The Hyperlogos
firewalling Ubuntu Linux/iptables with fwbuilder
Not too long ago, I switched entirely to Ubuntu for my Linux needs. Long disenchanted with Red Hat, I eventually skipped out on Gentoo because I am lazy, and meanwhile I never found a compelling reason to run SUSE. I had begun using Debian Linux for servers and was very happy (in general) with the dpkg system, and along came Debian-based Ubuntu with unparalleled hardware support. I like to run Linux from a single vendor if possible since it simplifies things considerably, so now everything is based on some flavor of Ubuntu. In looking for a firewall GUI configurator which would run on and configure my laptop-based firewall system, I settled on fwbuilder.

My internet gateway, an IBM ThinkPad A21p, runs Ubuntu 7.10 Gutsy Gibbon (desktop). I'm in the process of switching everything to low-power laptops and SFF desktop systems. I now have no desktop systems which run 24/7, and keeping them off most of the time has considerably reduced my power draw. The 'net gateway has a Xircom 10/100 Ethernet plus 56k modem in its CardBus slot, supplementing the 3Com modem/Ethernet card, whose modem is unsupported by Linux, as are all 3Com soft modems.

The gateway also includes my apt mirror, constructed by apt-move; it's running as an LTSP server to support one whole system in my house; the system is also running dhcp3-server, dnsmasq, and the bidentd forwarding identd server. In order to keep this system secure, it needed to be firewalled. I'm capable of writing basic configs by hand with the iptables command, turning on forwarding, and those kinds of things, but it's much easier to get good results by starting with some kind of template and working from there. I tried using ipmasq and firestarter, but each has its problems. Firestarter is very home-net-centric and is really intended for systems with no more than two interfaces, and ipmasq is simply unwieldy. Both allow customization through post-scripts and the like, but I wanted something more user-friendly. The answer, as it turned out, is fwbuilder.

There's a small handful of firewall configuration utilities which will run on Linux. fwbuilder is notable among them in that it has support for a seriously broad collection of hardware and is free. Of the other options, some of them are very limited, and some of them require that you pay money for full functionality, but fwbuilder does not have this problem and you can install it on Ubuntu simply by installing the package fwbuilder. fwbuilder is a Qt3 application, but I found it to be mostly reliable and fairly fast.

The fwbuilder interface

The first thing you may notice upon running the application is that it does not look like a mess. Honestly, this came as a bit of a surprise to me. My (long) past experiences with firewall GUIs had prepared me for disappointment, so I had not viewed the screenshots, but I was quite pleasantly surprised. The interface is laid out in a fairly straightforward manner, with a pane for the various types of objects on the left and the firewall configuration pane on the right. The main pane has three tabs: one for filter rules, one for NAT rules, and one for routing table entries. The latter are added to the routing table, which is always populated at least with routes to the networks to which the system's interfaces belong.

fwbuilder includes templates for configuring firewalls. The process to begin is as simple as creating a new firewall. You can do this in any number of ways, but the easiest is from the little menu in the object pane. Just pull down the menu and select new firewall:

Adding a Firewall to an empty fwbuilder config
Choosing a Firewall Type

The user is presented with a dialog asking a few questions about the firewall. These are usually pretty easy, and anyone wanting to secure a current Linux distribution only needs to select Linux and iptables (besides entering a name for the object). It is convenient for the names of the objects to be the same as their primary hostnames, but it is not necessary. While answering these questions the user is offered a check box to "Use preconfigured firewall template objects". This is an excellent starting point, and I suggest that you use it. I did. In fact, here is the template I actually selected:

Selecting a Template

This template creates a DMZ and inside network. I actually have two inside networks; one is hardwired-only, and the other has my Belkin 802.11g access point connected to it and provides wireless services. I formerly used this approach because I was using non-encrypted WiFi, and blocked all non-VPN traffic. Eventually, the 802.11g AP will probably go onto another interface, and I'll bring back my Linksys 802.11b AP in order to serve clients which do not support WPA2. Now, I just need another interface...

When you create a firewall with this template and select it, you will see that a policy has been created. This policy has a decent set of basic rules, which include NAT, logging, blocking all non-ssh traffic to the firewall, et cetera.

Policy from a Template

In order to make this policy do what I wanted, it was necessary to add a few rules. First, I went to the NAT tab and deleted all but the basic NAT rule. I changed the external interface to ppp0 and marked it as a dynamic interface, since it is one. And then I realized I needed a whole bunch of rules, because by default we block all access to the firewall. But I need it to provide SMB (it's the domain master and browse master) as well as DHCP service, HTTP for my apt mirror, and so on. This is simple enough to accomplish provided you know a little something about the protocols in question. I'll explain how to add DHCP/bootp support.

The easiest way is to copy a rule similar to what you want. We don't have one that's all that close, but I'll give it a shot anyway. We'll copy the rule for permitting SSH. After clicking its number, then right-clicking and selecting "Copy" we can right-click there again and say "Paste Below". This inserts a duplicate rule below the one you've copied.

fwbuilder firewall policy

Once you've done this, you can start modifying the rule. SSH access is controlled via IP source and destination addresses and thus works on all interfaces, but we only want to listen on certain interfaces. Here, we'll specify the inside interface. Since DHCP requests are usually made via broadcast, it's easiest to simply accept ALL DHCP requests. In order to actually be most secure, you would create two rules: one would be based on the interface and permit access from the interface and only to the broadcast address, while the other would be based on the network and permit access from the network on that interface and only to the address of the DHCP server. However, I am lazy, and elected to simply permit all bootp-related traffic:

fwbuilder firewall policy

You can see what I have done here, and it was all accomplished by simple drag and drop. The entire configuration is made in much the same way. I had to add a lot more services; I found the interface quite convenient, especially as it allows including multiple ports in a single rule and such. This makes editing them dramatically easier.
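The two-rule DHCP policy described a little further up, as an added example that is not code from the original post or from fwbuilder: the same intent expressed as plain iptables commands, so you can see exactly what the interface-bound broadcast rule and the network-bound unicast rule each open. The interface, network and server address are assumptions passed in by the caller; setting IPTABLES=echo previews the rules without root.

```shell
#!/bin/sh
# Added example, not code from the original post or from fwbuilder: the
# two-rule DHCP policy expressed as iptables commands.
# IPTABLES can be overridden (IPTABLES=echo) to preview the rules
# without root. Interface, network and server address are assumptions
# passed in by the caller.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# dhcp_rules IFACE NETWORK SERVER
#   rule 1: bound to the inside interface only; accepts the broadcast
#           DISCOVER/REQUEST traffic clients send before they have an address
#   rule 2: bound to the inside network on that interface; accepts unicast
#           renewals, and only when addressed to the DHCP server itself
# Both rules match the bootp server port (67) from the client port (68),
# so nothing else on the firewall is opened.
dhcp_rules() {
    iface="$1" net="$2" server="$3"
    "$IPTABLES" -A INPUT -i "$iface" -p udp --sport 68 --dport 67 \
        -d 255.255.255.255 -j ACCEPT || return 1
    "$IPTABLES" -A INPUT -i "$iface" -s "$net" -p udp --sport 68 --dport 67 \
        -d "$server" -j ACCEPT || return 1
}

# Usage: ./dhcp-rules.sh eth1 192.168.1.0/24 192.168.1.1  (constructed values)
if [ "$#" -eq 3 ]; then
    dhcp_rules "$1" "$2" "$3"
fi
```

Two caveats worth knowing before relying on this. First, rules appended with -A land after whatever the fwbuilder-generated script already put in INPUT, so a preceding drop-all rule wins; in fwbuilder itself you control that by rule position. Second, on Linux the ISC DHCP server receives broadcast requests through a packet socket that netfilter does not filter, so rule 1 mostly documents intent, while rule 2 genuinely governs the unicast renewals that arrive on the server's ordinary UDP socket.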

When you're done, you can simply Compile the rules and you will find out if they are valid. You can then send them to the host. When you elect to install the files, fwbuilder will ask you how to contact the system. I have permitted SSH root login (oooh!) so I can simply use root's username and password here; I'm not sure what is necessary to make an average user able to manipulate netfilter/iptables. The program will optionally store a copy of the config in /etc under hostname.fwb and a script to actually add your firewall rules in the same place as hostname.fw. This is a Bourne shell script you can run, so you can add the following to /etc/rc.local to load it if it is present:

# run fwbuilder rules (the script fwbuilder installed as /etc/<hostname>.fw)
FW="/etc/`hostname`.fw"
# quoted so an odd hostname cannot split the path into several words
if [ -x "$FW" ]; then "$FW"; fi

If a referenced interface is not configured (or perhaps just if it's not present) then the rules will not take effect. This doesn't harm me from a security standpoint in itself, but if the firewall is not configured when I DO bring that interface up (in this case, my ppp connection) then I will be vulnerable. So, I put the following in a file /etc/network/if-up.d/fwbuilder:

#!/bin/sh -e
# purpose: execute any fwbuilder script present for the current hostname

# uncomment next line to only trigger on ppp
# otherwise all dynamic updates trigger an update
#[ "`echo $IFACE | sed 's/^\(...\).*$/\1/'`" = "ppp" ] || exit 0

# ifupdown exports METHOD for the interface being brought up;
# only dynamically configured interfaces reload the rules
case "$METHOD" in
        dhcp|NetworkManager) ;;
        *) exit 0 ;;
esac

# execute fwbuilder script if present; a failing script fails the hook
FW="/etc/`hostname`.fw"
if [ -x "$FW" ]; then "$FW" || exit 1; fi

The comments pretty much tell the whole story here. In theory, if you do this, you don't need to modify /etc/rc.local. I've had problems with these scripts firing at the right time with ppp interfaces in the past, so I did both. If the rules aren't loaded along with the interface for whatever reason, they will end up loaded at the end of the boot sequence, which leaves a fairly small window for attacks.
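The window just described (an interface up before the generated script has run) can be closed from the other direction: install a restrictive baseline before any interface comes up, then let the fwbuilder script replace it. The following is an added example, not code from the original post or from fwbuilder; it assumes the post's /etc/<hostname>.fw convention for the generated script, and IPTABLES=echo previews the commands without root.

```shell
#!/bin/sh
# Added example, not code from the original post or from fwbuilder: a
# fail-closed loader for the generated script. Run early in boot (before
# any interface comes up), it installs a DROP baseline first, then runs
# the fwbuilder script; if that script is missing or fails, the host stays
# closed instead of open. IPTABLES=echo previews the commands without root.
# The default FW path mirrors the post's /etc/<hostname>.fw convention.
IPTABLES="${IPTABLES:-/sbin/iptables}"
FW="${FW:-/etc/$(uname -n).fw}"

# baseline_policy: drop inbound and forwarded traffic by default, but keep
# loopback and replies to the host's own connections working so the box
# stays usable while it waits for the real policy.
baseline_policy() {
    "$IPTABLES" -P INPUT DROP || return 1
    "$IPTABLES" -P FORWARD DROP || return 1
    "$IPTABLES" -P OUTPUT ACCEPT || return 1
    "$IPTABLES" -A INPUT -i lo -j ACCEPT || return 1
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
}

# load_fw: run the fwbuilder script if present. Returns 2 when it is
# absent, so callers can tell "nothing to load" from "load failed".
load_fw() {
    [ -x "$FW" ] || return 2
    "$FW"
}

# apply: baseline first, then the generated policy. Return value:
#   0  generated policy loaded
#   2  no script found, baseline left in place
#   1  script failed (or baseline could not be set), baseline left in place
apply() {
    baseline_policy || return 1
    load_fw
    rc=$?
    case "$rc" in
        0) ;;
        2) printf '%s\n' "firewall: no $FW present, baseline policy left in place" >&2 ;;
        *) printf '%s\n' "firewall: $FW exited $rc, baseline policy left in place" >&2; rc=1 ;;
    esac
    return "$rc"
}

# Usage from /etc/rc.local or an early init script:  /path/to/this-script apply
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Run this from the console or an init script, not over an SSH session: the DROP policy goes in before the generated script opens port 22, so a remote session would be cut if the script then failed. The fwbuilder-generated script flushes the tables and sets its own policies, so the baseline does not linger once it succeeds.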

Finally, I will close with just one more script, the one that clears your iptables rules. It's handy if you mess up:

#!/bin/sh
IPTABLES=/sbin/iptables
# /proc/net/ip_tables_names lists only the tables currently loaded
while read -r table; do
  # flush every chain the table reports, then delete the user-defined ones
  "$IPTABLES" -t "$table" -L -n | while read -r c chain rest; do
      if test "X$c" = "XChain" ; then
        "$IPTABLES" -t "$table" -F "$chain"
      fi
  done
  "$IPTABLES" -t "$table" -X
done < /proc/net/ip_tables_names
# without -t, iptables acts on the filter table: reset its built-in chains
"$IPTABLES" -P OUTPUT  ACCEPT
"$IPTABLES" -P INPUT   ACCEPT
"$IPTABLES" -P FORWARD ACCEPT

This script (lifted in pieces from a fwbuilder script) flushes every chain in every loaded table, deletes the user-defined chains, and changes the default policy of the filter table's built-in chains (INPUT, OUTPUT, FORWARD) to "ACCEPT". This is the default state of netfilter/iptables, which permits all traffic, so the host is wide open until you load a policy again.

fwbuilder is by far the easiest general-purpose firewall-configuring solution to install on Ubuntu, and it's easy to use as well. It also has a discovery mode and support for a broad variety of targets; it doesn't only configure Linux. If you've been looking for one firewall GUI to rule them all, you probably can't do much better than fwbuilder no matter whose software you use. If all you want is simple home-user-only stuff, then firestarter is great (although I find the GUI to be very crashy) and ipmasq is probably acceptable; otherwise, this is my pick.

Tags: network, linux, howto, Ubuntu, firewall

drink

2 years 5 months ago


RIP fwbuilder

fwbuilder seems to have been abandoned in 2013, five years after I wrote this article. Not a bad run.


Copyright © 2025 Martin Espinoza - All rights reserved