Welcome back to the second part of the discussion about IPtables; if you missed the first part you can find it here. As mentioned previously, I plan to get into some basic usage and hands-on practice. A few notes before we get started. Firstly: the majority of iptables commands require root (administrative) access from the CLI. Secondly: for these demonstrations we will be erasing all existing entries.
I highly recommend that these be practised on a home machine where you have admin rights and aren't relying on IPtables as your active firewall, since deleting the configuration leaves the computer open to attack until the new rules are in place. Under no circumstances should this be practised on a live production network (i.e. at work). Neither I nor GBServers will be held responsible for any damage caused by ignoring these suggestions. I'd go as far as suggesting that you unplug the computer from the internet; you can practise against other computers on your home network, and you don't need an internet connection for any of this.
Also be aware that while Linux distros are more or less the same, there can be differences in how services such as IPtables are started. If you have read the first article you will hopefully have IPtables installed and know how to turn it on and off. With that said, let's get started.
The first thing you'll want to do is verify whether the firewall is installed. The easiest way is to open a console/terminal window and type iptables --help (or iptables -h) at the prompt. If it is installed you should see output similar to the following:
Note: the # symbol represents the (root) command prompt. It shouldn't be typed in unless otherwise stated.
# iptables --help
iptables v1.2.9

Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
<…>
Once it's verified as installed, a useful switch is -L, which lists the current rules in each chain (if any):
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  neo                  anywhere            MAC 00:50:56:c0:00:08
DROP       all  --  smith                anywhere
ACCEPT     all  --  trinity              anywhere            MAC 00:50:56:c0:00:01
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  ict                  anywhere            state NEW tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
If for some reason iptables doesn't appear to be working, you can check whether the kernel modules are loaded with the following command:
# lsmod | grep ip
You should get some form of output such as:
ipt_mac                 2691  1
ip_tables              28644  3 ipt_mac,ipt_state,iptable_filter
The modules listed correspond to what the ruleset uses: ipt_mac for the MAC-address rules, ipt_state for the state match and iptable_filter for the filter table. One caveat: on most kernels these modules are loaded automatically the first time iptables needs them, so an empty list before you have added any rules is not by itself a sign that something is wrong.
Hopefully you have IPtables installed and verified it’s active. For this initial example we will start by writing a basic rule set, which will act as a useful stateful packet inspection firewall.
At a prompt, type in:
# iptables -F
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
You can view the newly created rules with iptables -L as mentioned; adding -v (iptables -L -v) also shows the packet counters and the in/out interface columns seen in the listing below:
# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
That wasn't too difficult, was it :-). We now have a very simple SPI firewall. The rules you typed permit all outgoing traffic, and the replies to it, while dropping every unsolicited incoming packet (other than on the loopback interface) and all forwarded traffic. One caveat before moving on: because no rule accepts NEW connections, nothing on this host is reachable from other machines, SSH included, and the policies take effect the instant you type them. Doing this over a remote login will lock you out, which is another reason to practise on a machine in front of you.
To help you understand the commands entered, I will briefly explain them:
– [iptables -F]: the -F (flush) switch deletes every rule in every chain of the filter table, which is the default table, so that you start from scratch and no leftover rule conflicts with what follows. It does not reset the chain policies, which is why the next three lines set them explicitly.
– [iptables -P INPUT DROP]: -P sets a chain's default policy (chain and target names are case-sensitive, so write INPUT and DROP in capitals). Here the INPUT chain defaults to DROP. In English this means that if a packet arriving at this host does not match any rule in the chain, it is silently discarded.
– [iptables -P FORWARD DROP]: as above, we've set a default policy, this time that packets the kernel would forward from one interface to another are discarded. Since we haven't set the system up to act as a router, there is no need to forward any traffic.
– [iptables -P OUTPUT ACCEPT]: again a default policy. Any traffic leaving our computer is allowed through unless a rule says otherwise. This is a trust decision: it assumes the software running on the host is benign. Filtering OUTPUT as well is what you would add if you wanted to limit where a compromised process can connect to.
Now that we have set our defaults, the last two lines add slightly more specific filtering.
– [iptables -A INPUT -i lo -j ACCEPT]: -A appends the rule to the end of the named chain, in this case INPUT. -i (lowercase; uppercase -I means insert) matches the interface a packet arrived on, here lo, better known as the loopback interface (127.0.0.1). -j names the target to jump to when the rule matches, here ACCEPT. In plain English this line accepts any packet that arrives on the loopback interface, which local services talking to each other depend on.
– [iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT]: this line is really the meat and potatoes of the firewall. As before we are appending (-A) to INPUT. -m loads a match extension, here state, which consults the kernel's connection tracking. The rule accepts packets that belong to a connection this host already has open (ESTABLISHED) or that are associated with one, such as an ICMP error for an existing connection or the data channel of an FTP session (RELATED). A packet that would start a new connection (NEW) matches neither, falls off the end of the chain and is dropped by the policy. If you were to add NEW to this line as well, every inbound connection attempt on every port would be accepted, which defeats the purpose of the firewall, hence it's not included. If you do want to expose a service, give it its own rule restricted to that protocol and port; the ssh rule in the earlier listing is an example of that.
The final thing to do is save the rules we just entered, so that you don't have to retype them after a reboot. On my system that is:
# /sbin/service iptables save
Note: Linux distributions vary here. The command above is specific to Red Hat-style systems, where it writes the live ruleset to /etc/sysconfig/iptables. On other distributions the equivalent is the iptables-save tool, which prints the ruleset in a text form that iptables-restore can load again at boot; check your distro's documentation for where it expects that file to live.
Finally, what I typically do is put the rules in a simple bash script, so that the firewall can be loaded by typing a single command. To do that, open an editor (vi or nano is usually installed on Linux; I personally like nano) and paste in the script:
#!/bin/bash
#
# iptables SPI firewall
#
# Flush all current rules from the filter table
#
iptables -F
#
# Set default policies (INPUT, FORWARD, OUTPUT)
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Permit all traffic on the loopback interface (127.0.0.1)
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established or related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Lines that start with # are comments, so you can add your own notes. The exception is the first line, "#!/bin/bash", which tells the system to run the file with bash.
Next, save the file, for example as myfirstfirewall.sh. Once out of the editor, make the script executable by typing: chmod +x myfirstfirewall.sh (or whatever name you chose).
Finally, run the script as root from a command prompt by typing: ./myfirstfirewall.sh, then confirm with iptables -L that the chains look like the listing above.
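As an added example (my own code, not part of the original article or anything from GBServers), here is the same ruleset written in the text format that iptables-save produces and iptables-restore loads, which is also what the save step above writes to disk. It serves the explanation of the six rules, the saving step and the script in one file. Two things are this example's own choices beyond the article's ruleset: a rule dropping packets that connection tracking classifies as INVALID, and a rate-limited LOG rule so you can see what the DROP policy is catching. The function names gen_ruleset and check_policies, the --apply flag, the log prefix and the 192.168.1.0/24 admin subnet used for the optional SSH rule are all assumptions of this example.

```bash
#!/bin/bash
# Added example, not from the original article or GBServers: the article's SPI
# ruleset in iptables-save/iptables-restore text format, so the whole filter
# table is swapped in one atomic operation instead of rule by rule. The function
# names, the --apply flag, the admin subnet in the examples and the log prefix
# are this example's own choices.

# gen_ruleset [ADMIN_CIDR]
# Print the ruleset in iptables-restore format. If ADMIN_CIDR is given, hosts
# in that subnet may open new SSH connections; otherwise no inbound service is
# reachable, exactly as in the article's ruleset.
gen_ruleset() {
    local admin_net="$1"
    # Policies first: INPUT and FORWARD drop by default, OUTPUT accepts.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Optional: one NEW rule, limited to a single port and source subnet, is how
    # a service gets exposed without adding NEW to the catch-all rule above.
    if [ -n "$admin_net" ]; then
        printf '%s\n' "-A INPUT -p tcp -s $admin_net --dport 22 -m state --state NEW -j ACCEPT"
    fi
    # Log what falls through to the DROP policy, rate-limited so a flood of
    # unsolicited packets cannot fill the log.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables drop: "'
    printf '%s\n' 'COMMIT'
}

# check_policies < RULESET
# Read a ruleset in iptables-save format on stdin (from gen_ruleset, or from
# the live system via iptables-save) and succeed only if INPUT and FORWARD
# default to DROP and OUTPUT to ACCEPT.
check_policies() {
    local rules
    rules="$(cat)"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP ' &&
        printf '%s\n' "$rules" | grep -q '^:FORWARD DROP ' &&
        printf '%s\n' "$rules" | grep -q '^:OUTPUT ACCEPT '
}

# Usage (as root):  ./spi-firewall.sh --apply [ADMIN_CIDR]
# Loading only happens with --apply, so sourcing this file just defines the
# functions. iptables-restore replaces the filter table in one step, so there
# is no moment where the DROP policy is in force with no ACCEPT rules yet.
if [ "$1" = "--apply" ]; then
    gen_ruleset "$2" | iptables-restore
    iptables-save | check_policies || echo "warning: policies not as expected" >&2
fi
```

Before loading it for real you can check that the text parses with iptables-restore --test, and after loading, iptables-save | check_policies confirms the three policies took. The ruleset only touches the filter table, just as the article's iptables -F does. On current iptables the same match can also be written -m conntrack --ctstate; -m state --state still works and is kept here to match the article.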
I hope you have enjoyed this entry and will come back to read the next one.