Firewall writing for Red Hat/CentOS/Fedora

Hi

Writing firewall rules became a nightmare (but a good one) for me when I was setting up a server for my application. After banging my head for two days I found out how to program a firewall and how it works. Here is the stuff for you.

First of all, before diving into the actual content, I hope that everyone knows what a firewall is and why we use it. If you don't, it is recommended to learn that before reading this post.
Netfilter:
Netfilter is a host-based firewall for Linux systems. It is controlled by a program called iptables and it is activated by default. It works at the kernel level, before a program can even process the data from the network packet.

The iptables rules are located at /etc/sysconfig/iptables.
How to turn on the firewall:

 # enable the firewall at boot
 chkconfig iptables on
 # start the firewall
 service iptables start
 # restart the firewall
 service iptables restart
 # stop the firewall
 service iptables stop

Understanding the firewall:
There are a total of 4 chains:
INPUT – The default chain used for packets addressed to the system. Use this to open or close incoming ports (such as 80, 25, and 110) and IP addresses / subnets (such as 202.54.1.20/29).

OUTPUT – The default chain used when packets are generated by the system. Use this to open or close outgoing ports and IP addresses / subnets.

FORWARD – The default chain used when packets are sent through another interface. Usually used when you set up Linux as a router. For example, eth0 is connected to an ADSL/cable modem and eth1 is connected to the local LAN. Use the FORWARD chain to send and receive traffic from the LAN to the Internet.

RH-Firewall-1-INPUT – This is a user-defined custom chain. It is used by the INPUT, OUTPUT and FORWARD chains.
How rules work:
Each packet starts at the first rule in the chain.
A packet proceeds until it matches a rule.
If a match is found, control jumps to the specified target (such as REJECT, ACCEPT, DROP).
Target meanings:
The target ACCEPT means allow the packet.
The target REJECT means drop the packet and send an error message to the remote host.
The target DROP means drop the packet and do not send an error message to the remote host or sending host.
When you open the firewall file you will find something like below:

 *filter
 :INPUT ACCEPT [0:0]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :RH-Firewall-1-INPUT - [0:0]
 -A INPUT -j RH-Firewall-1-INPUT
 -A FORWARD -j RH-Firewall-1-INPUT
 -A RH-Firewall-1-INPUT -i lo -j ACCEPT
 -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
 -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
 -A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
 -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
 -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
 -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
 COMMIT

If you want to drop all traffic, update the rules like below and restart the firewall. If the firewall rules are written correctly the firewall will restart successfully; otherwise it won't.

 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]

Here are some rules to open ports. Add the rules below before the COMMIT line.

To open HTTP port

 -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT

To open HTTPS port

 -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT

To open SMTP port :

 -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT

To open FTP port:

 -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 21 -j ACCEPT

Explanation of the above rules:
-A = Append a rule to the firewall
RH-Firewall-1-INPUT = one of the chains in the filter table
-p = Specify the protocol
--dport = Specify the destination port
-j = Jump to the target if the rule matches the IP packet
ACCEPT = Allows the packet through the firewall.
For a detailed explanation check the man pages of iptables in any Linux distribution. Last but not least, check out http://ping.eu to see whether a port has been opened or not.
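
Because a packet stops at the first rule it matches, a rule added directly above COMMIT in the listing shown earlier lands below the final REJECT rule and is never reached; it has to go above that REJECT line. The script below is an added example, not part of the original post, that checks a rules file for this ordering mistake. The function names and the sample ruleset are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): find rules that can never match
# because an earlier rule in the same chain ends every packet's traversal.

# find_unreachable FILE
# Prints "line N: <rule>" for each -A rule placed after an unconditional
# ACCEPT/DROP/REJECT in the same chain. Returns 1 if any are found.
find_unreachable() {
    awk '
        $1 == "-A" {
            if ($2 in closed) {
                printf "line %d: %s\n", NR, $0
                found = 1
                next
            }
            # "-A CHAIN -j TARGET ..." has no match conditions, so every
            # packet that reaches it stops here.
            if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT"))
                closed[$2] = NR
        }
        END { if (found) exit 1 }
    ' "$1"
}

# Constructed sample: the post's ruleset, abridged, with the port 80 rule
# added directly above COMMIT, which puts it below the final REJECT.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

tmp=$(mktemp)
sample_rules > "$tmp"
find_unreachable "$tmp" || echo "move the flagged rule above the REJECT rule"
rm -f "$tmp"
```

The check only looks within a single chain; it does not follow jumps from one chain into another.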

I hope you enjoy this post. Any queries or suggestions would be welcome.


Generating a self-signed certificate with OpenSSL

Hi

All of you might know what SSL is and why we should use it, but only a few people know how to configure SSL for an nginx server.

What is SSL?

SSL stands for Secure Sockets Layer, which works at the application layer of the TCP/IP network model. It is used for secure communication between two computers.

How does SSL work?

SSL uses asymmetric cryptography (public key cryptography). It generates two keys: 1) a public key and 2) a private key. Data encryption and decryption are done using these two keys.

Why an SSL certificate?

An SSL certificate is used to verify whether the server you are communicating with is genuine.

To generate a certificate we have many tools available, and OpenSSL is one of them. After the certificate is generated, we have to get it signed by a CA (certificate authority, like Thawte), or we can generate a self-signed certificate for testing purposes. Here are the steps to follow for a self-signed certificate:

1) Generate a Private Key:

 openssl genrsa -des3 -out server.key 1024 # generates private key using RSA algorithm of length 1024

2) Generate a CSR (Certificate Signing Request):

 openssl req -new -key server.key -out server.csr

3) Remove Passphrase from Key:

 cp server.key server.key.org
 openssl rsa -in server.key.org -out server.key

4) Generating a Self-Signed Certificate:

 openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Now you have a self-signed certificate in hand. Next we have to configure this certificate with the nginx web server. Prior to the installation we have to configure the ssl module for your nginx server. After that, copy the .crt and .key files into the appropriate locations.

How do we know whether SSL is properly configured? To verify, access your website and observe that a lock appears on the status bar of the web browser. There is nothing to worry about if it says the certificate is not authorized, because the certificate is self-signed. Click on the lock symbol and you will see the certificate.
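
Before copying server.key and server.crt to the nginx server, the pair can also be checked from the shell. The script below is an added example, not part of the original post: it runs steps 1, 2 and 4 non-interactively and then confirms the key size, that the certificate carries the key's public half, and that the certificate is self-signed. It uses a 2048-bit key rather than the 1024 in step 1, since 1024-bit RSA keys are no longer considered adequate; that size, the missing passphrase, the CN=localhost subject and the function names are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check a key/certificate pair
# before copying it into the nginx configuration.

# make_test_cert DIR: the post's steps 1, 2 and 4, run non-interactively.
# Assumptions: no passphrase (step 3 not needed), 2048-bit key, CN=localhost.
make_test_cert() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/CN=localhost" \
        -out "$1/server.csr" &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# rsa_bits KEY: prints the RSA key size in bits.
rsa_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# key_matches_cert KEY CERT: succeeds only if CERT holds KEY's public key.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# is_self_signed CERT: subject equals issuer and the signature verifies
# with the certificate's own public key.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 2
    [ "$s" = "$i" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

dir=$(mktemp -d)
if make_test_cert "$dir"; then
    echo "key size: $(rsa_bits "$dir/server.key") bits"
    key_matches_cert "$dir/server.key" "$dir/server.crt" && echo "key matches certificate"
    is_self_signed "$dir/server.crt" && echo "certificate is self-signed"
fi
rm -rf "$dir"
```

A key that does not match its certificate is a common reason for the web server refusing to start after the files are copied, so key_matches_cert is worth running on the real files as well.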