OpenSUSE 42.3/Firewall en

Configuring the firewall

SuseFirewall2, configured via Yast, creates a multitude of obscure filter rules but does not allow closing specific ports for outgoing connections. OpenSim has to be classified as insecure at its current state of development: implementing functionality and fixing bugs currently have a higher priority than improving system security. It is therefore highly recommended to close all ports that are not strictly needed for limited accounts. This makes it harder to use your server for attacks on third-party systems, at least as long as the offender fails to gain root privileges.

Take the following three steps (as root) to configure the Linux kernel firewall manually:

1) Disable SuseFirewall2 in Yast ("Security and Users -> Firewall") so that it is no longer started at system boot. If you get an error about missing packages, the package SuSEfirewall2 is probably not installed yet; in that case there is of course nothing to disable.

2) Create the following bash script, accessible by root only (chmod 700), and place it e.g. in the /root directory.

#!/bin/bash

# name of the network interface given by the provider
interface="venet0"

#### IPv6 configuration block ####

# delete all old rules
ip6tables -F

# close all ports
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

#### IPv4 configuration block ####

# delete all old rules
iptables -F

# close all ports
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# special signals to manage IPv4 communication
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

# allow local data traffic, necessary for the operating system!
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# allow answering on already existing connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

# allow incoming SSH, optionally change port number (for remote maintenance)
iptables -A INPUT -i ${interface} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

# allow outgoing DNS (for resolving domain names)
iptables -A OUTPUT -o ${interface} -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

# allow HTTP in and out (for software updates and the web server)
iptables -A INPUT -i ${interface} -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -o ${interface} -p tcp --dport 80 -j ACCEPT

# allow outgoing NTP (for synchronizing with world time; not needed on virtual servers, the host keeps the clock)
iptables -A OUTPUT -o ${interface} -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT

# Add further ports here as required (examples are SSH and DNS). Adjust:
# => direction: "INPUT -i" (inbound) or "OUTPUT -o" (outbound)
# => protocol: "udp" or "tcp"
# => port number

# central OpenSim services
iptables -A OUTPUT -o ${interface} -p tcp --dport 8002 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o ${interface} -p tcp --dport 8003 -m conntrack --ctstate NEW -j ACCEPT
# next 5 lines for Metropolis Grid only
iptables -A OUTPUT -o ${interface} -p tcp --dport 8000 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o ${interface} -p tcp --dport 8001 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o ${interface} -p tcp --dport 8004 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o ${interface} -p tcp --dport 8005 -m conntrack --ctstate NEW -j ACCEPT
iptables -A OUTPUT -o ${interface} -p tcp --dport 8006 -m conntrack --ctstate NEW -j ACCEPT
# own server
iptables -A INPUT -i ${interface} -p tcp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT
# own regions
iptables -A INPUT -i ${interface} -p udp --dport 9001 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i ${interface} -p udp --dport 9002 -m conntrack --ctstate NEW -j ACCEPT
# accept all external regions, also Hypergrid
iptables -A OUTPUT -o ${interface} -p tcp --dport 9000:65535 -m conntrack --ctstate NEW -j ACCEPT

3) Have this script invoked from the auto boot routine (the call is already included there).

Caution: If after a reboot neither SuseFirewall2 nor your manually configured script is active, your server runs without any protection. Hence it is highly recommended to have no services running that can be accessed from the Internet (apart from SSH). Also do not forget to test the firewall!

Hint: Make an up-to-date backup before working on the firewall configuration. Start and test the firewall manually before adding it to the system startup scripts; a misconfigured firewall can lock you out of your server!
Most server hosting companies, however, offer a web-based management system from which you can boot a rescue system and mount your root file system to correct the settings. Check with your provider whether they offer such support.
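A check for the "test the firewall" step, added here as an example and not part of the original page: it audits the filter table as printed by iptables-save and fails if any default policy is not DROP or if the set of incoming ports differs from the one intended by the script above. The embedded dump is constructed, not captured from a real host; the helper names and expected port lists are this example's own.

```shell
#!/bin/sh
# Audit an iptables-save dump of the filter table against the intended policy.
# On the server (as root): audit_ruleset "$(iptables-save -t filter)" "22 80 9000" "9001 9002"

# Constructed sample dump in iptables-save format (not captured from a real host).
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i venet0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i venet0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i venet0 -p tcp -m tcp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i venet0 -p udp -m udp --dport 9001 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i venet0 -p udp -m udp --dport 9002 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o venet0 -p tcp -m tcp --dport 9000:65535 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# Print the default policy (DROP/ACCEPT) of chain $1, reading the dump from stdin.
chain_policy() {
    sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}

# Print the sorted, space-separated --dport values accepted in chain $1 for protocol $2.
open_ports() {
    grep "^-A $1 .* -p $2 .* -j ACCEPT\$" |
        sed -n 's/.*--dport \([0-9:]*\).*/\1/p' | sort -n | tr '\n' ' ' | sed 's/ *$//'
}

# Return 0 only if every policy is DROP and the inbound tcp/udp port sets match exactly.
audit_ruleset() {
    dump=$1; expected_tcp=$2; expected_udp=$3; status=0
    for chain in INPUT OUTPUT FORWARD; do
        pol=$(printf '%s\n' "$dump" | chain_policy "$chain")
        [ "$pol" = "DROP" ] || { echo "FAIL: $chain policy is '${pol:-missing}', expected DROP"; status=1; }
    done
    tcp=$(printf '%s\n' "$dump" | open_ports INPUT tcp)
    udp=$(printf '%s\n' "$dump" | open_ports INPUT udp)
    [ "$tcp" = "$expected_tcp" ] || { echo "FAIL: inbound tcp ports '$tcp', expected '$expected_tcp'"; status=1; }
    [ "$udp" = "$expected_udp" ] || { echo "FAIL: inbound udp ports '$udp', expected '$expected_udp'"; status=1; }
    return $status
}

# Demo on the constructed dump: the ports opened by the script above for SSH, HTTP and OpenSim.
audit_ruleset "$SAMPLE_DUMP" "22 80 9000" "9001 9002" && echo "ruleset matches the intended policy"
```

The same audit applies to the IPv6 block with the output of ip6tables-save. Run it after starting the script manually and before adding it to the system startup.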

Optional: Open firewall for IPv6

OpenSim still runs exclusively over IPv4, but the optional web server can already be reached over IPv6 if the hosting provider has already allocated such addresses to the server. Do not forget to activate the commented-out IPv6 line in the web server configuration.

At the end of the "IPv6 configuration block" add the following lines in the bash script:

# special signals to manage IPv6 communication
ip6tables -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
# packet-too-big must not be dropped: IPv6 has no fragmentation by routers and relies on it for path MTU discovery (RFC 4890)
ip6tables -A INPUT -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
# neighbour discovery from the local link only (hop limit 255 cannot be forged from further away)
ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -m hl --hl-eq 255 -j ACCEPT
ip6tables -A INPUT -p icmpv6 --icmpv6-type redirect -m hl --hl-eq 255 -j ACCEPT
ip6tables -A OUTPUT -p icmpv6 -j ACCEPT

# allow answering on already existing connections
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

# allow HTTP in (for web server)
ip6tables -A INPUT -i ${interface} -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT

# allow incoming SSH, optionally change port number (for remote maintenance)
ip6tables -A INPUT -i ${interface} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

Continued: Setup auto boot