Chapter 5. Class #5 - Securing Linux: IP Tables, SELinux & TCP Wrappers

Table of Contents

Intro to IP Tables
Installing IP Tables
IP Tables Configuration
IP Tables as a Service
Commands to Manipulate IP Tables
New in RHEL 7 - firewalld
Intro to SELinux
Installing SELinux
SELinux Configuration
SELinux as a Service
Commands to Manipulate SELinux
Understanding SELinux
Intro to TCP Wrappers
Installing TCP Wrappers
TCP Wrappers Configuration Files
TCP Wrappers Protects Select Services
Additional Notes & Considerations for TCP Wrappers
Utilities that Make Use of the Above
Reference Material for this Chapter

This class touches on some crucial information for the RHCSA/RHCE exam as well as system administration in general. Security grows more important every day. This class covers three services/configuration schemes for securing a Linux machine.

Intro to IP Tables

RHEL6 implements a packet filtering firewall called IP Tables. Depending on how deeply technical you need to become with this service, it can be relatively easy or dauntingly complex. For the purposes of our class, we will keep it as simple as possible. An excellent reference for creating a series of IPTables rules is available at the Oceanpark IPTables Tutorial.

[Important] Manual Customization of IP Tables Firewall

The ability to manually customize the IP Tables configuration is an excellent skill for a system administrator to have.

There are several terms that are important to understand. The four tables below categorize the terms, and begin to define this complex maze of information.

Table 5.1. IP Tables Important Terms

Term Description
Rule A one-line rule defining a packet type and how it should be handled.
Chain A list of rules.
Table A list of rules aggregating all of the chains and rules taking a particular path through the network stack.
Policy A default rule that applies in the absence of other rules.

The table below addresses chains - or aggregates of rules.

Table 5.2. IP Tables Built In Chains

Chain Description
INPUT Applies to traffic with your server as the destination.
OUTPUT Applies to traffic originating on your server as the source.
FORWARD Applies to traffic being routed by your system from one network to another.

The table below lists several targets - what to do with a packet once it has matched a rule.

Table 5.3. IP Tables Targets

IP Tables Targets Description
ACCEPT Allows the packet to proceed to its destination.
DROP Silently drop the packet.
REJECT Drop the packet with a rejection message.
LOG Log the packet and move to next rule in the chain (which may then accept, drop, or reject).

Iptables can filter packets based on their relationship with previous traffic. The table below shows how IP Tables views these relationships.

Table 5.4. IP Tables Connection Tracking States

Connection Tracking States Description
NEW The packet has started a new connection.
ESTABLISHED Applies to packets that are part of an established TCP connection (packets have already been delivered in both directions).
RELATED The packet is starting a new connection, but associated with an existing connection.
INVALID The packet is associated with no known connection.

Installing IP Tables

IP Tables is installed by default on Red Hat machines. It should be configured for select services and set to start at boot as well.

IP Tables Configuration

The key files that configure IP Tables are '/etc/sysconfig/iptables' and '/etc/sysconfig/iptables-config'.

[Caution] IP Tables Manual vs. GUI Configuration

The typical manual vs. GUI configuration caveat applies to IP Tables. If you, at any time, configure the firewall by manually editing the configuration files or from the command line, and then use the GUI, you will lose your manual changes. Approach this practice with caution!

IP Tables as a Service

The service that IP Tables runs as is called iptables. By default, it's set in chkconfig to start at boot. It can be started and stopped with the typical service call that is used: `service iptables {start|stop|reload|etc}`.

Commands to Manipulate IP Tables

There are several commands to manipulate IP Tables beyond manually editing the configuration files. Red Hat has a GUI configuration utility that can be invoked with the command `system-config-firewall`. On a headless system try `system-config-firewall-tui`. The options available to the iptables command are worthy of (and have) voluminous manuals. The most basic commands to see the state of the firewall are `iptables -vnL` and `iptables -vnL --line-numbers`. NOTE that rules can be added and altered from the command line.

[Note] IP Tables GUI Limitation

The GUI that manipulates the firewall has limited capability compared with the large number of options that IP Tables offers. For an idea of what these options are, invoke `man iptables`.

The command below will show the per-rule packet and byte counters updating in real time as connections are accepted or rejected (the `-d` flag highlights what changed between refreshes). Note that the command is passed to `watch` as plain arguments, not in backticks; backticks would run iptables once and hand its output to `watch` as the command to repeat.

    watch -d -n 2 iptables -vnL

Listed here are several noteworthy options that can be used to alter IP Tables from the command line.

Table 5.5. Ip Tables Command Options

Option Description
-vnL --line-numbers List all rules currently loaded with line numbering.
-A <chain> <rule> -j <target> Adds a rule to the end of the chain.
-D <chain> <rule#> Deletes a rule by number.
-F <chain> Flushes all rules from the chain.
-s 192.0.2.0/24 Matches the source IP or network that is listed.
-d 10.0.0.1 Matches the destination IP or network that is listed.
-p udp --sport 68 --dport 67 Matches the protocol (UDP/TCP) and ports as listed.
-p icmp --icmp-type echo-reply Matches the protocol (ICMP) and packet type as listed.
-i eth0 Matches the inbound network interface eth0.
-o eth0 Matches the outbound network interface eth0.
-m state --state ESTABLISHED,RELATED An example of state tracking. Will match any packet of any protocol on any device that is of the listed state.

[Warning] Altering IP Tables from the Command Line

When adding, deleting, or altering IP Tables rules from the command line, the new configuration is held in memory only. That new configuration will not persist unless the running rules are saved (for example with the command `iptables-save`, whose output belongs in '/etc/sysconfig/iptables') and set to be loaded at system boot.
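As an added example (not part of the original chapter), the script below combines the options from Table 5.5 with the chains, targets and connection-tracking states from Tables 5.2 to 5.4 into a minimal stateful host firewall, emitted in the iptables-save format that '/etc/sysconfig/iptables' uses. The management network ADMIN_NET is a constructed placeholder; adjust it before use.

```shell
#!/bin/sh
# Generate a minimal stateful INPUT firewall in iptables-save format.
# ADMIN_NET is an assumed (constructed) management network for SSH access.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

gen_firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback traffic is always local; allow it on the lo interface
-A INPUT -i lo -j ACCEPT
# Replies to connections this host started (state tracking, Table 5.4)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets that belong to no known connection are dropped silently
-A INPUT -m state --state INVALID -j DROP
# New SSH connections only from the management network
-A INPUT -p tcp -s $ADMIN_NET --dport 22 -m state --state NEW -j ACCEPT
# Allow ping requests so monitoring keeps working
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Rate-limited LOG of everything else; the INPUT policy (DROP) then applies
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
COMMIT
EOF
}

# Number of rules (-A lines) in the generated set, handy as a sanity check
count_rules() {
    gen_firewall_rules | grep -c '^-A'
}

# Load into memory only (lost at reboot): gen_firewall_rules | iptables-restore
# Make persistent on RHEL 6:
#   gen_firewall_rules > /etc/sysconfig/iptables && service iptables restart
# Verify with: iptables -vnL --line-numbers
```

Keep an out-of-band console available when loading a DROP-policy rule set over SSH, since a mistake in the SSH rule locks you out of the host.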

New in RHEL 7 - firewalld

RHEL 7 has incorporated a new version of the firewall called firewalld. This new utility has brought some long-requested features such as dynamic loading and zones. For more information, see firewalld at Fedora Project, the firewalld Red Hat Documentation, or firewalld at Cert Depot.