More about Linux Firewall


A firewall is a system that filters the network packets passing through it. Simply put, a firewall blocks incoming or outgoing packets that could harm network resources. A packet filter generally matches packets on:

  • source and/or destination IP address
  • source and/or destination port
  • network interface on which packets are received
A firewall can filter packets in three situations, as follows:
  • when it receives packets
  • when it sends packets
  • when it routes packets to other destinations
In Linux, these three situations map to three separate chains of the filter table: INPUT (packets addressed to this host), OUTPUT (packets generated by this host) and FORWARD (packets routed through this host to another destination). The most common firewall tool on a Linux machine is iptables, which comes built in on CentOS systems.
You can list the chains and their rules with iptables -L (add -n to skip the DNS lookups of the addresses shown).
A rule's action, called its target, decides whether a matching packet is accepted or dropped. Each chain also has a default policy, shown in the header line of each chain in the iptables -L output (for example "Chain INPUT (policy ACCEPT)"); out of the box every chain ACCEPTs packets. You change the policy of a chain with the following command:
iptables -P INPUT DROP
This makes DROP the default for the INPUT chain: any incoming packet that matches no rule is silently discarded. On a machine you administer remotely, add your ACCEPT rules (at least for SSH and for already established connections) before changing the policy, or you will lock yourself out.
To block all incoming packets from a certain host, append a rule that matches its source address with -s:
iptables -A INPUT -s 10.10.1.5 -j DROP
All incoming packets from that host will be dropped.
Now let's say you want to block only SMTP (port 25) from this host. A port belongs to a transport protocol, so the rule must name one with -p:
iptables -A INPUT -s 10.10.1.5 -p tcp --destination-port 25 -j DROP
(--dport is the usual shorthand for --destination-port.)
For testing purposes, let's also add a rule that blocks all traffic from the 192.168.1.0/24 network, and rules that block port 53 for both UDP and TCP from the 10.20.0.0/16 network. Two details matter here: a rule without a -j target matches but does nothing except count packets, and a port match needs a single protocol (-p all cannot be combined with --dport), so this takes three rules:
iptables -A INPUT -s 192.168.1.0/24 -j DROP
iptables -A INPUT -s 10.20.0.0/16 -p tcp --dport 53 -j DROP
iptables -A INPUT -s 10.20.0.0/16 -p udp --dport 53 -j DROP
You can also restrict a rule to a specific destination address with -d, for example to stop one host from reaching SSH on one particular server:
iptables -A INPUT -s 172.16.5.10 -d 10.10.5.8 -p tcp --dport 22 -j DROP
You can check the resulting INPUT chain with iptables -nL INPUT.
Note that the kernel reads each chain from top to bottom and stops at the first rule that matches the packet and has a terminal target (ACCEPT, DROP or REJECT); non-terminal targets such as LOG record the packet and let evaluation continue. If no rule matches, the chain's policy decides. So put specific rules before broad ones, and make sure the end of each chain blocks whatever is not explicitly trusted: either set the policy to DROP, as suggested above, or finish the chain with an explicit DROP rule, which has the small advantage that iptables -nvL then shows a counter of how much traffic it discarded. Either way, only traffic you have explicitly allowed gets through.
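As an added example (not part of the original post), here is a complete ruleset in iptables-restore format that applies this advice without locking out an administrator: the accepts for loopback, established connections and management SSH come first, the blocks from this post follow, and the INPUT policy is DROP. The management host address 10.10.1.2 and SSH on TCP port 22 are assumptions, not taken from the page; the function names and the --apply switch are mine.

```shell
#!/bin/sh
# Added example (not from the original post): build a complete filter-table
# ruleset in iptables-restore format, so the DROP policy and the ACCEPT rules
# are loaded atomically in one step instead of one iptables call at a time.
# Assumed (not from the page): management host 10.10.1.2, SSH on TCP 22.

# Print the ruleset to stdout. Rule order matters: the kernel walks each chain
# top to bottom and stops at the first terminal target (ACCEPT/DROP/REJECT).
build_ruleset() {
    cat <<'EOF'
*filter
# Default policies: drop anything no rule explicitly accepts.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Loopback must stay open or local services break.
-A INPUT -i lo -j ACCEPT
# 2. Replies to connections this host opened, and related traffic.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. The explicit blocks from the post, placed before any broad ACCEPT.
-A INPUT -s 10.10.1.5 -p tcp --dport 25 -j DROP
-A INPUT -s 192.168.1.0/24 -j DROP
-A INPUT -s 10.20.0.0/16 -p tcp --dport 53 -j DROP
-A INPUT -s 10.20.0.0/16 -p udp --dport 53 -j DROP
-A INPUT -s 172.16.5.10 -d 10.10.5.8 -p tcp --dport 22 -j DROP
# 4. Management SSH only from the admin host (assumed address).
-A INPUT -s 10.10.1.2 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# 5. Log what is left, then fall through to the chain policy (LOG is non-terminal).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
COMMIT
EOF
}

# Sanity checks worth running before loading: the INPUT policy is DROP, and
# the loopback/conntrack accepts come before the first DROP rule.
check_ruleset() {
    rules=$(build_ruleset | grep -v '^#')
    echo "$rules" | grep -q '^:INPUT DROP' || return 1
    first_accept=$(echo "$rules" | grep -n -- '-j ACCEPT' | head -1 | cut -d: -f1)
    first_drop=$(echo "$rules" | grep -n -- '-j DROP' | head -1 | cut -d: -f1)
    [ "$first_accept" -lt "$first_drop" ]
}

# Load the ruleset only when explicitly asked (needs root); otherwise just print it.
if [ "${1:-}" = "--apply" ]; then
    check_ruleset || { echo "ruleset failed sanity check" >&2; exit 1; }
    build_ruleset | iptables-restore
else
    build_ruleset
fi
```

Run without arguments to review the generated ruleset; run as root with --apply to load it. Loading through iptables-restore replaces the whole table in one atomic step, and the same format is what CentOS keeps in /etc/sysconfig/iptables to restore the rules at boot.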
To delete a rule by its position, type iptables -D INPUT rule_number; you can also delete it by repeating its exact specification, for example iptables -D INPUT -s 10.10.1.5 -j DROP.
To insert a rule at the top of a chain (position 1) type: iptables -I INPUT -s 10.20.0.0/16 -j ACCEPT
You can also give an explicit insertion position: iptables -I INPUT 3 -s 10.20.0.0/16 -j ACCEPT

It may get tricky to edit firewall rules if you have many entries in each chain, which is why you should use iptables -nL --line-numbers to list them. This command prints the position of each rule at the beginning of its line, which makes it easier to delete rules or insert new ones at the right place:

I'll delete rules 6, 7 and 8. The chain is renumbered after every deletion (once rule 6 is gone, the old rule 7 becomes rule 6), so the numbers have to be deleted highest first:

for i in 8 7 6; do iptables -D INPUT $i; done
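Added example, not from the original post: a small script that shows the renumbering trap on a constructed ten-rule list and provides a deletion helper that always works from the highest number down. The labels rule1 to rule10 are constructed stand-ins for real chain output, the function names are mine, and the helper only prints the iptables commands unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example (not from the original post): delete several rules by number
# without hitting the renumbering trap. iptables renumbers a chain as soon as a
# rule is removed, so deleting 6, 7, 8 in ascending order actually removes the
# original rules 6, 8 and 10. Deleting in descending order removes 6, 7 and 8.

# Apply deletions to a newline-separated rule list (a stand-in for the output of
# "iptables -nL INPUT --line-numbers") and print what survives. Each step removes
# line $n of the *current* list, exactly as "iptables -D CHAIN n" does.
simulate_delete() {
    rules=$1; shift
    for n in "$@"; do
        rules=$(printf '%s\n' "$rules" | sed "${n}d")
    done
    printf '%s\n' "$rules"
}

# Print (dry run, the default) or execute "iptables -D CHAIN n" for the given
# rule numbers, highest first, so earlier deletions never shift later targets.
delete_rules_descending() {
    chain=$1; shift
    for n in $(printf '%s\n' "$@" | sort -nr); do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "iptables -D $chain $n"
        else
            iptables -D "$chain" "$n"
        fi
    done
}

# Constructed ten-rule chain (labels only, not real iptables output).
CHAIN=$(printf 'rule%s\n' 1 2 3 4 5 6 7 8 9 10)

echo "ascending 6 7 8 leaves:";  simulate_delete "$CHAIN" 6 7 8   # rule6, rule8, rule10 gone
echo "descending 8 7 6 leaves:"; simulate_delete "$CHAIN" 8 7 6   # rule6, rule7, rule8 gone
echo "commands the helper would run:"; delete_rules_descending INPUT 6 7 8

# Safer still when you know the rule: delete by specification and skip numbers,
# e.g.  iptables -D INPUT -s 192.168.1.0/24 -j DROP
```

The simulation makes the failure mode visible before you touch a live chain; on a real system, list the chain again after the deletions rather than trusting the numbers you started with.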

We have discussed filtering on source and destination IP addresses and on source and destination port numbers, but iptables offers many more matches and targets (incoming interface, connection state, rate limits and logging, among others). I recommend reading the program's man page; you will discover more features that can be very helpful.