
IPTABLES

Posted by Pronco

LINUX FIREWALLS

IPTABLES

This is not a reference for IPTABLES in any way; it is just a start that I gathered from several other documents, with my humble knowledge and experience, and I hope it can get you started with firewall configuration. This document is far from complete and I'll be adding more as soon as I have the time.

General

Before we mention anything about firewalls I need to point out a critical point: “a firewall’s power lies within its configuration”, meaning that no matter how powerful the firewall application is, a weak configuration will weaken it. Also remember that security is not just a firewall. Think of a firewall as just a first line of defense: you still need to secure your applications and keep your system updated and patched against known exploits. Mainly a firewall is used to block or allow certain traffic based on the network's needs; it may block all incoming requests, or it may allow requests to go through to the mail server within the local network.

How is IPTABLES configured?

The IPTABLES configuration file (/etc/sysconfig/iptables on Red Hat-style systems; other distributions keep it elsewhere) consists of a set of rules, one rule per line. There are two ways of creating it: either edit the config file directly, or build the rules with the iptables command and save them. In this document I'll edit the file directly (no particular reason, just what I'm used to; both ways are good). IPTABLES has 3 tables:

How is a rule built?

A rule is a set of match criteria applied to the packets that reach the firewall machine in a certain chain, together with a target (the -j option in the examples below) that says what happens to a packet that matches. The match criteria define packet properties. I'll start by giving you the quick steps and some quick notes first, then

So how is a match built?

Generally the matches that can be defined are:

Examples

The filter table of /etc/sysconfig/iptables in the iptables-save format, one rule per line (lines starting with # are comments and are ignored when the file is loaded):

# Rules for the filter table; without :CHAIN lines the built-in chains keep their current policy.
*filter
# Traffic on the loopback interface is trusted.
-A INPUT -i lo -j ACCEPT
-A FORWARD -i lo -j ACCEPT
# All ICMP (ping, destination unreachable, ...).
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A FORWARD -p icmp --icmp-type any -j ACCEPT
# -p takes a protocol, here by IP protocol number, not a port: 50 is ESP and 51 is AH (IPsec).
-A INPUT -p 50 -j ACCEPT
-A FORWARD -p 50 -j ACCEPT
-A INPUT -p 51 -j ACCEPT
-A FORWARD -p 51 -j ACCEPT
# Replies to connections this host opened, and related traffic such as ICMP errors.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Everything not accepted above is rejected; these catch-all rules close the chains whatever the chain policy is.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# End of the table; iptables-restore applies the whole table at once.
COMMIT
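The same kind of ruleset built the other way the configuration section mentions, with the iptables command, as an added example that is not part of the original article. It follows the "mostly closed" pattern: the chain policy is DROP and rules only ACCEPT what is wanted. The SSH port, the admin network (an RFC 5737 documentation range) and the FIREWALL_APPLY and IPT variables are assumptions of the example; without FIREWALL_APPLY=1 the script prints the commands instead of running them, so it can be reviewed without root.

```sh
#!/bin/sh
# Added example, not from the article: build a "mostly closed" ruleset with the
# iptables command. Without FIREWALL_APPLY=1 every call is only printed (dry run)
# so the commands can be reviewed first; with FIREWALL_APPLY=1, run as root, they execute.
IPT=${IPT:-iptables}
SSH_PORT=${SSH_PORT:-22}               # assumption: SSH is the only service exposed
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}   # assumption: the admins' network (documentation range)

# Wrapper: run iptables, or just echo the command line in dry-run mode.
ipt() {
    if [ "${FIREWALL_APPLY:-0}" = 1 ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

build_firewall() {
    # Start from an empty filter table: flush all rules, delete user-defined chains.
    ipt -F
    ipt -X
    # Mostly closed: the chain policy drops anything no rule ACCEPTs.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # The loopback interface is trusted.
    ipt -A INPUT -i lo -j ACCEPT
    # Packets that belong to no tracked connection (stray ACKs, bogus state).
    ipt -A INPUT -m state --state INVALID -j DROP
    # Replies to connections this host opened, plus related traffic (ICMP errors, FTP data).
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Let the host be pinged, but accept no other unsolicited ICMP.
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # New SSH connections, and only from the admin network.
    ipt -A INPUT -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Log what the DROP policy is about to discard, rate limited so the log cannot be flooded.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
}

# Number of iptables invocations the ruleset needs (always computed in dry-run mode).
rule_count() {
    ( FIREWALL_APPLY=0; build_firewall ) | grep -c "^$IPT "
}

if [ "${FIREWALL_APPLY:-0}" = 1 ]; then
    build_firewall
fi
```

Review the dry-run output, then apply with FIREWALL_APPLY=1 sh firewall.sh as root. On a remote box, protect yourself against a lock-out first: save the working ruleset (iptables-save > /root/iptables.good) and, in a second shell, schedule a rollback such as ( sleep 120; iptables-restore < /root/iptables.good ) & that you kill once a fresh SSH login has succeeded. Check the result with iptables -L -n -v --line-numbers and persist it with iptables-save > /etc/sysconfig/iptables, which produces exactly the file format this document edits by hand.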

GUI frontend to IP tables:

Comments

Nice article, only one thing,

Nice article, only one thing: in Gentoo it's /var/lib/iptables/rules-save (configurable from /etc/conf.d/iptables)

*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# ICMP type 8 is echo-request (ping).
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# 113 is ident; rejecting instead of dropping makes IRC servers give up on the lookup at once.
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -p tcp -m tcp --dport 5154 -j ACCEPT
-A INPUT -p udp -m udp --dport 5154 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 60100:60200 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60100:60200 -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
COMMIT

^^^^ example from my file: drop all input, allow all forward/output, open some ports, reject 113 to make IRC connect faster and allow the computer to be pinged. peace

Comment by Pronco

GFCC

Comment by Ashraf

Nice Info. But this example doesn't make any sense..


> *filter
> -A INPUT -i lo -j ACCEPT
> -A FORWARD -i lo -j ACCEPT
> -A INPUT -p icmp --icmp-type any -j ACCEPT
> -A FORWARD -p icmp --icmp-type any -j ACCEPT
> -A INPUT -p 50 -j ACCEPT
> -A FORWARD -p 50 -j ACCEPT
> -A INPUT -p 51 -j ACCEPT
> -A FORWARD -p 51 -j ACCEPT
> -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
> -A FORWARD -j REJECT --reject-with icmp-host-prohibited
> COMMIT

First of all, thanks for your efforts.

Second, I think this reply is somewhat late, but I have just seen this ((article)). The theoretical information about iptables is good for any starter, but I don't understand the case of the example or the syntax of some rules within the iptables script.

To my knowledge, iptables, or any network security application, generally depends on 2 cases:

  • mostly opened system:

make the chain policies all ACCEPT and use DROP and REJECT as target specifications to reject unwanted traffic.

  • mostly closed system:

in this case, make the chain policies all DROP and use the ACCEPT target specification to allow the wanted traffic.

In the above example, the chain policies are ACCEPT and the rules' target specifications are ACCEPT too, so it doesn't make any sense to allow the same things twice.

Next, usually the FORWARD chain is used basically in case IP forwarding is enabled?! So what's the use for it in this example?

Finally, the use of -p with (port numbers, if these are port numbers) such as 50 or 51?! > quoted from article: (-p : to define a protocol which can be TCP, UDP or ICMP)

Ashraf A. Abd El-Aziem
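An added example, not from the article or the comment above, for checking which of the two cases a ruleset is actually in. It reads the iptables-save format that the config file holds and reports, for each built-in chain of the filter table, the policy, whether the chain ends in a catch-all DROP or REJECT (a chain with policy ACCEPT but a final unconditional REJECT, as in the article's example, behaves as a closed chain), and which destination ports its ACCEPT rules open. The sample ruleset is constructed for the example: the article's INPUT and FORWARD rules, shortened, with the policy lines that iptables-save writes assumed to be ACCEPT and one --dport 22 rule added to show the port listing.

```sh
#!/bin/sh
# Added example: audit a ruleset in iptables-save format (the format of
# /etc/sysconfig/iptables) and say whether each built-in filter chain is
# mostly open or mostly closed. On a live box: iptables-save | audit_chains

# Constructed sample: policies assumed ACCEPT, the --dport 22 rule added for illustration.
SAMPLE_RULES='# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Reads iptables-save output on stdin; prints one line per built-in chain:
#   <chain> closed|OPEN (<why>) [opens: <proto>/<port> ...]
audit_chains() {
    awk '
    /^#/  { next }                                  # iptables-save comment lines
    /^\*/ { table = substr($1, 2); next }           # *filter, *nat, ...
    table != "filter" { next }                      # only the filter table matters here
    /^:/  { c = substr($1, 2)                       # :CHAIN POLICY [pkts:bytes]
            if ($2 != "-") { policy[c] = $2; order[++n] = c }   # "-" means a user chain
            next }
    /^-A/ { c = $2; target = ""; proto = ""; dport = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
            }
            # A rule whose first option is -j has no match, so it catches every packet
            # that reaches it. Only the last rule of a chain counts, hence the overwrite.
            catchall[c] = ($3 == "-j" && (target == "DROP" || target == "REJECT")) ? target : ""
            if (target == "ACCEPT" && dport != "") open[c] = open[c] " " proto "/" dport
            next }
    END {
        for (k = 1; k <= n; k++) {
            c = order[k]
            if (policy[c] == "DROP" || policy[c] == "REJECT")
                why = "closed (policy " policy[c] ")"
            else if (catchall[c] != "")
                why = "closed (policy " policy[c] " but final " catchall[c] ")"
            else
                why = "OPEN (policy " policy[c] ", no catch-all)"
            printf "%s %s%s\n", c, why, (open[c] != "" ? (" opens:" open[c]) : "")
        }
    }'
}

# Run the audit over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_RULES" | audit_chains
}
```

On the sample this reports INPUT and FORWARD as closed because of their final REJECT, with INPUT opening tcp/22, and OUTPUT as OPEN because its policy is ACCEPT and nothing closes it. The script only looks at the filter table and at plain -A rules, so a chain that jumps to a user-defined chain with a DROP inside it is reported as open; read the full ruleset before trusting a result on a real box.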

Comment by Alaa

this is a wiki page

feel free to edit it and add or modify anything.

Alaa


"I'm feeling for the 2nd time like Alice in Wonderland reading el wafd"

Comment by Pronco

EasyTables


-I used to be indecisive .. but now I'm not so sure

Comment by Conceptor

this is a wiki.

feel free to edit it and add or modify anything.

Add a section for the front-end GUI.

Diaa Radwan

Comment by Pronco

GUI frontend to IP tables

GUI frontend to IP tables has been added.


-I used to be indecisive .. but now I'm not so sure

Shorewall is an excellent

Shorewall is an excellent example of a Linux firewall configuration utility, but I don't think a serious mention of Shorewall would be complete without a look at one "meta-Shorewall" application. The Shorewall Webmin module allows the administrator to configure the most useful capabilities of Shorewall from a web interface. While it does not support all of the most esoteric features of Shorewall, it does allow most standard configurations to be quickly and easily set up. More advanced features of Shorewall can still be set up by hand, and I would recommend keeping an ssh session open to the firewall machine when using the module. The module has a nasty habit of committing whatever changes you specified. It does a decent job of picking out errors, but sometimes something gets by that Shorewall will refuse to use. When you hit "restart shorewall" you may inadvertently shut the firewall down, meaning no new traffic gets from, to, or through the box. If you don't have an already open connection with ssh, you may have to log in at the console to fix it. I think this is a minor problem with the module, and every release of the module gets better at preventing you from shooting yourself in the foot. It is still better to use the module and get a little error checking than to hand-edit the files and get none. All in all, you will probably be a lot more productive using the module than you would be hand-editing all the config files, unless you spend some really quality time with Shorewall. I think most of us want it up quick and never want to deal with it again.




Dr. Radut | book