RHEL6 – Simple Iptables How To

Your mother and I were talking last night about how important it is to properly configure Iptables, and how, despite that fact, many just choose to disable it. So today we are going to discuss iptables.

Overview:

By far the easiest way to set up a simple firewall using Iptables is to use system-config-firewall or system-config-firewall-tui. I prefer this method, as iptables can be a bit confusing on the command line, and its config file (/etc/sysconfig/iptables) is not exactly user friendly. At the very least you can create a basic set of rules and then customize them by hand. Let's take a look at the file in its default form on my RHEL 6 box.

But before we do that, let's review a couple of terms that we need to know.

  1. INPUT – inbound packets
  2. OUTPUT – outbound packets
  3. FORWARD – packets from another machine that the firewall should forward (for example, to a VM on the host)
  4. ACCEPT – the packet is accepted
  5. DROP – the packet is dropped as if it never existed
  6. REJECT – the packet is rejected and an error message is returned to the sender
  7. RULE – the basic building block; tells the firewall what to do with a packet
  8. CHAIN – a list of rules which will be checked in order from first to last
  9. POLICY – the default action, like accept, drop, reject, forward

Now that you have memorized the list above, here is my /etc/sysconfig/iptables.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Now let's run system-config-firewall-tui and enable Apache and FTP, plus we want to configure our box to respond to ICMP ping requests. This process is pretty self-explanatory once you start.

Once that is done, let's view /etc/sysconfig/iptables again.

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type echo-reply -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
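Because a chain is checked from first to last, the position of a rule in the file above decides what happens to a packet: the echo-request rule sits in front of the generic ICMP ACCEPT, so it is the one that decides for pings. The small first-match simulator below is an added example, not code from the original post: it parses a fragment in the /etc/sysconfig/iptables (iptables-save) format, embedded inline as a constructed sample, and returns the verdict a described packet would get. It understands only the options used on this page (-p, -i, -s, --state, --dport, --icmp-type, -j); the packet description is a plain dict with those keys.

```python
import ipaddress
import shlex
# Constructed sample in iptables-save format, condensed from the second
# /etc/sysconfig/iptables on this page (FORWARD/OUTPUT chains and the lo rule left out).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""
# Option -> rule key; "-m" (module load) and "--reject-with" carry no match criterion.
OPTS = {"-p": "proto", "-i": "iface", "-s": "src", "--state": "state",
        "--dport": "dport", "--icmp-type": "icmp_type", "-j": "target"}

def parse_rules(text):
    """Return (chain -> default policy, rules in file order) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):                       # ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rule = {"chain": tok[1]}
            for i, t in enumerate(tok[2:-1], start=2):  # every option takes one value
                if t in OPTS:
                    rule[OPTS[t]] = tok[i + 1]
            rules.append(rule)
    return policies, rules

def matches(rule, pkt):
    """Every criterion the rule carries must hold for the packet (-s may be a subnet)."""
    if any(k in rule and rule[k] != str(pkt.get(k, "")) for k in ("proto", "iface", "dport", "icmp_type")):
        return False
    if "state" in rule and pkt.get("state") not in rule["state"].split(","):
        return False
    return "src" not in rule or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["src"], strict=False)

def verdict(text, chain, pkt):
    """Walk the chain top to bottom: the first matching rule decides, else the chain policy."""
    policies, rules = parse_rules(text)
    for rule in rules:
        if rule["chain"] == chain and matches(rule, pkt):
            return rule["target"]
    return policies[chain]
```

Feeding it the sample shows an inbound echo-request ending at REJECT while any other ICMP type reaches the generic ACCEPT; the same function works on a fragment using the -s examples from later in this post.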

Iptables Command:

The iptables command can be used in several different ways.

List the current rules in use, similar to viewing the /etc/sysconfig/iptables file.

#iptables -L

To set a default policy use iptables -P; in the example below we are setting the default INPUT policy to DROP.

#iptables -P INPUT DROP

Now let's say we want to delete (flush) all our existing rules; note that I said rules, not policy.

#iptables -F

To add a rule use iptables -A. For example, let's say you have a default INPUT policy of DROP but we want to accept all established and related packets. Note that -m must be used when adding rules to a chain, as it forces modprobe to load any necessary modules.

#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Now let's say that we want to reject all packets from 192.168.10.10. Note that -j specifies the action the rule is to take; in the case below, REJECT.

#iptables -A INPUT -s 192.168.10.10 -j REJECT

Now let's say we want to ACCEPT all ICMP traffic from our local subnet. The -p option specifies the protocol.

#iptables -A INPUT -p ICMP -s 192.168.1.0/24 -j ACCEPT

Please note that under RHEL you can use the following command to save the running firewall rules. Make sure that you do this before you restart iptables.

#service iptables save