Lunarpages Web Hosting Forum

Author: abhilash
Knowing the Linux firewall (IPTables)
« on: May 06, 2005, 11:19:45 AM »
Firewall
=======

A firewall is a structure intended to keep a fire from spreading. In cyberspace, a firewall protects the system from attackers (at least some of them) when properly configured and maintained. A firewall can be compared to the front door of your home, in every sense.
 
A firewall has two principal roles: prevention and detection.
 
Here we choose IPTables as the firewall product to implement these technologies. Recent Linux releases (2.4 and 2.6 kernels) include the iptables facility. IPTables supports stateful as well as stateless packet filtering and logging, two of its most extensively used features.
 
I will try to discuss the very basics of manually configuring the firewall using iptables. Implementing a proper firewall requires a proper understanding of the TCP/IP architecture and of connection states.
 
Basic commands
===============

 
Caution: before trying any of the commands,
 
1. Know that the order of the rules is important; the first rule has top priority.
2. Open up two terminals / SSH sessions.
3. Read the tutorial completely before the hands-on.
4. If you are a newbie to Linux, please install APF (http://www.lunarforums.com/viewtopic.php?t=26214); this tutorial is meant to help you understand the APF rulesets.

Structure
=========

 
Code:
iptables [-t table] -ARDI CHAIN rule-specification -j TARGET [target option]
-t table --> table can be one of filter (default), nat and mangle
-A Append ; -R Replace ; -D Delete ; -I Insert (mutually exclusive options)
-j TARGET --> TARGET can be ACCEPT, DROP, REJECT or RETURN (many others exist)
 
Useful Examples
==============

 
1. Blocking Access
================

 
Mentioning DROP as the target just silently ignores the packet, while REJECT sends a message back saying that the server isn't accepting connections from the sender. I prefer DROP over REJECT, though I use REJECT when specifying rules in the OUTPUT chain, like the third example.
 
Code:
iptables -I INPUT -s 192.168.0.1 -j DROP
The above command will ignore every packet coming from 192.168.0.1.
 
Code:
iptables -I INPUT -s 192.168.0.1 -d 192.168.0.3 -p tcp --dport 22 -j DROP
This will deny SSH access for 192.168.0.1 to the IP 192.168.0.3 (which can be one of your subinterface IPs).
 
Code:
iptables -I OUTPUT -p tcp --dport 6660:6670 -j REJECT
On execution of the above command, the server will reject outgoing connections from the server to ports in the range 6660-6670 (common IRC server ports), giving the reason "Connection refused". You can change the reason using the --reject-with option.
 
Code:
iptables -I INPUT -s ! 192.168.0.2 -p tcp --dport 22 -j DROP
OR
 
Code:
iptables -I INPUT -s ! 192.168.0.2 -p tcp --dport ssh -j DROP
This will deny SSH access for everyone except 192.168.0.2. If 192.168.0.2 is your IP, the server will allow only you to SSH to the server.
 
 
2. Allowing access
==================

 
Code:
iptables -I INPUT -s ! 192.168.0.0/24 -p tcp --dport 80 -j ACCEPT
This will allow complete access to the website, except for the hosts in the range 192.168.0.1 to 192.168.0.254.
 
3. Listing the rulesets
====================

 
Code:
iptables -L
List all chains of the filter table (the default table).
 
Code:
iptables -L INPUT
List the INPUT chain and its rules.
 
Code:
iptables -nL --line-numbers
List the rules in numeric format (won't resolve IP addresses to hostnames) and display the rule order.
 
4. Deleting specific rules
======================

 
Start by listing the currently loaded rules with the --line-numbers option, then delete the rule with the command below,
 
Code:
iptables -D INPUT line-number
The above command deletes the rule at the given line number from the INPUT chain.
 
Also, you can delete rules in another fashion:
 
Code:
iptables -A INPUT -s ! 192.168.0.2 -p tcp --dport ssh -j DROP
You know what the above command does, and you can delete the rule by executing the command below:
 
Code:
iptables -D INPUT -s ! 192.168.0.2 -p tcp --dport ssh -j DROP
5. Deleting all the rules
====================

 
Code:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F INPUT
iptables -F

Why do you need to execute five commands to delete all rules? Well, the last command alone is enough, but it is worth mentioning what the -P option is all about. -P defines the default policy of a chain. The policy decides the fate of a packet when it reaches the end of the chain without matching any rule. Most firewalls use DROP as the default policy, which means that if you just execute iptables -F in such a firewall configuration it will delete the chain rulesets, but the server won't accept any new packets.
 
Instead of setting the default policy to DROP, I recommend adding a final rule like

Code:
# 0.0.0.0/0 matches any address; a bare 0.0.0.0 (implicitly /32) would match only that single address
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j DROP
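
To put the pieces of sections 1, 2 and 5 together, here is an added example (my own script, not part of the original post) that builds an ordered INPUT chain: it keeps the ACCEPT policy, lets established traffic through first so your current SSH session survives, restricts new SSH to the admin host 192.168.0.2 from the post, opens HTTP, and ends with the explicit catch-all DROP. The run helper, the DRY_RUN and ADMIN_IP variables and the "apply" argument are assumptions of this example; it uses the extrapositioned "! -s" negation that current iptables versions prefer over "-s !".

```shell
#!/bin/sh
# Added example, not from the original post: an ordered INPUT ruleset built from
# the tutorial's pieces.  DRY_RUN=1 prints the iptables commands instead of
# running them (run, DRY_RUN and ADMIN_IP are assumptions of this example).
ADMIN_IP="${ADMIN_IP:-192.168.0.2}"   # the only host allowed to open SSH sessions

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_input_rules() {
    # Keep ACCEPT as the policy, so a later "iptables -F" can never lock you out.
    run iptables -P INPUT ACCEPT
    run iptables -F INPUT
    # Order matters: the first matching rule wins.  Loopback and already
    # established connections go first, which keeps your current SSH session alive.
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New SSH only from the admin host; "! -s" is the current form of "-s !".
    run iptables -A INPUT -p tcp --dport 22 -s "$ADMIN_IP" -m state --state NEW -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 ! -s "$ADMIN_IP" -j DROP
    # The web site is open to everyone.
    run iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Explicit catch-all instead of a DROP policy; 0.0.0.0/0 means "any address".
    run iptables -A INPUT -s 0.0.0.0/0 -j DROP
}

# Number of rules the script appends; lets you verify the dry run before applying.
count_rules() { ( DRY_RUN=1; apply_input_rules ) | grep -c ' -A INPUT '; }

# Only act when explicitly asked: "sh firewall.sh apply" (as root) loads the rules.
case "${1:-}" in apply) apply_input_rules ;; esac
```

Saved as, say, firewall.sh, `DRY_RUN=1 sh firewall.sh apply` shows the commands for review from your second terminal before `sh firewall.sh apply` loads them as root.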
6. Limiting the packet flow (a bit advanced)
=====================================


It may be worthwhile to also mention the limit module, which can be used to fight DoS. limit is a match extension implementing the very useful rate limiting of rule matches.
 
--limit defines the maximum number of rule matches per time frame, given as /second, /minute, /hour or /day (/s, /m, /h or /d).
 
--limit-burst defines the threshold; once the threshold is reached, the limit kicks in.
 
You can also use this module to mitigate various denial of service (DoS) attacks, choosing a faster rate where you need to keep the server responsive.
 
SYN flood protection:
 
Code:
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Port scanner in stealth mode:
 
Code:
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Ping of death:
 
Code:
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
SYN-FIN attack:
 
Code:
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
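
The limit rules above only ACCEPT the trickle that fits the rate; unless a later rule drops what exceeds it, the excess continues down the chain and, with an ACCEPT policy, still gets through. As an added example (my own, not from the post), this script builds a user-defined SYN_FLOOD chain that returns packets within the limit, logs a rate-limited sample of the rest so syslog cannot be flooded, and drops them; the chain name, the rate and burst values, the run helper with DRY_RUN and the "apply" argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: rate-limit new TCP connections with
# the limit module and actually DROP what exceeds the rate.  DRY_RUN=1 prints the
# commands; the chain name, rates and the run helper are assumptions of this example.
SYN_RATE="${SYN_RATE:-10/s}"    # average new connections allowed per second
SYN_BURST="${SYN_BURST:-20}"    # packets matched before the average rate kicks in

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_syn_limit() {
    # A user-defined chain keeps the logic in one place; -N fails harmlessly
    # if the chain already exists, and -F empties it for a clean reload.
    run iptables -N SYN_FLOOD 2>/dev/null || true
    run iptables -F SYN_FLOOD
    # Within the limit: leave the chain and let the rest of INPUT decide.
    run iptables -A SYN_FLOOD -m limit --limit "$SYN_RATE" --limit-burst "$SYN_BURST" -j RETURN
    # Beyond the limit: log a sample (LOG is itself limited so it cannot flood
    # syslog) and drop the packet.  Without this DROP the limit rule is a no-op.
    run iptables -A SYN_FLOOD -m limit --limit 5/m -j LOG --log-prefix "SYN_FLOOD: "
    run iptables -A SYN_FLOOD -j DROP
    # Send every SYN (new connection attempt) through the chain first.
    run iptables -I INPUT -p tcp --syn -j SYN_FLOOD
}

# Check that the chain ends in DROP; a limit chain that does not is only decoration.
chain_ends_in_drop() {
    ( DRY_RUN=1; apply_syn_limit ) | grep ' -A SYN_FLOOD ' | tail -n 1 | grep -q -- '-j DROP$'
}

# Only act when explicitly asked: "sh synlimit.sh apply" (as root) loads the chain.
case "${1:-}" in apply) apply_syn_limit ;; esac
```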
These were the very basics. I hope this documentation was not too confusing for you :-P Well, IPTables is fun to play with, especially its stateful packet filtering and logging properties. This is just about the filter table. NAT and mangle are other built-in tables, which I skipped :-D
 
7. Saving the rules
=================

 
You can save the rulesets you have defined by executing one of the commands below,
 
Code:
/etc/init.d/iptables save
# iptables-save only prints the rules to stdout, so redirect it to a file of your choice;
# load them again later with: iptables-restore < /path/to/rules-file
iptables-save > /path/to/rules-file

I hope these basic commands can help you understand the APF rulesets and also help you define your own rulesets.

« Last Edit: August 11, 2006, 11:32:37 AM by abhilash »
Abhilash

JSA Supervisor - System Admin Team