Tido Posted July 26, 2015

Hi,

In order to secure my BPi-R1 I want to install a firewall on top of armbian. So please, no tips for complete firewall distributions like IPcop or IPfire. So I thought about what is necessary to protect 'my cloud', which may not be the first interest for a hacker.

My test candidates:
- Open Edgewize
- Shorewall
- ConfigServer Security & Firewall (csf)
- iptables (do it on your own)

I collected some information on their functions, but I don't know what is crucial:
- Application Layer Filtering: Just managing your network by port numbers and IP addresses is no longer sufficient. With the growing levels of web use and HTTP-based applications, deep packet inspection is needed to properly manage your network securely.
- User authentication (invite some friends to share pictures)
- Blacklist
- Whitelist

As the R1 can hold a HDD I want to load it with things like:
- LAMP
- http://ampache.org/
- http://www.seafile.com/en/home/
- http://syncthing.net/
- https://sourceforge.net/projects/xbian/
- OpenMediaVault
- maybe testing owncloud

I would like to know what your take on that is, and how do you secure your devices?

Cheers
Tido
Igor Posted August 3, 2015

I would go for iptables (do it on your own). It's also fun to learn the basics. Others usually just have some more or less fancy interface. For a simple, mostly static setup it is more than enough. It's supported by most kernels by default. Perhaps start here: https://help.ubuntu.com/community/IptablesHowTo

Basically you pack commands into some startup script and voila.
Tido Posted August 9, 2015 (Author)

Well, I don't know how or what these solutions do differently to iptables, and because I have basically no clue about firewalls I thought it was good to go with a built solution. For whatever reason, while I was googling for this topic I found this posting, which is very interesting to me: http://rolfebozier.com/archives/51

It is not long, but I got the impression that he goes into each detail. So either this or shorewall will become my firewall solution.
blindpet Posted August 11, 2015

You will probably find it easier to use ufw, which sets iptables for you; it looks simpler than shorewall.
petrmaje Posted August 16, 2015

I'm using webmin; there is a module "Linux firewall" where you can nicely configure everything about IPTABLES using the mouse. Try it!
drscheme Posted September 10, 2015

Not so sure about the webmin. After playing with that, one device was børked when I updated things...

Creating a simple firewall setting is not that difficult. I like to start with this "everything that is not allowed is denied" setting:

    #!/bin/bash
    # reset iptables; drop all rules
    iptables -F
    iptables -X
    # allow loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # ALLOW DNS
    iptables -A INPUT -p udp --sport 53 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    # ALLOW ICMP
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A OUTPUT -p icmp -j ACCEPT
    # <-- insert everything you want to allow -->
    # DROP rest
    iptables -A INPUT -j REJECT
    iptables -A OUTPUT -j REJECT

The recipe to allow traffic to the device looks like this:

    # ALLOW incoming SSH from eth0
    iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

This just says:
- new packets or those belonging to an established session may pass the firewall from outside to inside.
- packets related to an established session may exit the device.

The recipe that allows the device to access the network looks like this:

    # ALLOW outgoing HTTP/S connection establishment/session (important for apt-get update/upgrade)
    iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

Again:
- new packets or those related to an established session may exit the device.
- packets related to an established session may enter the device.

I know that is not perfect, but it works for me quite well.
nevyn Posted December 23, 2015

Hi Tido,

I strongly recommend learning iptables over Smoothwall. It's a more transferable skill (you'll always find iptables on a system whereas smoothwall might not be available on a system you're working on).

I've only just recently learnt IPTables myself. My notes are here: http://nevsramblings.blogspot.co.nz/2015/12/notes-about-iptables.html
blindpet Posted December 26, 2015

I finally settled on Configserver Firewall, here is a pretty complete guide.
Igor Posted February 2, 2016

http://www.fwbuilder.org

Yet another way of setting up a firewall on Linux.
Rui Ribeiro Posted February 4, 2016

I am using pure iptables + IPsec VPN (strongswan) + VLANs. And NAT obviously.

As services, I am running in the Lamobo R1:
- VPN
- routing+NAT to the Internet
- Asterisk
- DLNA server
- NgINX
- BIND
- ISC DHCP
- rpimonitor
- ssh

My take on security is first creating VLANs. The external Internet-facing interface is separated from the rest, a separate VLAN for VoIP, another for the normal wifi, and yet another VLAN for the guest wifi SSID. The wifi comes from an Archer C7 v2 with openWRT, as the R1 wifi sucks.

I also bind most of the services to internal interfaces. The external interface only answers to VPN and asterisk. I also disabled pings in the linux kernel. Most of the services can be persuaded through normal configurations to bind to a specific network interface; miniDLNA is an exception, and it forced me to modify the source code. I also have dynamic DNS from FreeDNS.

You can scan my IP from the Internet, you only see isakmp open, nothing else. My iptables only allow ipsec inside my network. Even to ssh I have to go into the VPN. The IPsec VPN is set up in a way that the native IPsec clients of OS/X and Mac can go in without needing additional software.

As for possible substitutes to iptables, you have got firehol. Firehol is interesting in that it lets you write firewall rules in a high-level language, and more interestingly it has a try mode of a minute or so where it automatically rolls back the configuration, which is a very interesting functionality in order to not lose control of a remote system. It is also worthwhile to investigate sysctl.

The best policy of Unix is using the minimum of services you need. e.g. I do not use IPv6 at home, I do kill the IPv6 stack; I only use protocol so, so and so in strongswan, I deactivate all the other protocols... you get the idea.

It goes without saying that I am running too many services in a border router/server. I will soon buy a 64-bit ARM and move some of these services to there.

https://firehol.org

As for application layer firewalls (WAF), that is another layer, and often it is specific to the service. In our Apache servers at work, we use modsecurity. For BIND, you can use RPZ, and at home I am using RPZ lists for banning adverts and malware; for updating servers we have APT proxies here so they don't contact the Internet directly...

As for iptables (work in progress):

    iptables -t nat -F
    # force stations inside VPN to use my own DNS, despite what they have configured
    iptables -t nat -A PREROUTING -p udp --dport 53 -s 192.168.100.0/24 ! -d 192.168.201.1 -j DNAT --to-destination 192.168.201.1:53
    iptables -t nat -A PREROUTING -p tcp --dport 53 -s 192.168.100.0/24 ! -d 192.168.201.1 -j DNAT --to-destination 192.168.201.1:53
    iptables -P INPUT DROP
    iptables -I INPUT -i lo -j ACCEPT
    iptables -I INPUT -i br0 -j ACCEPT
    iptables -I INPUT -i eth0 -j ACCEPT
    iptables -I INPUT -i eth0.102 -j ACCEPT
    iptables -I INPUT -i eth0.103 -j ACCEPT
    iptables -I INPUT -s 192.168.100.0/24 -j ACCEPT
    iptables -I INPUT -i eth0.101 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # grep -w so that an "inet6" line does not produce a second address for --to-source
    iptables -t nat -A POSTROUTING -o eth0.101 ! -p esp -j SNAT --to-source `ip addr show eth0.101 | grep -w inet | awk ' { print $2 } ' | cut -f1 -d "/"`
    # internal LAN is trusted
    iptables -A FORWARD -i br0 -j ACCEPT
    # ipsec
    iptables -A INPUT -i eth0.101 -p 50 -j ACCEPT
    iptables -A INPUT -i eth0.101 -p udp --dport 500 -j ACCEPT
    iptables -A INPUT -i eth0.101 -p udp --dport 4500 -j ACCEPT
tkaiser Posted February 4, 2016

Rui Ribeiro said:
It goes without saying that I am running too much services in a border router/server. I will soon buy a 64 bits ARM and pass some of this services to there.

Just to add some more confusion here: I learned today that the Linksys WRT1200AC is based on Marvell's Armada 38x (see Clearfog Pro -- using the internal 128MB NAND for u-boot and combining this with external USB/eSATA storage it would even be possible to run Armbian on it).

And since a new toy arrived today, the next thing I'll try is to get a USB3-to-GbE adapter. This board idles at 2W, Ethernet throughput 940 Mbits/sec, a quick USB3 storage test showed 170 MB/s (didn't have a faster drive to test). But definitely no candidate for Armbian support.
Rui Ribeiro Posted February 4, 2016

@tkaiser, my concern running those services is not CPU... it is from the security point of view.

    load average: 0.00, 0.01, 0.05

    $ vmstat
    procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu-----
     r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
     0  0      0 146800  55760 647672    0    0     1    11   16   19  1  1 98  0  0

    $ mpstat -P ALL
    Linux 4.3.3-sunxi (.)   02/04/2016  _armv7l_  (2 CPU)

    02:58:37 PM  CPU   %usr  %nice   %sys %iowait   %irq  %soft %steal %guest %gnice  %idle
    02:58:37 PM  all   0.73   0.27   0.95    0.03   0.00   0.27   0.00   0.00   0.00  97.75
    02:58:37 PM    0   0.85   0.27   0.99    0.05   0.00   0.01   0.00   0.00   0.00  97.83
    02:58:37 PM    1   0.61   0.27   0.91    0.01   0.00   0.53   0.00   0.00   0.00  97.67
Rui Ribeiro Posted February 4, 2016

(I edited my previous answer for some English errors, and for adding iptables rules.)
Tido Posted February 12, 2016 (Author)

blindpet said:
I finally settled on Configserver Firewall, here is a pretty complete guide.

This useless comment - I spent hours!! "pretty complete guide". In the first posting I mention more than once 'R1' and his pretty complete guide does not even cover bridged interfaces. WTF. Besides, I wrote him an A4 about problems or weird comments in his guide - not one word back to me. Looks like he just disappeared under a rock.

So, if you want to use the csf with the R1 you have to add additional commands for br0 which are not in the standard csf! I have N O T tested it by now - I will come back when done, in contrast to the pretty complete guide guy.

Bridged Interface br0 - Custom iptables rules with CSF Firewall

I had to add these lines in nano /etc/csf/csfpost.sh because I append these rules:

    iptables --append FORWARD --in-interface br0 --source 192.168.9.0/24 --jump ACCEPT
    iptables --append FORWARD --in-interface eth0.101 --destination 192.168.9.0/24 --jump ACCEPT
    iptables --append POSTROUTING --out-interface eth0.101 --table nat --jump MASQUERADE

Now I have to check that I did not open anything on the firewall. I am not a developer (learning by doing).
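As an added example (not code from any post in this thread), the following combines drscheme's "everything not allowed is denied" pattern with Tido's br0 forwarding and NAT rules into one iptables-restore ruleset for the R1, so the whole set is loaded atomically instead of rule by rule. It assumes br0 is the LAN bridge on 192.168.9.0/24, eth0.101 is the WAN VLAN, and that the board serves DNS and DHCP to the LAN only; the LAN-reachable TCP ports are an assumed list.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Emits an iptables-restore
# ruleset for an R1-style router: LAN bridge br0 (192.168.9.0/24, as in
# Tido's rules) behind WAN VLAN eth0.101. Default-deny on INPUT/FORWARD,
# stateful return traffic, explicit services. Loading one file atomically
# avoids the window in which flushed chains still carry policy ACCEPT.
WAN=${WAN:-eth0.101}
LAN=${LAN:-br0}
LAN_NET=${LAN_NET:-192.168.9.0/24}
LAN_TCP_PORTS=${LAN_TCP_PORTS:-"22 80 443"}  # reachable from the LAN only (assumed)

gen_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
EOF
  # one NEW-state rule per LAN-facing service; nothing is opened on $WAN
  for p in $LAN_TCP_PORTS; do
    echo "-A INPUT -i $LAN -s $LAN_NET -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  cat <<EOF
-A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
-A INPUT -m limit --limit 1/s -j LOG --log-prefix "fw-drop-in: "
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
-A FORWARD -m limit --limit 1/s -j LOG --log-prefix "fw-drop-fwd: "
COMMIT
EOF
}

# true when a line matching the (grep basic regex) pattern is in the ruleset
has_rule() { gen_ruleset | grep -q -- "$1"; }

# Check syntax without touching the kernel, then apply atomically:
#   gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore
```

Anything dropped is logged with a rate limit, so a follow-up nmap from the LAN or WAN side shows up in the kernel log with the fw-drop prefix rather than silently disappearing.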
Rui Ribeiro Posted February 15, 2016

Tido said:
Custom iptables rules with CSF Firewall. I had to add these lines in nano /etc/csf/csfpost.sh because I append these rules:

    iptables --append FORWARD --in-interface br0 --source 192.168.9.0/24 --jump ACCEPT
    iptables --append FORWARD --in-interface eth0.101 --destination 192.168.9.0/24 --jump ACCEPT
    iptables --append POSTROUTING --out-interface eth0.101 --table nat --jump MASQUERADE

Now I have to check that I did not open anything on the firewall. I am not a developer (learning by doing).

Hi Tido, read my previous post for an alternative syntax to this. I also know I had to use SNAT instead of MASQUERADE, but at the moment I do not remember why.
Tido Posted February 15, 2016 (Author)

Hi Rui,

You are using pure iptables. I am using the CSF Firewall, which is pretty handy, and because of the bridged interface I have to add those three commands.

I ran a first scan with nmap on TCP yesterday and I will run more tests. So far my code works.

By the way, I am not using VPN. Google is your friend (mostly :-) ): Difference between SNAT and Masquerade
Rui Ribeiro Posted February 15, 2016

Oh, I know the difference, I just lost in time the reason why I had to choose one over the other.
Tido Posted June 12, 2017 (Author)

I just wanted to leave a plug for a good podcast about how you can secure your box: Sunday Morning Linux Review - Episode 223 – Securing Linux, Tony Bemus, Tom Lawrence and special guest Phil Porada.

I like especially: security by obscurity, min: 06:45
giri@nwrk.biz Posted June 16, 2017

If your board is directly connected to the internet, here is a nice iptables script to secure your system against portscans and smurf attacks: http://sharadchhetri.com/2013/06/15/how-to-protect-from-port-scanning-and-smurf-attack-in-linux-server-by-iptables/

Only useful if your board is not behind a router with firewall.
Tido Posted June 16, 2017 (Author)

Have you tested the script on armbian and checked with scans if it works?
giri@nwrk.biz Posted June 19, 2017

On 6/16/2017 at 2:22 PM, Tido said:
Have you tested the script on armbian and checked with scans if it works?

I did test it on several debian based installations, but I did not test it on armbian. I do not see a reason why this should not work on armbian.