Setting up a strong Linux firewall

Configuring the firewall


Once iptables is running on your system, it's time to look at configuring the firewall. The main commands you should be familiar with are listed in Table A.

Table A. Basic iptables commands

  --append or -A            Append a rule to a chain
  --delete or -D            Delete a rule from a chain
  --list or -L [chain]      List the rules in a chain, or in all chains
  --flush or -F [chain]     Delete all the rules in a chain, or in all chains


The best way to set up your firewall so that the rules are saved and run each time your system boots is to create a script you can run manually and/or have the system run at startup. The firewall script shown in Listing A will get us started.

While this is a simple firewall, it covers many of the basic commands you will need to use. Our first step is to configure the variables used by the script. This is helpful in larger scripts, where it's much easier to change a variable once than to modify every entry containing that variable, such as an IP address or an interface name. After that, we flush the rules with the $IPTABLES -F command, allowing us to start from a clean slate by wiping out any iptables rules currently loaded. Note that -F with no -t option flushes only the filter table; if the script also adds NAT rules, flush the nat table with -t nat -F as well. Flushing matters because the rules in a chain are checked in order and the first match wins. We don't want a lingering rule to deny packets we now want to accept, or vice versa.

Next, we set the default policies for the three main chains of the filter table: we deny incoming packets by default and allow outgoing and forwarded packets by default. As mentioned before, we want to open only what we need and make sure everything else is closed. We accomplish this by setting the default policy on the INPUT chain (packets addressed to the firewall itself) to DROP. Every packet that reaches the end of the chain without matching an ACCEPT rule is then discarded. Keep in mind that this also applies to replies to connections the firewall itself opens, so a rule accepting established and related connections (the state match) is needed alongside the rules for individual services.

The OUTPUT chain (packets generated by the firewall) and the FORWARD chain (packets routed through the firewall, such as NAT'd traffic from the internal network) are set to ACCEPT, as this traffic originates from the internal network. If you want iptables to enforce a policy on outbound or forwarded traffic as well, set these to DROP and explicitly allow what you need. It's also important to note that if you are allowing all traffic sourced from the internal network, it's a good idea to do some commonsense filtering. One example would be a rule that discards packets arriving on the external interface whose source address belongs to the internal network range, a sure sign of address spoofing.

To permit users to connect to the server via SSH or to allow inbound HTTP requests, we need to tell iptables to allow these packets. We do this by appending rules to a particular chain. This example from my script shows how to allow SSH (TCP port 22) on the external interface:

$IPTABLES -A INPUT -i $WAN_IFACE -p TCP --destination-port 22 -j ACCEPT

Let's break this down. The -A means append, or add, a rule to the end of the named chain (here INPUT). The -i refers to the interface on which the packet arrives. The protocol is specified with the -p option, which can be TCP, UDP, ICMP, or ALL (upper or lower case). The destination port (--destination-port, or --dport for short) depends on the service being exposed and only makes sense with TCP or UDP; SSH operates on the well-known TCP port 22. And finally, we have the target of the rule, given with -j, which in this case is ACCEPT. Other possibilities include DROP, REJECT, and user-defined chains. ACCEPT allows the packet through, and DROP silently discards it. REJECT also discards the packet, but sends an ICMP error (port unreachable by default) back to the sender, which is friendlier to legitimate clients but tells a scanner that a host is there.

The script also contains an entry that provides port forwarding. This is a means by which a service that appears to live on the external address of the firewall is actually served by an internal machine. It's especially handy when you have just one routable IP address but would like to run multiple servers. It's accomplished with a form of network address translation (NAT): a DNAT rule in the PREROUTING chain of the nat table rewrites the destination address before the routing decision, and the FORWARD chain must then accept the rewritten packet. In this instance, we are forwarding SMTP traffic on port 25 arriving on WAN_IFACE to the internal address 192.168.1.5. Thus, an SMTP server looks like it is sitting at 10.0.0.1. But in reality, that's the external address of the firewall, which forwards all requests on SMTP port 25 to the internal server at 192.168.1.5. Connection tracking reverses the translation on the reply packets, making the whole arrangement transparent to those connecting from the Internet.
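The following script ties the steps above together (flushing, default policies, the state rule, anti-spoofing, opening SSH and HTTP, and the SMTP port forward). It is an added example written for this page, not Listing A from the article. The interface names (eth0, eth1), the internal range 192.168.1.0/24 and the MASQUERADE rule for the LAN are assumptions for the example; only SMTP port 25 and the internal address 192.168.1.5 come from the text. It also follows the article's own advice and sets the FORWARD policy to DROP, allowing LAN-to-Internet traffic explicitly. Run without arguments, or as a non-root user, it only prints the rules it would load; run as root with the argument apply, it loads them.

```shell
#!/bin/sh
# Added example: a small, complete iptables firewall script.  Not Listing A
# from the article.  Interface names, the LAN range and the MASQUERADE rule
# are assumptions for this example; port 25 and 192.168.1.5 come from the text.
#
# Without "apply" (or without root) the script only prints the rules.
set -eu

WAN_IFACE="${WAN_IFACE:-eth0}"               # assumed: Internet-facing NIC
LAN_IFACE="${LAN_IFACE:-eth1}"               # assumed: internal NIC
LAN_NET="${LAN_NET:-192.168.1.0/24}"         # assumed: internal network
MAIL_SERVER="${MAIL_SERVER:-192.168.1.5}"    # internal SMTP host (from the text)

if [ "${1:-print}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    IPTABLES=/sbin/iptables
else
    IPTABLES="echo iptables"                  # dry run: print instead of load
fi

# Start from a clean slate.  -F with no -t flushes only the filter table, so
# the nat table is flushed explicitly; -X removes user-defined chains.
flush_rules() {
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -X
}

# Default policies: deny inbound and forwarded traffic unless a rule accepts it.
set_policies() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
}

# Without these, replies to connections the firewall or the LAN opened would
# hit the DROP policy on INPUT / FORWARD.  Loopback is always accepted.
allow_established() {
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Common-sense filtering: a packet arriving on the WAN interface must never
# carry a source address from the internal network.
drop_spoofed() {
    $IPTABLES -A INPUT -i "$WAN_IFACE" -s "$LAN_NET" -j DROP
    $IPTABLES -A FORWARD -i "$WAN_IFACE" -s "$LAN_NET" -j DROP
}

# Let the LAN reach the Internet through this box (masqueraded).
allow_lan_out() {
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -o "$WAN_IFACE" -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$WAN_IFACE" -j MASQUERADE
}

# allow_service PROTO PORT: open a service running on the firewall itself.
allow_service() {
    $IPTABLES -A INPUT -i "$WAN_IFACE" -p "$1" --dport "$2" -j ACCEPT
}

# port_forward PROTO PORT INTERNAL_IP: DNAT in nat/PREROUTING rewrites the
# destination before routing; a FORWARD rule must then accept the rewritten
# packet or the DROP policy discards it.  Connection tracking handles replies.
port_forward() {
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IFACE" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$2"
    $IPTABLES -A FORWARD -i "$WAN_IFACE" -p "$1" -d "$3" --dport "$2" \
        -m state --state NEW -j ACCEPT
}

apply_firewall() {
    flush_rules
    set_policies
    allow_established
    drop_spoofed
    allow_lan_out
    allow_service tcp 22                      # SSH to the firewall
    allow_service tcp 80                      # HTTP on the firewall
    port_forward tcp 25 "$MAIL_SERVER"        # SMTP to the internal server
}

apply_firewall
```

The order inside apply_firewall matters: the state and anti-spoofing rules are appended before the per-service rules, so a spoofed packet is dropped before any ACCEPT rule can match it, and the DROP policies at the end of INPUT and FORWARD catch everything the script did not explicitly allow.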

For more information on iptables configuration, check out these resources:

Summary

Linux can help administrators create a strong firewall with the powerful, kernel-based netfilter/iptables software. As I demonstrated, iptables can create general or specific packet filters to allow or deny traffic. This enables administrators to protect their servers from a wide variety of hazards, including denial-of-service attacks and intrusion attempts. As always, the best way to learn is to get your hands dirty and experiment with iptables on a test machine. This article introduced you to the basic concepts of building a strong iptables firewall. My next article will delve into some of the more advanced options that iptables has to offer.

TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.

©2001 TechRepublic, Inc.


Talkback (3 comments)

    Con Zymaris -- 09/04/02

    Great stuff! More, please.

    Anthony Rumble -- 10/04/02

    Brilliant work.. Definitely more needed!

    Anonymous -- 19/04/02

    LINUX NEWBIES: there is always the Smoothwall GPL edition, which is available at http://www.smoothwall.org ... it has everything you need built-in, except for UPS monitoring via RS-232 serial ports. It'll even allow you to flash the firmware on a USB Alcatel modem and the best part is the Web-based administration -- you even upload patches via your Web browser on your regular old desktop machine. And the installation is very easy, compared to some Linux installations (my only hitch was finding the IO address and IRQ for my NE2000 compatible ISA network card). Do yourself a favor and check out Smoothwall!
