IPTABLES personal firewalling for the beginner:
Advanced topics and manual configuration


Disclaimer: This tutorial is aimed at the Linux newcomer who wishes to install and set up a reasonably secure firewall with a minimum of effort. It also requires an application (Firestarter) that is not standard (yet) with any Linux distribution that I am aware of.

This tutorial assumes that you have read and followed along with the previous tutorial: IPTABLES personal firewalling for the beginner (or: How to use Firestarter). I got the idea for this little HOWTO/tutorial from reading some of the posts on the Firestarter user mailing list.

Advanced topics:
Some of the reasons I happen to like Firestarter over the other firewall and iptables scripts I have seen are:
1) It uses a graphical, intuitive wizard to build the chains for you - no more need to know the ins and outs of iptables rule configuration
2) it is more thorough than any other iptables script I have seen to date
3) it tunes kernel networking parameters (the tunables under /proc/sys/net) as well as writing rules, so part of the protection is handled by the kernel itself and your overhead is lower
4) it will use any and all modules for networking and netfiltering that are available to your kernel
5) you can still go into the generated script and manually change, add, or tweak the script.
* These reasons were copied from the basics tutorial.

In this section we will give a couple of examples of more advanced things we can accomplish once the basic firewall script has been generated. We want to:
1) lock down all ports (tcp and udp) that are not specifically opened to the public
2) add a custom or non-listed service to our available public services
3) change that custom service so it only allows connections from specific IP addresses.

Example 1: Locking down (black-holing) all connection attempts not specifically opened to the public.
What this means is that we want every non-public service port to be a black hole to a port scanner: the probe is dropped without any answer, so the scanner reports the port as filtered rather than closed. Most scanners only sweep ports 1-1024 by default, but nothing stops an attacker from probing port 60000, so the rule has to cover the whole range. For a true black hole, $STOP (defined earlier in the script) must resolve to DROP: REJECT sends back a TCP reset or an ICMP error, which at minimum confirms to the scanner that a firewall is answering.
By default, Firestarter creates a STATE chain which at first glance looks as though it blocks all connection attempts on non-specified ports. In practice this is not the case: the ports still show up as responding when scanned. The section of the firewall script (/etc/firestarter/firewall.sh) that contains the STATE chain is this:
# Create a new 'stateful module check' (STATE) convenience chain.
$IPT -N STATE 2> /dev/null
$IPT -F STATE
$IPT -I STATE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A STATE -m state --state NEW -i ! lo -j ACCEPT
$IPT -A STATE -j $STOP

We want to change the chain to the following (the comments are added here to describe what each line does):
$IPT -N STATE 2> /dev/null
$IPT -F STATE
# New connections arriving on anything but the loopback interface still pass
# this chain; this line is unchanged from the generated script.
$IPT -I STATE -m state --state NEW -i ! lo -j ACCEPT
# Packets belonging to a connection the kernel already tracks.
$IPT -A STATE -m state --state ESTABLISHED -j ACCEPT
# RELATED traffic (e.g. FTP data channels opened by the conntrack helper) is
# now only accepted towards unprivileged ports; RELATED packets aimed at
# ports 1-1023 fall through to $STOP.
$IPT -A STATE -p tcp -s 0/0 -d $NET --dport 1024:65535 -m state --state RELATED -j ACCEPT
$IPT -A STATE -p udp -s 0/0 -d $NET --dport 1024:65535 -m state --state RELATED -j ACCEPT
# Everything else is dropped (or rejected, depending on what $STOP is set to).
$IPT -A STATE -j $STOP

Two things are worth checking after making this change. First, the NEW rule is untouched: it still accepts new connections on every interface but loopback, so this chain alone does not decide which ports are reachable from outside; that depends on where INPUT hands packets to STATE relative to the per-service rules further down the script. The only reliable check is a full-range scan from another machine (for example nmap -sS -p 1-65535 against your external address), looking for any port reported as open or closed rather than filtered. Second, ICMP error messages that belong to an existing connection (destination unreachable, fragmentation needed) are also classified RELATED, and neither of the new RELATED rules matches ICMP, so they now fall through to $STOP unless another rule admits them; if path MTU discovery stops working after this change, that is why. Finally, note the -i ! lo spelling: newer iptables releases warn about negation written after the option and may reject it, so on a current system write ! -i lo instead.

Example 2: We want to open our Oracle server to the public (tcp port 1521).

To do this, go to near the end of the firewall.sh script, where the public services are listed. You should see something like the following:
# --------( Rules Configuration - Inbound Traffic - Ruleset Filtered by GUI )--------

#FTP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 20 ! --syn -j ACCEPT
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 21 -j ACCEPT

Since we are adding another service, we can just copy the second ftp line and modify it to our needs, so the section becomes:
# --------( Rules Configuration - Inbound Traffic - Ruleset Filtered by GUI )--------

#FTP
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 20 ! --syn -j ACCEPT
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 21 -j ACCEPT

#Oracle - added <initials> mm/dd/yyyy
$IPT -t filter -A INPUT -p tcp -s 0/0 -d $NET --dport 1521 -j ACCEPT

Example 3: Set up the Oracle service so that it a) only accepts connections from 209.81.146.11 and 209.81.146.6, and b) only accepts connections from the range 209.81.146.1-209.81.146.254. A database listener should never stay open to 0/0 any longer than it has to, so one of these two forms is what you actually want.

a) the solution is to change the -s option so that it names only these two addresses, which takes two lines instead of one (one rule per source). The 0/0 line from Example 2 must be removed rather than left in place, or it will still admit everyone. Hence the Oracle section would read:
#Oracle - added <initials> mm/dd/yyyy
$IPT -t filter -A INPUT -p tcp -s 209.81.146.6/32 -d $NET --dport 1521 -j ACCEPT
$IPT -t filter -A INPUT -p tcp -s 209.81.146.11/32 -d $NET --dport 1521 -j ACCEPT

b) This can be done with a single line, because that range is exactly the /24 network (the /24 also matches .0 and .255, the network and broadcast addresses, but no host uses those):
#Oracle - added <initials> mm/dd/yyyy
$IPT -t filter -A INPUT -p tcp -s 209.81.146.0/24 -d $NET --dport 1521 -j ACCEPT

NOTE: IPv4, the address format Firestarter works with, uses the familiar four dotted numbers. Each of the four numbers is an 8-bit value and ranges from 0 to 255. When you specify a source (-s) or destination (-d) address in an iptables rule you normally write it as address/mask. iptables accepts the mask either as a dotted netmask (209.81.146.0/255.255.255.0) or as a prefix length (209.81.146.0/24), and a bare address with no mask means a single host (/32). Here are the most common netmask to prefix-length (the "mask-level") equivalents:
netmask:         prefix length:
255.0.0.0        /8
255.255.0.0      /16
255.255.255.0    /24
255.255.255.128  /25 *
255.255.255.255  /32

*this is not a common netmask. It is included to show that the octets of a netmask do not have to be 0 or 255: any octet that is a contiguous run of one-bits from the top (128, 192, 224, 240, 248, 252 or 254) is valid, and the prefix length is simply the number of one-bits in the whole mask, 25 here. A /25 splits the last octet into two blocks of 128 addresses, x.x.x.0-127 and x.x.x.128-255. In each block the first address is the network address and the last (x.x.x.127 or x.x.x.255) is the broadcast address, leaving 126 usable host addresses. Which of the two halves a rule covers depends on the address you write in front of the mask.
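The source specifications in Example 3 and the netmask table above are easy to get wrong by a single bit, and iptables will happily load a wrong mask. The following is an added example written for this page; it is not part of Firestarter or its generated firewall.sh, and the function names are this example's own. It is plain POSIX sh, so it runs under dash or bash next to the firewall script. It converts between the two mask spellings iptables accepts (/24 and /255.255.255.0), prints the address range a -s or -d spec covers, and tells you whether a given client address would actually match that spec. The addresses in the demonstration at the bottom are the tutorial's own.

```sh
#!/bin/sh
# Added helper for this page (not part of Firestarter or its firewall.sh):
# CIDR arithmetic for checking what an iptables "-s address/mask" spec admits.
# Function names are this example's own.

# Dotted-quad IPv4 address -> 32-bit integer. A bare "0" (as in -s 0/0) is
# accepted and reads as 0.0.0.0.
ip_to_int() {
    local a b c d
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (${a:-0} << 24) | (${b:-0} << 16) | (${c:-0} << 8) | ${d:-0} ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    local n
    n=$1
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# Prefix length (0-32) -> mask as a 32-bit integer; fails on anything else.
prefix_to_int() {
    local p
    p=$1
    [ "$p" -ge 0 ] && [ "$p" -le 32 ] || return 1
    echo $(( (0xFFFFFFFF << (32 - p)) & 0xFFFFFFFF ))
}

prefix_to_mask() { int_to_ip "$(prefix_to_int "$1")"; }

# Dotted netmask -> prefix length. Refuses a non-contiguous mask such as
# 255.0.255.0: iptables will load it, but it never means what you intended.
mask_to_prefix() {
    local m p
    m=$(ip_to_int "$1")
    p=0
    while [ "$p" -le 32 ]; do
        if [ "$(prefix_to_int "$p")" -eq "$m" ]; then echo "$p"; return 0; fi
        p=$((p + 1))
    done
    return 1
}

# Mask part of a -s/-d spec as an integer, accepting every spelling iptables
# does: "/24", "/255.255.255.0", or no mask at all (which means /32).
spec_mask_int() {
    case $1 in
        */*.*) ip_to_int "${1#*/}" ;;
        */*)   prefix_to_int "${1#*/}" ;;
        *)     prefix_to_int 32 ;;
    esac
}

# Print "network first-host last-host broadcast" for a spec.
cidr_range() {
    local m net bcast
    m=$(spec_mask_int "$1")
    net=$(( $(ip_to_int "${1%/*}") & m ))
    bcast=$(( net | (~m & 0xFFFFFFFF) ))
    if [ "$m" -ge "$(prefix_to_int 31)" ]; then
        # /31 and /32 have no separate network and broadcast addresses.
        echo "$(int_to_ip "$net") $(int_to_ip "$net") $(int_to_ip "$bcast") $(int_to_ip "$bcast")"
    else
        echo "$(int_to_ip "$net") $(int_to_ip $((net + 1))) $(int_to_ip $((bcast - 1))) $(int_to_ip "$bcast")"
    fi
}

# Exit 0 if address $1 would match an iptables "-s $2" (or "-d $2") spec.
ip_in_cidr() {
    local m
    m=$(spec_mask_int "$2")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "${2%/*}") & m )) ]
}

# Demonstration on the tutorial's own values.
mask_to_prefix 255.255.255.128            # 25 (not /28)
prefix_to_mask 28                         # 255.255.255.240
cidr_range 209.81.146.0/24                # 209.81.146.0 209.81.146.1 209.81.146.254 209.81.146.255
cidr_range 209.81.146.200/255.255.255.128 # 209.81.146.128 209.81.146.129 209.81.146.254 209.81.146.255
for client in 209.81.146.11 209.81.146.6 209.81.147.11; do
    if ip_in_cidr "$client" 209.81.146.0/24; then
        echo "$client: allowed by -s 209.81.146.0/24"
    else
        echo "$client: NOT matched by -s 209.81.146.0/24"
    fi
done
```

Run it against the exact -s value you are about to put in firewall.sh and the client addresses you expect to admit. If a client you need comes back as not matched, the mask is wrong; if cidr_range prints a far wider range than you meant, the mask is too short. The mask_to_prefix check deliberately fails on a non-contiguous netmask, which is the one class of mistake iptables itself will not catch for you.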

I hope that this and the previous tutorial have helped people who are new to Linux set up their own firewall, and have given others a better feel for what is possible. If you have any questions, doubts, or concerns about the firewall script that Firestarter generates, whether you modify it manually or not, look at the script directly first. It is very cleanly laid out, logical in its structure, and reasonably well documented. Bear in mind that it is a generated file: re-running the wizard or changing options in the GUI can rewrite firewall.sh, so keep a copy of any manual changes so you can re-apply them. Between the comments in /etc/firestarter/firewall.sh and the iptables manpage (or any of the netfilter HOWTOs available on the web), you should be able to learn everything you need to customize your firewall script.

Safe Surfing,
LeeryOne