Linux Mint – Configuring and testing the iptables firewall

How to configure nginx for Magento 2

Firewalls are another aspect of security worth considering. If your computer is connected to a router with a built-in firewall (most routers contain firewalls by default), then you are already reasonably protected from the outside world. However, a firewall in your router doesn’t protect you from hacking attempts from inside your local network.

Note

Although activating a firewall helps on a portable device used on public networks, it’s still not a substitute for using a VPN service to pass your Internet traffic through an encrypted tunnel. If you use a laptop in a public place such as a Net Cafe, consider using a VPN service to protect your machine from packet sniffing tools used by someone around you. Sometimes, the biggest hacking threat may even be in the same room as you, without you knowing it.

Linux Mint comes with a preinstalled firewall known as iptables. The iptables firewall is very common in the Linux world and is installed by default in many distributions. However, simply having this firewall installed is not enough; it needs to be configured in order to be effective. Although Mint includes it by default, it’s not configured and is easily accessible. For a visual example of this, consider the following command:


sudo iptables -L | grep policy

After executing the previous command, you’ll see that the policies that are in place for
INPUT,
OUTPUT, and
FORWARD are all set to
ACCEPT. This basically means that anything that is incoming, outgoing, as well as forwarded, is all accepted without question. Essentially, it’s the same as the firewall not being present at all. Configuring iptables involves setting the default policy to DROP or REJECT and then selectively allowing the traffic that you want. A bit of work is required to configure iptables, since as soon as you set the default policy to DROP or REJECT, literally all the network connections will cease until you allow each service that you wish to use. For example, if you set a default policy to DROP, none of your browsers would be able to contact any website, and all the existing connections on your machine will cease working until you enable the services that you want. From a completely disabled firewall, you would then enable each component you want access to, one by one.

Note

There is an important difference between DROP and REJECT with regard to iptables. With REJECT, the traffic is denied, and the source computer is notified about the rejected traffic. With DROP, the traffic is simply deleted and a confirmation is not sent to the source computer. In most cases, DROP is preferred. Unless you have a specific obligation to keep the source computer in the loop about what you want and don’t want to do, there’s no reason to inform the source of the rejection.

Setting up an iptables policy via shell commands is beyond the scope of this tutorial and may be a frustrating endeavor for someone who has never configured iptables before. In the earlier versions of Linux Mint (Version 15 and earlier), a graphical configuration tool was included to help you configure iptables simply and easily. For some reason or the other, the Firewall configuration tool was dropped in Linux Mint Version 16. Thankfully, there is a third-party graphical tool that we can install to allow us to configure iptables just as easily. You can install the Gufw package using the following command:


sudo apt-get install gufw

Once the package is installed, Firewall Configuration will be listed in your Applications menu and will give you a very friendly graphical interface through which one can configure iptables. The following screenshot shows the main application window for the Gufw firewall configuration utility:

With Gufw, you can configure your policy based on preinstalled profiles ( Home, Office, and Public) and set your policies for incoming and outgoing traffic. While the default configuration should satisfy most of the users, you can set individual rules if you wish for a more advanced configuration.

To test how effective your firewall is, consider the following experiment. The GRC website was mentioned earlier in this chapter, for its Password Haystacks tool. There is another useful tool on the GRC website known as ShieldsUP!!. You can use this tool to test the port security on your system. To do this, perform an Internet search for ShieldsUP!!, and you should be able to find the grc.com page that links to the tool in the search results. Once there, click on the Proceed button and then the All Service Ports link to begin a scan. The tool will see which ports it’s able to communicate with on your machine, and report the information to you. The following screenshot shows the main selection for GRC’s ShieldsUP!! tool:

If the ShieldsUp!! tool is able to communicate with a port on your machine, then that means others would be able to as well. If a port is open on your machine, consider closing it using an iptables rule (which you can configure using Gufw). To further test the effectiveness of your firewall, consider plugging your computer directly into your Internet modem without a router in between and run another scan. If the ShieldsUp!! tool is not able to communicate with any port on your machine, you’ll see a response showing PASSED, such as the one shown in the following screenshot:

Comments are closed.