IPTABLES Firewall


Introduction

Network security is a primary consideration in any decision to host a website as the threats are becoming more widespread and persistent every day. One means of providing additional protection is to invest in a firewall. Though prices are always falling, in some cases you may be able to create a comparable unit using the Linux iptables package on an existing server for little or no additional expenditure.

This tutorial shows how to convert a Linux server into:

Creating an iptables firewall script requires many steps, but with the aid of the sample tutorials, you should be able to complete a configuration relatively quickly.

What Is iptables?

Originally, the most popular firewall/NAT package running on Linux was ipchains, but it had a number of shortcomings. To rectify this, the Netfilter organization decided to create a new product called iptables, giving it such improvements as:

Considered a faster and more secure alternative to ipchains, iptables has become the default firewall package installed under Red Hat and Fedora Linux.

How To Start iptables

You can start, stop, and restart iptables after booting by using the commands:

[root@linux-fw tmp]# service iptables start
[root@linux-fw tmp]# service iptables stop
[root@linux-fw tmp]# service iptables restart

To get iptables configured to start at boot, use the chkconfig command:

[root@linux-fw tmp]# chkconfig iptables on


Some Basic Rules

List the current iptables rules:

[root@linux-fw tmp]# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Change the INPUT chain policy to DROP

Note: after this step our current connections will drop, and no further connections will be allowed.

[root@linux-fw tmp]# iptables -P INPUT DROP

[root@linux-fw tmp]# iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

After this policy change we will not be able to connect to the box, and our current connections will also drop. Use the console for this configuration step.

Now make the holes for the required ports one by one.

Allow all IPs to connect using SSH (port 22) and HTTP (port 80):

[root@linux-fw tmp]# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

[root@linux-fw tmp]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

[root@linux-fw tmp]# iptables -L

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
This configuration is not permanent and will go away once the system is rebooted. We can make it permanent.

On a Red Hat Enterprise Linux box:

[root@linux-fw tmp]#  /etc/init.d/iptables save

Saving firewall rules to file /etc/sysconfig/iptables
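The steps above (set the INPUT policy to DROP, open the required ports, save the rules) can be collected into one re-runnable script. The following is an added example, not code from the tutorial: it generates the same kind of INPUT-chain rules for ports 22 and 80, but orders them so that the rules for loopback and already-established connections are loaded before the policy is switched to DROP, which keeps the session applying the script alive. The loopback and ESTABLISHED,RELATED rules, the PORTS and DRY_RUN variables, and the build/apply split are assumptions of this example; the save command is the one shown above.

```shell
#!/bin/sh
# Added example (not from the tutorial): build the INPUT-chain ruleset the
# tutorial walks through, ordered so the session applying it is not cut off.
# Ports 22 and 80 come from the tutorial; everything else is an assumption.

# Print the iptables commands for the given TCP ports, one per line.
# Loopback and established-connection rules go in before the policy is
# switched to DROP, so the console/SSH session used to apply them survives.
build_rules() {
    echo "iptables -F INPUT"                  # start from an empty INPUT chain
    echo "iptables -P INPUT ACCEPT"           # safe default while rules load
    echo "iptables -A INPUT -i lo -j ACCEPT"  # local services talking to themselves
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -P INPUT DROP"             # close everything else, last
}

# Number of commands build_rules emits for the given ports.
rule_count() {
    build_rules "$@" | wc -l | tr -d ' '
}

# Run the generated commands for real, then persist them the RHEL way
# (/etc/init.d/iptables save, as in the tutorial). Requires root.
apply_rules() {
    build_rules "$@" | while IFS= read -r cmd; do
        sh -c "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done || return 1
    if [ -x /etc/init.d/iptables ]; then
        /etc/init.d/iptables save
    fi
}

# Default is a dry run that only prints the commands; set DRY_RUN=0 as root
# to apply them. PORTS is an assumed variable holding the TCP ports to open.
PORTS="${PORTS:-22 80}"
if [ "${DRY_RUN:-1}" = "1" ]; then
    build_rules $PORTS
else
    apply_rules $PORTS
fi
```

Running the script with no variables set prints the seven commands it would execute; `DRY_RUN=0 sh script.sh` as root applies them and saves the ruleset. Because the first two commands flush the chain and reset the policy to ACCEPT, the script can be re-run after editing PORTS without leaving stale rules behind.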