Iptables Firewall
Post #66 by mreschke on 2008-05-20 21:48:00

This document describes a small portion of iptables and how to set up a basic firewall with it. There are many huge books on iptables so I cannot go into any sort of detail here. If you want to create a more advanced firewall, then I suggest installing shorewall and reading the documentation at http://www.shorewall.net/Introduction.html about setting it up. I generally use shorewall on my systems and configure them using http://www.webmin.com/.

Iptables Command Line

Saving Changes

Changes to iptables take effect immediately but are not persisted until you save them manually. This gives a nice testing environment: a mistake disappears on the next reboot.

See http://tuxtraining.com/2008/05/15/iptables-how-to-save-and-restore-rules-at-boot-shutdown/
for documentation on how to save your rules on boot.

Note that I keep my iptables commands in a script (this is a different file from the one iptables-save produces).
The easiest way to set up iptables rules is to create a script file with your firewall settings so you don't have to retype them if you mess something up. I use /home/xxx/bin/iptables-rules.sh (see the bottom of this doc for my example of this file).

So execute your script (mine is /home/xxx/bin/iptables-rules.sh), or manually add/remove rules, until you like what you see. Then export your rules to /etc/iptables.rules with

Code Snippet
iptables-save > /etc/iptables.rules

Now, to apply the rules automatically, modify /etc/network/interfaces and add this line below your interface stanza (usually eth0):

Code Snippet
pre-up iptables-restore < /etc/iptables.rules

You can also hook the interface shutdown: the post-down line below writes the current rules (with their packet counters, -c) back to /etc/iptables.rules when the interface is taken down. Add it in /etc/network/interfaces below the eth0 stanza and the pre-up line you just created.

Code Snippet
post-down iptables-save -c > /etc/iptables.rules

Here is my config file (from the eth0 stanza on):

Code Snippet
# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp
pre-up iptables-restore < /etc/iptables.rules

Now reboot and check with iptables -L; the rules should be there.

Adding a TCP or UDP port

Note that on my Fedora system the INPUT rules live in a chain named RH-Firewall-1-INPUT, so the examples below use that chain.

To open TCP port 80 in the RH-Firewall-1-INPUT chain for any source/destination, insert this rule above the current rule number 9 (it becomes the new rule 9):

Code Snippet
iptables -I RH-Firewall-1-INPUT 9 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT

or the same for UDP port 80:

Code Snippet
iptables -I RH-Firewall-1-INPUT 9 -i eth0 -p udp -m udp --dport 80 -j ACCEPT

To append to the chain (add at the bottom), replace -I with -A and drop the rule number (9):

Code Snippet
iptables -A RH-Firewall-1-INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT

Appending is usually not what you want, because the last rule in the chain is a REJECT that catches every port not listed above it, so a rule appended after it is never reached.
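As an added check (not part of the original post), this Python script parses iptables-save output and flags rules that sit below a catch-all REJECT/DROP in the same chain, which is exactly what happens when -A is used after the final REJECT is in place; for each shadowed rule it prints the -I command that would put it above the catch-all. The SAMPLE text is constructed, and the parser also accepts the counter-prefixed lines produced by iptables-save -c.

```python
import shlex

# Constructed iptables-save output: port 443 was appended with -A after the
# catch-all REJECT, so that rule can never match.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_rules(save_output):
    """Return [(chain, args)] for every '-A CHAIN ...' line; skip headers/COMMIT."""
    rules = []
    for line in save_output.splitlines():
        tokens = shlex.split(line.strip())
        if tokens and tokens[0].startswith("["):
            tokens = tokens[1:]          # drop the [pkts:bytes] prefix of iptables-save -c
        if len(tokens) >= 2 and tokens[0] == "-A":
            rules.append((tokens[1], tokens[2:]))
    return rules

def is_catch_all(args):
    """True when a rule has no match criteria before -j and its target drops/rejects."""
    if "-j" not in args:
        return False                     # no target: a counting-only rule, never terminal
    j = args.index("-j")
    return args[j + 1] in ("DROP", "REJECT") and not args[:j]

def find_shadowed(save_output):
    """List (chain, rule_no, rule, insert_at): rules below a catch-all in their chain,
    plus the -I position that would place them above it, as the post recommends."""
    shadowed, catch_all_at, seen = [], {}, {}
    for chain, args in parse_rules(save_output):
        seen[chain] = seen.get(chain, 0) + 1
        if chain in catch_all_at:
            shadowed.append((chain, seen[chain], " ".join(args), catch_all_at[chain]))
        elif is_catch_all(args):
            catch_all_at[chain] = seen[chain]
    return shadowed

if __name__ == "__main__":
    for chain, n, rule, pos in find_shadowed(SAMPLE):
        print(f"{chain} rule {n} is unreachable; fix: iptables -I {chain} {pos} {rule}")
```

Run it as `iptables-save | python3 check_rules.py` after swapping SAMPLE for sys.stdin.read(); the same check applies to the ruleset built by iptables-rules.sh at the bottom of this doc.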

Dropping a rule (by number)

Use iptables -L --line-numbers to see which rule number to drop.

Code Snippet
iptables -D RH-Firewall-1-INPUT 5

This drops rule 5 from the RH-Firewall-1-INPUT chain.

Misc Commands

List all rules

Code Snippet
iptables -L

List all rules with line numbers

Code Snippet
iptables -L --line-numbers

Setting up a new Firewall

A great article on starting iptables from scratch:
http://www.howtoforge.com/linux_iptables_sarge

NOTE: in the examples below, the server this firewall runs on is 192.168.1.1.

Allow all traffic

Code Snippet
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Rejects

Next, build any individual rejects first (if you have any).
These are examples of how to reject traffic:

Reject an individual host by IP address:

Code Snippet
# iptables -A INPUT -s 172.34.5.8 -j DROP

Reject spammers (note that a hostname given to -s is resolved when the rule is added, not per packet, so the rule pins whatever address it resolved to at that moment):

Code Snippet
# iptables -A INPUT -s mail.spammer.org -d 192.168.1.1 -p tcp --dport 25 -j REJECT

Accepts

These are examples; add what you need for your server.

Code Snippet
apache http
# iptables -A INPUT -d 192.168.1.1 -p tcp --dport 80 -j ACCEPT

all traffic from localhost
# iptables -A INPUT -d 192.168.1.1 -s 127.0.0.1 -j ACCEPT

ICMP/ping
# iptables -A INPUT -d 192.168.1.1 -p icmp -j ACCEPT

SSH
# iptables -A INPUT -d 192.168.1.1 -p tcp --dport 22 -j ACCEPT

MYSQL (Allow Remote Access from a Particular IP):
# iptables -A INPUT -s 172.50.3.45 -d 192.168.1.1 -p tcp --dport 3306 -j ACCEPT

Global Rejects

Reject everything else destined for the server:

Code Snippet
# iptables -A INPUT -d 192.168.1.1 -j REJECT

Or reject everything else, to any IP (I use this one):

Code Snippet
# iptables -A INPUT -j REJECT
# iptables -A FORWARD -j REJECT

Now make sure you save your rules, or they will be lost on reboot.

iptables-rules.sh

Code Snippet
#!/bin/sh

###Show previous iptables rules
iptables -L --line-numbers

###Clear all rules in the filter table (default policies stay at ACCEPT)
iptables --flush

###Allow packets belonging to connections that are already established
###(or related to them); all outbound traffic is allowed
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

###Individual rejects first
##Reject any traffic from a certain IP
#iptables -A INPUT -s 172.34.5.8 -j DROP

##Reject any spammers
#iptables -A INPUT -s mail.spammer.org -p tcp --dport 25 -j REJECT

###Open it up
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 10051 -j ACCEPT
iptables -A INPUT -p tcp --dport 10050 -j ACCEPT

iptables -A FORWARD -p tcp --dport 10051 -j ACCEPT
iptables -A FORWARD -p tcp --dport 10050 -j ACCEPT

###Reject everything else (anything appended below this line is never reached)
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

###Show new iptables rules
iptables -L --line-numbers

###Save permanently to the file restored by the pre-up line in /etc/network/interfaces
iptables-save > /etc/iptables.rules

Resources