
Firewall

What Is a Firewall?
Fencing your property protects your house and keeps trespassers at bay; similarly, firewalls are
used to secure a computer network. A firewall is a network security system that prevents
unauthorized access to a network. It can be a hardware appliance or a software component that
filters the traffic entering and leaving a network (or a single host) according to a set of rules,
in order to spot and prevent attacks.

Firewalls are used in enterprise and personal settings and are a basic component of network
security. Most operating systems ship with a built-in packet filter (netfilter on Linux, for
example). A dedicated firewall product may add features such as application-aware rules,
intrusion prevention and central management, but a correctly configured built-in firewall is
already a strong baseline: the quality of the rules matters more than the product.

How Does a Firewall Work?


As mentioned previously, firewalls filter the traffic crossing the boundary of a network or host.
The firewall decides which traffic is allowed and which is blocked based on a set of rules. Think
of the firewall as a gatekeeper at your network's entry point that only lets traffic from trusted
sources (for example, known IP addresses) through.

A firewall accepts only the incoming traffic it has been configured to accept. It compares each
packet (or, for a stateful firewall, each connection) against the rules and either allows or
blocks it.

These rules are based on attributes of the packet such as its source address, destination
address, protocol and port and, for deeper inspection, its content. Traffic from untrusted or
suspicious sources is blocked before it reaches the protected hosts.

For example, the image depicted below shows how a firewall allows good traffic to pass to the
user's private network.

Fig: Firewall allowing Good Traffic

However, in the example below, the firewall blocks malicious traffic from entering the private
network, thereby protecting the user's network from a cyber-attack.
Fig: Firewall blocking Bad Traffic

Note what the firewall does and does not do here: it enforces a policy about who may talk to
whom. A plain packet filter does not inspect payloads for malware; refusing the connection to a
port that nothing legitimate should reach is what stops the attack. Looking inside the traffic is
the job of the proxy and next-generation types described in the next section.

There are different types of firewalls to read data packets at different network levels. Now, you
will move on to the next section of this tutorial and understand the different types of firewalls.

Types of Firewalls
A firewall can either be software or hardware. Software firewalls are programs installed on each
computer, and they regulate network traffic by application and port number. Hardware firewalls
are appliances placed between the gateway and your network. A firewall delivered as a cloud
service is called a cloud firewall.

There are multiple types of firewalls based on their traffic filtering methods, structure, and
functionality. A few of the types of firewalls are:

 Packet Filtering

A packet filtering firewall controls data flow to and from a network. It allows or blocks each
packet on its own, based on the packet's source address, destination address, transport
protocol and port numbers, without remembering the packets that came before it.

 Proxy Service Firewall

This type of firewall protects the network by filtering messages at the application layer. For a
specific application, a proxy firewall serves as the gateway from one network to another.

 Stateful Inspection

Such a firewall permits or blocks network traffic based on connection state as well as port and
protocol: it tracks each connection and lets reply packets through only if they belong to a
connection that was allowed in the first place. Filtering decisions combine
administrator-defined rules with this context.

 Next-Generation Firewall
According to Gartner, Inc.’s definition, the next-generation firewall is a deep-packet inspection
firewall that adds application-level inspection, intrusion prevention, and information from
outside the firewall to go beyond port/protocol inspection and blocking.

 Unified Threat Management (UTM) Firewall

A UTM device generally integrates the capabilities of a stateful inspection firewall, intrusion
prevention, and antivirus in a loosely coupled manner. It may include additional services and, in
many cases, cloud management. UTMs are designed to be simple and easy to use.

 Threat-Focused NGFW

These firewalls provide advanced threat detection and mitigation. With network and endpoint
event correlation, they may detect evasive or suspicious behavior.

Advantages of Using Firewalls


Now that you have understood the types of firewalls, let us look at the advantages of using
firewalls. Firewalls play an important role in security management for companies. Below
are some of the important advantages of using firewalls.

 It reduces the exposure of vulnerable services: a service that cannot be reached cannot be
exploited from outside. It prevents unauthorized users from accessing a private network that is
connected to the internet.
 A firewall at the network edge discards unwanted traffic before it reaches the hosts behind
it, which keeps those hosts responsive under scans and floods.
 A firewall allows you to handle and update the security policy from a single authorized
device instead of on every host.
 Firewalls with domain or URL filtering can block connections to known phishing and
command-and-control sites; a plain packet filter does not stop phishing on its own.

How to Use Firewall Protection?


To keep your network and devices safe, make sure your firewall is set up and maintained
correctly. Here are some tips to help you improve your firewall security:

 Update your firewalls as soon as patches are available: firmware and software patches close
newly discovered vulnerabilities in the firewall itself.
 Use antivirus protection: in addition to firewalls, use endpoint protection, because a firewall
does not inspect files that arrive over an allowed connection.
 Limit accessible ports and hosts: start from a default-deny policy and allow only the ports
and peer addresses each host actually needs, for outbound as well as inbound connections.
 Keep the network available: build in redundancy to avoid downtime, and keep backups of
network hosts and other critical systems so that a failure or disaster does not cost you data or
productivity.
iptables
In Linux the packet filtering is done by netfilter, a framework inside the kernel that decides
which packets may come in, go out or be forwarded. iptables is the user-space tool that loads
rules into netfilter. Two caveats before you start: iptables only handles IPv4, so an
IPv6-enabled host needs equivalent rules loaded with ip6tables as well, and on recent
distributions the iptables command is often a compatibility front end for nftables
(iptables-nft), which accepts the same syntax used below.

How to use iptables?


Make sure you run the commands as the super user (root, or via sudo).

 To install:

apt-get install iptables

 To stop every single packet from going in or out of your system. For security reasons, do
this so that nothing except the packets you explicitly allow is transferred.

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

-P for policy: the default verdict for a chain when no rule matches. The filter table has three
built-in chains, INPUT (packets addressed to this host), OUTPUT (packets generated by this host)
and FORWARD (packets routed through this host).

Caution: if you run these three commands over an SSH session before adding any ACCEPT rules,
the session dies and you are locked out. Either work from the console, or add the loopback and
connection-tracking ACCEPT rules from the following steps first and set the DROP policies last.

 To allow packets inside your loopback interface to travel without problem.

iptables -A INPUT -i lo -j ACCEPT


iptables -A OUTPUT -o lo -j ACCEPT

-A for append. You can also insert, delete or update with different switches.

-i for input interface. The interface that packets arrive at.

-o for output interface. The interface the packets travel through.

-j for jump. You can choose to accept, reject, drop, log etc. with a packet.

 To allow DNS and DHCP traffic in and out of your computer. DNS queries go to port 53, over
UDP and, for large answers and zone transfers, TCP. A DHCP client sends from UDP port 68 to the
server's port 67 and receives the reply on port 68; DHCP does not use TCP, so there are no TCP
rules for it. The replies in both cases come back as part of a tracked connection and are let in
by the RELATED,ESTABLISHED rule on INPUT added in the SSH step below.

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT

-p for protocol. Different protocols can be used such as tcp, udp, gre and so on.

--dport for destination port. You can also use --sport for source port.

Some DHCP clients (ISC dhclient is one) carry out the initial broadcast exchange over raw packet
sockets, which bypass netfilter; the rule above matters for lease renewals, which go through a
normal UDP socket.

 To open an SSH connection when your computer is the client you have to add rules in both
directions.
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

-m is the switch that loads an iptables match extension. You can read more about the different
extensions with man iptables-extensions. Another example of these extensions is limit, which
restricts the rate at which a rule matches packets.

An SSH connection does not happen in one direction only. You send a packet to destination port
22, and the packets coming back to your computer belong to a connection the connection tracker
already knows about, so they carry the state ESTABLISHED (RELATED covers packets such as ICMP
errors that refer to that connection). The connection tracker handles this for you: one
ESTABLISHED rule per chain covers the replies of every allowed connection, so you do not need to
repeat it for each service.

 To allow SSH connections when your computer is a server.

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

This is the opposite direction of the previous rule: it accepts new connections to port 22 and
lets the replies, which carry the state ESTABLISHED, go back out to the client. If the server is
exposed to the internet, restrict the first rule with -s to the addresses that are allowed to
administer it.

 If you want to be able to ping other computers, and let other computers ping yours, you
should allow ICMP packets.

iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

Accepting all of ICMP is the simple version. Because the echo replies to your own pings already
match the ESTABLISHED rule, the INPUT rule can be tightened to --icmp-type echo-request, and
rate-limited with -m limit, if you want to expose as little as possible. Remember that ICMPv6 is
essential to IPv6 (neighbour discovery runs over it) and is handled by ip6tables, not here.

 If you want to be able to browse web pages, this is what you should do.

iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

This allows HTTP and HTTPS connections to leave your system; the responses come back under the
INPUT rule for ESTABLISHED connections.

 You would definitely want to log the rest of the packets, the ones that were not accepted, so
that you can see what is going on. It will also help you if you want to open a port in the
future.

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A FORWARD -j LOGGING
iptables -A LOGGING -m limit --limit 5/min --limit-burst 10 -j LOG --log-level error --log-prefix "iptables-dropped: "
iptables -A LOGGING -j DROP

The first line creates a new chain, and the next three lines send every packet that reached the
end of a built-in chain without being accepted to the newly created chain.

The last two lines log a packet and then drop it. The limit match in front of LOG matters: a port
scan or a flood would otherwise write one kernel log line per packet, which can fill the disk or
drown the messages you care about; five lines per minute with a burst of ten is plenty to see
what is being dropped.

--log-prefix is an argument to the LOG target, which you can read more about in man
iptables-extensions. A distinctive prefix makes the lines easy to pick out of dmesg or
journalctl -k.
--log-level is also an argument to the LOG target. It is the syslog priority the line is written
with (emerg, alert, crit, error, warning, notice, info or debug), not a verbosity setting; error
is a reasonable choice, since we are only interested in packets that were not allowed.
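The steps above put together as one script, as an added example that is not part of the original tutorial. It emits the rules in an order that keeps a remote SSH session alive (policies reset to ACCEPT before flushing, loopback and connection-tracking ACCEPT rules first, DROP policies last), allows DHCP as a client (from UDP port 68 to the server's port 67), rate-limits the LOG rule, and refuses to load anything if its own order check fails. The function names, the show/apply arguments and the IPT variable are this example's conventions; nothing on the host changes unless it is run as root with the argument apply.

```shell
#!/bin/sh
# Added example (not from the tutorial): the host ruleset from the steps above,
# emitted in a lockout-safe order. Function names, the show/apply arguments and
# the IPT variable are this example's own conventions.
IPT="${IPT:-iptables}"

# Print the rule set, one command per line. Order matters: policies are reset
# to ACCEPT before flushing, accept rules for loopback and tracked connections
# come first, and the DROP policies are set last, so an administrator working
# over SSH keeps the session while the rules load.
host_rules() {
    cat <<EOF
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -F
$IPT -X
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 22 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443 -j ACCEPT
$IPT -A OUTPUT -p icmp -j ACCEPT
$IPT -N LOGGING
$IPT -A INPUT -j LOGGING
$IPT -A OUTPUT -j LOGGING
$IPT -A FORWARD -j LOGGING
$IPT -A LOGGING -m limit --limit 5/min --limit-burst 10 -j LOG --log-level error --log-prefix "iptables-dropped: "
$IPT -A LOGGING -j DROP
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
EOF
}

# Line number of the first emitted rule containing the given text (empty if none).
rule_position() {
    host_rules | grep -n -F -- "$1" | head -n 1 | cut -d: -f1
}

# The check that prevents a lockout: the rule accepting tracked connections on
# INPUT must be loaded before the INPUT policy becomes DROP.
check_order() {
    accept=$(rule_position "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
    drop=$(rule_position "-P INPUT DROP")
    [ -n "$accept" ] && [ -n "$drop" ] && [ "$accept" -lt "$drop" ]
}

# Load the rules (needs root). Each line is run by a shell so that the quoted
# log prefix survives; -e stops at the first rule iptables rejects.
apply_rules() {
    check_order || { echo "refusing to apply: rule order would lock you out" >&2; return 1; }
    host_rules | sh -e
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     host_rules ;;
esac
```

Run it without arguments to review the rules, and as root with apply to load them. Rules loaded this way do not survive a reboot; save them with iptables-save (or the iptables-persistent package on Debian-based systems) once you are happy with them.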

The difference between DROP and REJECT is that DROP silently discards the packet and does not
notify the sender, whereas REJECT explicitly notifies the sender.

By default REJECT answers with an ICMP port-unreachable error, which a TCP client reports as
"connection refused". With -j REJECT --reject-with tcp-reset the client instead sees "connection
reset by peer". DROP is the usual choice on an internet-facing host because it gives a scanner
no answer at all; REJECT is friendlier inside a network because clients fail immediately instead
of waiting for a timeout.
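Once the LOG rule is in place, the dropped-packet lines land in the kernel log and are worth reading regularly, not only when something breaks. The parser below is an added example, not part of the original tutorial: it pulls the key=value fields out of lines carrying the "iptables-dropped: " prefix and summarises inbound drops per source address and every outbound drop (a local process trying to reach something the policy forbids is usually more interesting than a scanner hitting a closed port). The sample log lines are constructed for this example and the function names are this example's own; on a real host feed it journalctl -k or dmesg.

```shell
#!/bin/sh
# Added example (not from the tutorial): summarise the kernel log lines written
# by the LOG rule above. SAMPLE_LOG is constructed for this example; the field
# layout (IN= OUT= SRC= DST= PROTO= SPT= DPT=) is what the LOG target writes.
SAMPLE_LOG='Mar  3 10:12:45 host kernel: [12345.678901] iptables-dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:12:46 host kernel: [12346.101112] iptables-dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=44322 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:12:47 host kernel: [12347.131415] iptables-dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=4242 PROTO=UDP SPT=5353 DPT=5353 LEN=28
Mar  3 10:12:48 host kernel: [12348.161718] iptables-dropped: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=31337 DF PROTO=TCP SPT=51234 DPT=4444 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:12:49 host sshd[1234]: Accepted publickey for ops from 192.0.2.20 port 50022 ssh2'

# One line per dropped packet: direction, source, destination, protocol and
# destination port. Fields are located by key, so their position in the line
# does not matter (ICMP lines, for instance, have no DPT and get "-" instead).
dropped_packets() {
    grep -F 'iptables-dropped: ' | awk '{
        in_if = ""; src = ""; dst = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (key == "IN") in_if = val
            else if (key == "SRC") src = val
            else if (key == "DST") dst = val
            else if (key == "PROTO") proto = val
            else if (key == "DPT") dpt = val
        }
        dir = (in_if != "") ? "inbound" : "outbound"
        print dir, src, dst, proto, dpt
    }'
}

# Inbound drops per source address, busiest first: scanners float to the top.
top_sources() {
    dropped_packets | awk '$1 == "inbound" { n[$2]++ } END { for (s in n) print n[s], s }' | sort -rn
}

# Outbound drops as dst:port. On a workstation these deserve a look: a local
# process tried to reach something the policy forbids.
outbound_drops() {
    dropped_packets | awk '$1 == "outbound" { print $3 ":" $5 }'
}

echo "Inbound drops by source:"
printf '%s\n' "$SAMPLE_LOG" | top_sources
echo "Outbound drops (dst:port):"
printf '%s\n' "$SAMPLE_LOG" | outbound_drops
```

On the constructed input the inbound summary ranks 203.0.113.5 first (two probes, ports 23 and 3389) and the only outbound drop is the attempt to reach 203.0.113.9 on port 4444, exactly the kind of line that should trigger a look at which process opened it.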

 If you want to apply NAT with iptables, the rule depends on whether you want to rewrite the
destination of packets (DNAT) or their source (SNAT), and on whether the address you translate
to is static or dynamic. NAT rules live in the nat table (-t nat), not in the default filter
table.

iptables -t nat -A OUTPUT -p tcp --dport 22 --destination 192.168.40.40 -j DNAT --to-destination 123.123.123.123:4040

After the above command, every connection that this computer itself opens to IP address
192.168.40.40 port 22 is transparently redirected to IP address 123.123.123.123 port 4040. The
OUTPUT chain of the nat table only sees locally generated packets. To publish an internal host
to the outside world, the equivalent rule goes in the PREROUTING chain of the router instead,
where it rewrites the destination of packets arriving from the internet.

NAT, or Network Address Translation, is what lets hosts with private IP addresses, which cannot
be reached from outside the network, communicate through a router that rewrites the addresses in
their packets; an inside host is reachable from outside only if the router is explicitly
configured to forward to it.

--destination (or -d) filters packets by destination IP address; --source (or -s) filters by
source address.

To negate a match, precede it with an exclamation point. For example ! --source 192.168.40.40
matches any source address other than 192.168.40.40.

iptables -t nat -A POSTROUTING -p tcp --dport 80 -j SNAT --to-source 10.0.0.56:8000-8010

After applying the above rule, every packet leaving the computer for port 80 of any destination
has its source address rewritten to 10.0.0.56, with a source port chosen from the range 8000 to
8010 (a range is written with a dash). This is what a router does for the hosts behind it: the
hosts keep their private addresses, the router's address 10.0.0.56 appears on the packets, and
connection tracking maps the replies back to the host that originated each connection. SNAT
requires that you know the address in advance, so it suits a static address.

When the outgoing interface gets its address dynamically, use MASQUERADE instead, which uses
whatever address the interface currently has. The rules below, together with forwarding enabled
in the kernel, turn a Linux box with a wireless LAN on wlan0 and an uplink on eth0 into a simple
gateway. The second FORWARD rule is needed for the return traffic because the FORWARD policy is
DROP.

sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o wlan0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
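The NAT pieces above assembled into a small gateway, as an added example that is not part of the original tutorial. Interface names, addresses and the published port are assumptions for illustration: a LAN on wlan0 using 10.0.0.0/24, an uplink on eth0 with a dynamic address (hence MASQUERADE rather than SNAT), and an internal web server at 10.0.0.20 published on the gateway's port 8080 through a PREROUTING DNAT rule. Compared with the bare "-i wlan0 -j ACCEPT" of the two-line version above, every FORWARD accept rule is pinned to an inbound and an outbound interface, so LAN traffic cannot be forwarded to any other segment on the box, and packets arriving on the uplink that claim a LAN source address are dropped. Function names and the show/apply arguments are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial): a small NAT gateway ruleset.
# Interfaces, addresses and the published port are assumptions for
# illustration and can be overridden through the environment.
IPT="${IPT:-iptables}"
LAN_IF="${LAN_IF:-wlan0}"                 # inside interface
WAN_IF="${WAN_IF:-eth0}"                  # uplink, dynamic address
LAN_NET="${LAN_NET:-10.0.0.0/24}"         # inside network
INSIDE_HOST="${INSIDE_HOST:-10.0.0.20}"   # web server published on port 8080

# Emit the gateway rules, one command per line. Forwarding is off by default
# in the kernel, so the sysctl comes first. The FORWARD chain gets a DROP
# policy and only two kinds of new flows are allowed through it: LAN to
# uplink, and uplink to the published web server.
gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
$IPT -t nat -F
$IPT -F FORWARD
$IPT -P FORWARD DROP
# anti-spoofing: nothing on the uplink may claim an inside address
$IPT -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP
$IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
# inside hosts may open connections to the internet
$IPT -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
$IPT -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
# port forward: gateway:8080 from the internet reaches the inside web server
$IPT -t nat -A PREROUTING -i $WAN_IF -p tcp --dport 8080 -j DNAT --to-destination ${INSIDE_HOST}:80
$IPT -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $INSIDE_HOST --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# everything else that tries to start a flow through the box is logged, then hits the DROP policy
$IPT -A FORWARD -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "fwd-denied: "
EOF
}

# Lists the DNAT mappings as "port->host:port" so the published services can
# be reviewed without reading the whole rule set.
published_ports() {
    gateway_rules | awk '/-A PREROUTING/ && /-j DNAT/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport") port = $(i + 1)
            if ($i == "--to-destination") target = $(i + 1)
        }
        print port "->" target
    }'
}

# Counts FORWARD accept rules that do not pin both the inbound and the
# outbound interface; the answer should be 0. The RELATED,ESTABLISHED rule is
# exempt because conntrack already ties those packets to a flow whose first
# packet was checked against a pinned rule.
unpinned_forward_accepts() {
    gateway_rules | grep -- '-A FORWARD .* -j ACCEPT' | grep -v -- 'RELATED,ESTABLISHED' \
        | awk '!/-i [^ ]+ -o [^ ]+/ { n++ } END { print n + 0 }'
}

# Load the rules (needs root); refuses if an unpinned accept rule slipped in.
apply_rules() {
    [ "$(unpinned_forward_accepts)" -eq 0 ] || { echo "refusing to apply: unpinned FORWARD rule" >&2; return 1; }
    gateway_rules | sh -e
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     gateway_rules ;;
esac
```

The DNAT rule alone is not enough to publish the server: the rewritten packet still has to pass the FORWARD chain, which is why the matching FORWARD accept for 10.0.0.20 port 80 is there. Leaving that rule out is the usual reason a port forward "does not work" on a gateway with a DROP policy.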
