This week we applied security measures to a Fedora server's IP firewall by configuring stringent permit and deny rule sets. I appended rules to the INPUT, OUTPUT, and FORWARD chains to permit HTTP, ICMP ping, and SSH access and to deny all other access.
First, I checked whether iptables was installed, installing it if not. Then I used iptables with the -L switch to list the current host-based firewall rules. The system returned a list of the existing chains, indicating that there were no firewall rules set for any of them. I proceeded with the -F switch, which flushed all rule chains and left me with empty chains to which I could add my own rules.
Rules I applied:
INPUT to allow HTTP (web) access
INPUT to allow secure shell (SSH) connections
INPUT to allow ICMP pings
INPUT to deny all other incoming traffic
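The rule set listed above, written out as a runnable script. This is an added example and not the author's original commands: the flush, the four INPUT rules and the chain policies follow the write-up, while the loopback rule and the ESTABLISHED,RELATED conntrack rule are my assumed additions (without them the final deny rule would also block local services and the replies to the server's own outbound connections). DRY_RUN=1, the default, only prints the iptables commands so the rule set can be reviewed without root; DRY_RUN=0 applies them.

```shell
#!/bin/sh
# Added example (not the author's original commands): a host firewall for a
# Fedora web server that allows HTTP, SSH and ping and drops everything else.
# DRY_RUN=1 (the default) prints the iptables commands instead of applying them.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_host_firewall() {
    # Start from empty chains, as the author did with -F.
    ipt -F INPUT
    ipt -F OUTPUT
    ipt -F FORWARD

    # Assumed additions beyond the page's list: loopback and established-connection
    # rules. Without them the final deny rule would also block local services and
    # the replies to connections this server opens itself (DNS lookups, updates).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The rules from the write-up: HTTP, SSH, ICMP echo (ping), then deny the rest.
    # Order matters: iptables stops at the first matching rule, so the DROP is last.
    ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -j DROP

    # This host does not route for anyone, so nothing may be forwarded through it;
    # outbound traffic from the server itself is left open.
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

apply_host_firewall
```

Review the printed rules first, then apply them with `DRY_RUN=0 sudo sh host-fw.sh` and confirm the result with `iptables -L INPUT -n -v --line-numbers`, checking that the DROP rule is the last entry in INPUT. Rules loaded this way live only in the running kernel; they must be saved (for example with iptables-save) to survive a reboot.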
One common activity that improves any server's security is installing software updates. This ensures that every application running on the server has the latest bug fixes and patches. One of the most common ways to protect a network or server is to filter incoming and outgoing traffic through a firewall. A firewall can be a physical device, such as your home's cable modem, or it can be an application running on a computer, such as iptables on a Linux computer. The network administrator establishes a set of rules for the firewall to enforce. Network traffic can be filtered based on the packet's IP address or port, or on the application. For example, if you have a web server running on your computer or LAN, incoming traffic to port 80 would be permitted. If that were the only server running, you would block or deny any other traffic coming into your network.
A single firewall configuration is most likely how the home network is set up. A single firewall is seldom used in organizations that run their own servers because all server traffic must enter the LAN. If a service is compromised behind the firewall, the malicious hacker may have access to all the computers on the organization's LAN.
A single host placed outside the firewall is an alternative for an organization. In this configuration, the single host must run its own software firewall, such as iptables. The firewall protecting the private LAN can now be more restrictive because no public services are provided on the LAN. This provides higher security for the organization's information on the LAN.
Another alternative configuration that protects the LAN uses a single firewall device with three network connections. This is called a three-legged firewall. All network traffic for the LAN and the servers passes through the firewall. The firewall routes traffic to the servers and applies one set of filter rules to it. It routes LAN traffic to the LAN and can apply a different set of rules to that traffic.
Another configuration that separates the servers from the LAN is the dual-firewall demilitarized zone (DMZ) configuration. In this configuration all traffic for the organization passes through the outer firewall. Traffic for the servers is allowed through, as well as any traffic destined for users on the LAN, so the rules for this firewall are a combination of the allow or permit rules for both the servers and the LAN. The inner firewall has a more restrictive set of rules to protect traffic on the LAN.
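The three-legged firewall described above applies a different rule set to each leg; the example below shows what that looks like as FORWARD-chain rules on the firewall box. It is an added example, not part of the original write-up, and the interface names (eth0 for the Internet, eth1 for the server leg or DMZ, eth2 for the LAN) and the server address 192.0.2.10 are assumed. As with the host firewall above, DRY_RUN=1 prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example: FORWARD rules for a three-legged firewall (one box, three
# interfaces). Interface names and the server address are assumed values.
DRY_RUN="${DRY_RUN:-1}"
WAN=eth0            # assumed: Internet-facing leg
DMZ=eth1            # assumed: leg for the public servers
LAN=eth2            # assumed: leg for the organization's users
WEB_SERVER=192.0.2.10   # assumed web server address (documentation range)

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

three_legged_forward_rules() {
    ipt -F FORWARD
    # Default deny for routed traffic; every permitted path is listed explicitly.
    ipt -P FORWARD DROP

    # Replies for flows already permitted, whichever leg they arrive on.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Server leg: the Internet may open connections only to the published
    # service (HTTP) on the web server, nothing else in the DMZ.
    ipt -A FORWARD -i "$WAN" -o "$DMZ" -p tcp -d "$WEB_SERVER" --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT

    # LAN leg: users may open connections out to the Internet. No rule allows
    # new connections from the Internet to the LAN, so the policy drops them.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT

    # LAN administrators may reach the web server over SSH and HTTP only.
    ipt -A FORWARD -i "$LAN" -o "$DMZ" -p tcp -d "$WEB_SERVER" \
        -m multiport --dports 22,80 -m conntrack --ctstate NEW -j ACCEPT

    # A compromised server must not be able to open connections into the LAN.
    # The policy already drops this; the explicit rule makes the intent visible
    # in "iptables -L FORWARD -v" and gives it its own packet counter.
    ipt -A FORWARD -i "$DMZ" -o "$LAN" -j DROP

    # Rate-limited log of everything else that hits the default policy.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

three_legged_forward_rules
```

The point of the design is visible in the rules: the only path from the Internet leads to one port on one server, and the server leg never originates traffic into the LAN leg, so a compromised server cannot be used as a stepping stone into the LAN. Inspect the counters with `iptables -L FORWARD -n -v` after applying; hits on the DMZ-to-LAN DROP rule are worth investigating.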