A firewall is a vital component in protecting an individual computer system or network of computers from external attacks (typically from an internet connection). Any computer connected directly to an internet connection should ideally run a firewall to protect against malicious activity. Similarly, any internal network must have some form of firewall between it and an external internet connection.
CentOS Stream 9 is supplied with powerful firewall technology known as iptables built-in. Entire books can, and indeed have, been written about configuring iptables. If you would like to learn about iptables, we recommend the following:
https://www.linuxtopia.org/Linux_Firewall_iptables/index.html
This chapter will cover some basic concepts of firewalls, TCP/IP ports, and services. In addition, firewall configuration on CentOS 9 will be covered in the chapter entitled CentOS Stream 9 Firewall Configuration with firewalld.
Understanding Ports and Services
The predominant network communications protocol in use these days is TCP/IP. It is the protocol used by the internet and, as such, has swept away most of the formerly popular protocols used for local area networks (LANs).
You are reading a sample chapter from CentOS Stream 9 Essentials. Buy the full book now in eBook or Print format.
Full book includes 34 chapters and 290 pages.
TCP/IP defines a total of 65,535 ports, of which 1023 are considered well-known ports. It is essential to understand that these are not physical ports into which network cables are connected but rather virtual ports on each network connection which can be used by applications and services to communicate over a TCP/IP network connection. In reality, the number of ports used by popular network clients and services comprises an even smaller subset of the well-known group of ports.
An operating system can provide several different TCP/IP services. A comprehensive list of such services is provided in the table at the end of this chapter. Still, such services include HTTPS for running a secure web server, FTP for allowing file transfers, SSH for providing secure remote login access and file transfer, and SMTP for transporting email messages. Each service is, in turn, assigned to a standard TCP/IP port. So, for example, HTTPS is assigned to port 443, while SSH communication occurs on port 22.
Securing Ports and Services
A large part of securing servers involves defining roles and, based on the roles, defining which services and ports should be enabled. For example, a server that acts solely as a web server should only run the HTTPS service (in addition to perhaps SSH for remote administration access). All other services should be disabled and, ideally, removed entirely from the operating system (thereby making it harder for an intruder to re-enable the service).
Securing a system involves removing any unnecessary services from the operating system and ensuring that the ports associated with the non-essential services are blocked using a firewall. The rules that define which ports are accessible and under what circumstances are determined using iptables.
Many operating systems ship with several services installed and activated by default. Before installing a new operating system, the installation must be carefully planned. This planning involves deciding which services are not required and identifying which services are installed and enabled by default. Deployment of new operating system installations should never be rushed. The fewer services and open ports available on a system, the smaller the attack surface and the fewer opportunities for attackers.
CentOS Stream 9 Services and iptables Rules
By default, a newly installed system has no iptables rules defined to restrict access to ports. The following command may be executed in a terminal window to view the current iptables settings:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
As illustrated in the above output, no rules are currently defined. While this may appear to be an unsafe configuration, it is essential to remember that a newly installed CentOS 9 system also has few services running by default, making the ports useless to a potential attacker. For example, accessing a web server on a newly installed CentOS 9 system is impossible because no web server services are installed or running by default. Once services begin to be activated on the system, it will be essential to establish a firewall strategy by defining iptables rules.
Several methods are available to define iptables rules, including command line tools and configuration files. For example, to block access to port 25 (used by the SMTP mail transfer protocol) from IP address 192.168.2.76, the following command could be issued in a terminal window:
# iptables -A INPUT -s 192.168.2.76 -p tcp --destination-port 25 -j DROP
If we now list the rules again, the new rule appears in the INPUT chain:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  192.168.2.76         anywhere             tcp dpt:smtp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
The rule may subsequently be removed as follows:
# iptables -D INPUT -s 192.168.2.76 -p tcp --destination-port 25 -j DROP
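The following script is an added example, not code from the book: it turns the role-based approach described above into an iptables INPUT chain for a host that acts solely as a web server (HTTPS on port 443) with SSH (port 22) kept for administration. The helper names (role_rules, accept_rule_count) and the IPT dry-run variable are assumptions of this example; by default the commands are only printed, and they are applied only when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example (not from the book): role-based INPUT chain for a web server.
# Dry run by default: IPT expands to "echo iptables", so the rules are printed.
# To apply them as root:  IPT=iptables sh firewall-webserver.sh
IPT="${IPT:-echo iptables}"   # assumption: print unless IPT is overridden

# Emit the rule set for one role; $1 is the space-separated list of TCP ports
# the role is allowed to expose (e.g. "22 443" for SSH plus HTTPS).
role_rules() {
    ports="$1"
    $IPT -F INPUT                       # start from an empty INPUT chain
    $IPT -P INPUT DROP                  # default policy: drop unless a rule accepts
    $IPT -A INPUT -i lo -j ACCEPT       # local processes may talk to themselves
    # replies to connections this host opened itself (dnf, DNS lookups, ...)
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # one ACCEPT rule per port the role needs; everything else stays closed
    for p in $ports; do
        $IPT -A INPUT -p tcp --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
    # log (rate limited) before dropping, so probes against closed ports are visible
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    $IPT -A INPUT -j DROP
}

# Number of per-port ACCEPT rules a role produces; a quick check that the
# generated chain opens exactly the ports the role definition lists.
accept_rule_count() {
    role_rules "$1" | grep -c -- '--dport'
}

# Web server role: SSH for administration, HTTPS for the service itself.
role_rules "22 443"
```

Rules added this way live only in the running kernel and are lost at reboot; on CentOS Stream 9 the rule set is normally managed by firewalld (next chapter), which should not be running at the same time as hand-written iptables rules.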
Given the complexity of iptables, it is unsurprising that several user-friendly configuration tools have been created to ease the rule-creation process. One such tool is the firewall-cmd command-line tool, which will be covered in the chapter CentOS Stream 9 Firewall Configuration with firewalld.
Well-Known Ports and Services
Before moving on to cover more complex firewall rules, it is first worth taking time to outline some of the critical services that can be provided by a CentOS 9 system, together with the corresponding port numbers:
Port | Assignment | Description
--- | --- | ---
20 | FTP | File Transfer Protocol (Data) – The File Transfer Protocol provides a mechanism for transferring files between network-connected computer systems. The transfer is typically performed using an FTP client; modern web browsers can also browse and download files on a remote FTP server. FTP uses TCP (rather than UDP) to transfer files, which is considered a highly reliable transport mechanism. However, FTP does not encrypt data and is not considered a secure file transfer protocol. Secure Copy Protocol (SCP) and Secure File Transfer Protocol (SFTP) are strongly recommended in place of FTP.
21 | FTP | File Transfer Protocol (Control) – Traditionally, FTP has two ports assigned (port 20 and port 21). Port 20 was initially considered the data transfer port, while port 21 was assigned to communicate control information. However, in modern implementations, port 20 is rarely used, with all communication taking place on port 21.
22 | SSH | Secure Shell – The Secure Shell provides a safe, encrypted, remote login session to a host over a TCP/IP network. The original mechanism for remote access was the Telnet protocol. However, because Telnet transmits data in plain text, its use is strongly discouraged in favor of the Secure Shell, which encrypts all communications, including login and password credentials. SSH also provides the mechanism by which files can be securely transferred using the Secure Copy Protocol (SCP) and is the basis for the Secure File Transfer Protocol (SFTP). SSH also replaces both the rsh and rlogin clients.
23 | Telnet | Telnet – Telnet is a terminal emulation protocol that allows a user to log into a remote system over a TCP/IP connection. The access is text-based: the user types into a command prompt on the remote host, and text displayed by the remote host is shown on the local Telnet client. Telnet encrypts neither the password nor the text communicated between the client and server. As such, the use of Telnet is strongly discouraged. Most modern systems will have port 23 closed and the Telnet service disabled to prevent its use. SSH should be used in place of Telnet.
25 | SMTP | Simple Mail Transfer Protocol – SMTP defines the mechanism by which email messages are sent from one network host to another. SMTP is a straightforward protocol requiring the mail service to always be available at the receiving host. Typically, the receiving host will store incoming messages in a spool for subsequent access by the recipient using the POP3 or IMAP protocols. SMTP uses the TCP transport protocol to ensure error-free message delivery.
53 | DNS | Domain Name Server – The service used by TCP/IP networks to translate host names and Fully Qualified Domain Names (FQDNs) to IP addresses.
69 | TFTP | Trivial File Transfer Protocol – TFTP is a stripped-down version of the File Transfer Protocol (FTP). It has a reduced command set and lacks authentication. The most significant feature of TFTP is that it uses UDP to transfer data. This results in high transfer speeds but, consequently, a lack of data reliability. TFTP is typically used in network-based booting for diskless workstations.
80 | HTTP | Hypertext Transfer Protocol – The non-secure protocol used by web browsers to retrieve pages from a web server. HTTP transfers data in clear text, so HTTPS (port 443, below) should be used wherever confidential information is exchanged.
110 | POP3 | Post Office Protocol – The POP3 protocol stores and retrieves incoming email messages from a server. In most corporate environments, incoming email is stored on an email server and then downloaded to an email client running on the user's desktop or laptop when the user checks email. However, POP3 downloads all new messages to the client and does not allow the user to choose which messages to download, view headers, or download only parts of messages. For this reason, the IMAP protocol is increasingly being used in place of POP3.
119 | NNTP | Network News Transfer Protocol – The protocol responsible for posting and retrieving messages to and from Usenet News Servers (i.e., newsgroups and discussion forums hosted on remote servers). NNTP operates at the Application layer of the OSI stack and uses TCP to ensure error-free message retrieval and transmission.
123 | NTP | Network Time Protocol – A protocol designed to synchronize computer clocks with an external time source. Using this protocol, an operating system or application can request the current time from a remote NTP server. The remote NTP server is usually based on the time provided by a nuclear clock. NTP is useful for ensuring that all systems in a network are set to the same, accurate time of day. This is of particular importance in security situations when, for example, the time a file was accessed or modified on a client or server is in question.
143 | IMAP4 | Internet Message Access Protocol, Version 4 – IMAP4 is an advanced and secure email retrieval protocol. IMAP is similar to POP3, allowing users to access email messages stored on an email server. However, IMAP includes many additional features, such as the ability to selectively download messages, view message headers, search messages, and download part of a message. In addition, IMAP4 uses authentication and fully supports Kerberos authentication.
161 | SNMP | Simple Network Management Protocol – Provides a mechanism whereby network administrators can collect information about network devices (such as hubs, bridges, routers, and switches). The SNMP protocol enables agents running on network devices to communicate their status to a central manager and, in turn, allows the manager to send new configuration parameters to the device agent. The agents can further be configured to notify the manager when certain events, known as traps, occur. SNMP uses UDP to send and receive data.
443 | HTTPS | Hypertext Transfer Protocol Secure – The standard HTTP (non-secure) protocol transfers data in clear text (i.e., with no encryption and visible to anyone who might intercept the traffic). While this is acceptable for most web browsing purposes, it poses a severe security risk when confidential information such as credit card details needs to be transmitted from the browser to the web server. HTTPS addresses this using the Secure Sockets Layer (SSL) to send encrypted data between the client and server.
2049 | NFS | Network File System – Originally developed by Sun Microsystems and subsequently widely adopted throughout the industry, NFS allows a file system on a remote system to be accessed over the network by another system as if the file system were on a local disk drive. NFS is widely used on UNIX- and Linux-based systems. Later versions of Microsoft Windows can also access NFS-shared file systems on UNIX- and Linux-based systems.
Summary
A newly installed CentOS Stream 9 system is generally considered secure due to the absence of services running on the system ports. However, once the system begins to be configured for use, it is essential to ensure that it is protected by implementing a firewall. When configuring firewalls, it is essential to understand the various ports and the corresponding services.
Several firewall options are available, the most basic being the command-line configuration of the iptables firewall interface. In addition, more intuitive and advanced options are available via firewalld, which will be covered in the next chapter.