Using SuSE Linux 11.4 as a network firewall

 

Having used SUSE 9.1 as a firewall, it turned out there wasn`t too much of a development curve to use 11.4 as a firewall, a lot of the inside of 11.4 is the same as, or similar to, 9.1.

So you may want to read that page first - the previous page about using SuSE 9.1 as a firewall is an updated version of a webpage that I wrote back in 2004 - the original is in the e-nor archive.

iptables and netfilter is a very powerful mechanism for building firewalls that can be single or multi layered, and do stateful packet filtering, stateless packet filtering, address and port translation, or any combination of these.

It is quite a testimony to the success of netfilters and iptables that they are still going strong in 2017, and are used in SuSE Linux Leap 42.3 - the current version of SuSE Linux, as well as many other distributions of Linux, both desktop and server versions.

 

Installing 11.4

SUSE Linux 11.4 has proved to be a rock solid operating system on a couple of desktop pc`s, but it is now a bit too dated to use for desktop computers, as it is increasingly limiting the applications that can be used on it.

So having got some newer pc`s, and moved onto SUSE Leap 42.3, it seemed a good idea to see how 11.4 would work as network firewalls.

For firewalls, no applications need to be run on it - indeed a firewall should not be used for any other purpose, so limitations on applications don`t matter.

An additional bit of information - 11.4 was the last version of SUSE Linux that used the Gnome 2 desktop environment - from 12 onwards SUSE Linux used Gnome 3, and older or middle aged graphic cards can`t handle it. Again it doesn`t matter for a firewall.

Another factor in favour of 11.4 is the fact that SUSE is still offering a set of updated software throught their update repositories for it.

I have had no problem installing 11.4 on some 1.6 / 1.8 GHz Pentium 4 based machines, but although 11.4 will work on Pentium 3 based machines, I had a bit of a problem getting it to work.

It would install okay, and I would then have a working computer running 11.4 - however after restarting the computer, it wouldn`t work - it didn`t boot up at all.

Eventually I worked out that it was the age and limitations of the BIOS on the motherboard - and by partitioning the hard drive so that the "/" partition was the first partition on the hard drive, and also using the MBR to store the boot sector on, rather than the "/" partition, the BIOS would then find things, and it would boot up.

Storing the boot sector on the "/" partition is the default, so you have to change that during the installation.

I did eventually get a firewall running on this Pentium 3 machine with a 10GB hardrive - those were the days !

I do recommend that a completely new installation of 11.4, rather than deploying an existing installation that has been exposed to the world.

For a firewall, I also recommend that any on-board LAN socket is disabled in the BIOS, and two matching plug-in network cards are used.

 

Hardening 11.4

It seems like a good idea to do a bit of hardening on the new installation of 11.4, before configuring it as a firewall.

As a start, don`t install software you are not going to be using - office software, media software, graphic software, for example.

In addition it might be worthwhile not installing some software which is normally installed by default, and would be better by not being there - such as - cifs-utils, telnet, apache, empathy, gnome-user-share, lukemftp, pullin-flash-player, samba, telepathy.

YAST is one of the best configuration tools going, but it can sometimes be a bit of a pain when uninstalling software, as it gets it into its head that it needs to have certain bits of software installed, and it is not possible to persuade it otherwise.

It seems to be a bit more accommodating to taking out software from the default list of software that will be installed - it is a bit of a pain doing it, but I have reduced the amount of software to be installed by 1GB, which is quite a lot.

Some distributions of Linux include a version which is a minimal installation of Linux suitable for firewalls - I don`t think SUSE do that, so doing it manually appears to be the only option.

In the past I have held the opinion that a firewall should not have a GUI - such as Gnome or KDE.

I am not sure about that now, a GUI can provide some useful facilities, such as Wireshark, which can help to show what is going on the network, both inside and outside the firewall.

So it`s your choice.

Disable services that are not required, or definitely not wanted - some of these may be disabled by default, but it would be worth checking their status, and some of them will not be there if you have not installed them.

• avahi-daemon
• avahi-dnsconfd
• bluez-coldplug
• cifs
• cups
• nmb
• postfix
• splash
• splash_early

Make sure that the two services SuSEfirewall2_init and SuSEfirewall2_setup are running, as you want the protection they provide when doing the updates.

Set up one of the network cards so the computer can connect to the update repositories - if you don`t need it, disable ipv6, and make sure that IP Forwarding is not enabled.

Preferably set up the computer on a secure protected network to do the updates, rather than on a wide open connection.

Make sure there is a working normal user account - don`t connect to the internet whilst logged in as root.

Login as the normal user, and do the updates - several hundred megabytes of them !

After doing the updates, I think it is a good idea to stop 11.4 going off to the repositories and doing automatic refresh - maybe okay on a desktop computer, I don`t think it is a good idea on a firewall.

Do it manually as required, when you can see what it is doing.

After completing the updates, disconnect from the network.

Sad to say, but the SUSE online update process may well put some software on the machine which you don`t want - I have found that despite the fact that I had removed the "pullin-flash-player" package before doing the update, the update process installed the Flash player.

Now Flash Player must be one of the most insecure and evil pieces of software that was ever created, as it allows applications to switch on cameras and microphones without your knowledge, and to store large amounts of data about your browsing in a location that browsers can`t get to, so all the "safe" browsing in the world doesn`t stop it.

As well as that it is fundamentally insecure, and despite a regular flow of new versions, the insecurities just go on and on. Get rid of it.

I don`t think I can criticise SUSE enough for doing this.

Resign youself to going back into YAST and looking through all the installed software to make sure there is nothing there you don`t want.

The SUSE website has some very detailed documentation about securing SUSE Linux Enterprise Server 11 SP4 - this will have a lot of relevance to securing 11.4 to act as a firewall, so might be worth a read.

The thought occurs that if SUSE are now pushing down evil and unwanted software onto the desktop version of 11.4, are they doing it on the Enterprise Server 11 SP4 version as well ?

 

SuSEfirewall2

I reckon it is a good idea to get rid of SuSEfirewall2 as a mechanism for programming netfilters - netfilters is the name given to the software of the packet filtering framework inside the linux kernel.

SuSEfirewall2 provides a script that you can modify by using the built in key phrases - then having done that, SuSEfirewall2 then reads that script and turns it into set of rules for iptables to use to write the netfilter rules.

The SuSEfirewall2 script that you modify is really not intuitive at all, and it is quite difficult to use the provided key phrases to provide the rule set you are trying to create.

It seems to be far better to create your own bash shell script using iptables commands directly to set up the required rule set.

In addition, the way to check the ruleset is through the use of iptables commands withing a command prompt environment, and you can write your bash shell script in a way that it closely resembles the kernel view of the rule set.

So having used the default rule set created by SuSEfirewall2 so that you can safely do the online update, it is now time to get rid of SuSEfirewall2 - turn it off through YAST / System Services (Runlevel) - or through YAST / Security and Users / Firewall.

Bear in mind that with SuSEfirewall2 disabled, a default minimalist rule set has been written which accepts anything and everything from anywhere, so don`t connect to any network until the whole of the rest of this web page has been done.

 

Network cards

Time to configure the network cards - hopefully you will be able to configure your networks so that the secure internal network is using one of the private network address spaces, not a public address space, and you can configure the firewall to do NAT - also sometimes known as Masquerading - there seems to be a variety of opinion as to whether there is a difference between NAT and Masquerading, or whether Masquerading is a special type of NAT.

The usual private address spaces in the IPv4 world are within 192.168.0.0/16 and 10.0.0.0/8.

I think you will find it useful to set up eth0 as the network card for the external network, and eth1 as the network card for the internal secure network.

And of course the ip address given to eth1 will be the default gateway for all the machines on the internal network, so it will have to be static, and easily remembered, such as 192.168.0.1.

Another advantage of a secure private network and NAT is that there is a good chance you can avoid using IPv6 on the network - IPv6 is configured quite differently from IPv4, and is more complicated, so if you can avoid using it, so much the better.

It also means that you can avoid security issues associated with IPv6 such as tunneling.

It also makes the firewall rule set so much simpler.

 

Providing a home for iptables

Iptables is a program that understands the commands written in the shell script, and turns them into the netfilters kernel ruleset - and it needs a working directory both for the shell script, and for iptables to store the kernel ruleset.

SuSEfirewall2 uses several locations for its various bits, many of them within /etc/sysconfig and /usr/share/.

Iptables doesn`t mind where it is, so you can choose a location.

My preference is to stay away from /etc/sysconfig, as it is part of the system construction of Linux, so maybe a new location such as /usr/share/iptables/ would do for everything to do with this setup of iptables.

In this folder create an empty file for iptables to store the kernel ruleset in - call it what ever you like, but for this webpage it will be "kernel-ruleset".

You can also use this folder to hold your bash shell script.

 

Bash shell script

It isn`t possible to provide a working script here - every firewall has to be configured to suit the network environment and the application environment it is going to be working in - so this is just a sample of the sort of shell script that you will need to write.

# This section sets the default policies to DROP

       iptables -t filter -P INPUT DROP
       iptables -t filter -P FORWARD DROP
       iptables -t filter -P OUTPUT DROP


# This section removes all rules previously set

       iptables -t filter --flush

       iptables -t nat --flush

       iptables -t mangle --flush

       iptables -t filter --delete-chain

       iptables -t nat --delete-chain

       iptables -t mangle --delete-chain


# This first section sets up the nat table rules


       iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 10.0.0.10



# --------- start of incoming section --------



# Create new chains for incoming packet processing

       iptables -t filter -N incoming-1

       iptables -t filter -N incoming-2


# Send all packets coming in through eth0 to the incoming chain

       iptables -t filter -A FORWARD -i eth0 -j incoming-1


# This section drops various types of packets that we
# definitely don`t want.

       iptables -t filter -A incoming-1 -p tcp --syn -j DROP

       iptables -t filter -A incoming-1 -p tcp ! --syn -m state --state NEW -j DROP

       iptables -t filter -A incoming-1 -p icmp --icmp-type 0 -m state --state NEW -j DROP 

      iptables -t filter -A incoming-1 -p all -m state --state INVALID -j DROP

       iptables -t filter -A incoming-1 -p all -m state --state NEW -j DROP 


# This section drops suspicous incoming packets. They might look
# like authentic packets to the rest of the rule set, so they need 
# to be dropped before the rest of the rule set sees them.

       iptables -t filter -A incoming-1 -s 192.168.0.0/24 -j DROP

       iptables -t filter -A incoming-1 -s 127.0.0.0/8 -j DROP

       iptables -t filter -A incoming-1 -s 0.0.0.0/32 -j DROP

       iptables -t filter -A incoming-1 -s 10.0.0.0/8 -j DROP

       iptables -t filter -A incoming-1 -s 172.16.0.0/12 -j DROP

       iptables -t filter -A incoming-1 -s 192.0.2.0/24 -j DROP

       iptables -t filter -A incoming-1 -s 192.168.0.0/16 -j DROP

       iptables -t filter -A incoming-1 -s 240.0.0.0/5 -j DROP

       iptables -t filter -A incoming-1 -s 224.0.0.0/4 -j DROP




# Start of incoming tcp and udp port filtering.


# DNS

       iptables -t filter -A incoming-1 -p tcp --sport 53 -j incoming-2

       iptables -t filter -A incoming-1 -p udp --sport 53 -j incoming-2


# HTTP

       iptables -t filter -A incoming-1 -p tcp --sport 80 -j incoming-2

       iptables -t filter -A incoming-1 -p udp --sport 80 -j incoming-2



# HTTPS

       iptables -t filter -A incoming-1 -p tcp --sport 443 -j incoming-2

       iptables -t filter -A incoming-1 -p udp --sport 443 -j incoming-2


# Adding rules for stateful packet filtering on TCP and UDP
# packets which have successfully passed through the above 
# protocol and port filters.

       iptables -t filter -A incoming-2 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

       iptables -t filter -A incoming-2 -p udp -m state --state ESTABLISHED -j ACCEPT



# ---------- start of outgoing section ----------- 



# This section creates new chains for outgoing packets 

       iptables -t filter -N outgoing-1

       iptables -t filter -N outgoing-2


# This line specifies eth1 as the source network device for outgoing packets

       iptables -t filter -A FORWARD -i eth1 -j outgoing-1


# -------------------------


# In order to prevent spoofing ( ie, sending out packets with fictous
# ip addresses ) we need to define what ip addresses should appear in
# the source ip address section of outgoing packets 


       iptables -t filter -A outgoing-1 -s 192.168.0.0/24 -j outgoing-2

       iptables -t filter -A outgoing-1 ! -s 192.168.0.0/24 -j DROP


# This section does port blocking on outgoing packets - outgoing
# packets with other TCP and UDP destination port numbers which 
# are not listed here will be dropped by the default DROP policy. 


# DNS

       iptables -t filter -A outgoing-2 -p tcp --dport 53 -j ACCEPT

       iptables -t filter -A outgoing-2 -p udp --dport 53 -j ACCEPT

# HTTP

       iptables -t filter -A outgoing-2 -p tcp --dport 80 -j ACCEPT

       iptables -t filter -A outgoing-2 -p udp --dport 80 -j ACCEPT



# HTTPS

       iptables -t filter -A outgoing-2 -p tcp --dport 443 -j ACCEPT

       iptables -t filter -A outgoing-2 -p udp --dport 443 -j ACCEPT



exit 0

 

IP Forwarding

A firewall requires that the kernel can be instructed to forward packets from one network card to the other in both directions - this is known as IP Forwarding.

Now on 11.4 if you set this through the YAST / Network Settings GUI, then it is always on, and you get both IPv4 forwarding as well as IPv6 forwarding.

You don`t want either of these, so need to set it else how.

So to start, set IP Forwarding to off in YAST / Network Settings.

For IPv4, forwarding is controlled by the contents of a file /proc/sys/net/ipv4/ip_forward - if the content is "0", then IPV4 forwarding is not enabled, if it is "1", then IPv4 forwarding is enabled.

By writing into this file we can control whether IPv4 forwarding is enabled or disabled.

Afraid to say that I still haven`t worked out how switch on and of IPv6 forwarding, as I have never required it - IPv6 works quite differently to IPv4, and the configuration within Linux is quite different.

We want a default situation that on boot up, ip forwarding is not enabled, so add a line to the file /etc/init.d/halt-local :-

       


       echo "0" > /proc/sys/net/ipv4/ip_forward

This will set the value to zero on shutdown, so when the machine boots up, it is still set to zero, and IPv4 forwarding is not enabled.

We can subsequently set it to "1" after the ruleset has been set, so IPv4 forwarding is not enabled until after the kernel rule set is in place.

 

Loading the rule set

From a command prompt run the shell script :-

       


       ./shell-script

Check that the rule set has loaded :-

       


       iptables -L

or

       


       iptables -S

Save the kernel rule set into the file we created earlier :-

       


       iptables-save > /usr/share/iptables/kernel-ruleset

To restore the ruleset to kernel space and to enable IPv4 forwarding after a reboot or cold start - add the following lines to /etc/init.d/boot.local :-

       


       iptables-restore < /usr/share/iptables/kernel-ruleset

       echo "1" > /proc/sys/net/ipv4/ip_forward

This should now be a working firewall - however all the above is a start, but not the end - the above hasn`t looked at

• allowing IPv6 through the firewall
• the further capabilities of the numerous netfilter kernel modules
• filtering on the basis of time - ie, the rate at which incoming packets are trying to get through the firewall
• logging failed attempts to get through the firewall - such logs can provide useful feedback about attacks
• customising the kernel to maximise packet throughput
• what additional filtering capabilities are provided by newer kernel builds in newer versions of linux

So iptables and netfilter have a lot more to offer if you want to go deeper into it.

 

----------------------------------------------

 

PS - an update - after writing all the above, I installed 11.4 on another machine in order to set up another firewall.

I went into YAST/ Software Management in order to download a package that I couldn`t get off the DVD, and in the process I found that SUSE had every intention of downloading and installing another twenty or so packages - including the dreaded Flash player.

Now I very carefully made sure that the package "pullin-flash-player" was not installed - but despite this SUSE was going to install Flash on my computer.

I didn`t want it, I tried to make sure I didn`t get it - yet despite that SUSE was going to push it down.

Then after that I went to YAST / Online Update, and set up to do the updates - and looking through them before starting, I found that SUSE was going to push down Firefox 15 - disguised as a security update - even though I did not have any version of Firefox installed.

So what on earth are they up to ?

This is a Microsoft mindset - pushing down evil software that you don`t want, disguised as security updates - has SUSE been taking lessons from Microsoft ?

Historically, there has been a bit of a tie-up between SUSE and Microsoft - there was a formal agreement signed back in 2006 between Novell and Microsoft, and it was renewed in 2011.

Microsoft and Ubuntu got together to deliver a pseudo Bash shell on Windows 10.

Microsoft are pushing into the linux world - they paid a lot of money to buy themselves into the Linux Foundation - tie ups with SUSE and Ubuntu - is this the way that linux is going to go ?

If SUSE is going down this road, I`ll be looking for another linux distribution that behaves itself a bit better.

 

 

 

 

• home page
• image gallery
• about this website
• about the colour bar

 

website design by ron-t

 

website hosting by freevirtualservers.com

 

© 2024   Ron Turner

 

+                                   +  

 

 

• grayscale