Ubuntu Linux Toolbox

82935c14.qxd:Toolbox 10/29/07 1:19 PM Page 282

Chapter 14: Locking Down Security

Configuring the Built-In Firewall

A firewall is a critical tool for keeping your computer safe from intruders over the Internet or other network. It can protect your computer by checking every packet of data that comes to your computer’s network interfaces, then making a decision about what to do with that packet based on the parameters you set.

The firewall facility built into the current Linux kernel is called iptables. (You may also hear of ipchains, which was the predecessor of iptables in kernel 2.2 and below.) Ubuntu comes with iptables fully started and configured when you install Linux.

The iptables facility (www.netfilter.org) is extraordinarily powerful, yet complex to use from the command line. For that reason, many people set up their basic firewall rules using a graphical interface. To get a graphical interface, install the firestarter package. Firestarter provides a wizard to configure and set up your firewall. To run Firestarter, select System ➪ Administration ➪ Firestarter. You can also try add-on packages such as FWBuilder (fwbuilder package) and Shorewall (shorewall package) for graphically configuring firewalls.

When you installed Ubuntu, you installed a firewall on your system. Ubuntu generates an iptables configuration that is a good starting point for simple desktop firewalling, which consists of opening just a few ports for running daemons and blocking the rest. You can customize this default configuration by running the commands shown in the following sections.

NOTE Before you go much further, read the IpTables HowTo document for Ubuntu, at https://help.ubuntu.com/community/IptablesHowTo. This document provides a lot of useful information for using iptables on Ubuntu, as this usage differs a lot from other versions of Linux such as Fedora. For more complex needs, as when iptables is used as the firewall in front of multiple machines, we recommend using one of the graphical tools mentioned above.
However, there are times when either you don’t have a GUI available or you need a firewall rule that isn’t available through a GUI. In those cases, it’s useful to know the syntax of the iptables command to list current rules and add a new rule yourself.

Before you start messing around with your firewall in Ubuntu, you should check how the firewall is set up on your system. Here is how to list the current rules set on your Linux system’s firewall:

    $ sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
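The listing printed by iptables -L is meant to be read before any rule is changed, so a small audit script that parses it is a natural companion to the command above. The following Python is an added example, not code from the book or from the iptables project: it parses the chain headers and rule rows of an iptables -L listing and flags chains that would let everything through, that is, a default policy of ACCEPT with no rules in the chain. The two sample listings are constructed for this example; the first mirrors the empty listing shown in the text, the second is a constructed populated ruleset of the kind iptables -L prints once rules exist.

```python
"""Audit the output of `sudo iptables -L`.

Parses chain headers and rule rows into a dictionary, then reports chains
whose default policy is ACCEPT and which contain no rules (nothing is being
filtered on that chain).  Both sample listings below are constructed for this
example; they follow the column layout iptables -L prints:
    target prot opt source destination [match details]
"""
import re
from typing import Dict, List

# Built-in chains print "(policy ACCEPT)"; user-defined chains print
# "(N references)" and carry no policy of their own.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|(\d+) references)\)")

# Constructed sample: the empty listing shown in the text.
SAMPLE_EMPTY = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Constructed sample: a populated ruleset in the same format.
SAMPLE_RULES = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  10.0.0.0/8           anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""


def parse_iptables_listing(text: str) -> Dict[str, dict]:
    """Return {chain_name: {"policy": str | None, "rules": [rule dicts]}}."""
    chains: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        # Skip the column header row and anything before the first chain.
        if current is None or line.startswith("target"):
            continue
        # Five fixed columns; everything after the fifth is match detail.
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # not a rule row we recognise
        rule = {
            "target": fields[0],
            "prot": fields[1],
            "opt": fields[2],
            "source": fields[3],
            "destination": fields[4],
            "extra": fields[5] if len(fields) > 5 else "",
        }
        chains[current]["rules"].append(rule)
    return chains


def open_chains(chains: Dict[str, dict]) -> List[str]:
    """Chains that accept by default and hold no rules: nothing is filtered there."""
    return sorted(
        name for name, chain in chains.items()
        if chain["policy"] == "ACCEPT" and not chain["rules"]
    )


def summarize(text: str) -> str:
    """One line per chain, plus a warning line for every open chain."""
    chains = parse_iptables_listing(text)
    lines = [f"{name}: policy {c['policy']}, {len(c['rules'])} rule(s)"
             for name, c in chains.items()]
    for name in open_chains(chains):
        lines.append(f"WARNING: chain {name} accepts all traffic (no rules, policy ACCEPT)")
    return "\n".join(lines)


if __name__ == "__main__":
    # In practice feed it live output: sudo iptables -L | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EMPTY
    print(summarize(data))
```

Run it with the real listing piped in (sudo iptables -L | python3 audit.py) to get a per-chain summary; on the empty listing reproduced above it warns for all three built-in chains, since a policy of ACCEPT with no rules means every packet on that chain is allowed through.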

282
