Firewall

Firewalls control access to and from systems based on network packet attributes like IP address, port, payload and more.

The Netfilter framework in the Linux kernel performs packet filtering and provides the means for implementing a software firewall in Linux. Clear Linux* OS has a couple different firewall front-end options for managing the Linux firewall.

Default ruleset

Clear Linux OS does not impose a firewall policy out of the box. All traffic is allowed inbound and all traffic is allowed outbound. However, tallow is installed by default and may dynamically create a rule temporarily restricting access from external hosts.

Warning

Changing firewall configuration can cause abrupt network disconnection. If this happens on a remote host, local recovery may be required.

Be sure to test your firewall configuration before committing it permanently to ensure your system will remain accessible remotely, if required.

Firewall software

iptables

iptables is a well-known user-space administration tool for configuring IPv4 Linux firewall rules. ip6tables is the complimentary tool for configuring IPv6 Linux firewall rules.

Below is information on using iptables on Clear Linux OS:

  1. Make sure the iptables bundle is installed

    sudo swupd bundle-add iptables
    
  2. Define new iptables rules/chains for the running configuration using the iptables command. See man iptables for iptables concepts and configuration options.

    Below is a common restrictive firewall configuration which denies all incoming connections, unless the connection was initiated by the host.

    # Set default chain policies
    sudo iptables -P INPUT DROP
    sudo iptables -P FORWARD DROP
    sudo iptables -P OUTPUT ACCEPT
    
    # Accept on localhost loopback device
    sudo iptables -A INPUT -i lo -j ACCEPT
    sudo iptables -A OUTPUT -o lo -j ACCEPT
    
    # Allow established sessions to receive traffic
    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    
  3. Test the running firewall configuration to make sure it behaving as you expect.

  4. Run the iptables-save service to make the running configuration persistent. This will perform a one-time save of the running configuration to /etc/iptables.rules :

    sudo systemctl start iptables-save
    
  5. Enable the iptables-resolve service the iptables rules to be automatically applied at boot from the /etc/iptables.rules file:

    sudo systemctl enable iptables-restore.service
    

ipset

ipset is a framework in the Linux kernel for storing and efficiently indexing combinations of IP addresses, networks, (TCP/UDP) port numbers, MAC addresses, and interface names.

IP sets makes writing network policy rules simpler and processing them against a large and/or changing sets of hosts more efficient.

By themselves, IP sets do not enforce network traffic rules but can be used to extend iptables rules for matching. It is important to note that the ipset must be defined before a netfilter rule can match against it.

  • Running IP sets can be manipulated with the ipset utility.
  • Custom IP sets can be stored in the /etc/ipset.conf file
  • IP sets in /etc/ipset.conf can be automatically applied at boot by enabling the ipset service with the command sudo systemctl enable ipset.

See man ipset to learn more about using ipsets.

firewalld

firewalld is based on nftables, the successor to iptables and parts of the netfilter framework. The description of firewalld helps highlight some of the differences compared to iptables:

firewalld provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings and for ethernet bridges and has a separation of runtime and permanent configuration options. It also supports an interface for services or applications to add firewall rules directly.

See man firewalld for more information.

Below is information on using firewalld on Clear Linux OS:

  1. Install he firewalld bundle:

    sudo swupd bundle-add firewalld
    
  2. Disable iptables and ipset services as they conflict with firewalld:

    sudo systemctl mask iptables-restore ipset
    
  3. firewall-cmd can be used to configure the running or permanent firewall configuration. See the firewalld documentation to learn more about firewalld concepts and configuration options.

    Below is a common example to allow HTTPS traffic in public zones:

    sudo firewall-cmd --permanent --zone=public --add-service=https
    
  4. Enable the firewalld service the so that the firewalld daemon is automatically started and rules applied at boot from the /etc/firewalld/* file:

    sudo systemctl enable --now firewalld.service
    
  5. Verify that firewalld is running:

    sudo firewall-cmd --state
    

Troubleshooting

When troubleshooting connectivity issues that may be related to firewall rules.

  • Consider restrictions at the physical network level.
  • For inbound connections, make sure your application is listening on the network port you’re expecting with lsof or netstat.
  • For outbound connections, make sure the destination host is responding to the network port you’re expecting with nc. If the connection is refused, then there may be a problem with the destination server.
  • If you’re using firewalld, check the daemon status with the command: systemctl status firewalld.