Skip to main content

IpTables - The Linux Firewall

Introduction :
IpTables is the user space program , which is used create rules for packet filtering. IpTables used for create Firewall rules in Linux System. Before going to IpTables , first we want to get some knowledge about Firewall.

A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access. Many personal computer operating systems (windows, linux, mac, etc) include software-based firewalls to protect against threats from the public Internet. Many routers that pass data between networks contain firewall components and, conversely, many firewalls can perform basic routing functions.

Installation on linux:

Before going to installation , we need to check whether our kernel was compiled with iptables support. Follwoing steps are used to check.

# cat /boot/config-your.kernel.version.here | grep -i "CONFIG_IP_NF_IPTABLES"

If we get the display as CONFIG_IP_NF_IPTABLES=m , Our Kernel was compiled with iptables support. '=m' means iptables was compiled as a module.

First we need to check whether the iptables installed already. Here i'm using redhat enterprice linux. So using the command as follows,

# rpm -qa | grep iptables.

If you get output like iptables-INSTALLED-VERSION , Or you need to install iptables.

For installation, download iptables file from internet , or install using yum.

# rpm -qa | grep iptables
# rpm -Uvh iptables-downloaded.version.rpm


Importent files for iptables

/etc/init.d/iptables is the INIT script which is used to start, stop the service and/or to save the rulesets.
/etc/sysconfig/iptables this is the file that holds the saved rulesets.
/sbin/iptables and this is the iptables binary.

Checking current configuration

#iptables -L

There are 3 default chains avaliable. INPUT, OUTPUT, FORWARD.
INPUT - Rules for incoming traffic to server.
OUTPUT - Rules for outgoing traffic from server to Internet.
FORWARD - Rules for traffic forward to chients or server on network (LAN...).

When traffic moves through Linux kernel, a TARGET is determined by whether the packet matches a rule in the rulesets or not. There are three main targets are avaliable.

ACCEPT - Traffic is allowed to pass through linux server to its destination.
REJECT - Traffic is blocked from its destination and a packet is sent back to the sending host with a explanation by linux server.
DROP - Traffic is blocked with no explanation (Like closing connection).

Before going to configure new ruleset , following things are very importent.


Should know the order of rules going to add in ruleset. If order changes , It will give very bad results sometime. If your first rule is to deny everything... then no matter what you specifically allow, it will be denied.

Rule set is not active till you save rule. It will be done by seprate command.

If you are using ssh for configure iptables on remote server, first you shoud allow yourself.

Basic Iptables Options

Here are some of the iptables options.

-A - Append this rule to a rule chain. Valid chains for what we're doing are INPUT, FORWARD and OUTPUT, but we mostly deal with INPUT in this tutorial, which affects only incoming traffic.

-L - List the current filter rules.

-m conntrack - Allow filter rules to match based on connection state. Permits the use of the --ctstate option.
   --ctstate - Define the list of states for the rule to match on. Valid states are:
         NEW - The connection has not yet been seen.
         RELATED - The connection is new, but is related to another connection already permitted.
         ESTABLISHED - The connection is already established.
         INVALID - The traffic couldn't be identified for some reason.

-m limit - Require the rule to match only a limited number of times. Allows the use of the --limit option. Useful for limiting logging rules.
   --limit - The maximum matching rate, given as a number followed by "/second", "/minute", "/hour", or "/day" depending on how often you want the rule to match. If this option is not used and -m limit is used, the default is "3/hour".

-p - The connection protocol used.
   --dport - The destination port(s) required for this rule. A single port may be given, or a range may be given as start:end, which will match all ports from start to end, inclusive.

-j - Jump to the specified target. By default, iptables allows four targets:
        ACCEPT - Accept the packet and stop processing rules in this chain.
        REJECT - Reject the packet and notify the sender that we did so, and stop processing rules in this chain.
        DROP - Silently ignore the packet, and stop processing rules in this chain.
        LOG - Log the packet, and continue processing more rules in this chain. Allows the use of the --log-prefix and --log-level options.
--log-prefix - When logging, put this text before the log message. Use double quotes around the text to use.

--log-level - Log using the specified syslog level. 7 is a good choice unless you specifically need something else.

-i - Only match if the packet is coming in on the specified interface.

-I - Inserts a rule. Takes two options, the chain to insert the rule into, and the rule number it should be.
     -I INPUT 5 would insert the rule into the INPUT chain and make it the 5th rule in the list.

-v - Display more information in the output. Useful for if you have rules that look similar without using -v.

-s --source - address[/mask] source specification

-d --destination - address[/mask] destination specification

-o --out-interface - output name[+] network interface name ([+] for wildcard)

Allowing connections

We want to use some standard rules for general network traffic. The 3 way handshake between two hosts when transmitting data.

  • NEW => Server1 connects to Server2 issuing a SYN (Synchronize) packet.
  • RELATED => Server 2 receives the SYN packet, and then responds with a SYN-ACK (Synchronize Acknowledgment) packet.
  • ESTABLISHED => Server 1 receives the SYN-ACK packet and then responds with the final ACK (Acknowledgment) packet.
After this 3 way handshake is complete, the traffic is now ESTABLISHED. In order for this type of TCP communication, something similar to these three rules are necessary:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT


The last rule obviously allows any traffic the leave the server.

Now that we have our basics set in place, lets see what iptables lists for our rulesets:
# iptables --list
Chain INPUT (policy ACCEPT) target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT) target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT) target prot opt source destination
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED


Allowing Incoming Traffic on Specific Ports
You could start by blocking traffic, but you might be working over SSH, where you would need to allow SSH before blocking everything else.

To allow incoming traffic on the default SSH port (22), you could tell iptables to allow all TCP traffic on that port to come in.

# iptables -A INPUT -p tcp --dport ssh -j ACCEPT

Referring back to the list above, you can see that this tells iptables:
• append this rule to the input chain (-A INPUT) so we look at incoming traffic
• check to see if it is TCP (-p tcp).
• if so, check to see if the input goes to the SSH port (--dport ssh).
• if so, accept the input (-j ACCEPT).

Lets check the rules: (only the first few lines shown, you will see more)

# iptables -L
Chain INPUT (policy ACCEPT) target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh


Allow all incoming web traffic
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Checking our rules, we have 

# iptables -L
Chain INPUT (policy ACCEPT)target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:www

Some more ruleset for iptables, For easy understanding

Individual REJECTS First:

BAD GUYS (Block Source IP Address):
# iptables -A INPUT -s 172.34.5.8 -j DROP

NO SPAMMERS (notice the use of FQDN):
# iptables -A INPUT -s mail.spammer.org -d 10.1.15.1 -p tcp --dport 25 -j REJECT

Then Open it up

MYSQL (Allow Remote Access To Particular IP):
# iptables -A INPUT -s 172.50.3.45 -d 10.1.15.1 -p tcp --dport 3306 -j ACCEPT

SSH:
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 22 -j ACCEPT

Sendmail/Postfix:
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 25 -j ACCEPT

FTP: (Notice how you can specify a range of ports 20-21)
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 20:21 -j ACCEPT

Passive FTP Ports Maybe: (Again, specifying ports 50000 through 50050 in one rule)
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 50000:50050 -j ACCEPT

HTTP/Apache
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 80 -j ACCEPT

SSL/Apache
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 443 -j ACCEPT

IMAP
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 143 -j ACCEPT

IMAPS
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 993 -j ACCEPT

POP3
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 110 -j ACCEPT

POP3S
# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 995 -j ACCEPT

Any Traffic From Localhost:
# iptables -A INPUT -d 10.1.15.1 -s 127.0.0.1 -j ACCEPT

ICMP/Ping:
# iptables -A INPUT -d 10.1.15.1 -p icmp -j ACCEPT

Global REJECTS Last:
Reject everything else to that IP:

# iptables -A INPUT -d 10.1.15.1 -j REJECT

Or, reject everything else coming through to any IP:
# iptables -A INPUT -j REJECT
# iptables -A FORWARD -j REJECT


Saving rules in iptables

For save active rules:
# /etc/init.d/iptables save This will save rules to '/etc/sysconfig/iptables'.

If start iptables, the rules are read from '/etc/sysconfig/iptables'
# /etc/init.d/iptables startStarting iptables [OK]

If you stop iptables, all rules are flushed
# /etc/init.d/iptables stopStopping iptables [OK]

Export and importing rulesets to file

# iptables-save > /root/iptables-save.out This will save rules to iptables-save.out file

# iptables-restore -c /root/iptables-save.out
The -c tells iptables-restore that this is file was created using iptables-save to ruleset.

Conclusion
This is a basic tutorial about iptables. We can do lot of things by iptables. I hope good practice on iptables only give better knowledge. Keep practicing.

      Reference : Lot of articles from internet. Thanks to all. 

Comments

This is a complete list of references for the security feature.

Popular posts from this blog

Install and Uninstall VMware .bundle in Redhat - RHEL 6

Here the steps for Install and Uninstall VMware .bundle in Redhat and also Linux. I have checked with RHEL 6.

For install :
Login in as root user, Type following command

~]# sh VMware-***.bundle

Here *** will be your software and it's version.

This command will display normal GUI installation. Choose option as your wish.

For Uninstall :
Login in as root user, Type following command


~]# vmware-installer -l

This will display your product name and product version installed by VMware.

Ex:
*
*
*
Product Name         Product Version    
========== ==============
vmware-player        4.0.1.528992   

Note Name and Version, Use following command to uninstall

~]# vmware-installer -u {product-name} {product-version}

Ex:
~]# vmware-installer -u vmware-workstation 8.0.1.528992

Now you can uninstall with GUI.

* This is common for all VMware .bundle installation files. Ex: VMware-Workstation, VMware-Player etc.

Play NFS (Need For Speed) or other Games on Full Screen in Laptop with Windows 7

Now a days most of people playing NFS serious (NFS Most Wanted , NFS Carbon etc.) in Laptop.

We are facing the problem that NFS game does not play in full screen mode. It have some black bar at both right and left side.

We can fix it with simple steps, For this your video driver should be installed with it's "Graphics & Media Control Panel" application.

Here i have explained it with screen shot. It'll be mostly same for Intel boards. Settings for other video drivers may differ. You may need to search for it in their graphics control panel.


Step 1 :

Click aero button at right bottom corner for show available notifications and running process. There is Graphics & Media Control Panel Icon.
If it is not avaliable there, you can get it from "Windows Control Panel". It'll open your "Graphics & Media Control Panel".


Step 2 :

Click Graphics & Media Control Panel icon and choose Graphics Properties...


Step 3:

Under Intel Graphics and …