February 11, 2023

Linux iptables with Gufw Firewall

While firewalls remain an important network defensive tool, commercial firewall vendors have gone in seemingly different directions when it comes to managing firewalls.  It's important that people entering the security field have a good grasp of generic firewall capabilities.  A good way of learning about firewalls is using iptables, which is available on almost every Linux distro.  A tool that can help with getting started is Gufw Firewall.

The Linux firewall is iptables.  Using iptables, the root user (or equivalent) uses access control lists (ACLs) to define filtering policies.  ACLs can be multiple lines long, with each line of the ACL being an access control element or ACE.  ACLs and ACEs should be ordered so that the most specific match policies come first and the least specific policies come last.  That means that specific hosts and protocols to be blocked should be defined first (at the top of the table), and rules that cover whole networks should come later.

If you are just getting started with firewalls and want to deploy a restrictive policy, consider this command: 'iptables -P INPUT DROP'.  This command configures the firewall so that every inbound connection is dropped unless an ACL explicitly allows it.  This configuration, where traffic is denied by default, is a standard feature of most firewalls and is referred to as an implicit deny.
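As an added example (not code from the post, Gufw or the iptables project), the following Python helper builds the INPUT chain described above: the default-deny policy, the housekeeping rules every host needs, and then the administrator's ACEs in the order given.  It also checks that no ACE is shadowed by an earlier, broader one, which is the ordering mistake the previous paragraph warns about.  The Ace class, the function names and the 198.51.100.0/24 addresses (an RFC 5737 documentation range) are assumptions made for the example.

```python
"""Render an iptables INPUT chain with an implicit deny and check ACE ordering.
Hypothetical helper written for this example; not part of iptables or Gufw."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass
class Ace:
    src: str                      # source network in CIDR notation
    action: str                   # "ACCEPT", "DROP" or "REJECT"
    proto: Optional[str] = None   # "tcp", "udp" or None for any protocol
    dport: Optional[int] = None   # destination port, None for any port

    def __post_init__(self) -> None:
        # iptables only accepts --dport together with a protocol (-p)
        if self.dport is not None and self.proto is None:
            raise ValueError("a destination port requires a protocol")

    def shadows(self, later: "Ace") -> bool:
        """True if every packet matching `later` is already caught by self."""
        covers_net = ip_network(later.src).subnet_of(ip_network(self.src))
        covers_proto = self.proto is None or self.proto == later.proto
        covers_port = self.dport is None or self.dport == later.dport
        return covers_net and covers_proto and covers_port


def ordering_warnings(aces: List[Ace]) -> List[str]:
    """Report ACEs that can never match because an earlier, broader ACE
    already catches their traffic (first match wins in iptables)."""
    warnings = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if earlier.shadows(later):
                warnings.append(f"{later} is shadowed by earlier {earlier}")
                break
    return warnings


def render_input_chain(aces: List[Ace]) -> List[str]:
    """Return the iptables commands, in the order they should be run."""
    cmds = [
        "iptables -F INPUT",                      # start from an empty chain
        "iptables -A INPUT -i lo -j ACCEPT",      # loopback traffic
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for ace in aces:
        parts = [f"iptables -A INPUT -s {ace.src}"]
        if ace.proto:
            parts.append(f"-p {ace.proto}")
        if ace.dport is not None:
            parts.append(f"--dport {ace.dport}")
        parts.append(f"-j {ace.action}")
        cmds.append(" ".join(parts))
    # Set the implicit deny last so an existing admin session is not cut off
    # while the allow rules are still being added.
    cmds.append("iptables -P INPUT DROP")
    return cmds


# Constructed sample: the specific host ban sits above the network allow
EXAMPLE_ACES = [
    Ace("198.51.100.7/32", "DROP", "tcp", 22),      # one host barred from SSH
    Ace("198.51.100.0/24", "ACCEPT", "tcp", 22),    # the rest of the admin network
]

if __name__ == "__main__":
    for warning in ordering_warnings(EXAMPLE_ACES):
        print("WARNING:", warning)
    print("\n".join(render_input_chain(EXAMPLE_ACES)))
```

Running the script prints the commands for review; they can then be pasted into a root shell.  Reversing EXAMPLE_ACES produces a warning, because the /24 ACCEPT would then catch the banned host's packets before the /32 DROP is ever consulted.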

The iptables firewall in Linux is configured and maintained using a command line interface (CLI).  It's important that firewall administrators learn that CLI, but it can be difficult when getting started.  I recommend the use of the Gufw Firewall utility, an open source graphical user interface (GUI) utility that is supported on many distros.  Using the Gufw utility, the admin can configure basic policies and compare the GUI and command line output.


January 21, 2023

Implicit deny and discard versus drop

Many or most open source and commercial firewalls have some basic rules that are configured when the product is first installed.  These rules are defined in an access control list (ACL).  One such rule is based on the concept of the Implicit Deny.  Implicit Deny means that the default answer to whether a communication is allowed to transit the firewall is always No or Deny.  An implicit deny is often the last rule or ACL in the firewall configuration.

When first getting started, the majority of ACLs tend to allow traffic to pass.  This is important in order to let traffic from authorized users and sites into the network, where each connection will be authorized.  An example of this would be allowing virtual private network (VPN) traffic inbound to a VPN concentrator, where individual users are authorized.

Firewalls process communication inbound or outbound, working from the highest priority or most specific ACL down to the lowest priority or most generic ACL.  Once an access control element (ACE) is found with conditions that match, the action of that ACE is executed by the firewall.  Allow, Deny and Discard are actions that the firewall can be configured to take for any communication that matches a particular ACL.

When traffic is found to match the conditions of an ACL with the Deny action, the communication will not be permitted to proceed.  The communication is dropped by the firewall.  A RST (reset) packet is sent back to the originating device and the communication will be ended.  The RST packet is a message that goes back to the originator of the traffic stating that the connection has been closed.

An ACL using the Drop action is often referred to as a stealth mode rule.  This option is much like Deny in that it will stop and drop the communication.  However, using the Drop action, the firewall will not send a RST packet as described in the Deny action above.  When the RST packet does not go back, the originator has no confirmation that there is a device to respond at the IP address it is trying to reach.  Even if the originator suspects that it is a security function that is stopping it, it will still not know anything for sure.

The implicit deny applies when traffic comes into the firewall and no ACL matches it with an allow condition: the firewall drops the communication.
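As an added example (not code from the post or any vendor's firewall), this Python model walks an ordered ACL top to bottom, stops at the first matching ACE, falls through to an implicit deny when nothing matches, and reports what the originator observes for Allow, Deny and Drop.  The Ace class, the evaluate function, the SAMPLE_ACL and the 203.0.113.0/24 and 192.0.2.0/24 addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```python
"""First-match evaluation of an ordered ACL with Allow, Deny and Drop actions
and a trailing implicit deny. Hypothetical model written for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    src: str                       # source network in CIDR notation
    action: str                    # "ALLOW", "DENY" (refuse with RST) or "DROP" (silent)
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, src_ip: str, proto: str, dport: int) -> bool:
        """All three conditions must hold for the ACE to match."""
        return (ip_address(src_ip) in ip_network(self.src)
                and self.proto in (None, proto)
                and self.dport in (None, dport))


# The rule the firewall falls back on when no ACE matches: deny everything.
IMPLICIT_DENY = Ace("0.0.0.0/0", "DROP")

# What the originating host sees for each action
OBSERVED = {
    "ALLOW": "connection proceeds",
    "DENY": "RST received: a device is present and refused the connection",
    "DROP": "no response: originator cannot tell whether anything is listening",
}


def evaluate(acl: List[Ace], src_ip: str, proto: str, dport: int) -> Tuple[Ace, str]:
    """Return the first matching ACE (or the implicit deny) and what the
    originator observes. Order matters: the first match wins."""
    for ace in acl:
        if ace.matches(src_ip, proto, dport):
            return ace, OBSERVED[ace.action]
    return IMPLICIT_DENY, OBSERVED[IMPLICIT_DENY.action]


# Constructed sample policy, most specific entries first
SAMPLE_ACL = [
    Ace("203.0.113.9/32", "DROP"),                 # stealth-block one noisy host entirely
    Ace("203.0.113.0/24", "DENY", "tcp", 23),      # refuse telnet from the partner network with RST
    Ace("203.0.113.0/24", "ALLOW", "udp", 1194),   # partner network may reach the VPN concentrator
]

if __name__ == "__main__":
    for src, proto, port in [("203.0.113.9", "udp", 1194),
                             ("203.0.113.20", "udp", 1194),
                             ("203.0.113.20", "tcp", 23),
                             ("192.0.2.5", "tcp", 443)]:
        ace, seen = evaluate(SAMPLE_ACL, src, proto, port)
        print(f"{src} {proto}/{port}: {ace.action:5} ({seen})")
```

The blocked host 203.0.113.9 is dropped even though its network is allowed to reach the VPN port, because the /32 DROP sits above the /24 ALLOW; reverse the list and the same packet is allowed.  In iptables terms DENY corresponds to REJECT (with --reject-with tcp-reset for TCP; for other protocols REJECT sends an ICMP unreachable rather than a RST) and DROP to the DROP target, while the implicit deny is the chain policy set by 'iptables -P INPUT DROP'.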