Saving and Restoring iptables Rules
The iptables package comes with two more tools that are very useful, especially if you are dealing with larger rule-sets.
These two tools are called iptables-save and iptables-restore.
Firewall rules are only valid while the computer is running; if the system is rebooted, the rules are automatically flushed and reset.
To save the rules so that they are loaded later, use the following command:
/sbin/service iptables save
The rules are stored in the file /etc/sysconfig/iptables and are applied whenever the service is started or restarted, including when the machine is rebooted.
# iptables-save -c > /etc/iptables-save
The above command saves the whole rule-set to a file called /etc/iptables-save, with the byte and packet counters of each rule still intact (the -c option includes them).
Example
Save current iptables firewall rules:
# iptables-save > /root/iptables-save
To restore iptables rules:
# iptables-restore < /root/iptables-save
Basic iptables Firewall policies (-P)
iptables uses policies (-P) to set the default rule of a built-in chain, the action taken when no other rule in that chain matches a packet. Establishing basic firewall policies creates a foundation for building more detailed, user-defined rules.
The following rules block all incoming and outgoing packets on a network gateway:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
To deny forwarded packets as well, use the following rule:
iptables -P FORWARD DROP
After setting the policy chains, you can create new rules for your particular network and security requirements.
iptables Overview
iptables features advanced logging, pre and post-routing actions, network address translation, and port forwarding all in one command line interface.
Using iptables
The first step in using iptables is to start the iptables service. This can be done with the command:
service iptables start
The ip6tables service should be turned off in order to use iptables:
service ip6tables stop
chkconfig ip6tables off
To make iptables start by default whenever the system is booted, you must change the runlevel status of the service using chkconfig:
chkconfig --level 345 iptables on
The syntax of iptables is separated into tiers. The main tier is the chain. A chain specifies the stage at which a packet is manipulated. The usage is as follows:
iptables -A chain -j target
The -A option appends a rule at the end of an existing ruleset.
The chain is the name of the chain the rule is added to.
The three built-in chains of iptables (that is, the chains that every packet traversing the host is checked against) are INPUT, OUTPUT, and FORWARD.
The -j target option specifies the target that a packet matching this rule jumps to. Some built-in targets are ACCEPT, DROP, and REJECT.
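As an added example (not from the original notes or the iptables project), here is a small Python audit of a saved rule-set: it parses a constructed iptables-save -c dump of the kind the save command above produces, checks that the three built-in chains carry a DROP default policy, and uses the preserved counters to spot -A rules that never matched. The sample dump and the function names are assumptions.

```python
import re
# Constructed sample of "iptables-save -c" output (not from a real host);
# the bracketed values are the [packets:bytes] counters kept by -c.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [120:9600]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [88:7040]
[10:800] -A INPUT -i lo -j ACCEPT
[95:7600] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[15:1200] -A INPUT -p tcp --dport 22 -j ACCEPT
[0:0] -A INPUT -p tcp --dport 23 -j REJECT
[88:7040] -A OUTPUT -j ACCEPT
COMMIT
"""

BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")
POLICY_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")  # :CHAIN POLICY [p:b]
RULE_RE = re.compile(r"^(?:\[(\d+):(\d+)\] )?-A (\S+)(.*?)(?: -j (\S+))?$")

def parse_dump(text):
    """Return {table: {"policies": {chain: (policy, pkts, bytes)}, "rules": [...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):  # a table header such as *filter or *nat
            table = tables.setdefault(line[1:], {"policies": {}, "rules": []})
            continue
        m = POLICY_RE.match(line)
        if m:
            chain, policy, pkts, byts = m.groups()
            table["policies"][chain] = (policy, int(pkts), int(byts))
            continue
        m = RULE_RE.match(line)  # [p:b] -A CHAIN <match options> -j TARGET
        if m:
            pkts, byts, chain, match, target = m.groups()
            table["rules"].append(
                (chain, match.strip(), target, int(pkts or 0), int(byts or 0)))
    return tables

def audit_policies(tables):
    """Built-in filter chains whose default policy is not DROP (not default-deny)."""
    policies = tables.get("filter", {}).get("policies", {})
    return [c for c in BUILTIN_CHAINS if policies.get(c, ("-",))[0] != "DROP"]

def unused_rules(tables, table="filter"):
    """Rules with a zero packet counter: never matched since counters were last reset."""
    return [(c, m, t) for c, m, t, p, _ in tables.get(table, {}).get("rules", []) if p == 0]
```

Run it against the output of iptables-save -c on a real host to confirm the policies set with -P survived a save/restore cycle.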
Firewalls are the core components of a network security implementation.
Firewalls can be standalone hardware solutions, such as firewall appliances by Cisco, Nokia, and Sonicwall.
There are also proprietary software firewall solutions developed for home and business markets by vendors such as Checkpoint, McAfee, and Symantec.
Firewall functions:
NAT
Network Address Translation (NAT) places private IP subnetworks behind one or a small pool of public IP addresses, so that all requests appear to come from one source rather than several.
Packet Filter [iptables]
A packet filtering firewall reads each data packet that passes into or out of a LAN. It can read and process packets by their header information and filters them based on sets of programmable rules implemented by the firewall administrator.
The Linux kernel has built-in packet filtering functionality through the Netfilter kernel subsystem.
Proxy
A proxy machine acts as a buffer between malicious remote users and the internal network client machines.
Netfilter and iptables
The Linux kernel features a powerful networking subsystem called Netfilter. The Netfilter subsystem provides stateful or stateless packet filtering as well as NAT and IP masquerading services. Netfilter also has the ability to mangle IP header information for advanced routing and connection state management. Netfilter is controlled through the iptables utility.
Examples:
iptables - administration tools for packet filtering and NAT
shorewall - Shoreline Firewall, netfilter configurator - transitional package
Virtual Private Networks (VPNs)
VPNs allow for secured digital communication between two parties (or networks), creating a Wide Area Network (WAN) from existing Local Area Networks (LANs). Where it differs from frame relay or ATM is in its transport medium. VPNs transmit over IP using datagrams as the transport layer, making it a secure conduit through the Internet to an intended destination. Most free software VPN implementations incorporate open standard encryption methods to further mask data in transit.
There are several vendors with hardware VPN solutions, such as Cisco, Nortel, IBM, and Checkpoint. There is a free software-based VPN solution for Linux called FreeS/WAN that utilizes a standardized IPsec (Internet Protocol Security) implementation. These VPN solutions, regardless of whether they are hardware or software based, act as specialized routers that sit on the IP connection between one office and another.
When a packet is transmitted from a client, it is sent through the router or gateway, which adds header information for routing and authentication called the Authentication Header (AH). The data is encrypted and enclosed with decryption and handling instructions called the Encapsulating Security Payload (ESP). The receiving VPN router strips the header information, decrypts the data, and routes it to its intended destination (either a workstation or a node on a network). Using a network-to-network connection, the receiving node on the local network receives the packets decrypted and ready for processing. The encryption/decryption process in a network-to-network VPN connection is transparent to a local node.
Because they employ several layers of authentication and encryption, VPNs are a secure and effective means to connect multiple remote nodes to act as a unified Intranet.