay, someone can possibly use it to spam others from your machine.

If you chose to enable mail services, after you click Finish on the Activate the Firewall page, you will be prompted to check for mail relay. If you choose Yes to check for mail relay, GNOME Lokkit will attempt to connect to the Mail Abuse Prevention System website at http://www.mail-abuse.org/ and run a mail relay test program. The results of the test will be displayed when it is finished. If your system is open to mail relay, it is highly recommended that you configure Sendmail to prevent it.

 

Basic Firewall Configuration

Just as a firewall in a building attempts to prevent a fire from spreading, a computer firewall attempts to prevent computer viruses from spreading to your computer and to prevent unauthorized users from accessing your computer. A firewall exists between your computer and the network. It determines which services on your computer remote users on the network can access. A properly configured firewall can greatly increase the security of your system. It is recommended that you configure a firewall for any Red Hat Linux system with an Internet connection.

 

Security Level Configuration Tool

During the Firewall Configuration screen of the Red Hat Linux installation, you were given the option to choose a high, medium, or no security level as well as allow specific devices, incoming services, and ports.

After installation, you can change the security level of your system by using the Security Level Configuration Tool. If you prefer a wizard-based application, refer to Section 13.2 GNOME Lokkit.

To start the application, select Main Menu Button (on the Panel) => System Settings => Security Level or type the command redhat-config-securitylevel from a shell prompt (for example, in an XTerm or a GNOME terminal).

Select the desired security level from the pulldown menu.

High

If you choose High, your system does not accept incoming connections other than a small default set and those you explicitly allow.

If you choose High, your firewall will not allow the following:

  • Active mode FTP (passive mode FTP, used by default in most clients, should still work)

  • IRC DCC file transfers

  • RealAudio

  • Remote X Window System clients

If you are connecting your system to the Internet, but do not plan to run a server, this is the safest choice. If additional services are needed, you can choose Customize to allow specific services through the firewall.

If you select a medium or high firewall, network authentication methods (NIS and LDAP) will not work.

Medium

If you choose Medium, your firewall will not allow remote machines to access certain resources on your system. By default, access to the following resources is not allowed:

  • Ports lower than 1023 — the standard reserved ports, used by most system services, such as FTP, SSH, telnet, HTTP, and NIS.

  • The NFS server port (2049) — NFS is disabled for both remote servers and local clients.

  • The local X Window System display for remote X clients.

  • The X Font server port (by default, xfs does not listen on the network; it is disabled in the font server).

If you want to allow resources such as RealAudio while still blocking access to normal system services, choose Medium. Select Customize to allow specific services through the firewall.

If you select a medium or high firewall, network authentication methods (NIS and LDAP) will not work.

No Firewall

No firewall provides complete access to your system and does no security checking. Security checking is the disabling of access to certain services. This should only be selected if you are running on a trusted network (not the Internet) or plan to do more firewall configuration later.

Choose Customize to add trusted devices or to allow additional incoming services.

Trusted Devices

Selecting any of the Trusted Devices allows access to your system for all traffic from that device; it is excluded from the firewall rules. For example, if you are running a local network but are connected to the Internet via a PPP dialup, you can check eth0 and any traffic coming from your local network will be allowed. Selecting eth0 as trusted means all traffic over the Ethernet is allowed, but the ppp0 interface is still firewalled. If you want to restrict traffic on an interface, leave it unchecked.

It is not recommended that you make any device that is connected to public networks, such as the Internet, a Trusted Device.

Allow Incoming

Enabling these options allows the specified services to pass through the firewall. Note that during a workstation installation, the majority of these services are not installed on the system.

DHCP

If you allow incoming DHCP queries and replies, any network interface that uses DHCP can obtain its IP address through the firewall. DHCP is normally enabled. If it is not, an interface configured for DHCP can no longer get an IP address.

SSH

Secure Shell (SSH) is a suite of tools for logging into and executing commands on a remote machine. If you plan to use SSH tools to access your machine through a firewall, enable this option. You must have the openssh-server package installed in order to access your machine remotely using SSH tools.

Telnet

Telnet is a protocol for logging into remote machines. Telnet communications are unencrypted and provide no security from network snooping. Allowing incoming Telnet access is not recommended. If you do want to allow inbound Telnet access, you must have the telnet-server package installed.

WWW (HTTP)

The HTTP protocol is used by Apache (and by other Web servers) to serve webpages. If you plan on making your Web server publicly available, enable this option. This option is not required for viewing pages locally or for developing webpages. You must have the apache package installed if you want to serve webpages.

Enabling WWW (HTTP) will not open a port for HTTPS. To enable HTTPS, specify it in the Other ports field.

Mail (SMTP)

If you want to allow incoming mail delivery through your firewall, so that remote hosts can connect directly to your machine to deliver mail, enable this option. You do not need to enable this if you collect your mail from your ISP's server using POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.

FTP

The FTP protocol is used to transfer files between machines on a network. If you plan on making your FTP server publicly available, enable this option. The vsftpd package must be installed for this option to be useful.

Click OK to activate the firewall. After clicking OK, the options selected are translated to iptables commands and written to the /etc/sysconfig/iptables file. The iptables service is also started so that the firewall is activated immediately after saving the selected options.

If you have a firewall configured or any firewall rules in the /etc/sysconfig/iptables file, the file will be deleted if you select No Firewall and click OK to save the changes.

The options selected are also written to the /etc/sysconfig/redhat-config-securitylevel file so that the setting can be restored the next time the application is started. Do not edit this file by hand.
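To make the translation from dialog choices to /etc/sysconfig/iptables concrete, the following POSIX shell function is an added example and not the tool's own code: it builds a rule set in iptables-save format from the same inputs the Security Level Configuration Tool offers (a High, Medium or No Firewall level, Trusted Devices, the Allow Incoming services, and an Other ports field), and so also illustrates the High and Medium levels described above. The chain name RH-Example-INPUT, the exact rule wording and the port choices (X displays on 6000-6009, xfs on 7100) are assumptions made for this example; the real tool uses its own chain name and may emit different rules.

```shell
#!/bin/sh
# gen_rules LEVEL TRUSTED_DEVS SERVICES OTHER_PORTS
#   LEVEL         high | medium | none
#   TRUSTED_DEVS  interfaces exempt from filtering, e.g. "eth0" ("" for none)
#   SERVICES      subset of: dhcp ssh telnet http smtp ftp ("" for none)
#   OTHER_PORTS   extra proto:port entries, e.g. "tcp:443 udp:123" ("" for none)
# Prints a rule set in iptables-save format, suitable for iptables-restore or
# for /etc/sysconfig/iptables. Added example; the chain name is assumed and
# the Red Hat tools use their own chain names and rule wording.

CHAIN=RH-Example-INPUT

# rule ARGS... : emit one line of the rule file
rule() { printf '%s\n' "$*"; }

gen_rules() {
    level=$1; trusted=$2; services=$3; other=$4

    rule '*filter'
    rule ':INPUT ACCEPT [0:0]'
    rule ':FORWARD ACCEPT [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    if [ "$level" = none ]; then
        rule COMMIT          # No Firewall: default policies only, nothing is filtered
        return 0
    fi
    rule ":$CHAIN - [0:0]"
    rule -A INPUT -j "$CHAIN"
    rule -A FORWARD -j "$CHAIN"

    # Loopback and Trusted Devices bypass every later check on that interface.
    rule -A "$CHAIN" -i lo -j ACCEPT
    for dev in $trusted; do
        rule -A "$CHAIN" -i "$dev" -j ACCEPT
    done
    # Replies to connections this host started are always accepted.
    rule -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow Incoming: one ACCEPT per selected service (http does not imply https).
    for svc in $services; do
        case $svc in
            dhcp)   rule -A "$CHAIN" -p udp --sport 67:68 --dport 67:68 -j ACCEPT ;;
            ssh)    rule -A "$CHAIN" -p tcp --dport 22 -m state --state NEW -j ACCEPT ;;
            telnet) rule -A "$CHAIN" -p tcp --dport 23 -m state --state NEW -j ACCEPT ;;
            http)   rule -A "$CHAIN" -p tcp --dport 80 -m state --state NEW -j ACCEPT ;;
            smtp)   rule -A "$CHAIN" -p tcp --dport 25 -m state --state NEW -j ACCEPT ;;
            ftp)    rule -A "$CHAIN" -p tcp --dport 21 -m state --state NEW -j ACCEPT ;;
            *) echo "gen_rules: unknown service '$svc'" >&2; return 1 ;;
        esac
    done
    # Other ports, given as proto:port (for example tcp:443 to open HTTPS).
    for entry in $other; do
        proto=${entry%%:*}; port=${entry#*:}
        rule -A "$CHAIN" -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
    done

    case $level in
        high)
            # Everything not explicitly allowed above is rejected, TCP and UDP alike.
            rule -A "$CHAIN" -p tcp -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
            rule -A "$CHAIN" -p udp -j REJECT --reject-with icmp-port-unreachable
            ;;
        medium)
            # Only the reserved ports, NFS, local X displays and the font server are blocked.
            rule -A "$CHAIN" -p tcp --dport 0:1023 -m state --state NEW -j REJECT
            rule -A "$CHAIN" -p udp --dport 0:1023 -j REJECT
            rule -A "$CHAIN" -p tcp --dport 2049 -m state --state NEW -j REJECT
            rule -A "$CHAIN" -p udp --dport 2049 -j REJECT
            rule -A "$CHAIN" -p tcp --dport 6000:6009 -m state --state NEW -j REJECT
            rule -A "$CHAIN" -p tcp --dport 7100 -m state --state NEW -j REJECT
            ;;
        *) echo "gen_rules: unknown level '$level'" >&2; return 1 ;;
    esac
    rule COMMIT
}

# Demo: High level, eth0 trusted, SSH and DHCP allowed, plus HTTPS via Other ports.
# Run as "sh thisfile.sh demo"; redirect to /etc/sysconfig/iptables to install.
if [ "${1:-}" = demo ]; then
    gen_rules high eth0 "ssh dhcp" tcp:443
fi
```

Two properties of the generated file are worth noticing because they match the behaviour the text describes: at the High level an unlisted UDP port is rejected outright, so nothing gets in unless the host started the exchange or the port was opened explicitly, while at the Medium level ports above 1023 stay reachable, which is why RealAudio-style services work there but NIS and other reserved-port services do not. Nothing in the file is live until it passes through iptables-restore, which is what starting the iptables service does.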

To activate the iptables service to start automatically at boot time, refer to Section 13.3 Activating the iptables Service for details.

 
