Linux Firewall

Iptables is a built-in firewall application that ships with most Linux distributions. On CentOS, administrators use iptables to create firewall rules that either block or allow network traffic based on a predefined set of rules. The firewall is composed of two elements: iptables and netfilter. The iptables tool is used from the command line to configure firewall rules in predefined tables, while netfilter is the kernel module responsible for actually filtering the network traffic. In this article I will show you how to work with iptables and how to configure your firewall rules. Network filtering with iptables is based on several parameters: IP address, port number and protocol (TCP, UDP, FTP, etc.). When a firewall rule is created, it is placed in one of the following categories (chains):
  • Input – packets that have the Server as destination
  • Output – packets originated from the Server
  • Forward – packets routed through the network that are passed by the Server to other machines for further processing
When a packet is received by the Server, its information is compared against the firewall rules and, if a match is found, the packet is either Accepted or Dropped. Each chain (Input, Output, Forward) can contain several rules, and every packet is checked against each one from top to bottom; the first matching rule decides. Note that if all rules are checked and no match is found, the default action (the chain policy) is taken, which can be either Accept or Drop. You should normally have a DENY ALL rule at the bottom of each chain.
For this demonstration I will be using a CentOS 6.5 virtual machine. This is my testing environment, so make sure you do not test iptables in a production network. Iptables is shipped with all CentOS versions newer than 5.x. You can check whether the package is installed by typing rpm -qa | grep iptables.
I have two iptables packages installed: the basic package plus support for IPv6. We can use the lsmod command to view the modules loaded in the kernel. By default, iptable_filter is loaded; type lsmod or lsmod | grep ip_tables to view the modules.
To view all chains, type iptables -L.
To flush all rules, type iptables -F. Note that this command will erase all firewall rules and will ultimately close all ssh connections. I wanted to start from scratch, so I executed this command. We can delete a specific rule by typing iptables -D INPUT 4, where the number is the rule's position within the chain.
After executing iptables -F, all chains are empty.
Let's build our firewall rules. We will start by allowing ssh from any location. To achieve this, type iptables -A INPUT -p tcp --dport 22 -j ACCEPT.
If our server hosted a BIND service (DNS), we would allow all incoming requests on port 53 TCP/UDP with the following commands:
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
I also want to drop all incoming packets that do not match any of my INPUT rules. We will create the rule by inserting it in the last position. We could also use the -A (append) parameter, but let's try something different this time: iptables -I INPUT 4 -j DROP
In a production environment you will probably have many firewall rules, so it may be harder to know which number to use when deleting a rule. You can type iptables -L -n --line-numbers to view all rules with their associated numbers.
If your server has multiple interfaces and you need to open ports on each one, you will need to add the -i parameter and specify the desired interface. My virtual machine has two interfaces: loopback (lo) and eth0. Let's pretend our Server hosts a web service and we need to open the HTTPS port on interface eth0 and the HTTP port on the loopback interface:
iptables -A INPUT -i lo -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
To view detailed information about the firewall rules, type iptables -L --verbose.
Let's say that you need to allow HTTP traffic from only one IP and HTTPS traffic from multiple IP addresses. We must first modify the rules created previously so that they DROP all traffic received on these two ports, and then add exceptions for the sources we want. You cannot edit a rule in place with iptables, but you can replace it with another rule by typing the following:
iptables -R INPUT 5 -i lo -p tcp --dport 80 -j DROP
iptables -R INPUT 6 -i eth0 -p tcp --dport 443 -j DROP
iptables -L -n --line-numbers --verbose
Oops, I forgot to delete the DROP-all rule, so I would simply type iptables -D INPUT 4. Now I will allow all HTTP incoming traffic originating from 192.168.0.50 through my loopback interface:
iptables -I INPUT 3 -s 192.168.0.50 -p tcp --dport 80 -i lo -j ACCEPT
I will add a rule that allows INBOUND HTTPS traffic on my eth0 interface coming from the 10.10.10.0/24 network:
iptables -R INPUT 3 -s 10.10.10.0/24 -p tcp --dport 443 -j ACCEPT -i eth0
Let's verify our results.
We can be even more specific by filtering an INCOMING packet based on both its source IP and its MAC address by loading the mac module. This is how our firewall rule would look for the 172.16.0.20 IP:
iptables -I INPUT 3 -s 172.16.0.20 -p tcp --dport 443 -i eth0 -m mac --mac-source 00:26:B9:16:E5:B0 -j ACCEPT
But what if we want to restrict a range of ports for a specific network? Then we would need to add a rule similar to:
iptables -I INPUT 6 -s 10.10.100.0/16 -p tcp --dport 60:70 -j DROP -i eth0
On the OUTPUT chain I want to allow all connections. I will add a comment to this rule by loading the comment module:
iptables -A OUTPUT -j ACCEPT -m comment --comment "Allow all outbound connections"
What's really important is to save your rules once you are finished. This way, the newly created rules are kept when the system is rebooted. You will need to type /sbin/service iptables save.
The command runs the iptables init script, which executes /sbin/iptables-save and writes the current rules to /etc/sysconfig/iptables. Note that on each reboot, the iptables init script executes /sbin/iptables-restore, which loads all rules saved in /etc/sysconfig/iptables.
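As an added example that is not part of the original article: instead of typing the rules one by one (and risking a forgotten DROP-all rule, as happened above), the same ruleset can be written in the iptables-save format that /etc/sysconfig/iptables uses and loaded in one atomic step with iptables-restore. The script below is constructed for this article and goes slightly beyond it: it uses a DROP policy on INPUT instead of a trailing DROP rule and adds an ESTABLISHED,RELATED rule so replies to the server's own connections are not dropped; interface and address values are the article's.

```shell
#!/bin/sh
# Constructed example for this article (not the author's code): emit the
# article's rules in iptables-save format and sanity-check the file before
# it is handed to /sbin/iptables-restore.

gen_rules() {
    cat <<'EOF'
*filter
# Chain policies: INPUT drops by default, so the "DROP all" rule at the
# bottom of the chain is no longer needed (and cannot be forgotten).
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the server itself opened (beyond the article).
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SSH from any location.
-A INPUT -p tcp --dport 22 -j ACCEPT
# BIND (DNS) over TCP and UDP.
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
# HTTP on the loopback interface from one address only.
-A INPUT -i lo -s 192.168.0.50 -p tcp --dport 80 -j ACCEPT
# HTTPS on eth0: one host pinned to its MAC, plus the 10.10.10.0/24 network.
-A INPUT -i eth0 -s 172.16.0.20 -p tcp --dport 443 -m mac --mac-source 00:26:B9:16:E5:B0 -j ACCEPT
-A INPUT -i eth0 -s 10.10.10.0/24 -p tcp --dport 443 -j ACCEPT
# Ports 60-70 from the /16 (iptables masks the article's 10.10.100.0/16 to this).
-A INPUT -i eth0 -s 10.10.0.0/16 -p tcp --dport 60:70 -j DROP
-A OUTPUT -m comment --comment "Allow all outbound connections" -j ACCEPT
COMMIT
EOF
}

# Minimal check before loading: the filter table must be opened and
# committed, and INPUT must not be left open by default.
check_rules() {
    grep -q '^\*filter$' "$1" || return 1
    grep -q '^COMMIT$' "$1" || return 1
    grep -q '^:INPUT DROP ' "$1" || return 1
}

# Number of INPUT rules in a saved ruleset (handy when comparing with
# iptables -L -n --line-numbers after loading).
count_input_rules() {
    grep -c '^-A INPUT ' "$1"
}

# As root: gen_rules > /etc/sysconfig/iptables && check_rules /etc/sysconfig/iptables \
#          && /sbin/iptables-restore < /etc/sysconfig/iptables
```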
That's about it for this article, folks. I know we have covered only the basics of iptables, but it should be enough for a first lesson. Iptables is a powerful firewall program that lets you create some really nice filtering rules. Wish you all the best, and stay tuned for the following articles.