Introduction to firewall and iptables

Q. Do you really need a firewall ? Why would anyone want to attack or send malicious packets to my computer?

A. Any computer connected to the internet is a potential target for a scan of the services that it offers and malicious intrusion attempts to gain access. With a successful intrusion the attacker might alter the services offered to cause a disruption in your network or use your computer as a host for attacking other computers. All unauthorized and unsolicited activity involving your server is bad. And hence you need a well configured firewall moderate the communication or packets that your system deals with.

Firewall(noun) – Any wall or partition designed to inhibit and prevent the spread of fire. In the case of networks, firewall discards or rejects unsolicited IP packets to prevent intrusion that is, keep the fire out of your networked machine. The Linux implementation of a Firewall is the iptables program.

Iptables is a powerful and versatile tool designed to accept,reject or simply discard any IP packets based on a set of rules. iptables works on the layer 3 of the OSI stack also called the networking layer. iptables can also perform Network Address Translation or NAT.

iptables works based on a 4 default tables, the filter table, the NAT table, the mangle table and the raw table. Each of these tables consists of different chains. The chains contain rules. Each rule has a classifier and a target.

The classifier helps in identifying the packet and the target decides what happens to the packet. List of valid targets include :

ACCEPT
REJECT
DROP
RETURN
LOG
ULOG
REDIRECT
CLASSIFY
DSCP
MARK
MIRROR
NETMAP
NFQUEUE
QUEUE
SAME
SECMARK
TOS
CONMARK
CONSEC
MARK
NOTRACK
ECN
MASQUERADE
TTL
SNAT
DNAT

As we can see from this list, iptables is very versatile in packet handling. We will only focus on packet filtering as the other roles of iptables like NAT and packet classification is beyond the scope of a single article. We may discuss NAT in a future article.

As a packet filter the main targets that we will be dealing with are :

ACCEPT – Accepts the packetREJECT – Rejects the packet, intimating the sender of rejectionDROP – Quietly discards the packetLOG – Creates a log with various log level

We will also be dealing with the Filter table, which contains 3 chain by default.

INPUTFORWARDOUTPUT

INPUT: This chain deals with packets coming in from the internet meant for the computer
FORWARD : This chain deals with packets originating from the internet and is meant for some other host in the internet
OUTPUT: This chain deals with packets originating from the host to the internet.

Lets start with installing the iptables package and configuring it.

Installing iptables

Aptitude based distro(ubuntu, debian, etc.):

apt-get install iptables

For a RPM based distro (fedora, red hat, etc.):

yum install iptables

Listing the current rules

iptables -L

Flushing or deleting rules

Flushing or deleting all rules

iptables -F

Flushing or deleting all rules in a particular chain

iptables -F INPUT

Setting Default rule for a chain

Default rule applies when a chain is traversed and no particular rule applies

To drop all packets that we receive and is not meant for us, stop forwarding packets

iptables -P FORWARD DROP

To allow all outgoing connections

iptables -P OUTPUT ACCEPT

Appending or Inserting new rules

iptables looks for a matching rule at the beginning of the chain and applies the first matching rule it finds. If you have a working iptables rule chain and you append a rule to allow a packet, it might not work. As there may be an earlier rule that drops or rejects the packet. I have found it better to insert the accept rules and append the drop or reject rules.

Insert a rule into the beginning of the chain :

iptables -I INPUT 1 -i lo -j ACCEPT

Breaking down the options:

-I INPUT 1 : Insert rule into the INPUT chain at position 1

-i lo : Interface lo, that is the loopback or 127.0.0.1

-j ACCEPT : Apply target ACCEPT

Append another rule into the INPUT chain :

iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j DROP

-A INPUT : Append to the input chain

! -i lo : Not received at the the loopback port

-d 127.0.0.1/8 : With the destination IP and netmask of 127.0.0.1/8

-j DROP : Apply target DROP

Create a rule that ensures established connections are not affected by these rules

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-m state : using the module state

–state ESTABLISHED,RELATED : This option is possible only if the state module is used. This identifies already established connections.

-j ACCEPT : applies the ACCEPT target to already established connections

Open up specific ports

Open up ports for the services that the host offers. Ensure that the service being offered is properly configured and sufficiently secure before opening the port.

For a web server listening on port 80 :

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

here -p tcp specifies the TCP protocol

–dport 80 identifies packets destined for port 80.

Allowing ICMP packets :

iptables -A INPUT -p icmp -j ACCEPT

if you just want to allow ping look into using -m icmp option to select the icmp module and select only the ping messages with –icmp-type 8

Other ports may be opened based on the services being offered like ssh, etc.

Finally REJECT all other inbound traffic

iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT

Once the rules are created they are followed until a system reboot. Upon reboot the default rules are applied. So to make our rules permanent we need to save them and restore them on reboot.

Saving iptables rules

We can save iptables rules with the iptables-save command. This outputs to console the current rules. We may redirect it to any file and restore the rules from the same file.

 iptables-save > /etc/iptables.persistant.rules

Here i am saving the rules to /etc/iptables.persistant.rules

Create a executable script with any name in /etc/network/if-post-down.d/ with the iptables-save command to automatically save the rules

Restoring iptables rules from a file

We can restore the rules that we have saved using the iptables-save command using iptables-restore command.

iptables-restore < /etc/iptables.persistant.rules

Create an executable script with any name in /etc/network/if-pre-up.d/ with the iptables-restore to automatically restore the rules at start-up

Conclusion

We have covered the basics of how to setup and run a firewall using iptables to secure our Linux systems. You can read more about the iptables in the iptables man pages.

Stay Smart and Stay Safe.

This site uses Akismet to reduce spam. Learn how your comment data is processed.