Archive for the tag 'iptables'

iptables rule for routing outside the range of the LAN.

LAN range - 192.168.1.0/24
Outside LAN IP - 10.0.4.2

To route incoming HTTP requests to a dedicated HTTP server at 10.0.4.2 (outside the 192.168.1.0/24 range of the LAN), add a rule to the PREROUTING chain of the nat table, which rewrites the destination address so the packets are forwarded to their proper destination:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.4.2:80

iptables rules can be set to route traffic to certain machines, such as a dedicated HTTP or FTP server, in a demilitarized zone (DMZ) — a special local subnetwork dedicated to providing services on a public carrier such as the Internet.

With this command, all HTTP connections to port 80 from outside the LAN are routed to the HTTP server, which sits on a separate network from the rest of the internal network. This form of network segmentation can prove safer than allowing HTTP connections to a machine on the internal network. If the HTTP server is configured to accept secure connections, then port 443 must be forwarded as well.

SBDavid

Common iptables Filtering

With the default policy set to block all incoming, outgoing, and forwarded packets, it is impossible for the firewall/gateway and internal LAN users to communicate with each other or with external resources. To allow users to perform network-related functions and use networking applications, administrators must open certain ports for communication.

To allow access to port 80 on the firewall, append the following rule:

iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT

This allows regular Web browsing from websites that communicate via port 80. To allow access to secure websites (such as https://www.serverbuddies.com/), you must open port 443, as well.

iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT

Because rules are evaluated in order, the allow rule must be set first, and the drop rule for the subnet set after it.

To arbitrarily insert a rule in an existing chain of rules, use -I, followed by the chain in which to insert the rule, and a rule number (1,2,3,…,n) for where the rule should reside. For example:

iptables -I INPUT 1 -i lo -p all -j ACCEPT

The rule is inserted as the first rule in the INPUT chain to allow local loopback device traffic.

$ sudo iptables -L -n -v

Chain INPUT (policy ACCEPT 235 packets, 45229 bytes)
pkts bytes target prot opt in out source destination
2 158 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
169 36782 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80

To allow remote SSH access, the following rules may be used:

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

SBDavid

Saving and Restoring iptables Rules

The iptables package comes with two more tools that are very useful, especially if you are dealing with larger rule-sets.

These two tools are called iptables-save and iptables-restore.

Firewall rules are only valid for the time the computer is on; so, if the system is rebooted, the rules are automatically flushed and reset.

To save the rules so that they are loaded later, use the following command:

/sbin/service iptables save

The rules are stored in the file /etc/sysconfig/iptables and are applied whenever the service is started or restarted, including when the machine is rebooted.

# iptables-save -c > /etc/iptables-save

In other words, the above command saves the whole rule-set to a file called /etc/iptables-save with the byte and packet counters still intact.

Example

Save current iptables firewall rules:

# iptables-save > /root/iptables-save

To restore iptables rules:

# iptables-restore < /root/iptables-save

SBDavid

Basic iptables Firewall policies (-P)

The following rules block all incoming and outgoing packets on a network gateway:

iptables -P INPUT DROP
iptables -P OUTPUT DROP

Forwarded packets can be denied as well. To do this, use the following rule:

iptables -P FORWARD DROP

After setting the policy chains, you can create new rules for your particular network and security requirements.

Establishing basic firewall policies creates a foundation for building more detailed, user-defined rules. iptables uses policies (-P) to create default rules.

SBDavid
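Pulling the rules from these posts together, here is an added example (my own, not from the blog) that writes a complete gateway ruleset in the iptables-restore format described in the saving/restoring post: the default DROP policies, the loopback rule, the DNAT to 10.0.4.2, plus a conntrack rule that admits return traffic without trusting a source port, and a FORWARD rule without which the DNAT'd packets would be dropped by the FORWARD DROP policy. It assumes eth0 faces the Internet and a LAN-side interface named eth1; the conntrack and multiport matches are standard iptables extensions not used in the posts.

```shell
#!/bin/sh
# Added example, not from the original posts. Emits a gateway ruleset in
# iptables-restore format. Assumed names: WAN interface eth0, LAN interface
# eth1 (not in the posts), LAN 192.168.1.0/24 and DMZ web host 10.0.4.2.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DMZ_WEB="${DMZ_WEB:-10.0.4.2}"

gen_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Forward incoming HTTP/HTTPS on the WAN side to the DMZ web server.
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB:80
-A PREROUTING -i $WAN_IF -p tcp --dport 443 -j DNAT --to-destination $DMZ_WEB:443
# Masquerade LAN traffic leaving through the WAN interface.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
*filter
# Default policies: drop everything, then open only what is needed.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections the gateway opened, instead of trusting source port 80/443.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
# DNAT alone is not enough with FORWARD DROP: the forwarded packets must be allowed too.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -d $DMZ_WEB -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -s $LAN_NET -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Sanity check: count ACCEPT rules that match on a source port alone (should be 0).
count_sport_only_accepts() {
  gen_ruleset | grep -c -- '--sport [0-9]* -j ACCEPT' || true
}

# Stand-alone use: gen_ruleset > /root/iptables-save, then iptables-restore < that file.
gen_ruleset
```

Run `iptables-restore --test < file` before loading the saved file for real, so a syntax error does not leave the gateway half-configured.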

iptables Overview

iptables features advanced logging, pre- and post-routing actions, network address translation, and port forwarding, all in one command-line interface.

Using iptables

The first step in using iptables is to start the iptables service.
This can be done with the command:

service iptables start

The ip6tables service should be turned off to use iptables.

service ip6tables stop
chkconfig ip6tables off

To make iptables start by default whenever the system is booted, you must change runlevel status on the service using chkconfig.

chkconfig --level 345 iptables on

The syntax of iptables is separated into tiers. The main tier is the chain. A chain specifies the state at which a packet is manipulated. The usage is as follows:

iptables -A chain -j target

The -A option appends a rule at the end of an existing ruleset.

The chain is the name of the chain the rule belongs to.
The three built-in chains of iptables (that is, the chains that affect every packet that traverses the network) are INPUT, OUTPUT, and FORWARD.

The -j target option specifies the target to which a packet matching this rule should jump. Some built-in targets are ACCEPT, DROP, and REJECT.
