Apache Security - Ivan Ristic [127]

have their own firewalls for the following reasons:

In case the main firewall is misconfigured, breaks down, or has a flaw

To protect against other hosts on the same LAN, and against hosts the main firewall cannot protect you from (e.g., hosts on an internal network)

On Linux, a host-based firewall is configured through the Netfilter kernel module (http://www.netfilter.org). In user space, the binary used to configure the firewall is iptables. As you will see, it pays off to spend some time learning how Netfilter works. On a BSD system, ipfw and ipfilter can be used to configure a host-based firewall. Windows server systems have similar functionality, but it is configured through a graphical user interface.

Whenever you design a firewall, follow the basic rules:

Deny everything by default.

Allow only what is necessary.

Treat internal networks and servers as hostile and give them only minimal privileges.

What follows is an example iptables firewall script for a dedicated server. It assumes the server occupies a single IP address (192.168.1.99), and the office occupies a fixed address range 192.168.2.0/24. It is easy to follow and to modify to suit other purposes. Your actual script should contain the IP addresses appropriate for your situation. For example, if you do not have a static IP address range in the office, you may need to keep the SSH port open to everyone; in that case, you do not need to define the address range in the script.

#!/bin/sh

IPT=/sbin/iptables

# IP address of this machine
ME=192.168.1.99

# IP range of the office network
OFFICE=192.168.2.0/24

# flush existing rules
$IPT -F

# accept traffic from this machine
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -s $ME -j ACCEPT

# allow access to the HTTP and HTTPS ports
$IPT -A INPUT -m state --state NEW -d $ME -p tcp --dport 80 -j ACCEPT
$IPT -A INPUT -m state --state NEW -d $ME -p tcp --dport 443 -j ACCEPT

# allow SSH access from the office only
$IPT -A INPUT -m state --state NEW -s $OFFICE -d $ME -p tcp --dport 22 \
    -j ACCEPT

# To allow SSH access from anywhere, comment the line above and uncomment
# the line below if you don't have a static IP address range to use
# in the office
# $IPT -A INPUT -m state --state NEW -d $ME -p tcp --dport 22 -j ACCEPT

# allow related traffic
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# log and deny everything else
$IPT -A INPUT -j LOG
$IPT -A INPUT -j DROP

As you can see, installing a host firewall can be very easy to do, yet it provides excellent protection. You may also consider logging unrelated outgoing traffic. On a dedicated server, such traffic may be a sign of an intrusion. To use this technique, you need to be able to tell what constitutes normal outgoing traffic. For example, the server may have been configured to download operating system updates automatically from the vendor's web site. This is an example of normal (and required) outgoing traffic.
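The following script is an added example of the egress logging just described; it is not taken from the book. It builds an OUTPUT chain that explicitly allows the outgoing traffic a dedicated web server is expected to generate (DNS, NTP, and HTTP/HTTPS for vendor updates) and logs, with a recognizable prefix and a rate limit, any other new outgoing connection. The server address is the book's 192.168.1.99; the resolver and NTP server address 192.168.1.1 is a constructed placeholder you must replace. Logged traffic is still allowed, so the rules make unexpected traffic visible without breaking the server. Run the script with the argument apply to load the rules; with no argument it only prints the iptables commands it would execute.

```shell
#!/bin/sh
# Added example, not the book's code: log unexpected outgoing connections.
# Everything the server is known to need is allowed explicitly; any other
# NEW outgoing connection is logged (rate limited) and then allowed.

ME=192.168.1.99            # this machine, as in the book's INPUT script
DNS_SERVERS="192.168.1.1"  # assumed: the resolver(s) this host uses
NTP_SERVERS="192.168.1.1"  # assumed: the NTP server(s) this host uses

# Build the OUTPUT chain. $IPT is the real binary, or "echo" for a dry run.
egress_rules() {
    $IPT -F OUTPUT

    # Packets belonging to connections already accepted on INPUT are not
    # "unrelated" outgoing traffic; neither is loopback traffic.
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Expected outgoing traffic: name resolution and time synchronization ...
    for h in $DNS_SERVERS; do
        $IPT -A OUTPUT -m state --state NEW -s $ME -d $h -p udp --dport 53 -j ACCEPT
        $IPT -A OUTPUT -m state --state NEW -s $ME -d $h -p tcp --dport 53 -j ACCEPT
    done
    for h in $NTP_SERVERS; do
        $IPT -A OUTPUT -m state --state NEW -s $ME -d $h -p udp --dport 123 -j ACCEPT
    done

    # ... and the vendor's update site over HTTP/HTTPS. Add "-d <mirror>"
    # once you know the address range of the update mirror.
    $IPT -A OUTPUT -m state --state NEW -s $ME -p tcp --dport 80 -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW -s $ME -p tcp --dport 443 -j ACCEPT

    # Anything else that opens a new connection is unexpected: log it with a
    # prefix you can grep for in the kernel log. The limit match keeps a
    # misbehaving process from flooding the log.
    $IPT -A OUTPUT -m state --state NEW -m limit --limit 6/min --limit-burst 20 \
        -j LOG --log-prefix "EGRESS-UNEXPECTED: "
    $IPT -A OUTPUT -j ACCEPT
}

case "${1:-}" in
    apply) IPT=/sbin/iptables; egress_rules ;;
    *)     IPT=echo;           egress_rules ;;   # dry run: print the rules
esac
```

Once the rules are in place, the kernel log lines carrying the EGRESS-UNEXPECTED prefix are the list of outgoing connections you could not account for; each one is either a new entry for the allowlist above or something to investigate.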

* * *

Tip


If you are configuring a firewall on a server that is not physically close to you, ensure you have a way to recover from a mistake in firewall configuration (e.g., cutting yourself off). One way to do this is to activate a cron script (before you start changing the firewall rules) to flush the firewall configuration every 10 minutes. Then remove this script only after you are sure the firewall is configured properly.

* * *
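The safety net described in the tip, as an added example that is not part of the book. The script opens the firewall completely; the path /usr/local/sbin/fw-reset and the cron entry are assumptions to adapt. One detail matters here: flushing the rules with -F is not enough if a chain's default policy has been set to DROP, so the policies are reset to ACCEPT as well, and they are reset first so that the chains are harmless even if the script is interrupted part way. Without arguments the script only prints the commands it would run; with the argument apply it runs them.

```shell
#!/bin/sh
# Added example, not the book's code: emergency "open the firewall" script
# meant to run from cron every 10 minutes while rules are being developed.
#
# Install (assumed path):   cp fw-reset /usr/local/sbin/fw-reset
#                           chmod 755 /usr/local/sbin/fw-reset
# Add to root's crontab (crontab -e) before touching the rules:
#   */10 * * * * /usr/local/sbin/fw-reset apply
# Remove that crontab entry only after the new rules are confirmed working.

# $IPT is the real binary, or "echo" for a dry run.
fw_reset() {
    # Policies first: a chain whose policy is DROP stays closed after -F.
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -P $chain ACCEPT
    done
    # Then remove every rule (-F) and every user-defined chain (-X) in each
    # table, not just the default filter table.
    for table in filter nat mangle; do
        $IPT -t $table -F
        $IPT -t $table -X
    done
}

case "${1:-}" in
    apply) IPT=/sbin/iptables; fw_reset ;;
    *)     IPT=echo;           fw_reset ;;   # dry run: print the commands
esac
```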

Advanced Hardening

For systems intended to be highly secure, you can take that final step and patch the kernel with one of the specialized hardening patches:

grsecurity (http://www.grsecurity.net)

LIDS (http://www.lids.org)

Openwall (http://www.openwall.com/linux/)

Security-Enhanced Linux (SELinux) (http://www.nsa.gov/selinux/)

These patches will enhance the kernel in various ways. They can:

Enhance kernel auditing capabilities

Make the execution stack nonexecutable (which makes buffer overflow attacks less likely to succeed)

Harden the TCP/IP stack

Implement a mandatory access control (MAC) mechanism, which provides
