From Mageia wiki
Jump to: navigation, search


This page is a draft. It requires improvements.

If you want to improve it, simply log in and click on the edit tab.
Please remove this {{Draft}} template, when you're sure the page is complete and correct.

View the other draft pages

View all other pages to improve and maintain.


Mageia Firewall

Drakfirewall Configuration
The firewall GUI in Mageia Control Centre (drakfirewall) is a front end for the Shoreline Firewall more commonly known as Shorewall

Shorewall is itself a frontend for iptables, the Linux kernel firewall. Shorewall allows very complex firewalls to be configured using (relatively) easy to understand text configuration files which are located at /etc/shorewall.

Configuring the firewall GUI in Mageia Control Centre creates a file /etc/rules/shorewall/rules.drakx which is included with the shorewall configuration files and allows for simple blocking and admission of ports to your computer.

Is the Firewall Actually Needed?

In a typical home network, there is usually a perfectly good firewall on your internet router. This firewall will normally be configured to block all inbound packets from the internet unless specific rules have been defined to forward named ports to specific devices on the local network. If you trust the router firewall, and if you trust all the devices on your local subnet, then there is no real need for a firewall on your linux computer as well. If you do decide you want to run a firewall on your Linux computer then you should be aware that unless you open some ports on the firewall then you may have difficulty with functions such as printing or browsing other computers.

Desktop Notifications

The Mageia firewall GUI allows you to configure desktop notifications so you are alerted whenever the defined port is accessed by another computer. By default you will receive notifications for all the open services. New users are sometimes alarmed when they see alerts for services like port 601 (cups), or port 5353 (mdns). These services chatter between devices all the time and are not sinister. Disabling the desktop alert for the service will save you being troubled by them. However any traffic on port 22 (ssh) for example not originated by yourself could be an attack.

Advanced Firewall Tricks

By manually editing the shorewall files it is possible to create much more sophisticated firewalls in addition to the simple firewall provided by drakfirewall.

Blacklisting Countries

Unfortunately a lot of attacks on computers come from particular places in the world. If you have a server where you know where its users are located, then it is possible to use shorewall to block access from other locations.

These instructions assume you are using Mageia 4 or higher

This trick makes use of a feature in shorewall called ipsets which is a dynamic list of IP address ranges. Ipsets depends on a package called xtables, so we must start by installing some packages. Open a terminal and enter su to become root user.

# urpmi xtables-addons xtables-geoip xtables-addons-kernel-desktop-latest
or xtables-addons-kernel-server-latest if you are using the server kernel.

After installing the packages we can confirm that Ipsets are available in shorewall with the command

# shorewall show capabilities | grep Ipset
   Ipset Match (IPSET_MATCH): Available

Next we create a script which will download a list of country IP address ranges and put them into an ipset.

Use a text editor to create a file called /usr/local/bin/ipset-geoblock-country.sh

#!/bin/bash

ipset -exist create geoblock hash:net
ipset flush geoblock

wget -O /tmp/GeoIPCountryCSV.zip -T 5 -t 1 http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip 
unzip  -p /tmp/GeoIPCountryCSV.zip | tr -d '"' |  cut -d"," -f5,1-2  | awk -F, '\
BEGIN 	{

#Define list of countries to block
Countries = "CN BR";

split(Countries, countries, " ");
 } \
{
for (i in countries) {
                if (countries[i] == $3) {
                        system("ipset -A geoblock " $1 "-" $2 " -exist");
                }
        }
}	\
' 
ipset save geoblock > /etc/shorewall/geoblock
rm -f /tmp/GeoIPCountryCSV.zip

Here I am blocking access from China and Brazil. A list of country codes can be found at [1] After the ipset is created it is saved as /etc/shorewall/geoblock.

Make the script executable

#chmod +x /usr/local/bin/ipset-geoblock-country.sh
and set up a cron job to run it once a month
#cd /etc/cron.monthly
ln -s /usr/local/bin/ipset-geoblock-country.sh .

Now run the script manually and view the contents of the ipset you have created.

/usr/local/bin/ipset-geoblock-country.sh
ipset list | more

Now to configure shorewall to blacklist these ip address ranges edit the file /etc/shorewall/blrules

#
# Shorewall version 4 - Blacklist Rules File
#
# For information about entries in this file, type "man shorewall-blrules"
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
##################################################################################################################################################
#################################################
#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
#									PORT	PORT(S)		DEST		LIMIT		GROUP
DROP	net:+geoblock		all

The last line means that all packets coming from the internet with source IP address contained in the ipset called geoblock are to be dropped.

Finally we must configure shorewall to load the ipset from the saved file when it starts. (Shorewall will not start if the ipset is not defined.)

Add this text to the file /etc/shorewall/init

# restore geographical blacklist if present
if [ -f /etc/shorewall/geoblock ]; then
  ipset destroy geoblock
  ipset -file /etc/shorewall/geoblock restore geoblock
fi

To activate the new configuration give the command

shorewall safe-restart
This will compile the firewall rules and will highlight any errors in the configuration, and will ask your confirmation before activating them.

Whitelisting Countries

Countries can be whitelisted in a similar manner to blacklisting above. First we create a script to create an ipset. In this example I am making an ipset for the United Kingdom (gb).

/usr/local/bin/ipset-whitelist-country.sh

#!/bin/bash

ipset -exist create geowhitelist hash:net
ipset flush geowhitelist

wget -O /tmp/GeoIPCountryCSV.zip -T 5 -t 1 http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip 
unzip  -p /tmp/GeoIPCountryCSV.zip | tr -d '"' |  cut -d"," -f5,1-2  | awk -F, '\
BEGIN 	{

#Define list of countries to whitelist
Countries = "GB";

split(Countries, countries, " ");
 } \
{
for (i in countries) {
                if (countries[i] == $3) {
                        system("ipset -A geowhitelist " $1 "-" $2 " -exist");
                }
        }
}	\
' 
ipset save geowhitelist > /etc/shorewall/geowhitelist
rm -f /tmp/GeoIPCountryCSV.zip 

Make it executable, and set up a weekly cron job to update it as above.

Instead of editing shorewall/blrules we edit /etc/shorewall/rules like this

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################################################################################################################################
##################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
#							PORT	PORT(S)		DEST		LIMIT		GROUP
ACCEPT	net:+geowhitelist	fw	tcp	80,443
ACCEPT		net:192.168.1.0/24	fw	tcp	22,80,443
Ping(ACCEPT)	net:192.168.1.0/24	fw
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#INCLUDE	rules.drakx

The line ACCEPT net:+geowhitelist fw tcp 80,443 opens ports 80 and 443 (http and https) only to users in the geowhitelist ipset. Note that the last line to include the drakfirewall configuration is commented out to stop drakfirewall from opening ports without using the whitelist. With this line commented out, opening ports in the drakfirewall GUI will not have any effect so you must edit the rules file manually to open any ports you require as can be seen in the following lines

The line ACCEPT net:192.168.1.0/24 fw tcp 22 opens port 22 (ssh) as well as ports 80 and 443 to users in the local subnet. The line Ping(ACCEPT) net:192.168.1.0/24 fw allows the computer to respond to ping requests only from the local subnet.

Now configure shorewall to load the ipset when it restarts. Add this text to the file /etc/shorewall/init

# Restore whitelist from file
if [ -f /etc/shorewall/geowhitelist ]; then
  ipset destroy geowhitelist
  ipset -file /etc/shorewall/geowhitelist restore geowhitelist
fi

Activate the new configuration with

#shorewall safe-restart

Rate Restrict connection attempts

One of the most common attacks against a firewall are repeated login attempts against SSH servers. A properly configured SSH server should use passwordless logins using public key authentication, and so will not be in any danger of being breached, but that does not stop script kiddies around the world trying to log on with dictionary attacks which make repeated connection attempts using common passwords. Even if there is no danger of a successful login it fills up the system log, and wastes your bandwidth.

A simple but effective defence against this type of attack is to use the shorewall firewall to restrict the number of new connections it is possible to make to a port within a given time period. Dictionary attacks only work because a large number of password combinations can be tried in a very short time. If shorewall slows the number of connections to for example five per minute, then the automated algorithms driving these attacks will soon give up and move on to an easier target.

Restricting the connection rate to a service is very easy with shorewall. Edit the file /etc/shorewall/rules and add lines like this :-

Limit:none:SSHA,5,60	net	$FW		tcp	ssh
Limit:info:POP3,4,60	net	$FW		tcp	110
Limit:info:FTP,4,240	net	$FW		tcp	ftp

These commands will limit connections to SSH to five attempts in sixty seconds, or four attempts to log into a POP3 mail server in sixty seconds, or four attempts in four hours to log into an FTP server. Lines tagged info will cause a log entry when a connection attempt is refused.

Activate the new configuration with

#shorewall safe-restart

Note that you should not use the drakfirewall GUI to open ports to the same services. If the GUI is used to allow connections to SSH for example, then the firewall will have two rules for the same service and will not rate restrict connections.

An alternative method to stop persistent login attempts is to use fail2ban

There is another alternative way to block unwanted traffics and attacks for Mageia firewall. The free services can be found at http://ip2location.com/free/visitor-blocker