Q. Do you really need a firewall ? Why would anyone want to attack or send malicious packets to my computer?
A. Any computer connected to the internet is a potential target for a scan of the services that it offers and malicious intrusion attempts to gain access. With a successful intrusion the attacker might alter the services offered to cause a disruption in your network or use your computer as a host for attacking other computers. All unauthorized and unsolicited activity involving your server is bad. And hence you need a well configured firewall moderate the communication or packets that your system deals with.
Firewall(noun) – Any wall or partition designed to inhibit and prevent the spread of fire. In the case of networks, firewall discards or rejects unsolicited IP packets to prevent intrusion that is, keep the fire out of your networked machine. The Linux implementation of a Firewall is the iptables program.
Iptables is a powerful and versatile tool designed to accept,reject or simply discard any IP packets based on a set of rules. iptables works on the layer 3 of the OSI stack also called the networking layer. iptables can also perform Network Address Translation or NAT.
iptables works based on a 4 default tables, the filter table, the NAT table, the mangle table and the raw table. Each of these tables consists of different chains. The chains contain rules. Each rule has a classifier and a target.
The classifier helps in identifying the packet and the target decides what happens to the packet. List of valid targets include :
As we can see from this list, iptables is very versatile in packet handling. We will only focus on packet filtering as the other roles of iptables like NAT and packet classification is beyond the scope of a single article. We may discuss NAT in a future article.
As a packet filter the main targets that we will be dealing with are :
|ACCEPT – Accepts the packetREJECT – Rejects the packet, intimating the sender of rejectionDROP – Quietly discards the packetLOG – Creates a log with various log level
We will also be dealing with the Filter table, which contains 3 chain by default.
INPUT: This chain deals with packets coming in from the internet meant for the computer
FORWARD : This chain deals with packets originating from the internet and is meant for some other host in the internet
OUTPUT: This chain deals with packets originating from the host to the internet.
Lets start with installing the iptables package and configuring it.
Aptitude based distro(ubuntu, debian, etc.):
apt-get install iptables
For a RPM based distro (fedora, red hat, etc.):
yum install iptables
Listing the current rules
Flushing or deleting rules
Flushing or deleting all rules
Flushing or deleting all rules in a particular chain
iptables -F INPUT
Setting Default rule for a chain
Default rule applies when a chain is traversed and no particular rule applies
To drop all packets that we receive and is not meant for us, stop forwarding packets
iptables -P FORWARD DROP
To allow all outgoing connections
iptables -P OUTPUT ACCEPT
Appending or Inserting new rules
iptables looks for a matching rule at the beginning of the chain and applies the first matching rule it finds. If you have a working iptables rule chain and you append a rule to allow a packet, it might not work. As there may be an earlier rule that drops or rejects the packet. I have found it better to insert the accept rules and append the drop or reject rules.
Insert a rule into the beginning of the chain :
iptables -I INPUT 1 -i lo -j ACCEPT
Breaking down the options:
-I INPUT 1 : Insert rule into the INPUT chain at position 1
-i lo : Interface lo, that is the loopback or 127.0.0.1
-j ACCEPT : Apply target ACCEPT
Append another rule into the INPUT chain :
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP
-A INPUT : Append to the input chain
! -i lo : Not received at the the loopback port
-d 127.0.0.1/8 : With the destination IP and netmask of 127.0.0.1/8
-j DROP : Apply target DROP
Create a rule that ensures established connections are not affected by these rules
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-m state : using the module state
–state ESTABLISHED,RELATED : This option is possible only if the state module is used. This identifies already established connections.
-j ACCEPT : applies the ACCEPT target to already established connections
Open up specific ports
Open up ports for the services that the host offers. Ensure that the service being offered is properly configured and sufficiently secure before opening the port.
For a web server listening on port 80 :
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
here -p tcp specifies the TCP protocol
–dport 80 identifies packets destined for port 80.
Allowing ICMP packets :
iptables -A INPUT -p icmp -j ACCEPT
if you just want to allow ping look into using -m icmp option to select the icmp module and select only the ping messages with –icmp-type 8
Other ports may be opened based on the services being offered like ssh, etc.
Finally REJECT all other inbound traffic
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
Once the rules are created they are followed until a system reboot. Upon reboot the default rules are applied. So to make our rules permanent we need to save them and restore them on reboot.
Saving iptables rules
We can save iptables rules with the iptables-save command. This outputs to console the current rules. We may redirect it to any file and restore the rules from the same file.
iptables-save > /etc/iptables.persistant.rules
Here i am saving the rules to /etc/iptables.persistant.rules
Create a executable script with any name in /etc/network/if-post-down.d/ with the iptables-save command to automatically save the rules
Restoring iptables rules from a file
We can restore the rules that we have saved using the iptables-save command using iptables-restore command.
iptables-restore < /etc/iptables.persistant.rules
Create an executable script with any name in /etc/network/if-pre-up.d/ with the iptables-restore to automatically restore the rules at start-up
We have covered the basics of how to setup and run a firewall using iptables to secure our Linux systems. You can read more about the iptables in the iptables man pages.
Stay Smart and Stay Safe.