LFCE Preparation Guide: Network Administration – Implementing Packet Filtering

Introduction

By “packet filtering,” the Linux Foundation here appears to be referring to iptables in the CentOS environment.  While iptables is still usable on RHEL/CentOS 7, the default front end there is firewalld (a separate daemon that runs as a systemd service; it is not part of systemd itself), which still programs the same netfilter tables through iptables underneath but has yet to reach full feature parity with iptables in certain areas an administrator cares about (logging of dropped packets, for one).  I have never experienced a situation that iptables couldn’t handle, and I have only once dealt with a problem that iptables shouldn’t handle: restricting a system’s HTTP traffic by URL, which is far too much administrative overhead for a packet-based filtering tool (squid is the superior solution there).

Anyone seriously considering candidacy for the LFCE examination should already be well aware of firewalls and their purposes.  Those lacking this knowledge need to build it first; once the concepts are well grasped, dive into the iptables man page and revel in the command’s structure.  Read the available commands and try them out on your virtual machine.

It is also useful to understand the older TCP Wrappers technology, though iptables can accomplish nearly anything TCP Wrappers can (but not vice versa): TCP Wrappers only protects daemons linked against libwrap or started through xinetd, and it makes its allow/deny decision after the TCP handshake has already completed, whereas iptables sees every packet on every port.  It is rather simple (two files, /etc/hosts.allow and /etc/hosts.deny) and probably won’t be part of the packet filtering portion of the examination, but it’s worth knowing about since it is still supported and used on occasion in the CentOS 6 and 7 environments.

Perhaps the most important advice I can give to a realistic exam candidate for the LFCE certification is to not overlook the amazing suite of match extensions for iptables.  If you can read through that portion of the iptables man page and understand the match extensions (state/conntrack, multiport, limit, recent, owner and the rest) and how you would apply them in practice, you’re in good shape for anything the LFCE exam might throw at you.  I suggest you get a nice drink, keep the almighty Google by your side, and read that man page, checking up on anything you don’t understand.

Resources

  • Manual pages
    • iptables(8) – The main manual page of interest to a system administrator
    • iptables-extensions(8) – Where the match and target extensions live on CentOS 7 (iptables 1.4.21); on CentOS 6 they are still part of iptables(8)
  • CentOS Documentation
  • The Linux Bible, 8th Edition – Chapter 25

Techniques

  • Commands
    • iptables
    • iptables-save / iptables-restore (and service iptables save on CentOS 6)
    • netstat (or ss from iproute, its replacement)
  • Files
    • /etc/sysconfig/iptables (loaded at boot by the iptables service; on CentOS 7 this requires the iptables-services package)

Common Procedural Examples

  • Secure a system by using a default DROP policy for the INPUT chain, with explicit ACCEPT rules for loopback, established connections and each required service
  • Secure a system by using a default ACCEPT policy for the INPUT chain, with an explicit DROP (or REJECT) rule at the end of the chain doing the work the policy would otherwise do
  • Secure a system by using a default DROP policy for the OUTPUT chain
  • Secure a virtual host platform using the FORWARD chain (and the nat table’s POSTROUTING chain where guests need MASQUERADE to reach the outside)
  • Determine the port on which a process is listening (using netstat -ltunp or ss -ltunp) and add appropriate rules to the appropriate chains to allow communication.
  • Audit the system (using netstat or ss) for rules that do not need to exist: an ACCEPT for a port on which nothing listens is a hole waiting for a listener.
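The procedures above, worked through as one script. This is an added example written for this guide, not code from the original post or from the Linux Foundation: a default-DROP INPUT chain, a FORWARD chain for a virtual host, a port inventory parsed from ss/netstat output so rules are written from facts rather than guesses, and the audit that compares allowed ports against listening ones. The interface names (eth0, virbr0), the 192.0.2.0/24 guest network, the SERVICE_PORTS list and the admin network are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): baseline INPUT/FORWARD rules for a
# CentOS 6/7 host with iptables, plus a listening-port audit. Interface names,
# the guest network and SERVICE_PORTS are assumed; adjust them for your host.
#
#   sh baseline.sh                                     # dry run: print the commands
#   sudo SERVICE_PORTS="80 443" sh baseline.sh apply   # apply (from a console the first time)

IPT="${IPT:-iptables}"
MODE="${1:-dry-run}"
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-0.0.0.0/0}"      # narrow to your management subnet once you know it
SERVICE_PORTS="${SERVICE_PORTS:-}"       # TCP ports the host is meant to serve, e.g. "80 443"
WAN_IF="${WAN_IF:-eth0}"                 # assumed outside interface
GUEST_IF="${GUEST_IF:-virbr0}"           # assumed bridge the guests sit on
GUEST_NET="${GUEST_NET:-192.0.2.0/24}"   # assumed guest network (documentation range)

# Every rule goes through ipt() so the same script can be printed or applied.
ipt() {
    if [ "$MODE" = apply ]; then "$IPT" "$@"; else echo "$IPT $*"; fi
}

# Reads "ss -ltn" or "netstat -ltn" output on stdin and prints the unique local
# TCP ports, one per line. Handles *:22, 0.0.0.0:22, 127.0.0.1:25 and :::80.
ports_from_listing() {
    awk '$1 == "LISTEN" || $1 ~ /^tcp/ {print $4}' | sed 's/.*://' |
        grep -E '^[0-9]+$' | sort -un
}

# Live inventory of listening TCP ports; ss is preferred, netstat is the fallback.
listening_tcp_ports() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | ports_from_listing
    else
        netstat -ltn 2>/dev/null | ports_from_listing
    fi
}

# Prints the members of space-separated list $1 that are absent from list $2.
ports_only_in_first() {
    echo "$1" | tr ' ' '\n' | awk -v other="$2" '
        BEGIN { n = split(other, a, " "); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        NF && !seen[$1]' | sort -un
}

# INPUT: open the policy before flushing and set DROP last, so an SSH session
# survives the rebuild. Arguments are the TCP service ports to allow.
input_policy() {
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -s "$ADMIN_NET" -m conntrack --ctstate NEW -j ACCEPT
    for p in "$@"; do
        ipt -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Log (rate limited) what the policy is about to drop, so the audit has evidence.
    ipt -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "IPT-INPUT-DROP: "
    ipt -P INPUT DROP
}

# FORWARD: guests may initiate traffic to the outside; nothing unsolicited comes
# back in. Needs net.ipv4.ip_forward=1 (sysctl) to have any effect at all.
forward_policy() {
    ipt -P FORWARD ACCEPT
    ipt -F FORWARD
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$GUEST_IF" -o "$WAN_IF" -s "$GUEST_NET" -j ACCEPT
    ipt -A FORWARD -m limit --limit 3/minute -j LOG --log-prefix "IPT-FORWARD-DROP: "
    ipt -P FORWARD DROP
    ipt -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
}

# Audit: allowed ports with no listener are rules that do not need to exist;
# listeners with no allow rule are either unwanted daemons or missing rules.
audit() {
    live=$(listening_tcp_ports | tr '\n' ' ')
    echo "# allowed but nothing listening: $(ports_only_in_first "$SSH_PORT $SERVICE_PORTS" "$live" | tr '\n' ' ')"
    echo "# listening but not allowed:     $(ports_only_in_first "$live" "$SSH_PORT $SERVICE_PORTS" | tr '\n' ' ')"
}

case "$MODE" in
    apply|dry-run) input_policy $SERVICE_PORTS; forward_policy; audit ;;
    *) echo "usage: $0 [dry-run|apply]" >&2 ;;
esac
```

Run it once with no arguments to read the generated commands before applying anything; on a real host, tighten ADMIN_NET before the SSH rule goes live, and remember that `-m conntrack` is spelled `-m state --state` in most CentOS 6 documentation (both work there).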

Tactical Exercises

The first piece of advice I can give is:  don’t use a GUI.  The second piece of advice is:  don’t edit /etc/sysconfig/iptables directly.  Both approaches are for n00bs and will enslave you to copy-and-paste operations, relying on previously defined rules for building your chains.  If, on the other hand, you are a command line ninja with iptables, you will find it to be one of your most frequently engaged skill sets in modern system administration.

Use the command line interface with the iptables command.  It is the most flexible and powerful option, and it is usually the only option on Enterprise Linux systems, where GUIs are rare.  (That advice applies to this entire preparation guide, but it bears repeating here because iptables has many GUI front ends that will do the work for you, and they should be avoided.)

Common real-world administrative tasks include:

  • The examination of systems for current firewall rules and their suitability to the system’s purpose
  • Developing organizational firewall policies (do we DROP packets by default?  Do we enforce rigorous outbound rules using the OUTPUT chain?)
    • Generally, proper enforcement of outbound rules is a security best practice: if malware works its way onto your system and you allow only the communication necessary to the machine’s operation, it becomes far harder for it to reach its command and control infrastructure.  It may be difficult to achieve, though, if the organization’s internal infrastructure is poorly understood or unstable, or if the applications being installed on the systems are insecurely designed (undocumented ports, destinations that change without notice).
  • Ensuring systems on which applications are to be installed are properly secured (allowing only necessary communication) for the given applications.

Some convenient and informative exercises with your VM are:

  1. Install a software package which performs a network-related task of your choosing (httpd, vsftpd, etc.).  Investigate the package using the manual and info pages on the system, confirm the ports it actually binds with netstat -ltunp or ss -ltunp, and create firewall rules which allow its traffic to securely enter and exit the machine.
  2. Set the OUTPUT chain policy to DROP.  See if you can get your system to function normally while utilizing network resources of your choice (even certain websites with single IP addresses would be fine for experimentation) by adding the necessary rules.  Do this from the VM’s console rather than over SSH, and remember that the loopback interface, replies to established connections and DNS all need explicit OUTPUT rules before anything else will work.
  3. Perform some iptables gymnastics regularly.  Learn how to inspect the rules of a given chain (iptables -L INPUT -n -v --line-numbers), delete a rule, insert a rule into an appropriate place in the chain, and save the resulting configuration from the command line (service iptables save on CentOS 6, or iptables-save redirected into /etc/sysconfig/iptables).  Make use of match extensions to find creative ways to practice.
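Exercises 2 and 3 (and the outbound-rules point raised under administrative tasks above), worked through as one script. This is an added example written for this guide, not code from the original post: a default-DROP OUTPUT chain built from a short allow-list, armed with a timed rollback so a mistake cannot strand your SSH session, plus the inspect/insert/delete/save operations. The interface name eth0, the resolver address 198.51.100.10 and the port list are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): egress policy with a rollback
# window, plus everyday chain maintenance. eth0, the resolver 198.51.100.10 and
# the default port list are assumed; change them for your host.
#
#   sh egress.sh dry-run tcp:80 tcp:443      # print the commands
#   sudo sh egress.sh apply tcp:80 tcp:443   # apply, then confirm within 60 s

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"                  # assumed outside interface
RESOLVER="${RESOLVER:-198.51.100.10}"     # assumed DNS server (documentation address)
GRACE="${GRACE:-60}"                      # seconds before the old rules come back
MODE="${1:-dry-run}"
if [ $# -gt 0 ]; then shift; fi           # remaining arguments are egress specs

ipt() { if [ "$MODE" = apply ]; then "$IPT" "$@"; else echo "$IPT $*"; fi; }

# Spec: proto:port or proto:port@destination (IP or CIDR). Prints the rule
# arguments; a malformed spec fails loudly instead of quietly widening the policy.
egress_rule_args() {
    case "$1" in
        *@*) dst="-d ${1#*@}"; pp=${1%@*} ;;
        *)   dst=""; pp=$1 ;;
    esac
    proto=${pp%%:*}; port=${pp#*:}
    case "$proto" in tcp|udp) ;; *) echo "bad egress spec: $1" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad egress spec: $1" >&2; return 1 ;; esac
    echo "-A OUTPUT -o $WAN_IF${dst:+ $dst} -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# Validate every spec before touching the chain: a typo in the third spec must
# not leave OUTPUT half-built and wide open (policy ACCEPT, rules flushed).
apply_egress_policy() {
    for spec in "$@"; do egress_rule_args "$spec" >/dev/null || return 1; done
    ipt -P OUTPUT ACCEPT                  # open before flushing so nothing is stranded
    ipt -F OUTPUT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for spec in "$@"; do
        ipt $(egress_rule_args "$spec")   # unquoted on purpose: split into arguments
    done
    ipt -A OUTPUT -m limit --limit 3/minute -j LOG --log-prefix "IPT-OUTPUT-DROP: "
    ipt -P OUTPUT DROP
}

# Snapshot the live ruleset and arm a background restore. Unless the confirm
# file appears within $GRACE seconds, the snapshot is put back with iptables-restore.
arm_rollback() {
    snap=/tmp/iptables.rollback.$$
    confirm=/tmp/iptables.confirm.$$
    iptables-save > "$snap" || return 1
    ( sleep "$GRACE"
      [ -e "$confirm" ] || iptables-restore < "$snap"
      rm -f "$snap" "$confirm" ) &
    echo "to keep the new rules run: touch $confirm  (within ${GRACE}s)" >&2
}

# Exercise 3. Rule numbers come from --line-numbers and shift after every
# insert or delete, so list the chain again before acting on a number.
show_chain()  { ipt -L "$1" -n -v --line-numbers; }
insert_rule() { chain=$1; pos=$2; shift 2; ipt -I "$chain" "$pos" "$@"; }
delete_rule() { ipt -D "$1" "$2"; }
save_rules()  {   # CentOS 6: "service iptables save"; CentOS 7 needs iptables-services
    if [ "$MODE" = apply ]; then iptables-save > /etc/sysconfig/iptables
    else echo "iptables-save > /etc/sysconfig/iptables"; fi
}

case "$MODE" in
    apply)   arm_rollback && apply_egress_policy "udp:53@$RESOLVER" "$@" && show_chain OUTPUT ;;
    dry-run) [ $# -gt 0 ] || set -- tcp:80 tcp:443
             apply_egress_policy "udp:53@$RESOLVER" "$@"; save_rules ;;
    *) echo "usage: $0 [dry-run|apply] [proto:port[@dst] ...]" >&2 ;;
esac
```

For the exercise, tcp:80 and tcp:443 are what yum needs to reach its mirrors, and udp:53 to your resolver is what everything else needs first; if a site you are testing against stops loading, the rate-limited IPT-OUTPUT-DROP lines in /var/log/messages tell you which port to add next.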
This entry was posted in Academics, Information Technology.