LINUX FIREWALLS
IPTABLES
by ramez.hanna
This is not a reference for IPTABLES in any way; it is just a starting point that I gathered from several other documents, with my humble knowledge and experience, and I hope it gets you started with firewall configuration. This document is far from complete and I'll be adding more as soon as I have the time.
General
Before we mention anything about firewalls I need to point out a critical point: "a firewall's power lies within its configuration", meaning that no matter how powerful the firewall application is, a weak configuration will weaken it. Also remember that security is not just a firewall. Think of a firewall as only a first line of defense; you still need to secure your applications and keep your system updated and patched against any exploits.
Mainly a firewall is used to block or allow certain traffic based upon the network's needs: it may block all incoming requests, or it may allow requests to pass through to the mail server within the local network.
The firewall in Linux sits in the kernel waiting for network traffic from the NICs and handles it as specified in the configuration file.
It works on layers 3 and 4 of the OSI network model, meaning it operates at the IP and TCP/UDP level; thus it cannot filter on the content of the packet, and hence cannot be used to check mail for viruses or block unwanted content in web pages.
How is IPTABLES configured?
The IPTABLES configuration file (/etc/sysconfig/iptables) consists of a set of rules, one rule per line.
The rules are loaded and evaluated in the order they appear in the file, so it is important to pay attention to the order of the rules. When a packet matches the criteria of a rule it is sent to that rule's target (REJECT/DROP/ACCEPT), and no later rule with the same criteria is consulted for that packet, because it has already been filtered. The exception is the LOG target: a packet that hits a LOG rule is logged and then continues down the chain, so the same criteria can be matched again by a later rule.
There are two ways of creating the rules: either by editing the config file directly or by using the iptables command. In this document I'll edit the file directly (no particular reason, it is just what I'm used to; both ways are fine, but some people prefer the command as it is more flexible).
IPTABLES has 3 tables:
- FILTER: where the filtering of the packets takes place
- NAT: packet modification such as NAT/PAT and IP masquerading
- MANGLE: for setting packet options such as type of service
THE FILTER TABLE
The filter table has 3 default chains:
- INPUT: any traffic directed to the local machine
- FORWARD: traffic routed through the local machine to another host
- OUTPUT: traffic generated by the local machine
How is a rule built?
A rule is a match criterion applied, in a certain chain, to the packets that reach the firewall machine. These match criteria define packet properties and information such as source IP, destination IP, etc.
I'll start by giving you the quick steps and some quick notes first, then I'll go through them one by one:
- Add/Insert/Delete the rule
- Define the chain
- Create your match
- Determine the action
So let's go into more detail.
"Add/Insert/Delete the rule": as mentioned before, the rules are placed in order, so you use -A to append a new rule at the end, -I to insert a rule at a certain position, and -D to delete a certain rule
-A
"Define the chain": define which chain you are dealing with
-A INPUT
"Create your match": I'll talk about this in detail later
-A INPUT some match criteria
"Determine the action": tell the firewall what to do with the packet
-A INPUT some match criteria -j ACCEPT
So how is a match built?
Generally the matches that can be defined are:
- -p : to define the protocol, which can be tcp, udp or icmp
- --sport : to define the source port of the packet
- --dport : to define the destination port of the packet
- -m state : to load the state match module, which makes --state available
- --state : to define the connection state: NEW, RELATED, ESTABLISHED or INVALID
- --syn : to match TCP packets carrying a SYN request (used with -p tcp); roughly equivalent to --state NEW for TCP
- -i : to define the incoming interface
- -o : to define the outgoing interface
Examples
-A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
The above example rule accepts new incoming POP3 requests to the local server.
-A OUTPUT -p tcp --dport 80 --syn -j ACCEPT
The above example rule accepts outgoing web requests (--syn belongs to the tcp match loaded by -p tcp, so it takes no -m).
Here is an example configuration file.
The first line determines which table we are using.
The following three lines set the default policy of each chain.
Then come the rules.
Then at the end, to apply these rules, you add COMMIT.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic
-A INPUT -i lo -j ACCEPT
-A FORWARD -i lo -j ACCEPT
# all ICMP
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A FORWARD -p icmp --icmp-type any -j ACCEPT
# IPsec: protocol 50 is ESP, protocol 51 is AH
-A INPUT -p 50 -j ACCEPT
-A FORWARD -p 50 -j ACCEPT
-A INPUT -p 51 -j ACCEPT
-A FORWARD -p 51 -j ACCEPT
# replies to connections that are already known
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# everything else is rejected; this catch-all must stay last
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
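To make the "first matching rule wins" point concrete, here is an added example (not part of the original document) that parses a small iptables-save style file modelled on the one above and walks the INPUT chain the way the kernel does. It only understands the options this document uses (-i, -p, --dport, -m state, --state, --icmp-type), the packet field names are my own convention, and it also shows what happens when the catch-all REJECT is inserted at the top instead of appended at the end.

```python
# Constructed ruleset modelled on the page's example file (iptables-save format).
RULESET = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
def parse_filter(text):
    """policies: chain -> default target; rules: ordered list of (chain, match, target)."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):            # ":INPUT ACCEPT [0:0]" sets the chain policy
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):        # "-A CHAIN <match options> -j TARGET [target opts]"
            tok = line.split()
            j = tok.index("-j")
            rules.append((tok[1], dict(zip(tok[2:j:2], tok[3:j:2])), tok[j + 1]))
    return policies, rules
FIELD = {"-i": "iface", "-p": "proto", "--dport": "dport"}   # option -> packet field

def rule_matches(match, pkt):
    """True when every match option of the rule agrees with the packet."""
    for opt, val in match.items():
        if opt == "-m" or val == "any":     # module load / wildcard: no constraint
            continue
        if opt == "--state":
            if pkt.get("state") not in val.split(","):
                return False
        elif pkt.get(FIELD[opt]) != val:    # only the options this page uses
            return False
    return True

def verdict(policies, rules, chain, pkt):
    """First matching rule in the chain decides, else the chain policy. -> (target, rule no.)"""
    for n, (_, match, target) in enumerate([r for r in rules if r[0] == chain], 1):
        if rule_matches(match, pkt):
            return target, n
    return policies[chain], 0

POLICIES, RULES = parse_filter(RULESET)
# Same rules with the catch-all REJECT first, as "-I INPUT -j REJECT" would place it.
SHADOWED = [RULES[-1]] + RULES[:-1]
# Constructed sample packets; port numbers are strings, as they appear in the rules.
POP_SYN = {"iface": "eth0", "proto": "tcp", "dport": "110", "state": "NEW"}
REPLY = {"iface": "eth0", "proto": "tcp", "dport": "54321", "state": "ESTABLISHED"}
```

With the rules in file order, POP_SYN is accepted by rule 3 and REPLY by rule 4, while a new connection to any other port falls through to the REJECT in rule 5; with the REJECT moved to the top every packet hits rule 1 and the rest of the chain is dead.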