LINUX FIREWALLS
IPTABLES
by ramez.hanna
This is not a reference for IPTABLES in any way; it is just a starting point that I gathered from several other documents with my humble knowledge and experience, and I hope it gets you started with firewall configuration. This document is far from complete and I'll be adding more as soon as I have the time.
General
Before we mention anything about firewalls I need to point out a critical point: "a firewall's power lies within its configuration". No matter how powerful the firewall application is, a weak configuration will weaken it. Also remember that security is not just a firewall. Think of a firewall as just a first line of defense: you still need to secure your applications and keep your system updated and patched against known exploits.
Mainly, a firewall is used to block or allow certain traffic based on the network's needs; it may block all incoming requests, or it may allow requests to pass through to the mail server within the local network.
The firewall in Linux sits in the kernel, waiting for network traffic from the NICs, and handles it as specified in the configuration file.
It works on layers 3 and 4 of the OSI network model; this means it operates at the IP and TCP/UDP level, thus it cannot filter on the content of the packet and hence cannot be used to check mail for viruses or block unwanted content in web pages.
How is IPTABLES configured?
The IPTABLES configuration file (/etc/sysconfig/iptables) consists of a set of rules; each line contains one rule.
The IPTABLES daemon goes through the configuration file line by line, so it is important to pay attention to the order of the rules. When a packet matches a rule's criteria it is sent to that rule's target (REJECT/DROP/ACCEPT) and no later rule is consulted for that packet, because it has already been filtered. The exception is the LOG target: it only logs the packet and processing continues, so a later rule can match the same criteria again.
There are two ways of creating the rules: either by editing the config file directly or by using the iptables command. In this document I'll edit the file directly (no particular reason, just what I am used to; both ways are fine, but some people prefer using the command as it is more flexible).
IPTABLES has 3 tables:
- FILTER: where the filtering of the packets takes place
- NAT: packet modification such as NAT/PAT and IP masquerading
- MANGLE: for setting packet options such as type of service
THE FILTER TABLE
The filter table has 3 default chains:
- INPUT: any traffic directed to the local machine
- FORWARD: traffic routed through the local machine to another host
- OUTPUT: any traffic originating from the local machine
How is a rule built?
A rule is a match criterion applied, in a certain chain, to the packets that reach the firewall machine. The match criteria define packet properties and information such as source IP, destination IP, etc.
I'll start by giving you the quick steps and some quick notes first, then I'll go through them one by one:
- Add/Insert/Delete the rule
- Define the chain
- Create your match
- Determine the action
So let's go into more detail.
"Add/Insert/Delete the rule": as mentioned before, the rules are placed in order, so you use -A to append a new rule, -I to insert a rule at a certain position, and -D to delete a certain rule
-A
"Define the chain": define which chain you are dealing with
-A INPUT
"Create your match": I will talk about this in detail later
-A INPUT some match criteria
"Determine the action": tell the daemon what to do with the packet
-A INPUT some match criteria -j ACCEPT
So how is a match built?
Generally the matches that can be defined are:
- -p : to define a protocol, which can be TCP, UDP or ICMP
- --sport : to define the source port of the packet
- --dport : to define the destination port of the packet
- -m state : to load the connection state match (required before --state)
- --state : to define the connection state: NEW, RELATED, ESTABLISHED, INVALID
- --syn : to match packets carrying a SYN request (the start of a TCP connection), equivalent to --state NEW
- -i : to define the incoming interface
- -o : to define the outgoing interface
Examples
-A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
The above example rule will accept incoming POP3 requests to the local server.
-A OUTPUT -p tcp --dport 80 --syn -j ACCEPT
The above example rule will accept outgoing web requests (--syn is an option of the tcp match, so it takes no -m).
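As an added example (not from the original article), here is a small POSIX shell script that turns the four steps above and the state matches into a complete default-deny filter table in the file format the article uses. The port list, the log prefix and the choice of a DROP policy are my own; loading the result needs root and the iptables-restore command, which the script only mentions in a comment.

```shell
#!/bin/sh
# Added example, not from the original article: generate a default-deny filter
# table in iptables-restore format from a list of TCP service ports. Every rule
# follows the four steps from the text: -A (append), the chain, the match, -j (action).

# Usage: build_ruleset "22 80 443"   -> prints the complete *filter table to stdout
build_ruleset() {
    ports=$1
    echo '*filter'
    # Default policies: anything no rule accepts is dropped; outbound stays open.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic and replies to connections this host started.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # Packets that connection tracking cannot classify are dropped early.
    echo '-A INPUT -m state --state INVALID -j DROP'
    # Echo requests only, so the host stays pingable without opening all of ICMP.
    echo '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    # One rule per published service; only the first packet of a new connection
    # needs an explicit ACCEPT, the ESTABLISHED rule above handles the rest.
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Log what is left (LOG does not stop processing), then reject it explicitly
    # so the reason shows up in the kernel log instead of vanishing into the policy.
    echo '-A INPUT -j LOG --log-prefix "INPUT-REJECT: " --log-level 4'
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# Number of "-A INPUT" rules a port list produces (4 fixed rules before the
# ports, 2 after), handy as a sanity check before loading.
count_input_rules() {
    build_ruleset "$1" | grep -c '^-A INPUT '
}

# Load on a real host (needs root):  build_ruleset "22 80" | iptables-restore
# and confirm what the kernel holds:  iptables-save
if [ "${1:-}" != "" ]; then
    build_ruleset "$1"
fi
```

Run it as `sh build_ruleset.sh "22 80"` to see the generated table. The ordering inside the INPUT chain is the point: loopback and ESTABLISHED first, so the bulk of traffic is decided by the second rule, the per-service NEW rules next, and the LOG/REJECT pair last so nothing below them would ever be reached.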
Here is an example configuration file.
The first line determines which table we are using; the following three lines set the default policy of each chain; then come the rules; and at the end, to apply these rules, you add COMMIT.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A FORWARD -p icmp --icmp-type any -j ACCEPT
# protocols 50 (ESP) and 51 (AH) are IPsec
-A INPUT -p 50 -j ACCEPT
-A FORWARD -p 50 -j ACCEPT
-A INPUT -p 51 -j ACCEPT
-A FORWARD -p 51 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
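Since rule order decides everything (a packet stops at the first ACCEPT/DROP/REJECT it matches, while LOG lets it continue down the chain), here is an added example, not part of the original article: a POSIX shell linter that reads a file in the format above and reports rules placed below a catch-all terminating rule of the same chain, which can never match. The sample rule set it writes is constructed for the demonstration, with the last INPUT rule deliberately misplaced.

```shell
#!/bin/sh
# Added example, not from the original article: report rules in an
# iptables-restore file that can never match, because an earlier rule in the
# same chain already terminates every packet. ACCEPT, DROP and REJECT end a
# packet's trip through the chain; LOG does not, so rules after a LOG still run.

# Usage: find_unreachable RULES_FILE   -> one line per shadowed rule
find_unreachable() {
    awk '
        # Only "-A CHAIN ..." lines are rules; *table, policy and COMMIT lines are skipped.
        /^-A / {
            chain = $2
            target = ""
            catchall = 1                 # no match option seen yet
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") { target = $(i + 1); break }
                catchall = 0             # anything before -j is a match option
            }
            if (chain in closed) {
                printf "line %d unreachable: %s (shadowed by line %d)\n", NR, $0, closed[chain]
            } else if (catchall && (target == "ACCEPT" || target == "DROP" || target == "REJECT")) {
                closed[chain] = NR       # every later rule in this chain is dead
            }
        }
    ' "$1"
}

# Number of shadowed rules in a file (0 when the order is sound).
count_unreachable() {
    find_unreachable "$1" | grep -c unreachable || true
}

# Constructed sample in the article's format, written to a temp file whose path
# is printed. The last INPUT rule sits below the catch-all REJECT on purpose.
write_sample_rules() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j LOG --log-prefix "INPUT-REJECT: "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT
EOF
    echo "$f"
}

# Check a real file:  sh find_unreachable.sh /etc/sysconfig/iptables
if [ "${1:-}" != "" ]; then
    find_unreachable "$1"
fi
```

On the constructed sample the linter flags the port 80 rule as shadowed by the REJECT above it, while the LOG rule is correctly treated as non-terminating. The check is deliberately simple: it only recognises rules with no match options at all as catch-alls, so it reports no false positives but will miss rules shadowed by a broader, still conditional rule.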
GUI frontends to IPTABLES:
- EasyTables: an easy-to-use GUI for iptables that will probably be much easier than setting the rules manually.
- GFCC: a graphical interface tool for managing ipchains/iptables rules.
- Shorewall: a high-level tool for configuring Netfilter.
Nice article, only one thing,
Nice article, only one thing: in gentoo it's /var/lib/iptables/rules-save (configurable from /etc/conf.d/iptables)
^^^^ example from my file, drop all input, allow all forward/output, open some ports, reject 113 to make irc connect faster and allow the computer to be pinged. peace - OneOfOne, kernel patching monkey/BORG drone.
GFCC
GFCC is a graphical interface tool for managing ipchains/iptables rules
Nice Info. But this example doesn't make any sense..
first of all, thanks for your efforts.
second, I think this reply is somewhat late but I have just seen this ((article)). the theoretical information about iptables is good for any starter, but I don't understand the case of the example or the syntax of some rules within the iptables script.
to my knowledge, iptables or any network securing application generally depends on 2 cases:
make all chain policies ACCEPT and use DROP and REJECT as target specifications to reject unwanted traffic.
in this case, make all chain policies DROP and use the ACCEPT target specification to allow the wanted traffic.
in the above example, chain policies are ACCEPT and rule target specifications are ACCEPT too, so this doesn't make any sense, to allow the things twice.
next, usually the forward chain is used basically in case we have ip forwarding enabled ?! so what's the use for it in this example.
finally, the use of -p with (port numbers, if these are port numbers) such as 50 or 51 ?! > quoted from article (-p : to define a protocol which can be TCP, UDP or ICMP)
Ashraf A. Abd El-Aziem
this is a wiki page
feel free to edit it and add or modify anything.
cheers,
Alaa
http://www.manalaa.net "i`m feeling for the 2nd time like alice in wonderland reading el wafd"
EasyTables
EasyTables is an easy-to-use GUI for iptables and will probably be much easier than setting the rules manually.
-I used to be indecisive .. but now I'm not so sure
this is wiki.
feel free to edit it and add or modify anything.
add section for the front end GUI.
Diaa Radwan
GUI frontend to IP tables
GUI frontend to IP tables has been added
-I used to be indecisive .. but now I'm not so sure