Linode cloud firewall: Do you need it to protect the Linux server?

Linode is one of the original cloud platforms, founded before AWS. Back then, we used to call such offerings a VPS (Virtual Private Server). Recently they added a new firewall feature that controls network access to my Linode server from the cloud. Let us test drive the Linode cloud firewall.

iptables, ufw, firewalld for the Linux server?

Many developers, new Linux sysadmins, and users find iptables syntax difficult. Many end up setting up the wrong firewall policies, which gives them a false sense of security. Hence, one can use a cloud firewall to protect the server. We also call it Firewall-as-a-Service (FWaaS): we are outsourcing the job of filtering IP packets to the Linode firewall. Of course, we can combine both the cloud firewall and iptables. In some cases, you are still going to need iptables. For instance, Linux containers and Docker-based apps need NAT rules to redirect traffic to the correct containers.

Test driving Linode cloud firewall

Adding a Linode firewall is simple. I logged into my Linode manager and chose Firewalls from the left menu. Click on “Add a firewall.” We can use the CLI option too:

Linode cloud firewall

Adding a new Linode firewall to protect my Alpine Linux box

The Linode firewall set up sensible inbound rules that allow DNS and SSH traffic by default. No outbound rule is set up, so all traffic leaving my Linux server is allowed by default:

Linode Cloud Firewalls Inbound and Outbound Rules

Default Inbound/Outbound Firewall rules

Since I will host a website, I need to open TCP ports 443 (HTTPS) and 80 (HTTP). You can open any port and restrict access to a specific IP address or allow everyone to reach the website:

Allow HTTP and HTTPS connections using Linode firewall

Opening HTTP and HTTPS ports

Let us restrict SSH traffic to the OpenVPN or WireGuard CIDR 10.8.1.0/24 or to a public IP address such as 1.2.3.4:

SSH Linode firewall rules

By default, ping (ICMP echo) requests are blocked. Let us be good netizens and allow ICMP using a custom rule:

ping pong icmp

Allow incoming ping request

Linode outbound rules limit the outgoing network connections from a Linode service based on the port(s) and destinations we configure. By default, all outgoing requests from the server are allowed, but I decided to tighten up the IP security policy. In the end, here is how it looked:

Final firewall policy

However, I missed two features:

  1. Rate limiting for SSH or any other port. For instance, deny connections from an IP address that has attempted to initiate six or more connections in the last 30 seconds. That feature would be neat.
  2. I would also like to see a custom remark text box for custom rules. Say I need to find out why the UDP/1194 inbound rule was set up.

I hope they add these two small features; they would make the product even better.
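The deny-by-default policy built above can also be expressed on the host itself, which is what combining the cloud firewall with iptables means in practice, and iptables can supply the per-source rate limit missing from the wish list. The script below is an added example, not the article's own or Linode's code: it emits a ruleset in iptables-restore format (so it can be reviewed before loading) using the article's addresses (10.8.1.0/24 and 1.2.3.4) and the six-connections-in-30-seconds threshold from the wish list. The variable names, the use of the iptables `recent` module, and the loopback/conntrack housekeeping rules are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article or Linode: a host iptables policy that
# mirrors the cloud firewall rules built above and adds the per-source SSH
# rate limit the author wished for. The ruleset is printed in
# iptables-restore format so it can be reviewed before it is loaded.
# Addresses come from the article; the variable names and thresholds are
# assumptions (6 new SSH connections within 30 s from one source -> DROP).

VPN_NET="10.8.1.0/24"      # OpenVPN/WireGuard range allowed to reach SSH
ADMIN_IP="1.2.3.4"         # public admin address allowed to reach SSH
SSH_LIMIT_HITS=6           # drop a source once it made this many new SSH
SSH_LIMIT_SECONDS=30       # connections within this many seconds

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, replies to our own connections, and nothing malformed
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP echo (ping), the article's custom rule
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# HTTP and HTTPS from anywhere, for the website
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# SSH only from the VPN range and the admin IP, rate limited per source:
# 'recent --set' records each new connection; 'recent --update' drops the
# source once it reached SSH_LIMIT_HITS attempts in SSH_LIMIT_SECONDS seconds.
EOF
    for src in "$VPN_NET" "$ADMIN_IP"; do
        cat <<EOF
-A INPUT -p tcp --dport 22 -s $src -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -s $src -m conntrack --ctstate NEW -m recent --name ssh --update --seconds $SSH_LIMIT_SECONDS --hitcount $SSH_LIMIT_HITS -j DROP
-A INPUT -p tcp --dport 22 -s $src -m conntrack --ctstate NEW -j ACCEPT
EOF
    done
    echo "COMMIT"
}

# Print the ruleset; load it with:  gen_rules | sudo iptables-restore
gen_rules
```

Review the output first; `gen_rules | sudo iptables-restore --test` parses it without committing, and `gen_rules | sudo iptables-restore` loads it. Any source outside the two SSH entries falls through to the INPUT DROP policy, matching the cloud rule. The ruleset covers IPv4 only (ip6tables needs its own copy), and Docker manages its own FORWARD and nat chains, so keep its rules separate from this file rather than replacing them.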

How to validate IP policy set by Linode cloud firewall

Use the nmap command from your Linux or macOS/BSD desktop:
sudo nmap your-linode-ip-here
Sample outputs:

Nmap scan report for li2xyz-abc.members.linode.com (172.10z.xxx.yyy)
Host is up (0.016s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp closed http
443/tcp closed https
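Reading the scan above correctly is the whole point of the check: nmap reports a port as "filtered" when no reply came back (the firewall dropped the probe), "closed" when the host answered with a RST (the probe got through but nothing listens there yet, as for 80 and 443 here before a web server is installed), and "open" when a service answered. So "reachable" means open or closed, and the 998 filtered ports are the cloud firewall doing its job. The script below is an added example, not part of the article: it parses nmap's normal output and compares it with the ports you intended to expose, flagging anything reachable that should not be, anything expected that is blocked, and a scan whose unlisted ports are closed rather than filtered (a sign the policy is not deny-by-default). The sample scan is constructed to match the article's output shape and is not real scan data.

```shell
#!/bin/sh
# Added example, not from the article: check nmap normal output against the
# intended policy. "filtered" = dropped by the firewall, "closed" = reachable
# but no listener, "open" = reachable with a listener. The sample below is
# constructed from the article's output shape; it is not real scan data.

SAMPLE_SCAN='Nmap scan report for li2xyz-abc.members.linode.com (172.10z.xxx.yyy)
Host is up (0.016s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
80/tcp closed http
443/tcp closed https'

# check_policy "80/tcp 443/tcp" < nmap_output
# Returns 0 when exactly the listed ports are reachable and every other port
# is filtered; prints each deviation and returns 1 otherwise.
check_policy() {
    awk -v expected="$1" '
        BEGIN { bad = 0; hidden = ""
                n = split(expected, e, " "); for (i = 1; i <= n; i++) want[e[i]] = 1 }
        /^Not shown:/ { hidden = $4 }                # state of the ports nmap summarised away
        /^[0-9]+\/(tcp|udp) / { state[$1] = $2 }     # e.g. "80/tcp closed http"
        END {
            if (hidden == "closed" || hidden == "open") {
                print "Unlisted ports are " hidden ": firewall is not deny-by-default"; bad = 1
            }
            for (p in state)
                if (state[p] != "filtered" && !(p in want)) {
                    print "UNEXPECTED reachable: " p " (" state[p] ")"; bad = 1
                }
            for (p in want) {
                s = (p in state) ? state[p] : hidden
                if (s == "filtered" || s == "") {
                    print "EXPECTED but blocked: " p; bad = 1
                }
            }
            exit bad
        }'
}

# Demo on the constructed sample: only HTTP/HTTPS are meant to be reachable
printf '%s\n' "$SAMPLE_SCAN" | check_policy "80/tcp 443/tcp" && echo "policy matches scan"
```

Feed it a real scan with `sudo nmap your-linode-ip-here | check_policy "80/tcp 443/tcp"`. The default scan covers nmap's top 1000 TCP ports; `nmap -p-` scans all 65535 if you want the full picture. Run it from an address outside the SSH allow-list, where 22/tcp must stay filtered, and again from the VPN range, where the expected list becomes `"80/tcp 443/tcp 22/tcp"`.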

Summing up

Overall, I found the user interface easy to use and well suited to new Linux developers or sysadmins. An outsourced cloud firewall takes the guesswork out of setting up a valid IP policy. I have always preferred the deny-by-default approach: close everything and open only the required TCP/UDP ports. Security is like an onion to me. You need different layers to protect your websites or apps. Hence, apart from the Linode cloud firewall, we need to install a WAF (web application firewall) like ModSecurity for Nginx or Apache. For DoS/DDoS attacks and bot control, you need a distributed cloud firewall such as those provided by Cloudflare, Fastly, AWS and others. Don’t forget to check out the Linode firewall documentation, as it gives more information.

Disclaimer: Linode has been a nixCraft corporate sponsor since 2017. I write this review as a happy user, and I recommend them to all my clients and blog visitors.

Posted by Contributor