Mageia Firewall
The firewall GUI in the Mageia Control Centre (drakfirewall) is a front end for the Shoreline Firewall, more commonly known as Shorewall.
Shorewall is itself a frontend for iptables, the Linux kernel firewall. Shorewall allows very complex firewalls to be configured using (relatively) easy to understand text configuration files which are located at /etc/shorewall.
Configuring the firewall GUI in the Mageia Control Centre creates a file /etc/shorewall/rules.drakx, which is included by the shorewall configuration files and allows simple blocking and admission of ports to your computer.
Is the Firewall Actually Needed?
In a typical home network there is usually a perfectly good firewall on your internet router. This firewall will normally be configured to block all inbound packets from the internet unless specific rules have been defined to forward named ports to specific devices on the local network. If you trust the router firewall, and if you trust all the devices on your local subnet, then there is no real need for a firewall on your Linux computer as well. If you do decide you want to run a firewall on your Linux computer, be aware that unless you open some ports on the firewall you may have difficulty with functions such as printing or browsing other computers.
Desktop Notifications
The Mageia firewall GUI allows you to configure desktop notifications so you are alerted whenever a defined port is accessed by another computer. By default you will receive notifications for all the open services. New users are sometimes alarmed when they see alerts for services like port 601 (cups) or port 5353 (mdns). These services chatter between devices all the time and are not sinister, and disabling the desktop alert for such a service will spare you those alerts. However, any traffic on port 22 (ssh), for example, that you did not originate yourself could be an attack.
Advanced Firewall Tricks
By manually editing the shorewall files it is possible to create much more sophisticated firewalls in addition to the simple firewall provided by drakfirewall.
Blacklisting Countries
Unfortunately, a lot of attacks on computers come from particular places in the world. If you have a server and you know where its users are located, then it is possible to use shorewall to block access from other locations.
These instructions assume you are using Mageia 4 or higher.
This trick makes use of a shorewall feature called ipsets, which are dynamic lists of IP address ranges. Ipsets depend on a package called xtables, so we must start by installing some packages. Open a terminal and enter su to become the root user.
# urpmi xtables-addons xtables-geoip xtables-addons-kernel-desktop-latest
(or xtables-addons-kernel-server-latest if you are using the server kernel).
After installing the packages we can confirm that ipsets are available in shorewall with the command
# shorewall show capabilities | grep Ipset
Ipset Match (IPSET_MATCH): Available
Next we create a script which will download a list of country IP address ranges and put them into an ipset.
Use a text editor to create a file called /usr/local/bin/ipset-geoblock-country.sh
#!/bin/bash
# Create the ipset if it does not exist yet, then empty it
ipset -exist create geoblock hash:net
ipset flush geoblock
# Fetch the GeoLite country CSV (columns: startIP,endIP,startInt,endInt,CC,Country)
wget -O /tmp/GeoIPCountryCSV.zip -T 5 -t 1 http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
# Keep startIP, endIP and country code, and add every range of a listed country
unzip -p /tmp/GeoIPCountryCSV.zip | tr -d '"' | cut -d"," -f5,1-2 | awk -F, '\
BEGIN {
  #Define list of countries to block
  Countries = "CN BR";
  split(Countries, countries, " ");
} \
{
  for (i in countries) {
    if (countries[i] == $3) {
      system("ipset -A geoblock " $1 "-" $2 " -exist");
    }
  }
} \
'
# Save the set so /etc/shorewall/init can restore it at start-up
ipset save geoblock > /etc/shorewall/geoblock
rm -f /tmp/GeoIPCountryCSV.zip
Here I am blocking access from China and Brazil. A list of country codes can be found at [1]. After the ipset is created it is saved as /etc/shorewall/geoblock.
Make the script executable
# chmod +x /usr/local/bin/ipset-geoblock-country.sh
and set up a cron job to run it once a month
# cd /etc/cron.monthly
# ln -s /usr/local/bin/ipset-geoblock-country.sh .
Now run the script manually and view the contents of the ipset you have created.
# /usr/local/bin/ipset-geoblock-country.sh
# ipset list | more
Now, to configure shorewall to blacklist these IP address ranges, edit the file /etc/shorewall/blrules
#
# Shorewall version 4 - Blacklist Rules File
#
# For information about entries in this file, type "man shorewall-blrules"
#
# Please see http://shorewall.net/blacklisting_support.htm for additional
# information.
#
###############################################################################################################################
#ACTION  SOURCE         DEST  PROTO  DEST    SOURCE   ORIGINAL  RATE   USER/  MARK  CONNLIMIT  TIME  HEADERS  SWITCH
#                                    PORT    PORT(S)  DEST      LIMIT  GROUP
DROP     net:+geoblock  all
The last line means that all packets coming from the internet whose source IP address is contained in the ipset called geoblock are to be dropped.
Finally we must configure shorewall to load the ipset from the saved file when it starts. (Shorewall will not start if the ipset is not defined.)
Add this text to the file /etc/shorewall/init
# restore geographical blacklist if present
if [ -f /etc/shorewall/geoblock ]; then
    ipset destroy geoblock
    ipset -file /etc/shorewall/geoblock restore geoblock
fi
To activate the new configuration give the command
# shorewall safe-restart
This will compile the firewall rules, highlight any errors in the configuration, and ask for your confirmation before activating them.
Whitelisting Countries
Countries can be whitelisted in a similar manner to the blacklisting above. First we create a script that builds an ipset. In this example I am making an ipset for the United Kingdom (gb).
/usr/local/bin/ipset-whitelist-country.sh
#!/bin/bash
# Create the ipset if it does not exist yet, then empty it
ipset -exist create geowhitelist hash:net
ipset flush geowhitelist
# Fetch the GeoLite country CSV (columns: startIP,endIP,startInt,endInt,CC,Country)
wget -O /tmp/GeoIPCountryCSV.zip -T 5 -t 1 http://geolite.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
# Keep startIP, endIP and country code, and add every range of a listed country
unzip -p /tmp/GeoIPCountryCSV.zip | tr -d '"' | cut -d"," -f5,1-2 | awk -F, '\
BEGIN {
  #Define list of countries to whitelist
  Countries = "GB";
  split(Countries, countries, " ");
} \
{
  for (i in countries) {
    if (countries[i] == $3) {
      system("ipset -A geowhitelist " $1 "-" $2 " -exist");
    }
  }
} \
'
# Save the set so /etc/shorewall/init can restore it at start-up
ipset save geowhitelist > /etc/shorewall/geowhitelist
rm -f /tmp/GeoIPCountryCSV.zip
Make it executable, and set up a weekly cron job to update it as above.
Instead of editing /etc/shorewall/blrules, we edit /etc/shorewall/rules like this:
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
###############################################################################################################################
#ACTION        SOURCE              DEST  PROTO  DEST       SOURCE   ORIGINAL  RATE   USER/  MARK  CONNLIMIT  TIME  HEADERS
#                                               PORT       PORT(S)  DEST      LIMIT  GROUP
ACCEPT         net:+geowhitelist   fw    tcp    80,443
ACCEPT         net:192.168.1.0/24  fw    tcp    22,80,443
Ping(ACCEPT)   net:192.168.1.0/24  fw
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#INCLUDE rules.drakx
The line ACCEPT net:+geowhitelist fw tcp 80,443 opens ports 80 and 443 (http and https) only to addresses in the geowhitelist ipset. Note that the last line, which includes the drakfirewall configuration, is commented out to stop drakfirewall from opening ports without using the whitelist. With this line commented out, opening ports in the drakfirewall GUI will have no effect, so you must edit the rules file manually to open any ports you require, as the following lines show.
The line ACCEPT net:192.168.1.0/24 fw tcp 22,80,443 opens port 22 (ssh) as well as ports 80 and 443 to hosts in the local subnet. The line Ping(ACCEPT) net:192.168.1.0/24 fw allows the computer to respond to ping requests only from the local subnet.
Now configure shorewall to load the ipset when it restarts. Add this text to the file /etc/shorewall/init
# Restore whitelist from file
if [ -f /etc/shorewall/geowhitelist ]; then
    ipset destroy geowhitelist
    ipset -file /etc/shorewall/geowhitelist restore geowhitelist
fi
Activate the new configuration with
# shorewall safe-restart
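The two scripts above (geoblock and geowhitelist) both turn the GeoIP CSV into a set by calling ipset once per range and then saving the result. The following added example (not from the Mageia wiki and not part of Shorewall) instead writes the create/add file that /etc/shorewall/init hands to ipset restore, so the list can be generated and reviewed without root or a live ipset, and it adds a check of which listed country a given address belongs to, which is worth running before loading a set so you do not lock your own address out. The CSV column layout is assumed to be the one the scripts above rely on; the three-line CSV sample is constructed, not real data.

```shell
#!/bin/sh
# Added example, not part of the Mageia wiki page or of Shorewall.
# Assumed CSV layout (as used by the geoblock/geowhitelist scripts):
#   "startIP","endIP",startInt,endInt,"CC","Country"

# csv_to_ipset_restore SETNAME "CC CC ..." < csv  -> restore file on stdout
# Load it after "ipset destroy SETNAME", as /etc/shorewall/init does.
csv_to_ipset_restore() {
    setname="$1"
    wanted=" $2 "
    printf 'create %s hash:net\n' "$setname"
    tr -d '"' | awk -F, -v setname="$setname" -v wanted="$wanted" '
        # one add line per range whose country code is in the wanted list
        index(wanted, " " $5 " ") { print "add " setname " " $1 "-" $2 }
    '
}

# country_of_ip A.B.C.D < csv -> country code of the range containing the
# address (compares against the integer columns), or nothing if none matches
country_of_ip() {
    tr -d '"' | awk -F, -v ip="$1" '
        BEGIN { split(ip, o, "."); n = ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        $3 <= n && n <= $4 { print $5; exit }
    '
}

# Constructed three-line sample in the GeoIP CSV layout (not real data)
SAMPLE_CSV='"1.0.1.0","1.0.3.255",16777472,16778239,"CN","China"
"2.16.0.0","2.16.255.255",34603008,34668543,"GB","United Kingdom"
"177.0.0.0","177.1.255.255",2969567232,2969698303,"BR","Brazil"'

# Same selection as the geoblock script, written as a restore file
printf '%s\n' "$SAMPLE_CSV" | csv_to_ipset_restore geoblock "CN BR"
# Which listed country would 177.1.2.3 fall in?  (prints BR)
printf '%s\n' "$SAMPLE_CSV" | country_of_ip 177.1.2.3
```

To build the real file, run `csv_to_ipset_restore geoblock "CN BR" < GeoIPCountryWhois.csv > /etc/shorewall/geoblock` on the unzipped CSV, and check your own public address with country_of_ip first.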
Rate Restricting Connection Attempts
One of the most common attacks against a firewall is repeated login attempts against SSH servers. A properly configured SSH server should use passwordless logins with public key authentication, and so will not be in any danger of being breached, but that does not stop script kiddies around the world from trying to log on with dictionary attacks, which make repeated connection attempts using common passwords. Even if there is no danger of a successful login, this fills up the system log and wastes your bandwidth.
A simple but effective defence against this type of attack is to use the shorewall firewall to restrict the number of new connections that can be made to a port within a given time period. Dictionary attacks only work because a large number of password combinations can be tried in a very short time. If shorewall slows the number of connections to, for example, five per minute, then the automated tools driving these attacks will soon give up and move on to an easier target.
Restricting the connection rate to a service is very easy with shorewall. Edit the file /etc/shorewall/rules and add lines like these:
Limit:none:SSHA,5,60    net   $FW   tcp   ssh
Limit:info:POP3,4,60    net   $FW   tcp   110
Limit:info:FTP,4,240    net   $FW   tcp   ftp
These rules limit connections to SSH to five attempts in sixty seconds, logins to a POP3 mail server to four attempts in sixty seconds, and logins to an FTP server to four attempts in four hours. Lines tagged info cause a log entry when a connection attempt is refused.
Activate the new configuration with
# shorewall safe-restart
Note that you should not use the drakfirewall GUI to open ports to the same services. If the GUI is used to allow connections to SSH for example, then the firewall will have two rules for the same service and will not rate restrict connections.
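A quick way to catch the conflict just described, as an added example that is not from the Mageia wiki or from Shorewall: the function below reads a Shorewall rules file and reports every port that has both a Limit rule and an unrestricted ACCEPT rule from the whole net zone (for instance one drakfirewall wrote into rules.drakx). It assumes the whitespace-separated columns shown on this page and only resolves the service names used here (ssh, ftp, pop3) to numbers; the sample rules are constructed.

```shell
#!/bin/sh
# Added example, not part of the Mageia wiki page or of Shorewall.

# port_number NAME-OR-NUMBER -> number (unknown names are passed through)
port_number() {
    case "$1" in
        ssh)  echo 22 ;;
        ftp)  echo 21 ;;
        pop3) echo 110 ;;
        *)    echo "$1" ;;
    esac
}

# find_unlimited_ports < rules -> prints "PROTO/PORT" for each port that has
# both a Limit rule and a plain ACCEPT rule from "net"; exit status 1 if any
# such overlap exists (the Limit rule is bypassed), 0 otherwise.
find_unlimited_ports() {
    limited=" "
    accepted=" "
    found=0
    while read -r action source dest proto ports rest; do
        case "$action" in ''|'#'*) continue ;; esac   # skip comments and blanks
        [ "$source" = net ] || continue                # only the whole net zone
        for p in $(printf '%s' "$ports" | tr ',' ' '); do
            p="$proto/$(port_number "$p")"
            case "$action" in
                Limit:*) limited="$limited$p " ;;
                ACCEPT)  accepted="$accepted$p " ;;
            esac
        done
    done
    for p in $limited; do
        case "$accepted" in *" $p "*) echo "$p"; found=1 ;; esac
    done
    [ "$found" -eq 0 ]
}

# Constructed sample: the ACCEPT for port 22 from the whole net zone makes the
# SSH Limit rule useless; the subnet-scoped ACCEPT on the last line is deliberate.
SAMPLE_RULES='Limit:none:SSHA,5,60 net $FW tcp ssh
ACCEPT net $FW tcp 22,80
Limit:info:POP3,4,60 net $FW tcp 110
ACCEPT net:192.168.1.0/24 fw tcp 22'

printf '%s\n' "$SAMPLE_RULES" | find_unlimited_ports || echo "Limit rule bypassed on the ports above"
```

On a real system run it as `cat /etc/shorewall/rules /etc/shorewall/rules.drakx | find_unlimited_ports`, since the INCLUDE pulls the drakfirewall rules into the same rule set.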
An alternative method to stop persistent login attempts is to use fail2ban.
Another way to block unwanted traffic and attacks with the Mageia firewall is the free service available at http://ip2location.com/free/visitor-blocker