
Debian 8 Firewall selection, installation, and configuration

New to Debian (Or Linux in general)? Ask your questions here!
hanzer
Posts: 4
Joined: 2015-08-27 23:13

Debian 8 Firewall selection, installation, and configuration

#1 Post by hanzer »

Code: Select all

Linux helix 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt11-1+deb8u3 (2015-08-04) i686 GNU/Linux
I would like to set up a firewall on my system. Is the fwbuilder package alone sufficient to get started?

I'm coming from OpenBSD (~7 years), before that FreeBSD (~9 years), and during the 90's Solaris/SunOS (~8 years). The Debian documentation that I've found seems to be a lot of discombobulated chatter without much content. (Sorry, frustrated).

hanzer
Posts: 4
Joined: 2015-08-27 23:13

Re: Debian 8 Firewall selection, installation, and configura

#2 Post by hanzer »

Update:

I found simple instructions at https://wiki.debian.org/iptables that don't require fwbuilder. Now I just need to figure out how to write some basic iptables rules for each of the interfaces (wlan0, eth0) and set up NAT.

GarryRicketson
Posts: 5644
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Debian 8 Firewall selection, installation, and configura

#3 Post by GarryRicketson »

I don't know enough to explain much:
hanzer wrote:Now I just need to figure out how to write some basic iptables rules for each of the interfaces (wlan0, eth0) and set up NAT.
like give some examples... I don't really understand how it all works; to me it seems complicated.
Here is an option: http://easyfwgen.morizot.net/gen/
It is a simple script that does everything for you. You first fill out some info on the website that is needed to generate the script for your system (IP, etc.); it is pretty self-explanatory. After you fill in the blanks and the script is generated, you download it.
Code: Select all

3. To have it applied at startup, copy this script to
# /etc/init.d/iptables. It accepts stop, start, save, and restore
# arguments. (You may wish to save the existing one first.)
# Alternatively, if you issue the 'service iptables save' command
# the init.d script should save the rules and reload them at runtime.
Be sure to set the permissions as executable. After you copy it to

Code: Select all

/etc/init.d/iptables
(unless you have already set up some sort of "iptables" there will not be a file named iptables yet; once you copy it to /etc/init it will be there), then

Code: Select all

# ./iptables start 
will start it. To stop it,

Code: Select all

# ./iptables stop 
This is what it will look like, if everything goes smoothly,..

Code: Select all

root@debian:/etc/init# ./iptables start
Loading kernel modules ...
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
Flushing Tables ...
Create and populate custom rule chains ...
Process INPUT chain ...
Process FORWARD chain ...
Process OUTPUT chain ...
Load rules for nat table ...
Load rules for mangle table ...
When you stop it:

Code: Select all

root@debian:/etc/init# ./iptables stop
Loading kernel modules ...
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
Flushing Tables ...
Firewall completely flushed!  Now running with no firewall.
root@debian:/etc/init#
This will list the chains and rules, so you can check and see what the rules look like for your system. Probably you don't have any yet; after you run the script you will.

Code: Select all

iptables -L -n
The first time I tried it, I had entered some info related to the "wlan0" settings and was unable to access anything online. I don't remember now exactly what it was, but running

Code: Select all

 ./iptables stop 
cleared it, and everything was back to normal; later I worked out what the wlan0 needed to be.
The script is intended for servers but is just fine for "home systems" too, but really, if you are not running any kind of server at home besides a localhost, you probably do not need this.
There is a thread here: http://www.stopforumspam.com/forum/view ... hp?id=5860 This is in the "registered users" area, which means you would have to register to see the thread, but there is also someone there who could really explain it a whole lot better than me, "Alex Kemp", so it might be worth it to register.
There are more details, but they are in an area not even viewable by normal "registered users", only admins, but Alex would be able to answer any questions, and happy to (I think).
I think also:
hanzer wrote:Is the fwbuilder package alone sufficient to get started?
I think that should be sufficient. If I remember correctly, "fwbuilder" is very similar to EFG (Easy Firewall Generator) but has a little more GUI and is in the Debian repository; in the long run, for Debian, that ("fwbuilder") probably would be the better choice. Oh, and kind of kidding, but seriously, don't hold me responsible for anything that goes wrong in either one of them. EFG worked fine for me at the time, when I needed a good firewall; right now, I don't really need it.


millpond
Posts: 698
Joined: 2014-06-25 04:56

Re: Debian 8 Firewall selection, installation, and configura

#5 Post by millpond »

Gracias for that site.

IPtables are a beast to wrap one's head around, and that script does the basics.

I fully agree that we really should not *need* a firewall on home systems, especially if we are sitting behind NAT (this system is behind two)

What would be really good, would be to have a discussion on all the best ways to keep the internet out and to keep unsolicited connections from getting out.

I disable sshd and am particularly interested in any other things that can possibly present a login prompt to someone outside the network. Even on my network, Samba refuses connections to the Linux machine.

Linux seems to lack a robust version of the Mac *Little Snitch*. There is LeopardFlower, but it seems very, very Alpha.

https://l3net.wordpress.com/projects/firejail/
is more of a sandbox.

On servers there is .htaccess (but I only infrequently run them on localhost)

If i had a clear understanding of what was a real threat, I believe I have the tools to create or assist in making some real defenses.

The simplest is mv.
Move any suspected chatterbox apps out of the path and see if they shut up.

hanzer
Posts: 4
Joined: 2015-08-27 23:13

Re: Debian 8 Firewall selection, installation, and configura

#6 Post by hanzer »

GarryRicketson wrote:I don't know enough to explain much:
Now I just need to figure out how to write some basic iptables rules for each of the interfaces (wlan0, eth0) and set up NAT.
like give some examples,..don't really understand how it all works , to me it seems complicated.
Here is a option, http://easyfwgen.morizot.net/gen/
It is a simple, script that does everything for you, you first fill out some info, on the website, that is needed to generate the script, for your system , IP , etc. It is pretty self explanatory. After you fill in the blanks and the script is generated, you then download it
Thanks! I don't think I would use that generator's script as-is but I can reverse engineer the salient parts into my rules file. This should bootstrap basic firewall functionality while I collect and digest more information about IPtables.

In my situation the firewall should be up all of the time and I prefer to keep configurations comprehensible and flexible so (comments on this tactic are welcome) I think I will:

1) Put kernel configuration parameters in

Code: Select all

/etc/sysctl.d/local.conf
2) If any kernel modules are needed, specify them in

Code: Select all

/etc/modprobe.d/local.conf
3) Put the firewall rules in

Code: Select all

/etc/iptables.rules
4) Start the firewall on boot with

Code: Select all

/etc/network/if-pre-up.d/iptables
which contains

Code: Select all

#!/bin/sh
# Runs before each interface is brought up; reloads the saved ruleset.
/sbin/iptables-restore < /etc/iptables.rules
What do you think? Would this approach be maintainable and survive system updates?
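What that plan looks like filled in for the Internet-facing NAT gateway hanzer describes further down the thread, as an added example that is not hanzer's, the Debian wiki's or the EFG script's code: it writes the four files from the list above, seeding /etc/sysctl.d/local.conf with the kernel parameters the EFG script printed in post #3 and /etc/iptables.rules with a default-deny ruleset plus masquerading. It assumes eth0 is the WAN side, wlan0 the LAN side and 192.168.1.0/24 the LAN network (none of which the thread states), and that the gateway also answers DNS and DHCP for the LAN; all files are written under $DESTDIR so the script can be dry-run unprivileged.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions (not stated there):
# eth0 = WAN/Internet side, wlan0 = LAN side, LAN = 192.168.1.0/24, and the
# gateway serves DNS (53/udp) and DHCP (67/udp) to the LAN. Files go under
# $DESTDIR: "DESTDIR=/tmp/stage sh gw-fw.sh install" stages them as any user,
# "sh gw-fw.sh install" as root writes the real /etc files.
set -eu

WAN="${WAN:-eth0}"
LAN="${LAN:-wlan0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DESTDIR="${DESTDIR:-}"

# /etc/sysctl.d/local.conf: forwarding on, plus the hardening knobs from post #3.
gen_sysctl() {
    cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.log_martians = 1
EOF
}

# /etc/iptables.rules in iptables-save format. INPUT and FORWARD default to
# DROP, so anything not listed is closed; only replies and LAN-originated
# traffic are forwarded. $1 = WAN interface, $2 = LAN interface, $3 = LAN net.
gen_rules() {
    wan=$1; lan=$2; net=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -i $lan -s $net -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -s $net -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "IN-DROP: "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -s $net -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
EOF
}

# /etc/network/if-pre-up.d/iptables: ifupdown runs this before configuring
# each interface, so the rules exist before the link carries packets. A table
# whose block fails to parse is left untouched by iptables-restore, which at
# boot means the built-in ACCEPT policies; the hook fails closed instead.
gen_hook() {
    cat <<'EOF'
#!/bin/sh
if ! /sbin/iptables-restore < /etc/iptables.rules; then
    logger -t iptables "iptables-restore failed; dropping all traffic"
    /sbin/iptables -F
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -P FORWARD DROP
    exit 1
fi
EOF
}

install_files() {
    mkdir -p "$DESTDIR/etc/sysctl.d" "$DESTDIR/etc/network/if-pre-up.d"
    gen_sysctl > "$DESTDIR/etc/sysctl.d/local.conf"
    gen_rules "$WAN" "$LAN" "$LAN_NET" > "$DESTDIR/etc/iptables.rules"
    chmod 0600 "$DESTDIR/etc/iptables.rules"
    gen_hook > "$DESTDIR/etc/network/if-pre-up.d/iptables"
    chmod 0755 "$DESTDIR/etc/network/if-pre-up.d/iptables"
}

case "${1:-}" in
    install) install_files ;;
    show)    gen_rules "$WAN" "$LAN" "$LAN_NET" ;;
esac
```

Run as root with `sh gw-fw.sh install`, then `sysctl --system` and `ifdown eth0 && ifup eth0` (or a reboot). Three points a practitioner would want to know: the hook fires once per interface ifupdown brings up, and iptables-restore replaces each table as a unit, so the repeated runs are harmless; a wlan0 managed by NetworkManager rather than /etc/network/interfaces does not go through if-pre-up.d, which is the case where netfilter-persistent (one of the options listed later in the thread) loading the rules from a boot-time service is the more reliable choice; and everything here is IPv4 only. ip6tables has its own tables with ACCEPT policies, so a gateway with IPv6 connectivity needs a matching ruleset there or it is a default-allow box on v6.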

andre@home
Posts: 398
Joined: 2011-10-02 08:00

Re: Debian 8 Firewall selection, installation, and configura

#7 Post by andre@home »

Quite a few guide links for a FW have been given.
I will add mine; I have been using it for 3 years and changed most options to deny as mentioned. I give you the original link; choose to deny what you want.
It protects our WebDAV server, so only the https/443 port is open. I commented out the rest, and as the iptables strategy is to start with all "deny", you never can make a mistake. Leave only the rule in it that you need; the rest of the ports will stay closed.
Follow this guide for a very simple but excellent FW:
http://goodworkaround.com/node/32
For all ports you want to close, change in /etc/iptables_secure.sh
ALLOW
into
DENY
That's all.
Follow the description as written there.
The files you can make with a file manager as root,
and then the last part, starting at "Now use chmod to make..":
open the terminal as root, or log in as root on a terminal with su,
and do what is written.

Bulkley
Posts: 6386
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: Debian 8 Firewall selection, installation, and configura

#8 Post by Bulkley »

hanzer wrote:Update:

I found simple instructions at https://wiki.debian.org/iptables that don't require fwbuilder. Now I just need to figure out how to write some basic iptables rules for each of the interfaces (wlan0, eth0) and set up NAT.
Go with the simple iptables. They work. Then make sure your Internet router has a firewall set.

hanzer
Posts: 4
Joined: 2015-08-27 23:13

Re: Debian 8 Firewall selection, installation, and configura

#9 Post by hanzer »

Bulkley wrote:Go with the simple iptables. They work.
That's the current setup. Other options to configure the Netfilter seem to be an /etc/init.d script, an /etc/rc.local script, use of netfilter-persistent(8), or as a systemd service.

My priorities/goals are:
  1. have the Netfilter configured before any packets are passed.
  2. avoid a situation where system updates might disable my Netfilter configuration.
  3. prevent my Netfilter configuration from interfering with any system updates.
I'm not sure if the current setup meets these requirements...
Bulkley wrote:Then make sure your Internet router has a firewall set.
This Debian machine is an Internet facing gateway/NAT for the rest of the LAN. Until very recently, an OpenBSD system served that function but that machine had a rather spectacular hardware failure and I am currently making do with what's available...
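Goals 2 and 3 above are about what is actually loaded in the kernel, and no file on disk proves that: a package upgrade, a well-meaning init script or a stray `iptables -F` can leave /etc/iptables.rules intact while the running tables are back to ACCEPT. Added example, not from the thread: a small auditor over iptables-save output that checks the invariants an Internet-facing NAT gateway needs, so the check can run from cron or after every upgrade. It assumes eth0 is the WAN interface; the two sample rulesets are constructed for the self-test and are not from any real machine.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a ruleset in iptables-save
# format (what `iptables-save` prints) against the invariants a NAT gateway
# needs. Assumption: eth0 is the WAN interface.
set -eu

# audit_rules WAN  < ruleset
# Prints one line per violated invariant; returns 0 only if all hold.
# The "unrestricted ACCEPT" check is a heuristic: an INPUT rule that accepts
# on the WAN interface (or on no particular interface) without a port, state
# or ICMP-type match defeats the DROP policy.
audit_rules() {
    wan=$1
    awk -v wan="$wan" '
        BEGIN { bad = 0 }
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:INPUT /   { input_pol = $2 }
        table == "filter" && /^:FORWARD / { forward_pol = $2 }
        table == "nat" && /^-A POSTROUTING / && index($0, "-o " wan " ") && /-j MASQUERADE/ { nat = 1 }
        table == "filter" && /^-A INPUT / && /-j ACCEPT/ &&
            (index($0, "-i " wan " ") || !index($0, " -i ")) &&
            !/--dport/ && !/--ctstate/ && !/--icmp-type/ {
            print "unrestricted ACCEPT reachable from " wan ": " $0; bad = 1
        }
        END {
            if (input_pol != "DROP")   { print "INPUT policy is \"" input_pol "\", expected DROP"; bad = 1 }
            if (forward_pol != "DROP") { print "FORWARD policy is \"" forward_pol "\", expected DROP"; bad = 1 }
            if (!nat)                  { print "no MASQUERADE for " wan " in nat POSTROUTING"; bad = 1 }
            exit bad
        }'
}

# check_live WAN: audit what the kernel is running right now (needs root).
check_live() { iptables-save | audit_rules "$1"; }

# Constructed sample of iptables-save output for a correctly configured gateway.
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i wlan0 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0 -o eth0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT'

# Constructed sample after a careless "iptables -P INPUT ACCEPT", a debugging
# rule that was never removed, and a lost nat table.
BAD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'

# self_test: returns 0 if the auditor passes the good sample and fails the bad one.
self_test() {
    printf '%s\n' "$GOOD_RULES" | audit_rules eth0 >/dev/null || return 1
    if printf '%s\n' "$BAD_RULES" | audit_rules eth0 >/dev/null; then return 1; fi
    return 0
}
```

On the gateway itself the call is `iptables-save | audit_rules eth0` (or `check_live eth0`); a non-zero exit with the printed reasons is what a cron job or a post-upgrade hook should alert on. The same audit should be run over `ip6tables-save`, since the IPv4 ruleset says nothing about what the box accepts over IPv6.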
