
Linux firewall – iptables 101a

By Dale Reagan | January 3, 2010

Part 101a: Where should you start with a Linux firewall?

Review your configuration (review ALL tables – save the short script below to the file /tmp/show.firewall; you must be ‘root’ or use ‘sudo’ to run it):

#!/bin/bash
# List every chain in each of the four iptables tables
# (-n: numeric output, no DNS or port-name lookups; -L: list; -t: table)
for TABLE in raw mangle nat filter
do
      printf "\t##### Table: ${TABLE} ####\n"
      iptables -nL -t ${TABLE}
      printf "\t#########################\n\n"
done

Execute the above and pipe to more:

bash /tmp/show.firewall | more

BEFORE you make any changes to your firewall, the first commands you need to review are:

  1. iptables-save (run the command to save your current rule set)
  2. iptables-restore (be ready to use this to ‘restore’ the rules saved above)
  3. apropos iptables (shows a list of commands related to iptables on your system)

Go ahead and BACKUP your current rules:

iptables-save -c > /tmp/fw.rules.base

If/when you are ready to restore the rules that you saved above use:

iptables-restore -c < /tmp/fw.rules.base

BTW – the current rules on Fedora 11 (Red Hat) Linux systems are stored in /etc/sysconfig/iptables*.

Start simple – use one of the GUI tools (Firewall Builder, FireStarter, Fedora Firewall)

Examine the rules that the GUI tools above create, i.e.:

  1. use the tool and make changes
  2. save the new rules (apply them)
  3. run the script again to see what has changed

Note that the GUI tools will typically WARN YOU that they will IGNORE your current rule sets – when you apply rules via the GUI you are typically replacing whatever rules you already have, as well as resetting your system boot-up default settings.
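The backup / change / compare loop above (save with iptables-save -c, change something in the GUI, look again) as an added example script, not the post’s own code: it snapshots the rule set before and after a change and diffs only the rules. The packet/byte counters that -c records and the timestamp comments differ on every run, so they are stripped before diffing; IPTABLES_SAVE and SNAPDIR are my assumed knobs.

```shell
#!/bin/bash
# Added example (not from the original post): snapshot the rule set before a change,
# snapshot it again afterwards, and diff only the rules. iptables-save -c records
# packet/byte counters and a timestamp comment, which differ on every run and would
# otherwise drown the real change. IPTABLES_SAVE and SNAPDIR are assumed knobs.
set -u
IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}   # may be "sudo iptables-save"
SNAPDIR=${SNAPDIR:-/tmp/fw.snapshots}

# snapshot NAME : write the live rules (with counters) to $SNAPDIR/NAME.rules, print the path
snapshot() {
  mkdir -p "$SNAPDIR"
  $IPTABLES_SAVE -c > "$SNAPDIR/$1.rules"      # unquoted on purpose, see above
  printf '%s\n' "$SNAPDIR/$1.rules"
}

# normalize FILE : drop "# Generated/Completed" comments and [pkts:bytes] counters,
# both at the start of rule lines and at the end of ":CHAIN POLICY [n:n]" lines
normalize() {
  sed -e '/^#/d' -e 's/^\[[0-9]*:[0-9]*\] //' -e 's/ \[[0-9]*:[0-9]*\]$//' "$1"
}

# rule_diff BEFORE AFTER : print rule lines removed (-) or added (+); exit 0 either way
rule_diff() {
  local a b
  a=$(mktemp); b=$(mktemp)
  normalize "$1" > "$a"; normalize "$2" > "$b"
  diff -u "$a" "$b" | grep -E '^[-+]' | grep -vE '^(\+\+\+|---) ' || true
  rm -f "$a" "$b"
}

# Typical use (needs root): "bash fw.snap before", change rules in the GUI, "bash fw.snap after",
# then: rule_diff /tmp/fw.snapshots/before.rules /tmp/fw.snapshots/after.rules
if [ "${1:-}" = "before" ] || [ "${1:-}" = "after" ]; then snapshot "$1"; fi
```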

Ok – so what does this TABLE info mean?

Each table has one or more chains which hold your rule sets (allow or deny access). The tables listed below are typically empty (for simple configurations). The nat table in this example shows a POSTROUTING entry since the system is running virtual machines – what you see will vary between Linux OS versions as well as depending upon the network magic that your system may need.

##### Table: raw ####
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 #########################
 ##### Table: mangle ####
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
 #########################
 ##### Table: nat ####
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.122.0/24    !192.168.122.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
 #########################

For simple solutions, the filter table is where most of the firewall magic will occur – in the filter table below we see that a limited number of ports are open; a new connection to any other port falls through to the final REJECT rule and is refused with an ICMP host-prohibited message (rejected, not silently dropped).

# iptables -nL -t filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
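The filter table above, read by a script rather than by eye: an added example (not from the original post) that audits a saved ‘iptables -nL -t filter’ listing. The two checks are my own assumptions about what deserves a second look; in particular, an ACCEPT rule that shows ‘all’ with no state or port is ambiguous in -nL output because interface matches (such as a loopback-only rule) are only printed with -v. The sample listing is constructed from the table shown above.

```shell
#!/bin/bash
# Added example (not from the original post): audit a saved "iptables -nL -t filter"
# listing. Two checks, both my own assumptions about what deserves a second look:
#  1. an ACCEPT rule with no visible match (interface-only rules such as "-i lo"
#     look like this, because -nL prints the in/out columns only with -v)
#  2. a chain whose policy is ACCEPT and which has no final DROP/REJECT rule
set -u

# audit_listing FILE : prints one WARN or INFO line per finding
audit_listing() {
  awk '
    /^Chain / { chain=$2; policy=$4; sub(/\)/, "", policy)
                pol[chain]=policy; term[chain]=0; next }
    /^target/ || /^$/ { next }              # column header or blank line
    {
      # five columns = target prot opt source destination, nothing else matched
      if ($1=="ACCEPT" && $2=="all" && NF==5)
        printf "WARN %s: ACCEPT all %s -> %s with no visible match (re-check with -nvL)\n", chain, $4, $5
      if ($1=="DROP" || $1=="REJECT") term[chain]=1
    }
    END {
      for (c in pol)
        if (pol[c]=="ACCEPT" && !term[c])
          printf "INFO %s: policy ACCEPT, no final DROP/REJECT: unmatched traffic is allowed\n", c
    }' "$1"
}

# Constructed sample, modelled on the filter table shown above
SAMPLE=$(mktemp); trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF

# On a live system: iptables -nL -t filter > /tmp/fw.list ; audit_listing /tmp/fw.list
audit_listing "$SAMPLE"
```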

So, if you are in a hurry (can’t wait for my next post) then you need to read THE iptables tutorial tome written by Oskar Andreasson (several hundred pages).

Some guidelines on working with firewall changes via iptables:

The next post on this topic will introduce using the iptables command to add/remove firewall rules from your system. If you are running Apache then you may also want to review my posts on mod_security (search on this site for examples).

Note – netfilter refers to the code in the Linux kernel that provides the packet-filtering capability used by iptables rules (iptables is the generic table structure for defining rule sets). ipchains is an earlier solution for kernel-level network packet filtering.
