Mageia Firewall
The firewall GUI in Mageia Control Centre (drakfirewall) is a front end for the Shoreline Firewall, more commonly known as Shorewall.
Shorewall is itself a front end for iptables, the Linux kernel firewall. Shorewall allows very complex firewalls to be configured using (relatively) easy to understand text configuration files, which are located in /etc/shorewall.
Configuring the firewall GUI in Mageia Control Centre creates a file /etc/shorewall/rules.drakx, which is included with the Shorewall configuration files and allows simple blocking and opening of ports on your computer.
Is the Firewall Actually Needed?
In a typical home network, there is usually a perfectly good firewall on your internet router. This firewall will normally be configured to block all inbound packets from the internet unless specific rules have been defined to forward named ports to specific devices on the local network. If you trust the router firewall, and if you trust all the devices on your local subnet, then there is no real need for a firewall on your Linux computer as well. If you do decide to run a firewall on your Linux computer, be aware that unless you open some ports on it you may have difficulty with functions such as printing or browsing other computers.
Desktop Notifications
Warning! This section seems to be obsolete; to be confirmed.
The Mageia firewall GUI allows you to configure desktop notifications, so you are alerted whenever a defined port is accessed by another computer. By default, you will receive notifications for all the open services. New users are sometimes alarmed when they see alerts for services like port 601 (cups) or port 5353 (mdns). These services chatter between devices all the time and are not sinister; disabling the desktop alert for the service saves you from being troubled by them. However, any traffic on port 22 (ssh), for example, that you did not originate yourself could be an attack.
Advanced Firewall Tricks
By manually editing the shorewall files it is possible to create much more sophisticated firewalls in addition to the simple firewall provided by drakfirewall.
Blacklisting Countries
Unfortunately, a lot of attacks on computers come from particular places in the world. If you run a server and know where its users are located, it is possible to use Shorewall to block access from other locations.
These instructions assume you are using Mageia 4 or higher.
Warning! Since this section was written, an account at https://www.maxmind.com has become required to download the database. The download link in the script below will also need to be checked.
This trick makes use of a feature in Shorewall called ipsets, which are dynamic lists of IP address ranges. Ipsets depend on a package called xtables, so we must start by installing some packages. Open a terminal and enter the command /bin/sudo -i to become the root user, then install the packages with

    # urpmi xtables-addons xtables-geoip xtables-addons-kernel-desktop-latest

or

    # urpmi xtables-addons xtables-geoip xtables-addons-kernel-server-latest

if you are using the server kernel.
After installing the packages we can confirm that ipsets are available in Shorewall with the command

    # shorewall show capabilities | grep Ipset
    Ipset Match (IPSET_MATCH): Available
Next, we create a script that will download a list of country IP address ranges and put them into an ipset.
Use a text editor to create a file called /usr/local/bin/ipset-geoblock-country.sh with the following content:

    #!/bin/bash
    # Create the ipset if it does not exist yet, then empty it
    ipset -exist create geoblock hash:net
    ipset flush geoblock
    # Download the MaxMind country CSV (see the warning above about the account/link)
    wget -O /tmp/GeoIPCountryCSV.zip -T 5 -t 1 http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
    # CSV columns: start IP, end IP, start number, end number, country code, country name.
    # cut keeps fields 1, 2 and 5, so awk sees: $1 = start IP, $2 = end IP, $3 = country code
    unzip -p /tmp/GeoIPCountryCSV.zip | tr -d '"' | cut -d"," -f5,1-2 | awk -F, '
    BEGIN {
        # Define the list of countries to block
        Countries = "CN BR";
        split(Countries, countries, " ");
    }
    {
        for (i in countries) {
            if (countries[i] == $3) {
                # Add the whole range (start-end) to the ipset
                system("ipset -A geoblock " $1 "-" $2 " -exist");
            }
        }
    }
    '
    # Save the ipset so Shorewall can restore it at startup
    ipset save geoblock > /etc/shorewall/geoblock
    rm -f /tmp/GeoIPCountryCSV.zip
Here I am blocking access from China and Brazil. A list of country codes can be found at [1].
After the ipset is created it is saved as /etc/shorewall/geoblock.
Make the script executable

    # chmod +x /usr/local/bin/ipset-geoblock-country.sh

and set up a cron job to run it once a month

    # cd /etc/cron.monthly && ln -s /usr/local/bin/ipset-geoblock-country.sh

Now run the script manually and view the contents of the ipset you have created.

    # . /usr/local/bin/ipset-geoblock-country.sh && ipset list | more
Now, to configure Shorewall to blacklist these IP address ranges, edit the file /etc/shorewall/blrules:

    #
    # Shorewall version 4 - Blacklist Rules File
    #
    # For information about entries in this file, type "man shorewall-blrules"
    #
    # Please see http://shorewall.net/blacklisting_support.htm for additional
    # information.
    #
    ##############################################################################
    #ACTION   SOURCE          DEST   PROTO   DEST    SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME   HEADERS   SWITCH
    #                                        PORT    PORT(S)   DEST       LIMIT   GROUP
    DROP      net:+geoblock   all
The last line means that all packets coming from the internet whose source IP address is contained in the ipset called geoblock are to be dropped.
Finally we must configure Shorewall to load the ipset from the saved file when it starts (Shorewall will not start if the ipset is not defined).
Add this text to the file /etc/shorewall/init:

    # restore geographical blacklist if present
    if [ -f /etc/shorewall/geoblock ]; then
        ipset destroy geoblock
        ipset -file /etc/shorewall/geoblock restore
    fi
To activate the new configuration, give the command

    # shorewall safe-restart

This will compile the firewall rules, highlight any errors in the configuration, and ask for your confirmation before activating them.
Whitelisting Countries
Countries can be whitelisted in the same way as the blacklisting above. First, we create a script that builds an ipset. In this example, I am making an ipset for the United Kingdom (gb).
Create /usr/local/bin/ipset-whitelist-country.sh with this content:

    #!/bin/bash
    # Create the ipset if it does not exist yet, then empty it
    ipset -exist create geowhitelist hash:net
    ipset flush geowhitelist
    wget -O /tmp/GeoIPCountryCSV.zip -T 5 -t 1 http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
    # After cut: $1 = start IP, $2 = end IP, $3 = country code
    unzip -p /tmp/GeoIPCountryCSV.zip | tr -d '"' | cut -d"," -f5,1-2 | awk -F, '
    BEGIN {
        # Define the list of countries to whitelist
        Countries = "GB";
        split(Countries, countries, " ");
    }
    {
        for (i in countries) {
            if (countries[i] == $3) {
                system("ipset -A geowhitelist " $1 "-" $2 " -exist");
            }
        }
    }
    '
    # Save the ipset so Shorewall can restore it at startup
    ipset save geowhitelist > /etc/shorewall/geowhitelist
    rm -f /tmp/GeoIPCountryCSV.zip
Make it executable, and set up a weekly cron job to update it as above.
Instead of editing /etc/shorewall/blrules, we edit /etc/shorewall/rules like this:

    #
    # Shorewall version 4 - Rules File
    #
    # For information on the settings in this file, type "man shorewall-rules"
    #
    # The manpage is also online at
    # http://www.shorewall.net/manpages/shorewall-rules.html
    #
    ##############################################################################
    #ACTION         SOURCE               DEST   PROTO   DEST        SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME   HEADERS
    #                                                   PORT        PORT(S)   DEST       LIMIT   GROUP
    ACCEPT          net:+geowhitelist    fw     tcp     80,443
    ACCEPT          net:192.168.1.0/24   fw     tcp     22,80,443
    Ping(ACCEPT)    net:192.168.1.0/24   fw
    #SECTION ALL
    #SECTION ESTABLISHED
    #SECTION RELATED
    #INCLUDE rules.drakx
The line ACCEPT net:+geowhitelist fw tcp 80,443 opens ports 80 and 443 (http and https) only to users in the geowhitelist ipset.
Note: The last line, which includes the drakfirewall configuration, is commented out to stop drakfirewall from opening ports without using the whitelist. With this line commented out, opening ports in the drakfirewall GUI will have no effect, so you must edit the rules file manually to open any ports you require, as in the following lines.
The line ACCEPT net:192.168.1.0/24 fw tcp 22,80,443 opens port 22 (ssh) as well as ports 80 and 443 to users in the local subnet. The line Ping(ACCEPT) net:192.168.1.0/24 fw allows the computer to respond to ping requests only from the local subnet.
Now configure Shorewall to load the ipset when it restarts. Add this text to the file /etc/shorewall/init:

    # Restore whitelist from file
    if [ -f /etc/shorewall/geowhitelist ]; then
        ipset destroy geowhitelist
        # restore takes no set name: the saved file already names the set
        ipset -file /etc/shorewall/geowhitelist restore
    fi

Activate the new configuration with

    # shorewall safe-restart
Blacklisting IP villains reported by the community
Nowadays, many organizations (non-profit or commercial) maintain lists of IP addresses known to be potential threats: bots scan the internet from these addresses, or cyber-criminals use them to launch attacks. These lists can be downloaded and fed to the firewall to block them up front.
In this section, I chose to use the lists from spamhaus.org and abuseipdb.com.
Based on my readings and my daily practice, I trust these providers; others may propose more.
There is no need to get an account from the Spamhaus Project to get their list. However, a free account is required to get the list from abuseipdb.com.
You can sign up for a free account here: [2]
If you run a server with fail2ban installed, you can also report the IPs it blocks to abuseipdb.com.
If you don't want to open an account at abuseipdb.com, you can simply remove the blocks related to abuseipdb from the scripts below and keep only the parts related to the Spamhaus Project. Just to share my experience, I haven't noticed any commercial pressure or spam from abuseipdb.com to switch to a commercial plan.
As for blacklisting countries, the ipset feature is required and the same packages need to be installed, as root:

    # urpmi xtables-addons xtables-geoip xtables-addons-kernel-desktop-latest

or

    # urpmi xtables-addons xtables-geoip xtables-addons-kernel-server-latest

if you are using the server kernel.
Then, the approach is the same:
- Create a script to download the lists of IP addresses to block, load them into iptables through ipsets and save them.
- Instruct the firewall to block these ipsets.
- Make this rule persistent.
- Create a cron job to update the IP lists, so that new threats are blocked and obsolete entries are no longer blocked.
Script to download the IP lists and initialize the iptables
As root, create the file /usr/local/bin/shorewall-vilains.sh with your favorite text editor (nano, vi, ...).
Then, copy and paste the following block inside:

    #!/bin/bash
    # Thanks to many
    # To be stored in /usr/local/bin
    #############################
    # Set script variables
    SPAMHAUS_DROP="/usr/local/src/drop.txt"
    SPAMHAUS_eDROP="/usr/local/src/edrop.txt"
    ABUSE_DROP="/usr/local/src/abuseip.txt"
    SPAMURL="https://www.spamhaus.org/drop/drop.txt"
    eSPAMURL="https://www.spamhaus.org/drop/edrop.txt"
    DROP_ADD_TO_FW="/usr/local/src/DROP2.txt"
    eDROP_ADD_TO_FW="/usr/local/src/eDROP2.txt"
    ABUSE_ADD_TO_FW="/usr/local/src/abuseipv4.txt"
    SAVE_SPAM="/etc/shorewall/spamhaus"
    SAVE_SPAME="/etc/shorewall/espamhaus"
    SAVE_ABUSE="/etc/shorewall/abuseipdb"
    # Firewall list names (referenced as net:+NAME in /etc/shorewall/blrules)
    ABUSE="abusedrop"
    SPAM="spamhausdrop"
    SPAME="spamhausedrop"
    #
    echo ">>"
    echo "Start: $(date)"
    echo ">"
    #
    # Purge previous IP
    #
    echo "Create ipset DROP rules"
    /usr/sbin/ipset -exist create $ABUSE hash:net counters
    /usr/sbin/ipset -exist create $SPAM hash:net counters
    /usr/sbin/ipset -exist create $SPAME hash:net counters
    echo "Purge former ipset DROP rules"
    /usr/sbin/ipset flush $ABUSE
    /usr/sbin/ipset flush $SPAM
    /usr/sbin/ipset flush $SPAME
    #
    # ABUSEIPDB.com
    #
    echo ">"
    echo "Download ABUSEIP list and extract IP"
    # Replace your_key_from_abuseipdb_site with the key from your abuseipdb.com account.
    # A key passed on the command line is visible to other users in the process list
    # while curl runs, so keep this script readable by root only.
    curl -G https://api.abuseipdb.com/api/v2/blacklist -d confidenceMinimum=90 -H "Key: your_key_from_abuseipdb_site" -H "Accept: text/plain" > $ABUSE_DROP
    # Remove IPv6 addresses (the ipsets are IPv4 only)
    sed '/:/d' $ABUSE_DROP > $ABUSE_ADD_TO_FW
    echo "Update ipset with ABUSEIP list"
    while read IP; do
        /usr/sbin/ipset -exist add $ABUSE $IP
    done < "$ABUSE_ADD_TO_FW"
    echo "Save ipset ABUSEIP list"
    ipset save $ABUSE > $SAVE_ABUSE
    #
    # "The Spamhaus Project" - https://www.spamhaus.org
    #
    echo ">"
    echo "Download SPAMHAUS DROP list and extract IP"
    wget -q -O - "$SPAMURL" > $SPAMHAUS_DROP
    # Drop the ';' comment lines and keep only the network (first field)
    grep -v '^;' $SPAMHAUS_DROP | cut -d ' ' -f 1 > $DROP_ADD_TO_FW
    echo "Update ipset with SPAMHAUS DROP list"
    while read IP; do
        /usr/sbin/ipset -exist add $SPAM $IP
    done < "$DROP_ADD_TO_FW"
    echo "Save ipset SPAMHAUS list"
    ipset save $SPAM > $SAVE_SPAM
    #
    # "The Spamhaus Project" - https://www.spamhaus.org
    #
    echo ">"
    echo "Download SPAMHAUS eDROP list and extract IP"
    wget -q -O - "$eSPAMURL" > $SPAMHAUS_eDROP
    grep -v '^;' $SPAMHAUS_eDROP | cut -d ' ' -f 1 > $eDROP_ADD_TO_FW
    echo "Update ipset with SPAMHAUS eDROP list"
    while read IP; do
        /usr/sbin/ipset -exist add $SPAME $IP
    done < "$eDROP_ADD_TO_FW"
    echo "Save ipset eSPAMHAUS list"
    ipset save $SPAME > $SAVE_SPAME
    #
    # Make the new lists active in memory
    #
    echo ">"
    echo "Reload firewall"
    echo "--------------- "
    shorewall restart
    #
    # Controls
    #
    echo " "
    systemctl status --no-pager shorewall
    echo " "
    shorewall show bl
    echo " "
    echo "spamhausDrop size"
    /usr/sbin/ipset list "$SPAM" | wc -l
    echo "spamhauseDrop size"
    /usr/sbin/ipset list "$SPAME" | wc -l
    echo "abusedrop size"
    /usr/sbin/ipset list "$ABUSE" | wc -l
    echo ">"
    echo "End: $(date)"
    echo ">>"
As root, make this script executable:

    # chmod u+x /usr/local/bin/shorewall-vilains.sh
Instruct Shorewall to block these IP lists
To configure Shorewall to blacklist these IP address ranges, edit the file /etc/shorewall/blrules and add the following lines at the bottom:

    DROP:info:abuseip     net:+abusedrop        all
    DROP:info:spamhaus    net:+spamhausdrop     all
    DROP:info:spamhausE   net:+spamhausedrop    all
Make this blacklist persistent
As the ipsets created will be gone after a reboot, to make them persistent you have to instruct Shorewall to restore them at startup or after a restart.
Remember that these ipsets have been saved inside the /etc/shorewall folder by the above script.
Hence, as root, edit the file /etc/shorewall/init and add the following block at the bottom:

    # restore Abuseipdb and Spamhaus blacklists if present
    if [ -f /etc/shorewall/abuseipdb ]; then
        ipset destroy abusedrop
        ipset -file /etc/shorewall/abuseipdb restore
    fi
    if [ -f /etc/shorewall/spamhaus ]; then
        ipset destroy spamhausdrop
        ipset -file /etc/shorewall/spamhaus restore
    fi
    if [ -f /etc/shorewall/espamhaus ]; then
        ipset destroy spamhausedrop
        ipset -file /etc/shorewall/espamhaus restore
    fi
You can now perform an initial test by running the shorewall-vilains.sh script in a console, as root:

    # /usr/local/bin/shorewall-vilains.sh
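Both the country scripts above and shorewall-vilains.sh flush the live ipset before the download has succeeded, so a failed download, or an HTML error page returned where an IP list was expected, leaves the set empty until the next run. The following is an added example (not from the wiki page or its scripts) that builds the new list into a temporary set and swaps it into the live one atomically; it assumes the live set (spamhausdrop, abusedrop, ...) already exists, as the init snippet above ensures, and the sample list is constructed.

```shell
#!/bin/sh
# Added example (not from the Mageia wiki): turn a downloaded block list into
# `ipset restore` input that fills a temporary set and swaps it into place, so
# the live set is only replaced when the new list holds valid entries.

# Print a valid IPv4 CIDR for one list line, or nothing. Accepts the Spamhaus
# DROP format ("192.0.2.0/24 ; SBL123") and the bare addresses returned by
# the AbuseIPDB plain-text blacklist; comments, blanks and IPv6 are skipped.
valid_v4_cidr() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*[;#]/ || NF == 0 { next }
        {
            split($1, p, "/")
            if (split(p[1], o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            if (p[2] == "") p[2] = "32"
            if (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32) next
            print p[1] "/" p[2]
        }'
}

# Read a list on stdin and write an ipset restore script on stdout.
# $1 = live set name as referenced from /etc/shorewall/blrules (net:+NAME);
# it must already exist. Returns 1 without emitting the swap when no valid
# entry was found, so an empty or broken download cannot unblock everything.
drop_to_restore() {
    live="$1"; tmp="${live}_new"; count=0
    printf 'create %s hash:net counters\nflush %s\n' "$tmp" "$tmp"
    while IFS= read -r line; do
        cidr=$(valid_v4_cidr "$line")
        [ -n "$cidr" ] || continue
        printf 'add %s %s\n' "$tmp" "$cidr"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        printf 'destroy %s\n' "$tmp"
        return 1
    fi
    printf 'swap %s %s\ndestroy %s\n' "$tmp" "$live" "$tmp"
}

# Constructed sample in the DROP list format (documentation ranges, not real data).
SAMPLE='; Spamhaus DROP List (constructed sample)
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
2001:db8::/32 ; SBL000003
not-an-address ; SBL000004
203.0.113.7
'
# Usage: drop_to_restore spamhausdrop < drop.txt > /tmp/spamhaus.restore &&
#        ipset -exist -file /tmp/spamhaus.restore restore
```

Running the restore under `ipset -exist` lets the `create` of the temporary set succeed even if a previous run was interrupted; the `flush` that follows then clears any stale entries before the new ones are added.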
Blacklist update
In order to update the list of IPs to block, you need to run the shorewall-vilains.sh script on a regular basis. Don't run it more than daily though, as the number of list downloads per day is limited.
As for blacklisting countries, as root, you can create a link to the script in a cron folder like:

    # ln -s /usr/local/bin/shorewall-vilains.sh /etc/cron.daily
Personally, having multiple cron jobs to manage on a server, I find it more convenient to use the timer feature of systemd.
To do so, you need to create two files as below.
As root, create /usr/lib/systemd/system/shorewall-spamcron.service with your favorite text editor and paste the following block in:

    [Unit]
    Description=IP spam list update for shorewall

    [Service]
    User=root
    ExecStart=/usr/local/bin/shorewall-vilains.sh
Do the same for /usr/lib/systemd/system/shorewall-spamcron.timer with the following block:

    [Unit]
    Description=Run shorewall-vilains.sh daily at 0:30

    [Timer]
    OnCalendar=*-*-* 00:30:00
    Persistent=true
    Unit=shorewall-spamcron.service

    [Install]
    WantedBy=timers.target
Then, as root, enable and start the timer:

    # systemctl enable --now shorewall-spamcron.timer

The list of villains will be updated every day at 3:00 AM.
The following command lets you check when the script was last run and when it will run next:

    # systemctl list-timers shorewall-spamcron.timer
Rate Restrict Connection Attempts
One of the most common attacks against a firewall is repeated login attempts against SSH servers. A properly configured SSH server should use passwordless logins with public key authentication, and so will not be in any danger of being breached, but that does not stop script kiddies around the world trying to log on with dictionary attacks, which make repeated connection attempts using common passwords. Even if there is no danger of a successful login, it fills up the system log and wastes your bandwidth.
A simple but effective defense against this type of attack is to use the Shorewall firewall to restrict the number of new connections it is possible to make to a port within a given time period. Dictionary attacks only work because many password combinations can be tried in a very short time. If Shorewall slows the number of connections to, for example, five per minute, then the automated tools driving these attacks will soon give up and move on to an easier target.
Restricting the connection rate to a service is very easy with Shorewall. Edit the file /etc/shorewall/rules and add lines like this:

    Limit:none:SSHA,5,60    net    $FW    tcp    ssh
    Limit:info:POP3,4,60    net    $FW    tcp    110
    Limit:info:FTP,4,240    net    $FW    tcp    ftp

These rules will limit connections to SSH to five attempts in sixty seconds, or four attempts to log into a POP3 mail server in sixty seconds, or four attempts in four hours to log into an FTP server. Lines tagged info will cause a log entry when a connection attempt is refused.
Activate the new configuration with

    # shorewall safe-restart

Warning! You should not use the drakfirewall GUI to open ports to the same services. If the GUI is used to allow connections to SSH, for example, then the firewall will have two rules for the same service and will not rate restrict connections.
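A quick way to catch the situation described in this warning, as an added example that is not part of the wiki page: compare the Limit rules in /etc/shorewall/rules with the ACCEPT rules drakfirewall writes to rules.drakx and report any service opened by both. The service-name table and the assumed ACTION SOURCE DEST PROTO DEST-PORT column layout of rules.drakx are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the Mageia wiki): report services that are both
# rate-limited by a Limit rule in /etc/shorewall/rules and opened outright by
# drakfirewall in rules.drakx, a combination that defeats the Limit rule.

# Service names used in the page's rules, mapped to port numbers (assumed
# table). Numeric ports pass through unchanged; other names are kept as is.
port_number() {
    case "$1" in
        ssh) echo 22 ;;   ftp) echo 21 ;;    pop3) echo 110 ;;
        http) echo 80 ;;  https) echo 443 ;; *) echo "$1" ;;
    esac
}

# Read a Shorewall rules file on stdin and print a sorted "proto port" line
# for every rule whose ACTION starts with $1 (e.g. "Limit:" or "ACCEPT").
# Comments, ?SECTION/#INCLUDE lines and blank lines are skipped, and
# comma-separated DEST PORT lists such as "22,80,443" are expanded.
rule_ports() {
    awk -v act="$1" '
        /^[[:space:]]*[#?]/ || NF == 0 { next }
        index($1, act) == 1 && NF >= 5 {
            n = split($5, p, ",")
            for (i = 1; i <= n; i++) print tolower($4), p[i]
        }' |
    while read -r proto port; do
        echo "$proto $(port_number "$port")"
    done | sort -u
}

# $1 = rules file, $2 = rules.drakx. Prints each "proto port" that is
# rate-limited in $1 yet accepted unconditionally in $2; returns 1 if any.
limit_conflicts() {
    limited=$(rule_ports "Limit:" < "$1")
    [ -n "$limited" ] || return 0
    conflicts=$(rule_ports "ACCEPT" < "$2" | grep -Fx -e "$limited" || true)
    [ -n "$conflicts" ] || return 0
    printf '%s\n' "$conflicts"
    return 1
}

# Usage: limit_conflicts /etc/shorewall/rules /etc/shorewall/rules.drakx
```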
An alternative method to stop persistent login attempts is to use fail2ban.
There is another way to block unwanted traffic and attacks with the Mageia firewall: the free services found at http://ip2location.com/free/visitor-blocker