
Basic Security and Firewalls

An administrator installing a Scalix server in a production environment must consider a few questions before setting up the system:

  • Is the server accessible from the Internet?
  • Is the server accessible to untrusted users?
  • Who must access Scalix? Who must access administration?
  • Who must be prevented from gaining access?
  • Which services must be accessible from where?

Though this may sound theoretical, such questions always play an important role when you are planning any production server. In most cases, there are only three different setups for a groupware server:

  • There are only local users in the company’s network and the server is located in the company.
  • There are local users and remote users connecting to the Scalix server located in the company.
  • There are both local and remote users connecting to the Scalix server located on the Internet.

While the installation leaves a perfectly configured system that is stable, there are several possible precautions that should be taken when your Scalix server is accessible from the Internet — the access should be controlled by a firewall, connections should be encrypted, and users must be forced to use strong authentication mechanisms. As always, there are several ways to achieve this.

Before we start, here is a list of the services that have to be available to Scalix users accessing the server remotely:

  • SSH: TCP port 22, remote administration by the admin.
  • SMTP: TCP port 25, sending mail.
  • IMAP: TCP port 143, retrieving mail with the IMAP protocol.
  • POP: TCP port 110, retrieving mail with the POP protocol.
  • HTTP: TCP port 80, accessing the Web interface.
  • Scalix UAL: port 5287.
  • Secure UAL (as of Scalix 11.3): port 5767.

Linux Firewall Terminology

Basically speaking, a firewall is a piece of software that controls Internet connections to and from a server. SUSE’s Linux systems come with a built-in firewall named SUSEfirewall that can easily be configured with YaST. On Red Hat Linux systems, there are Bastille and firewall GUIs like Shorewall, all of which are good choices for any Linux system. All common Linux firewalls are based on iptables or its predecessor ipchains. The concept is pretty simple: the administrator defines a chain of rules that the operating system works through one after another for every incoming or outgoing connection or packet. So-called targets define what to do with packets matching the specified rule. Targets may be, for example, Accept, Reject, Drop or Log. Furthermore, there are policies that define the default behavior for connections where no rule matches. The Linux program iptables controls these rules. A brief look at this tool helps in understanding how a Linux firewall works.

iptables: the Standard Linux Firewall Tool

iptables (http://www.netfilter.org) is a simple command-line tool that controls the kernel’s IP tables. These tables store the rules that define how network packets are treated on the system. As always, simple commands offer the best solutions when they are combined with an abundance of options. There is a vast number of options and extensions for iptables, so this short description is far from perfect and far from complete.

The iptables syntax is very simple:

iptables <rule command> <chain> <matching extensions> <target>

A typical rule command is -A, which appends the following rule to a chain. Since iptables uses different chains (by default INPUT, FORWARD and OUTPUT), we must declare the chain to which the rule is to be added. The following table shows three examples:

iptables command and its function:

iptables -A INPUT <rule>
    Appends a rule to the INPUT chain, which affects all incoming packets headed for the firewall itself.

iptables -A OUTPUT <rule>
    Appends a rule to the OUTPUT chain, which affects all outgoing packets originating from the firewall.

iptables -A FORWARD <rule>
    Appends a rule to the FORWARD chain, which affects all packets that the firewall is supposed to forward.

Another typical command is -P, which sets the default policy for a chain. This should always be set to DROP, because then all packets arriving in this chain are dropped unless another rule explicitly specifies otherwise. This is the only way to make sure that only the traffic we allow is handled and any unspecified traffic is dropped.

A typical example of this is:

scalixbook:~ # iptables -P FORWARD DROP
scalixbook:~ #

This would prevent your system from forwarding any traffic unless specified otherwise later on.

Then there are iptables’ targets. A target can be DROP, REJECT or ACCEPT (among others) and is selected with the -j switch. Furthermore, the so-called “matching extensions” act as a filter specifying exactly which packets a rule applies to.

Thus a rule like iptables -A INPUT <matching extension> -j DROP means: drop every packet that is headed for my firewall and matches the <matching extension>.

Matching extension and its meaning:

-i <interface>
    The incoming interface of the datagram

-o <interface>
    The outgoing interface of the datagram

-p <protocol>
    The IP protocol of the datagram

--dport <destination port>
    The destination port of the datagram

--sport <source port>
    The source port of the datagram

-s <source IP>
    The source IP of the sender

-d <destination IP>
    The destination IP of the recipient

There are many other matching extensions, but these should be sufficient to understand the basics of iptables. Have a look at these lines:

#!/bin/bash
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 143 -j ACCEPT
(...)

Do you already understand them? If you do, congratulations; if not, don’t worry, it’s easy. These lines form a shell script that starts a very simple example firewall. Since iptables is a command-line tool, it is simply called from a script with parameters such as the following:

Command and its meaning:

iptables -P INPUT DROP
    Drop all incoming packets that are not specified by any other rule

iptables -P OUTPUT DROP
    Drop all outgoing packets that are not specified by any other rule

iptables -P FORWARD DROP
    Do not forward any packets that are not specified by any other rule

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
    Accept TCP connections to port 22 (SSH) coming in on network interface eth0

iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
    Accept TCP connections to port 25 (SMTP) coming in on network interface eth0

iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
    Accept TCP connections to port 143 (IMAP) coming in on network interface eth0

iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
    Accept outgoing TCP packets with source port 22 (SSH replies) going out on network interface eth0

iptables -A OUTPUT -o eth0 -p tcp --dport 25 -j ACCEPT
    Accept outgoing TCP connections to destination port 25 (SMTP) going out on network interface eth0

iptables -A OUTPUT -o eth0 -p tcp --dport 143 -j ACCEPT
    Accept outgoing TCP connections to destination port 143 (IMAP) going out on network interface eth0
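To make the first-match chain model concrete, here is an added example (not code from the page, Scalix or the netfilter project): a small Python simulator of the -P/-A/-j semantics and the matching extensions described above, which loads the page's script as input and evaluates sample packets against it. The function names `run` and `verdict` and the packet dictionaries are this example's own constructions.

```python
# Added example (not from the page or iptables): a tiny simulator of the
# first-match chain semantics described above. It models -P, -A, the
# matching extensions from the table, and evaluates the page's script.
import shlex

CHAINS = {c: {"policy": "ACCEPT", "rules": []} for c in ("INPUT", "OUTPUT", "FORWARD")}
# iptables option -> packet field, mirroring the matching-extension table
MATCH_OPTS = {"-i": "in_if", "-o": "out_if", "-p": "proto", "--dport": "dport",
              "--sport": "sport", "-s": "src", "-d": "dst"}

def run(line, chains=CHAINS):
    """Apply one 'iptables ...' command: -P sets a policy, -A appends a rule."""
    argv = shlex.split(line)
    if argv[1] == "-P":
        chains[argv[2]]["policy"] = argv[3]
        return
    match, target, i = {}, None, 3
    while i < len(argv):
        if argv[i] == "-j":
            target = argv[i + 1]
        else:
            match[MATCH_OPTS[argv[i]]] = argv[i + 1]
        i += 2
    chains[argv[2]]["rules"].append((match, target))

def verdict(chain, packet, chains=CHAINS):
    """The first rule whose every field matches wins; otherwise the policy."""
    for match, target in chains[chain]["rules"]:
        if all(str(packet.get(field)) == value for field, value in match.items()):
            return target
    return chains[chain]["policy"]

# The page's example script, loaded as constructed input
SCRIPT = """iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 143 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 143 -j ACCEPT"""
for cmd in SCRIPT.splitlines():
    run(cmd)

# A client's IMAP request reaches the server, but the server's reply
# (source port 143) matches no OUTPUT rule and falls to the DROP policy.
IMAP_IN = verdict("INPUT", {"in_if": "eth0", "proto": "tcp", "dport": 143})      # ACCEPT
IMAP_REPLY = verdict("OUTPUT", {"out_if": "eth0", "proto": "tcp", "sport": 143})  # DROP
```

The simulation shows the check a practitioner should make on such a script: with the OUTPUT policy at DROP, replies from the SMTP and IMAP services need their own --sport rules (or connection tracking) or the accepted inbound connections never get an answer.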
