
Linux.com

Feature: Security

iptables as a replacement for commercial enterprise firewalls

By John C. A. Bambenek on December 14, 2007 (9:02:00 AM)


With IT budgets getting tighter, managers need to trim costs. Service contracts are expensive for any technology, and firewalls are no exception. Netfilter, the project that provides the packet filtering program iptables, is a free firewall alternative. While it lacks the service contract of commercial solutions and a pretty interface to make firewall modification easy, it has solid performance, filters traffic effectively, and allows for add-on functionality to enhance its reporting and response functions.

As a case study to demonstrate the feasibility of iptables as an enterprise firewall, consider the network I manage at the University of Illinois at Urbana-Champaign. The network supports 2,000 devices and has a 1-gigabit uplink with two firewall zones (DMZ and secure). Daily outbound bandwidth averages around 100 gigabytes. The network is protected by two dedicated firewall machines running iptables, each with three network cards (two for the bridging firewall, one for management access), and each running a 1.5GHz single-core processor with 1GB RAM. Processing power is not critical in this case; you could save money by using a machine with a lower-end CPU.

We experience no latency attributed to the firewalls, and they do as good a job as can be expected of blocking bad traffic. Once the firewalls were properly tuned, we saw no downtime due to software issues.

There are, however, a couple of "gotchas" to keep in mind. The connection table can get filled on firewalls that are routinely being scanned or are on high-traffic networks. To solve this problem, increase the net.ipv4.ip_conntrack_max kernel parameter (mine is currently at 131071) and decrease net.ipv4.tcp_keepalive_time (3600 is a good choice). As long as the firewalls have plenty of memory to spare, these settings should not pose a problem, and the firewalls will happily run without needing any hand-holding. The result is a firewall with no packet loss and unnoticeable latency that's highly available (assuming good hardware).

Effectiveness at filtering traffic according to policy

A firewall is only as good as its ruleset, no matter which firewall you are using. The rules for iptables are generally easy to understand. Here is an example rule:

iptables -A INPUT -m state -p tcp --dport 80 -s 192.168.5.0/24 --state NEW,ESTABLISHED,RELATED -j ACCEPT

This command appends (-A) a rule to the INPUT chain (traffic destined for the machine the firewall runs on) that loads the connection-state match (-m state) and accepts any new, established, or related TCP traffic from the 192.168.5.0/24 subnet to port 80 (Web traffic). If you want to log dropped packets (and you should), you also have to create both a DROP rule and a REJECT rule just to handle the logging.

You can easily block malformed packets (i.e., packets that may be part of a SYN scan) with rules that check just the TCP header flags. Other tools such as fwsnort allow for more detailed packet inspection to block clearly malicious traffic: fwsnort converts Snort rules into iptables rules, embedding some IPS capability into iptables. iptables also allows for easy addition of IP address blacklists to stop all traffic from known hostile netspaces. Once you're familiar with the conventions for writing iptables rules and have a basic knowledge of IP headers, you'll find it easy to write new rules.
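The separate-LOG-rule requirement, the TCP-flag checks and the conntrack tuning described above, as an added example in shell that is not code from the article. It assumes the 192.168.5.0/24 subnet from the rule above; the IPT dry-run variable, the LOGDROP chain and the function names are my own:

```shell
#!/bin/sh
# Added example, not code from the article: a skeleton ruleset for the host
# side of the firewall described above. IPT defaults to the real binary; set
# IPT="echo iptables" to print the generated commands instead of loading them.
IPT="${IPT:-iptables}"
TRUSTED_NET="${TRUSTED_NET:-192.168.5.0/24}"   # the subnet from the article's rule

# Kernel tuning from the article: bigger connection table, shorter keepalive.
tune_conntrack() {
    sysctl -w net.ipv4.ip_conntrack_max=131071
    sysctl -w net.ipv4.tcp_keepalive_time=3600
}

# iptables has no per-rule "log" flag, so logging is its own rule. This chain
# logs (rate-limited, so a scan cannot flood syslog) and then drops.
build_logdrop_chain() {
    $IPT -N LOGDROP
    $IPT -A LOGDROP -m limit --limit 10/minute --limit-burst 20 \
        -j LOG --log-prefix "FW-DROP: " --log-level 4
    $IPT -A LOGDROP -j DROP
}

# TCP flag combinations that never occur in legitimate traffic but are typical
# of scanners: match on the header flags alone and hand them to LOGDROP.
block_bad_flags() {
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j LOGDROP          # NULL scan
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j LOGDROP           # XMAS scan
    $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOGDROP   # SYN+FIN
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j LOGDROP  # NEW without SYN
}

# The article's example rule, split the usual way (replies first, then NEW),
# followed by a logged default drop so every rejected packet leaves a trace.
build_policy() {
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -s "$TRUSTED_NET" -m state --state NEW -j ACCEPT
    $IPT -A INPUT -j LOGDROP
}

# Load everything in order; LOGDROP must exist before rules reference it.
build_all() {
    build_logdrop_chain
    block_bad_flags
    build_policy
}
```

Run tune_conntrack separately as root; build_all only touches INPUT, so the FORWARD rules of a bridging setup are left for the reader to add.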

Add-on functionality for reporting and active response

Several add-on tools can help you get more out of iptables log data. Most standard system log scanners can be configured to pull out interesting information, but they certainly aren't designed for that purpose. psad can be configured to provide email alerting on apparent attacks above a certain threshold, and to actively block hostile IP addresses once a defined threshold has been met.
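The threshold alerting and active response that psad provides, as an added example in shell (not from the article, and not psad's own code): a source that hits more than a set number of distinct destination ports in the iptables LOG output is reported and a blocking command is emitted for it. The log lines are constructed samples; the FW-DROP prefix, the PORT_THRESHOLD variable and the function names are my own:

```shell
#!/bin/sh
# Added example, not code from the article and not psad itself: the threshold
# logic psad applies, as an awk filter over iptables LOG lines. A source that
# hits more than PORT_THRESHOLD distinct destination ports is reported.
PORT_THRESHOLD="${PORT_THRESHOLD:-5}"

# Constructed sample log lines (documentation addresses, not real hosts):
# 203.0.113.7 probes six ports, 198.51.100.4 just retries port 80 twice.
sample_log() {
cat <<'EOF'
Dec 14 09:02:11 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44123 DPT=21 SYN
Dec 14 09:02:11 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44124 DPT=22 SYN
Dec 14 09:02:12 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44125 DPT=22 SYN
Dec 14 09:02:12 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44126 DPT=23 SYN
Dec 14 09:02:12 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44127 DPT=25 SYN
Dec 14 09:02:13 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44128 DPT=443 SYN
Dec 14 09:02:13 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=44129 DPT=3389 SYN
Dec 14 09:02:14 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 SYN
Dec 14 09:02:15 fw1 kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80 SYN
EOF
}

# Read LOG lines on stdin; print "SRC ports" for sources over the threshold.
# Repeats of the same port count once, so retries do not look like a scan.
scan_sources() {
    awk -v thr="${1:-$PORT_THRESHOLD}" '
        /FW-DROP:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] > thr) print s, ports[s] }'
}

# The active-response half: the iptables command to block each reported
# source, inserted at the top of INPUT so it takes effect before any ACCEPT.
# Printed rather than run, so the result can be reviewed first.
block_commands() {
    scan_sources "$1" | while read -r src count; do
        echo "iptables -I INPUT -s $src -j DROP   # $count distinct ports probed"
    done
}
```

On a live firewall, feed the kernel log into scan_sources instead of sample_log and pipe block_commands through sh once you are satisfied with the threshold.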

You can perform additional management of the connection tables with the conntrack-tools from Netfilter. This software allows command-line access to the connection tables and allows for grabbing statistics on that information. Lastly, you can set up firewalling up to layer 7 (the application layer) with l7-filter. For instance, an academic environment could use l7-filter to limit peer-to-peer traffic bandwidth as a way to cut back on those fun MPAA/RIAA cease-and-desist letters.

On the downside, because iptables doesn't do the heavy lifting of making rules for you the way commercial firewall appliances do, it requires that users have a more in-depth understanding of firewalling. While tools such as Firewall Builder and KMyFirewall make configuring iptables more user-friendly, a security admin will still have to learn about firewalling and the applications in general. This means lots of time and up-front testing.

There is also the problem that when things break there is no one to call to fix it. This requires that knowledge be cultivated in house. However, information on open source solutions tends to be in the public domain, so training costs tend to be a factor of time and perhaps buying some books at Amazon.

At the end of the day, organizations can gain tremendous cost savings by using iptables for firewalls. An added bonus is the additional flexibility that an open source solution provides.

John Bambenek is a handler at the Internet Storm Center and a security administrator at the University of Illinois at Urbana-Champaign. He has written numerous articles on security, contributed to several computer security courses, and recently contributed the chapter "Botnets: Proactive System Defense" to the book Botnets: Countering the Largest Security Threat.


Comments on iptables as a replacement for commercial enterprise firewalls


iptables as a replacement for commercial enterprise firewalls

Posted by: Anonymous [ip: 84.60.15.64] on December 14, 2007 10:38 AM
The question rather is: "Commercial firewalls as a replacement for iptables?"


iptables as a replacement for commercial enterprise firewalls

Posted by: Anonymous [ip: 212.247.14.38] on December 14, 2007 11:31 AM
Maybe when ip6tables is integrated into iptables.


iptables as a replacement for commercial enterprise firewalls

Posted by: Anonymous [ip: 69.182.21.180] on December 14, 2007 02:04 PM
SuseFirewall2 is also a nice front end to iptables / netfilter. Definitely easier to use than FWBuilder.


Re: iptables as a replacement for commercial enterprise firewalls

Posted by: Anonymous [ip: 84.113.210.145] on December 17, 2007 09:49 PM
Be careful: if you have too many forward_masq rules, Yast2 will just cut off the string written to /etc/sysconfig/SuSEfirewall2, leaving it unterminated. Besides that I'm too happy with it, since I always keep a backup of my handcrafted configuration file. But writing my own script is still on my todo list.


iptables as a replacement for commercial enterprise firewalls

Posted by: Anonymous [ip: 72.237.174.94] on December 14, 2007 03:09 PM
Webmin sports a nice iptables interface.


iptables as a replacement for commercial enterprise firewalls

Posted by: Anonymous [ip: 199.191.74.20] on December 14, 2007 05:15 PM
My experience with the frontends - firestarter mainly - has been that they do a great job if you have a simple net setup but fall apart when you need several interfaces with varying levels of interaction/isolation. At a certain point you really need to get in there and look at the rules yourself to make sure that the setup is really what you intended.


Re: iptables as a replacement for commercial enterprise firewalls

Posted by: Anonymous [ip: 127.0.0.1] on December 14, 2007 10:26 PM
Shoreline Firewall (http://shorewall.net) is one iptables frontend that does not fall apart when you have a complicated setup. Check it out!


Re: iptables as a replacement for commercial enterprise firewalls

Posted by: Anonymous [ip: 10.0.0.105] on December 17, 2007 02:00 PM
Well, there are some frontends to iptables that can actually make simple setups really simple and more complex setups rather easy.

I've used FireHOL (http://firehol.sourceforge.net) to build not-so-simple firewalls (multiple interfaces + multiple VLANs + different levels of isolation between them + NAT) and I think it is one of those unexplored gems that only Linux has. Its syntax is simple and based on bash (i.e. programmable), and it even allows straight iptables commands if you need to do something out of the ordinary.

It is kind of slow on startup though, but the generated rules are very nice and secure, so I guess it is worth it.


Linux.com = full of retarded coders

Posted by: Anonymous [ip: 68.126.191.42] on December 14, 2007 08:52 PM
Why the fuck can't you get the comment system to work properly? Now we get spam bots. Do us all a favor: fix your lack of a \n to break tag function (please don't make your own when PHP comes with a nl2br()), weed out existing spam, place controls for moderators so that spam can be monitored by many people.


iptables as a replacement for commercial enterprise firewalls

Posted by: Keith Winston on December 14, 2007 10:00 PM
I maintain an iptables firewall using an X app called Firewall Builder (http://www.fwbuilder.org/). It replaced a poorly performing Watchguard appliance and was an improvement in every sense. Coupled with squid and squidGuard, it is a testament to open source goodness.


iptables as a replacement for commercial enterprise firewalls

Posted by: Anonymous [ip: 74.237.31.254] on December 15, 2007 01:42 AM
iptables makes it easy to deploy simple or complex rules quickly via some scripts. We have a home brewed system where all I have to do is touch a certain file and a script dynamically writes the correct firewall for the box. With the logging, we can blacklist an IP or network in seconds across our whole network, world wide. The NATting is pretty simple, which I like. You can also get some modules for it to extend it even further. The iptables interface lends itself to scripting, or there are plenty of cool Perl mods to help. When you have a large distributed network, who wants to deal with thousands of firewalls in a GUI, or maintain all those and overly complicated config files? You can't even do this with Windows unless you used weak ass IPSEC. iptables is truly a tribute to Linux and is one of the many things that makes Linux great.


No more difficult than Cisco's PIX/ASA firewall box

Posted by: Anonymous [ip: 70.169.167.212] on December 15, 2007 05:51 AM

I run Cisco PIX and ASA firewalls all day. I also do iptables and pf (from OpenBSD). Learning the iptables interface is no more difficult than learning Cisco's access-lists. All you have to do is, as my Dad says, *do your homework*.


If you want pointy-n-clicky on your firewall, then you're an MCSE who needs to call someone who actually knows what he's doing. Building an enterprise firewall strategy is not for those who don't understand what's going on and how to do it right. I agree with the person who said that front-ends like KMyFirewall are fine for basic home usage, but not enterprise usage. They are emphatically not ready for the "big stuff."


Your organization should always have someone on staff that knows this stuff, even if you farm it out. If you don't have someone like that, then you don't know how to keep the contractor in line. And it's better to have this stuff in-house anyway, because no outside company is going to care for your security the way your own people will. It's an extension of the old axiom, "nobody cares about your business as much as you do."


--TP


Re: No more difficult than Cisco's PIX/ASA firewall box

Posted by: Dummy00001 on December 19, 2007 04:53 PM

You sound like a real IT admin: you are paid your salary to respond "No" to all user requests. From the tone of your post I can also guess that you are soon to be unemployed.

In realistic situations (where IT is part of the company workflow, not a barrier against the company workflow) you really need some tool to implement and maintain all the stupid exceptions for all the silly needs of users, universally across your IT system.


iptables as a replacement for commercial enterprise firewalls - NOT

Posted by: Anonymous [ip: 88.115.33.50] on December 15, 2007 02:13 PM
Of course you do not use iptables but pf (OpenBSD). The logging mechanism of iptables is so stupid: why do you have to write a rule for logging? It should be a parameter like ipchains had (-l) and pf (log) does. Real firewalls log every rule independently.


After reading the man page further, I have to disagree with this

Posted by: Anonymous [ip: 70.183.3.230] on December 15, 2007 11:36 PM

At first glance, it does look cumbersome, and the PF syntax does look cleaner. However, a further review of the iptables man page gives me some insight as to perhaps why they did it this way. Apparently you can choose to log more than just the fact that the packet matched the rule. You can also log the UID of the process that generated the packet (this of course presumes that the packet originated locally--good for things like LTSP servers). You also apparently can log at different syslog levels per individual rule; I'm not aware that PF can do this. There are a couple other things that could prove handy as well, stuff that I could see myself using at work. If anything, this is taking "logging every rule independently" to the next level.



So, yes, you do need to make two rules (the rule for blocking/allowing, and the rule for logging). But you do gain some additional useful flexibility.



--TP


Re: After reading the man page further, I have to disagree with this

Posted by: Anonymous [ip: 88.115.40.240] on December 23, 2007 11:09 AM
This is utter bullshit. No clue what firewall is and what logging means. Merry christmas.


iptables as a replacement for commercial enterprise firewalls

Posted by: Anonymous [ip: 142.179.167.225] on December 18, 2007 02:30 AM
I'm currently running IPCOP, this is a very nice implementation of partly iptables. Works like a charm.


mixing up words

Posted by: Anonymous [ip: 91.89.13.242] on December 22, 2007 10:20 PM
Why is it that people are naming a packet filter a "firewall"?
A "FireWall" is a concept of different applications which are securing your network.
A "FireWall" consists of more than just a packet filter, e.g. content proxies, content filters, VPN points etc. pp.
Please, if someone writes such an article, please refer to the correct wording.


iptables as a replacement for commercial enterprise firewalls

Posted by: Anonymous [ip: 62.226.204.135] on March 10, 2008 08:47 AM
Yes, that's what I'm looking for. Here are my personal notes (http://wiki.mobbing-gegner.de/Linux/Sicherheit/NetzWerk/FireWall) about
