Make your own free website on Tripod.com

IPTABLES Firewall

 

Introduction

Network security is a primary consideration in any decision to host a website as the threats are becoming more widespread and persistent every day. One means of providing additional protection is to invest in a firewall. Though prices are always falling, in some cases you may be able to create a comparable unit using the Linux iptables package on an existing server for little or no additional expenditure.

This Tutorial shows how to convert a Linux server into:

Creating an iptables firewall script requires many steps, but with the aid of the sample tutorials, you should be able to complete a configuration relatively quickly.

What Is iptables?

Originally, the most popular firewall/NAT package running on Linux was ipchains, but it had a number of shortcomings. To rectify this, the Netfilter organization decided to create a new product called iptables, giving it such improvements as:

Considered a faster and more secure alternative to ipchains, iptables has become the default firewall package installed under RedHat and Fedora Linux.

How To Start iptables

You can start, stop, and restart iptables after booting by using the commands:

[root@linux-fw tmp]# service iptables start
[root@linux-fw tmp]# service iptables stop
[root@linux-fw tmp]# service iptables restart

To get iptables configured to start at boot, use the chkconfig command:.

[root@linux-fw tmp]# chkconfig iptables on

 

Some Basic Rules

List the current iptables rules

Chain INPUT (policy ACCEPT)

target prot opt source destination

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

 
[root@linux-fw tmp]# iptables L

 

 

 

 

 

Change INPUT chain policy to DROP

Note: After this step our current connections will drop. And no further connections will be allowed.

[root@linux-fw tmp]# iptables p INPUT DROP

[root@linux-fw tmp]# iptables L

Chain INPUT (policy DROP)

target prot opt source destination

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

 
 

 

 

 

 

 


After this policy change we will not be able to connect to the box and our current connections will also drop. Use console for this configuration step.

Now make the holes for required ports one by one.

Allow all IPs to connect using SSH ( port 22) and http ( port 80 )

[root@linux-fw tmp]# iptables A INPUT p TCP dport 22 j ACCEPT

[root@linux-fw tmp]# iptables A INPUT p TCP dport 80 j ACCEPT

[root@linux-fw tmp]# iptables L

Chain INPUT (policy DROP)

target prot opt source destination

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

ACCEPT tcp -- anywhere anywhere tcp dpt:http

 

Chain FORWARD (policy ACCEPT)

target prot opt source destination

 

Chain OUTPUT (policy ACCEPT)

target prot opt source destination

 
 

 

 

 

 

 


This configuration is not permanent and will go away once system is rebooted. We can make this configuration permanent.

On Redhat Enterprise Linux box:

[root@linux-fw tmp]# /etc/init.d/iptables save

Saving firewall rules to file /etc/sysconfig/iptables