Linux firewalls - iptables

 

 

This web page is a sequel to my previous web page about Linux firewalls and ufw in particular - and the various problems that I found with ufw.

ufw is the default userspace "app" for configuring netfilter firewall rules on Linux distributions such as Debian, Ubuntu, and Mint.

Kali Linux is based on Debian - so this web page may be relevant to Kali - but if you are using Kali for penetration testing then your firewall requirements are very different from the firewall requirements for more normal desktops, laptops, or servers.

Linux distributions such as Red Hat, CentOS, Fedora and possibly OpenSUSE are more likely to be using firewalld, and this web page isn't so relevant to those distributions.

Having found the various problems with ufw, I reckoned I would prefer to go back to using iptables as the userspace "app" - and it wasn't difficult to write a shell script that used the iptables commands.

Historically there was always a problem with using iptables - in that the configuration of the netfilter firewall rules is volatile - restart the computer and the configuration is lost.

Two additional "apps" went some way to overcome this problem - iptables-save allowed you to save the configuration in a file - iptables-restore allowed you to restore the rule set from the file back into the kernel.

However there was then the problem of including the iptables-restore command into the Linux boot up sequence - there has always been a considerable lack of consistency in the way the boot up sequence is configured in different Linux distributions, and even in different versions of the same distribution - so this can be quite a problem.

However there is now a much better way of doing it - since Debian version 6.0 and Ubuntu 10.04 LTS there has been a fourth iptables "app" called iptables-persistent - this "app" creates an entry in the boot up sequence for the restoration - so all the donkey work is done for you.

Note that you cannot use iptables-persistent on a Linux installation that already has ufw or firewalld as the firewall configuration "app" - you will end up with a mess.

You must remove all traces of ufw or firewalld or any other userspace firewall configuration "app" from the Linux installation before trying to use iptables-persistent.

 

Removing ufw

There are a few steps that need to be taken to fully remove ufw from a Linux installation.

As you are removing the firewall, it is probably safer to disconnect from the internet while you do this.

Go into the command line and disable ufw -

ufw disable

Then do a restart - after restarting with ufw disabled, all of the ufw chains and rules should be gone.

Start by removing gufw if it is installed -

apt purge gufw

Now remove ufw -

apt purge ufw

This should remove all the various folders and files that are part of the ufw installation - however I recommend then checking that they have all been removed - none of the following should now exist -

/etc/ufw

/etc/gufw

/etc/default/ufw

/lib/ufw

Depending on the boot up mechanism that is used by the Linux installation, you may also want to check that the boot up files in the following possible locations have been removed -

/etc/init.d

/etc/rc0-6.d

/etc/rcS.d

Another restart is a good idea.
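The check in the removal steps above ("none of the following should now exist", plus the boot up locations) can be scripted. This is an added example, not a script from the original page: it takes an optional root prefix (the assumption being that you may want to run it against a test tree or a mounted copy of a filesystem rather than only the live system), prints each leftover path, and returns 1 if anything is still there.

```shell
#!/bin/sh
# Added example (not from the original page): check that purging ufw and gufw
# left nothing behind. The optional first argument is a root prefix (default "/")
# so the check can also be run against a test tree or a mounted copy of a system.
# Each leftover path is printed; the function returns 1 if anything was found.

check_ufw_leftovers() {
    root="${1:-/}"
    root="${root%/}"       # drop a trailing slash so "$root/etc/ufw" is well formed
    found=0

    # Directories and files that "apt purge ufw" / "apt purge gufw" should remove.
    for p in /etc/ufw /etc/gufw /etc/default/ufw /lib/ufw; do
        if [ -e "$root$p" ]; then
            echo "LEFTOVER: $root$p"
            found=1
        fi
    done

    # Boot-time residue: a SysV init script or rc symlink still named after ufw.
    for d in /etc/init.d /etc/rc0.d /etc/rc1.d /etc/rc2.d /etc/rc3.d \
             /etc/rc4.d /etc/rc5.d /etc/rc6.d /etc/rcS.d; do
        [ -d "$root$d" ] || continue
        for f in "$root$d"/*ufw*; do
            # An unmatched glob stays literal; -L also catches dangling symlinks.
            [ -e "$f" ] || [ -L "$f" ] || continue
            echo "LEFTOVER: $f"
            found=1
        done
    done

    return "$found"
}

# Against the live system:  sh check_ufw.sh --live   (exit status 1 = residue found)
if [ "${1:-}" = "--live" ]; then
    check_ufw_leftovers /
fi
```

Run it once after the purge and once more after the final restart; a clean result the second time means nothing is going to recreate ufw's chains at boot.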

 

Installing iptables-persistent

At this point you have a choice - you can configure the netfilter firewall rules now, and then the installation of iptables-persistent can save them during the installation, or you can configure the netfilter firewall rules after doing the installation, and manually save them using iptables-save.

The following will require an internet connection, so it is probably better to have a firewall ruleset in place.

On Debian, Ubuntu, and Mint the installation of iptables-persistent is done using

apt install iptables-persistent

As part of the installation process apt will create two files into which the rule set is saved -

/etc/iptables/rules.v4

and

/etc/iptables/rules.v6

The installation process gives you the option of saving the existing ruleset into these files - you definitely don't want to save the ufw ruleset into these files, which is why it is important to do the restarts as described above, to get rid of the ufw ruleset.

You probably do want to save the new wanted ruleset into these files.

You should be able to install iptables-persistent on other Linux distributions such as Red Hat, CentOS, Fedora, OpenSUSE - but the installation process will be different, and the file locations will be different - I think they are -

/etc/sysconfig/iptables

and

/etc/sysconfig/ip6tables

However I haven't done it so can't add any more to that.

 

Adding to or changing the rule set

Adding to or changing the rule set after installing iptables-persistent is quite straightforward - make the required additions or changes, then save them using

iptables-save > /etc/iptables/rules.v4

or

ip6tables-save > /etc/iptables/rules.v6

as appropriate.

 

IPv4 and IPv6

Modern versions of Linux are fully IPv6 compliant - and this includes the netfilter firewall.

If you create a rule set for IPv4, but don't create a rule set for IPv6, then there is no firewall for IPv6, and the Linux installation is wide open to attack via IPv6.

It may be advisable to create a rule set for IPv6 - if you don't want any kind of IPv6 traffic, you could create and save a rule set which drops all IPv6 traffic.
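What the two saved files look like, and how the "save after changing" step and the "drop all IPv6" suggestion fit together, is easier to see with a concrete ruleset. This is an added example, not the page's own ruleset: it writes rules.v4 and rules.v6 in the format iptables-save produces and iptables-restore reads, so the files can be placed in /etc/iptables for iptables-persistent to load at boot. The function name write_rulesets, the scratch directory and the list of accepted TCP ports are assumptions for the example; the IPv4 set is default-deny inbound with stateful accept, and the IPv6 set drops everything, as the page suggests for a machine that wants no IPv6 at all.

```shell
#!/bin/sh
# Added example (not from the original page): generate rules.v4 and rules.v6 in
# the format that iptables-save / iptables-restore use, ready for /etc/iptables.
#
#   write_rulesets DIR [TCP_PORTS]
#
# DIR is where rules.v4 and rules.v6 are written (for real use: /etc/iptables).
# TCP_PORTS is a space-separated list of TCP ports to accept inbound (default: 22).

write_rulesets() {
    dir="$1"
    ports="${2:-22}"
    mkdir -p "$dir"

    {
        echo '*filter'
        echo ':INPUT DROP [0:0]'        # policy DROP: anything not matched below is discarded
        echo ':FORWARD DROP [0:0]'      # this host is not a router
        echo ':OUTPUT ACCEPT [0:0]'
        echo '-A INPUT -i lo -j ACCEPT'
        echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
        echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
        echo '-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT'
        for port in $ports; do
            echo "-A INPUT -p tcp -m tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
        echo 'COMMIT'
    } > "$dir/rules.v4"

    # IPv6: drop everything, inbound, forwarded and outbound.
    {
        echo '*filter'
        echo ':INPUT DROP [0:0]'
        echo ':FORWARD DROP [0:0]'
        echo ':OUTPUT DROP [0:0]'
        echo 'COMMIT'
    } > "$dir/rules.v6"
}

# Parse-check a saved file without loading it into the kernel. Needs root and
# the restore tool; silently skipped otherwise. Returns the tool's exit status.
check_ruleset() {
    file="$1"
    tool="$2"            # iptables-restore or ip6tables-restore
    command -v "$tool" >/dev/null 2>&1 || return 0
    [ "$(id -u)" -eq 0 ] || return 0
    "$tool" --test < "$file"
}

# Example run: write to a scratch directory and check both files.
# For real use:  write_rulesets /etc/iptables "22 80 443"   (SSH plus a web server)
#                iptables-restore < /etc/iptables/rules.v4
#                ip6tables-restore < /etc/iptables/rules.v6
scratch=$(mktemp -d)
write_rulesets "$scratch" "22 80 443"
check_ruleset "$scratch/rules.v4" iptables-restore
check_ruleset "$scratch/rules.v6" ip6tables-restore
rm -rf "$scratch"
```

Once the rules are loaded, any later change made with iptables commands still has to be written back with iptables-save > /etc/iptables/rules.v4 (and the ip6tables equivalent), exactly as described above, or it is lost at the next restart. One point to bear in mind with the drop-everything IPv6 file: it also drops loopback traffic on ::1, so a local service that listens only on the IPv6 loopback address will stop working; if that matters, add accept rules for -i lo and -o lo to the IPv6 set.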

 

Kernel modules

The number of kernel modules loaded on boot up varies depending on what the developers of the Linux distribution deemed necessary - and this includes the netfilter modules.

ufw adds some more - but again this may depend on what the developers of the Linux distribution deemed necessary - some installations of ufw add the following modules -

nf_conntrack_ftp

nf_nat_ftp

nf_conntrack_netbios_ns

If you remove ufw, you may have to load various netfilter modules to enable netfilter to work as you require.
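A quick way to find out which of those modules the running kernel has, and to make the missing ones load at every boot now that ufw is no longer doing it, as an added example that is not from the original page. The first column of /proc/modules is the module name; the function names, the modules-load.d file name and the sample module listing below are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original page): report which netfilter helper
# modules are not loaded, and write a modules-load.d fragment so they are
# loaded at every boot.
#
#   netfilter_missing_modules MODFILE MODULE...
#
# MODFILE is /proc/modules (or a saved copy); its first column is the module name.
# Each missing module is printed on its own line; returns 1 if any is missing.

netfilter_missing_modules() {
    modfile="$1"
    shift
    loaded=$(awk '{ print $1 }' "$modfile")
    missing=0
    for m in "$@"; do
        # -x: whole-line match, so nf_conntrack does not satisfy nf_conntrack_ftp
        if ! printf '%s\n' "$loaded" | grep -qx "$m"; then
            echo "$m"
            missing=1
        fi
    done
    return "$missing"
}

# Write a modules-load.d fragment (one module per line). For real use the
# target is /etc/modules-load.d/netfilter.conf, which systemd reads at boot.
write_modules_load_conf() {
    conf="$1"
    shift
    printf '# netfilter helpers previously loaded by ufw\n' > "$conf"
    for m in "$@"; do
        printf '%s\n' "$m" >> "$conf"
    done
}

# Constructed sample in /proc/modules format: only nf_conntrack_ftp is loaded.
write_sample_modules() {
    cat > "$1" <<'EOF'
nf_conntrack_ftp 28672 0 - Live 0x0000000000000000
nf_conntrack 172032 1 nf_conntrack_ftp, Live 0x0000000000000000
x_tables 53248 2 ip_tables,ip6_tables, Live 0x0000000000000000
EOF
}

# Against the live kernel:  sh nf_modules.sh --live
if [ "${1:-}" = "--live" ]; then
    netfilter_missing_modules /proc/modules nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns
fi
```

Whatever the first function reports as missing can be loaded immediately with modprobe and listed in the modules-load.d file so the next boot does the same. One caveat from the kernel side rather than from this page: since Linux 4.7 conntrack helpers are no longer attached to connections automatically (net.netfilter.nf_conntrack_helper defaults to off, and later kernels removed that sysctl), so loading nf_conntrack_ftp is only half the job - an explicit rule in the raw table, of the form iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp, is needed as well before FTP data connections will be treated as RELATED by a stateful ruleset.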

 

Finally

Having now removed ufw from several machines - including three installations of Mint and an installation of Debian on a Chromebook - it is quite a straightforward procedure.

One of the Mint installations is running an Apache web server, so I had to modify the ruleset to accommodate that - but again it worked okay.

 

 

 

 

 


 


 

© 2024   Ron Turner

 


 
