Linux - Linux firewall
A Linux firewall is a packet filter built into the kernel (the netfilter framework) and configured from user space. It controls incoming and outgoing network traffic according to a set of rules and acts as a barrier between the host and the network, helping protect against unauthorized access, attacks, and data leaks. It decides only whether traffic may pass; it is not a substitute for patching and hardening the services you do expose.
Core Concepts of a Linux Firewall
1. Packet Filtering
The firewall inspects the headers of each packet (source and destination address, protocol, ports) and, with connection tracking, the state of the connection the packet belongs to, and then decides whether to accept or drop it based on the rules.
2. Rules and Policies
Rules define what traffic is allowed or denied; they are evaluated in order, and the first matching rule decides. A policy is the default action a chain takes when no rule matches (e.g., drop everything unless explicitly allowed).
3. Chains and Tables
iptables organizes rules into chains (INPUT, OUTPUT, FORWARD) and tables (filter for accept/drop decisions, nat for address translation, mangle for packet header changes). The newer nftables framework keeps the same table/chain model with user-defined names; on current distributions the iptables command is usually a compatibility front end that writes nftables rules.
Common Linux Firewall Tools
1. iptables
The classic command-line tool for configuring netfilter rules. In the filter table, rules go into one of three built-in chains:
- INPUT: Traffic addressed to this host
- OUTPUT: Traffic originating from this host
- FORWARD: Traffic routed through this host (only relevant when IP forwarding is enabled)
Example:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Appends a rule to the INPUT chain that accepts incoming TCP traffic to port 22 (SSH). Because rules are matched top to bottom, an appended rule only takes effect if no earlier rule has already matched the packet. The rule lives only in kernel memory and is lost at reboot unless saved (iptables-save). iptables handles IPv4 only; the IPv6 side is configured separately with ip6tables and is unfiltered until you do so.
2. ufw (Uncomplicated Firewall)
A simpler front end for iptables, installed by default on Ubuntu. Its default policy denies incoming and allows outgoing traffic.
- Enable the firewall (if you are logged in over SSH, allow SSH first, because the default incoming policy is deny):
sudo ufw enable
- Allow SSH:
sudo ufw allow ssh
- Deny a port (without a protocol suffix such as 80/tcp this matches both TCP and UDP):
sudo ufw deny 80
- Check status:
sudo ufw status
3. firewalld
The default firewall manager on Red Hat-based systems (RHEL, CentOS Stream, Fedora). It manages rules dynamically, organized into zones and named services, and uses nftables underneath (iptables on older releases).
- Start firewalld (use systemctl enable as well so it also starts at boot):
sudo systemctl start firewalld
- Allow HTTP (--permanent changes only the saved configuration, so a reload is needed to apply it; alternatively run the command once with and once without --permanent):
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --reload
- List the active rules of the default zone (add --zone=NAME for another zone):
sudo firewall-cmd --list-all
Zones in firewalld
Zones define trust levels for network interfaces. Some of the predefined zones:
- public: for untrusted networks; only selected incoming connections (by default SSH and DHCPv6 client) are accepted. This is the default zone on most installations.
- home: for mostly trusted home networks; more incoming services are allowed by default.
- internal: for trusted internal networks; similar to home.
Other predefined zones include drop and block (reject everything incoming), dmz, work, external, and trusted (accept everything).
Each interface (or source address range) is assigned to exactly one zone, and rules are set per zone; interfaces that are not explicitly assigned fall into the default zone.
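A zone layout that puts this into practice, as an added example (not code from the original page): a host with two interfaces, where eth0 faces the Internet and eth1 a trusted LAN that runs an HTTP service. The interface names and services are assumptions for the example. Run it without arguments to print the firewall-cmd commands; run it as root with the argument apply to execute them.

```shell
#!/bin/sh
# Added example: firewalld zone layout for a two-interface host.
# Assumptions (not from the page): eth0 is the untrusted side, eth1 the
# trusted internal LAN, and only the internal side serves HTTP.

# Emit the firewall-cmd commands in order. --permanent edits the saved
# configuration only, so all of it takes effect together at the final --reload.
zone_plan() {
    cat <<'EOF'
firewall-cmd --permanent --zone=public --change-interface=eth0
firewall-cmd --permanent --zone=internal --change-interface=eth1
firewall-cmd --permanent --zone=public --set-target=DROP
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=public --add-rich-rule='rule service name="ssh" limit value="6/m" accept'
firewall-cmd --permanent --zone=internal --add-service=http
firewall-cmd --set-log-denied=all
firewall-cmd --set-default-zone=public
firewall-cmd --reload
EOF
}

# Interfaces the plan assigns to a zone, e.g. interfaces_in_zone public -> eth0
interfaces_in_zone() {
    zone_plan | grep -- "--zone=$1 --change-interface=" | sed 's/.*--change-interface=//'
}

# Sanity check before applying: every interface is assigned, the untrusted
# zone has an explicit DROP target, and --reload is the last command so no
# permanent change is left unapplied. Returns 0 when all hold.
check_zone_plan() {
    plan=$(zone_plan)
    total=$(printf '%s\n' "$plan" | grep -c '')
    reload=$(printf '%s\n' "$plan" | grep -n -- '--reload' | cut -d: -f1)
    [ "$reload" -eq "$total" ] || return 1
    for ifname in eth0 eth1; do
        printf '%s\n' "$plan" | grep -q -- "--change-interface=$ifname" || return 1
    done
    printf '%s\n' "$plan" | grep -q -- '--zone=public --set-target=DROP'
}

# Apply the plan (needs root and a running firewalld), then show the result.
apply_zone_plan() {
    check_zone_plan && zone_plan | sh -e && firewall-cmd --get-active-zones
}

case "${1:-}" in
    apply) apply_zone_plan ;;
    *)     zone_plan ;;
esac
```

The plain ssh service is removed from public and replaced by a rich rule that limits new SSH connections to six per minute; with the service still present, its unconditional accept would match first and the limit would never apply. --set-target=DROP makes the public zone discard unmatched traffic silently instead of the zone's default reject, and --set-log-denied=all logs what was dropped so the logs can be watched.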
Best Practices
- Default deny: set the chain policy (or zone target) to drop, and allow only what is explicitly needed.
- Limit exposure: open only the ports a service actually needs, and only on the interface that serves them.
- Use logging: log dropped or suspicious packets, rate-limited so that an attacker cannot flood your logs.
- Keep rules organized: use comments and a versioned script or saved ruleset for clarity, and test changes from a console session so a mistake cannot lock you out.
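A complete ruleset that puts these practices together with the iptables chains described earlier, as an added example (not code from the original page): a default-deny IPv4 ruleset for a single host that exposes only SSH and HTTPS, which are assumed choices for the example. Run it without arguments to print the iptables commands for review; run it as root with the argument apply to execute them.

```shell
#!/bin/sh
# Added example: default-deny iptables ruleset for one host.
# Assumptions (not from the page): the host serves SSH (22) and HTTPS (443)
# and nothing else, and does not forward traffic.

# Emit the ruleset in the order it must be applied, one iptables command per
# line. Order matters: a chain is walked top to bottom and the first match
# decides, so the broad "replies to our own traffic" rule comes before the
# per-service rules, and the logging rule is last, just before the DROP
# policy catches whatever is left.
ruleset() {
    cat <<'EOF'
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -m comment --comment "loopback" -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "replies to traffic we started" -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -m comment --comment "rate-limited ping" -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 6/min --hashlimit-burst 12 --hashlimit-mode srcip --hashlimit-name ssh -m comment --comment "ssh, per-source throttle" -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m comment --comment "https" -j ACCEPT
iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: " --log-level 4
EOF
}

# Line number of the first rule matching a pattern, for sanity checks.
rule_position() {
    ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Number of iptables commands in the ruleset.
rule_count() {
    ruleset | grep -c '^iptables '
}

# Structural check: the INPUT policy is DROP, the conntrack "replies" rule
# precedes every per-service rule, and logging is the last rule so nothing
# is dropped silently. Returns 0 when all hold.
check_ruleset() {
    ruleset | grep -q -- '-P INPUT DROP' || return 1
    est=$(rule_position 'ESTABLISHED,RELATED')
    first_service=$(rule_position 'ctstate NEW')
    log=$(rule_position '-j LOG')
    total=$(ruleset | grep -c '')
    [ "$est" -lt "$first_service" ] && [ "$log" -eq "$total" ]
}

case "${1:-}" in
    apply) check_ruleset && ruleset | sh -e ;;   # needs root and iptables
    *)     ruleset ;;
esac
```

There is no explicit final DROP rule: the INPUT policy does that job, and the LOG rule in front of it records (at most ten lines a minute) what it discards. The hashlimit match throttles new SSH connections per source address, so one scanner cannot starve other clients the way a plain limit match would. The script covers IPv4 only; either mirror it with ip6tables or IPv6 stays unfiltered. To survive a reboot, save the result with iptables-save (iptables-persistent on Debian/Ubuntu reads /etc/iptables/rules.v4, iptables-services on RHEL reads /etc/sysconfig/iptables).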