
firewall

In last month's reader poll I asked about firewalls on dedicated UNIX / Linux boxes.

Poll Result: Do you use a firewall on dedicated Linux / BSD box?

Do we really need a firewall?

Personally, I install a firewall on all boxes to filter out unwanted junk and IPs, even if the box is only running a public service such as a web server. The overall idea is to limit access and reduce liability on my part if the server gets rooted (read: compromised). Remember, bad boys never play by the rules.

No Route to Host error and solution

I am getting an error that reads "No Route to Host". I am trying to ping my ISP gateway as well as the DNS server, but I am getting this error. How do I solve this problem?

This error indicates a networking conflict or some sort of network configuration problem.

Here are things to check:

a) Can you ping your local router interface (such as 192.168.1.254)?

Make sure your network card (eth0) is properly configured with the correct IP address and router (default gateway) address. Use the ifconfig command to configure the IP address and the route command to set the correct router address. If you prefer to use GUI tools:

  • redhat-config-network - works on Red Hat, Fedora and CentOS Linux.
  • network-admin - Debian and other Linux distributions use this GUI tool.

Use either of the above GUI tools to set the correct IP address, DNS address and router address.

b) Make sure the firewall is not blocking your access

iptables is the default firewall on Linux. Run the following command to see which iptables rules are set up:
# /sbin/iptables -L -n

You can temporarily clear all iptables rules so that you can troubleshoot the problem. If you are using Red Hat or Fedora Linux, type these commands (the first one saves the current rules so they can be restored later):
# /etc/init.d/iptables save
# /etc/init.d/iptables stop

If you are using another Linux distribution, type the following commands:
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X

c) Finally, make sure you are using a router and not a proxy server. Proxy servers are fine for Internet browsing but not for other work such as FTP, sending ICMP requests and so on.
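The firewall check in step b, worked out as an added example (my code, not from the article): it parses `iptables -L -n` output and reports the first rule, or the default policy, in the OUTPUT and INPUT chains that would stop a ping to the gateway. The listing and the gateway address 192.168.1.254 are constructed for the example; rules carrying extra match options (such as `state NEW`) are reported as possible blockers because the parser does not evaluate those matches.

```python
# Added example (not from the article): scan `iptables -L -n` output for the rules
# that would stop a ping to the gateway (step b).  Listing and address are constructed.
import ipaddress
GATEWAY = "192.168.1.254"  # assumed router address, as in the article
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       icmp --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            192.168.1.254        reject-with icmp-host-prohibited
"""

def parse_listing(text):  # -> {chain: (default policy or None, [rules in order])}
    chains, rules = {}, None
    for f in filter(None, map(str.split, text.splitlines())):
        if f[0] == "Chain":                 # e.g. "Chain INPUT (policy DROP)"
            rules = []
            chains[f[1]] = (f[3].rstrip(")") if f[2] == "(policy" else None, rules)
        elif f[0] != "target" and rules is not None and len(f) >= 5:
            # columns: target prot opt source destination [match options]
            extra = "" if f[5:6] == ["reject-with"] else " ".join(f[5:])
            rules.append({"target": f[0], "proto": f[1], "src": f[3], "dst": f[4], "extra": extra})
    return chains

def covers(spec, host):  # does an address column (maybe '!'-negated) match host?
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(host) in net) != spec.startswith("!")

def gateway_blockers(text, gateway=GATEWAY):
    """First-match walk of OUTPUT (our echo request) and INPUT (the echo reply)."""
    findings, chains = [], parse_listing(text)
    for chain, col in (("OUTPUT", "dst"), ("INPUT", "src")):
        policy, rules = chains.get(chain, (None, []))
        for n, r in enumerate(rules, 1):
            if r["proto"] not in ("all", "icmp") or not covers(r[col], gateway):
                continue                    # cannot match our ping at all
            if r["target"] == "ACCEPT" and not r["extra"]:
                break                       # unconditionally allowed before any drop
            if r["target"] in ("DROP", "REJECT"):
                how = "possible" if r["extra"] else "definite"   # extra match may not apply
                findings.append(f"{chain} rule {n}: {how} {r['target']} {r['proto']} {r['extra']}".rstrip())
                if not r["extra"]:
                    break                   # later rules are never reached
        else:                               # no decisive rule: the chain policy decides
            if policy in ("DROP", "REJECT"):
                findings.append(f"{chain} default policy {policy}")
    return findings
```

On a real host, feed it the output of `iptables -L -n` (for example via `subprocess`) and your actual gateway address instead of the constructed sample.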


Recently I came across a very powerful and nifty tool called cutter. Imagine that people in your private network are using peer-to-peer (P2P) software such as Kazaa, iMesh or others and you want to cut them off, or you just want to cut all FTP connections through your firewall without cutting all traffic to the host. Network security administrators sometimes need to be able to abort TCP/IP connections routed over their firewalls on demand.

cutter utility

In the following sample network diagram, client workstation 192.168.1.1 is sending FTP, HTTP and SSH traffic through the 192.168.1.254 (Linux based) router to servers outside our network, and you would like to cut the FTP traffic without interrupting the other connections. So how do you block and cut that traffic? Simply use the cutter utility.

client ->    Linux firewall -> Internet --> Servers
FTP    ->    192.168.1.254  -> Internet --> FTP Server
HTTP   ->    192.168.1.254  -> Internet --> HTTP Server
SSH    ->    192.168.1.254  -> Internet --> SSH Server
192.168.1.1

Cutter is an open source program that allows Linux firewall administrators to abort TCP/IP connections routed over a Linux based firewall. This tool is very handy in situations like:

  • Terminating connections such as SSH tunnels or VPNs left open by your own users
  • Aborting a cracker's attack as soon as it is detected
  • Killing a connection that consumes a lot of bandwidth
  • Killing peer-to-peer traffic, etc.

How do I use cutter command?

Use apt-get to install cutter on a Debian / Ubuntu Linux firewall:
# apt-get install cutter

1) Log in to your iptables based firewall router

2) Identify the internal connection you want to cut (use netstat or tcpdump)

3) Use the cutter command as follows:
cutter {IP-address} {Port}

Examples:
Cut all connections from 192.168.1.5 to the server
# cutter 192.168.1.5

Cut all SSH connections from 192.168.1.5 to the server
# cutter 192.168.1.5 22

Cut all SSH connections from 192.168.1.5 to the SSH server 202.54.1.20
# cutter 202.54.1.20 192.168.1.5 22

Please note that cutter has been designed for use as an administrator's tool for Linux firewalls; do not use this tool for malicious purposes. For more information about this tool and how it actually works (it terminates a connection by sending a FIN -> ACK -> RST sequence of packets), see the official web site.

Update: As pointed out by Mina Naguib, you can also use the tcpkill command for the same purpose.


Here is a small script that stops (flushes) the iptables firewall. Debian and Ubuntu GNU/Linux do not come with any SysV init script (located in the /etc/init.d directory) for this.

Create the script as follows and use it to stop or flush the iptables rules.

Please don't type the rules at the command prompt; use the script to speed up the work.

Procedure for Debian / Ubuntu Linux

(A) Create the /root/fw.stop (or /etc/init.d/fw.stop) script using a text editor such as vi:

#!/bin/sh
# Flush all rules and delete user-defined chains in the filter, nat and mangle
# tables, then reset the built-in chain policies to ACCEPT so nothing is blocked.
echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

(B) Make sure you can execute the script:
# chmod +x /root/fw.stop

(C) Run the script:
# /root/fw.stop

A note for Red Hat and friends (RHEL, Fedora, CentOS) users

Please note that Red Hat Enterprise Linux (RHEL) and Fedora / CentOS Linux come with a pre-installed script that can be used to stop the firewall:
# /etc/init.d/iptables stop

Virtuozzo iptables firewall

Recently I got a chance to play with a Virtuozzo VPS. The good news is that they are good for reducing cost; the bad news (as of Dec-04, 2004) is that they do not support the full iptables rule set, such as --state and --log. After spending more than 4+ hours I was able to set up a simple but effective firewall on a Red Hat Enterprise Linux Virtuozzo VPS. Here is the script. Make sure you customize it for your environment.